Before securing Internet access for private network users, your organization should consider drafting an Internet acceptable use policy. This policy will define what is acceptable employee usage of the Internet.
After this lesson, you will be able to
- Develop an Internet acceptable use policy that defines the required security mechanism for allowing private network users to access the Internet
Estimated lesson time: 30 minutes
It's important to define your organization's policy before designing the network infrastructure and services that will enforce and monitor that policy.
Determining Contents of the Policy
An Internet acceptable use policy must contain the following elements to ensure that private network users understand the rules when they access the Internet using corporate resources:
- The policy must contain descriptions of the available services. You must clearly define the specific services that are available to designated users. Defining the available services will help you determine whether a new service meets the standards defined in the Internet acceptable use policy.
- The policy must define user responsibility specifically. For example, the policy needs to state whether the user is held responsible for actions taken with the account if an attacker obtains the account name and password. Some Internet acceptable use policies state that users are responsible for any actions performed with their user account, regardless of who performed them.
- The policy must define what constitutes authorized use. The policy must define the tasks that are acceptable when a user accesses the Internet. A security policy could allow the following:
- Users can access the Internet with authorized protocols. Include a list of acceptable protocols for accessing the Internet. This list may be defined for individual cases based on the organization's security model.
- Users can send and receive e-mail for business purposes.
- Users can send e-mail messages with attachments less than 2 megabytes (MB) in size.
- Users can connect to any Web pages that are related to business purposes.
- Users can download files for business purposes as long as the organization's virus scanner is running at all times.
- Users can access Usenet newsgroups for business purposes. The policy may prohibit all access to the alternative newsgroup hierarchy (alt.*).
- The policy must define unauthorized use of the Internet. A security policy could prohibit the following:
- Accessing the Internet with unauthorized protocols. Include a comprehensive list of unacceptable protocols.
- Exposing sensitive company information to persons outside the company.
- Attempting to bypass the organization's security mechanisms.
- Portraying the organization in a derogatory or nonprofessional manner in public discussion groups.
- Accessing the Internet for personal use.
- Accessing Web sites that have no business purpose. These can include Web sites related to sex, hate speech, online gambling, online merchandising, gaming, or job search engines.
- Using e-mail inappropriately. Examples include forwarding unsolicited bulk e-mail messages or forwarding chain letters.
- Installing unauthorized software on the local disk.
The Internet acceptable use policy must also make provisions for new technologies. For example, a new technology could be defined as unauthorized use until management reviews it.
- The policy must define who has ownership of resources stored on the organization's computers. Clearly defining that the organization owns all data stored on company-owned hardware makes it easier for an organization to search for unauthorized data.
- The policy must define the consequences of unauthorized use. The policy must clearly state what actions the organization will take should an employee violate the Internet acceptable use policy. The consequences may include
- Removal of Internet access privileges
- Referring the employee's actions to local legal authorities
After defining the Internet acceptable use policy, create a document outlining the policy. The document should include a contract that employees sign before gaining access to the Internet. Your organization's legal representatives should review the contract and the policy to ensure that the contract is legally binding and complies with federal and local law.
Making the Decision
Table 15.1 outlines the decisions you will make when designing an Internet acceptable use policy for your organization.
Table 15.1 Design Decisions for an Internet Acceptable Use Policy
|To ||Do the Following |
|Develop a fair Internet acceptable use policy ||Accept input from all potential users of the Internet. Getting input from all sources will help develop a secure but fair policy. |
|Determine which protocols will be allowed for Internet access||Poll users for the protocols that they require, or are currently using, for business use. Asking employees for a business case ensures that the protocols are screened. |
|Verify authorized usage and identify unauthorized usage||Implement auditing to track all Internet access originating from the private network. Logging can take place at the Proxy Server or at an internal firewall. |
|Enforce the Internet acceptable use policy ||Clearly define the actions that will be performed if the Internet acceptable use policy is violated. Ensure that all employees as well as management sign the acceptable use contract. |
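The auditing row in Table 15.1 is where the written policy turns into something a proxy or firewall log can be checked against. The following Python script is an added example, not part of the lesson or of any Microsoft product: it reads a few constructed proxy-log lines and reports every entry that breaks the lesson's sample rules (unauthorized protocol, alt.* newsgroup, e-mail larger than 2 MB, non-business Web site). The five-field log-line format, the user names, the destination hosts and the prohibited-domain list are all assumptions made for the example; a real deployment would parse the format the Proxy Server or firewall actually writes and use the organization's own lists.

```python
"""Audit constructed proxy-log lines against an Internet acceptable use policy.

Assumed for this example (not taken from the lesson): a log line has the form
    <timestamp> <user> <protocol> <destination> <bytes>
and the protocol and domain lists below stand in for the organization's own.
"""
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass(frozen=True)
class AcceptableUsePolicy:
    # Authorized protocols (the lesson says to list them; these are example values).
    authorized_protocols: frozenset = frozenset(
        {"http", "https", "ftp", "smtp", "pop3", "nntp"})
    # Newsgroup hierarchies the policy prohibits (the lesson's alt.* example).
    prohibited_newsgroup_prefixes: tuple = ("alt.",)
    # E-mail messages with attachments must stay under 2 MB.
    max_message_bytes: int = 2 * MB
    # Constructed stand-in for a blocked-category list (gambling, job search, ...).
    prohibited_domains: frozenset = frozenset(
        {"casino.example", "jobsearch.example"})


@dataclass
class LogEntry:
    timestamp: str
    user: str
    protocol: str
    destination: str
    nbytes: int


def parse_line(line):
    """Split one assumed-format log line into a LogEntry; reject malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    ts, user, proto, dest, nbytes = fields
    return LogEntry(ts, user, proto.lower(), dest.lower(), int(nbytes))


def check_entry(entry, policy):
    """Return [(rule, detail), ...] for one entry; an empty list means compliant."""
    violations = []
    if entry.protocol not in policy.authorized_protocols:
        # An unauthorized protocol is the whole finding; no further rules apply.
        return [("unauthorized-protocol", entry.protocol)]
    if entry.protocol == "nntp":
        # Destination is assumed to be <server>/<newsgroup>.
        group = entry.destination.partition("/")[2]
        if group.startswith(policy.prohibited_newsgroup_prefixes):
            violations.append(("prohibited-newsgroup", group))
    if entry.protocol == "smtp" and entry.nbytes > policy.max_message_bytes:
        # Bytes sent to the mail server approximate message-plus-attachment size.
        violations.append(("message-too-large", str(entry.nbytes)))
    if entry.protocol in ("http", "https"):
        host = entry.destination.partition("/")[0]
        # Match the domain itself and any host beneath it.
        if any(host == d or host.endswith("." + d) for d in policy.prohibited_domains):
            violations.append(("prohibited-site", host))
    return violations


def audit(lines, policy):
    """Return {user: [(timestamp, rule, detail), ...]} for every violating line."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        for rule, detail in check_entry(entry, policy):
            report.setdefault(entry.user, []).append((entry.timestamp, rule, detail))
    return report


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
# timestamp user protocol destination bytes
2001-03-12T09:01:05 alice http www.contoso.example/products 4210
2001-03-12T09:03:17 alice nntp news.example/alt.binaries.pictures 0
2001-03-12T09:10:44 bob smtp mail.example 3145728
2001-03-12T09:12:02 bob irc irc.example 512
2001-03-12T09:15:30 carol https www.casino.example/lobby 2048
2001-03-12T09:20:00 carol http www.contoso.example/news 1800
""".splitlines()

if __name__ == "__main__":
    for user, hits in audit(SAMPLE_LOG, AcceptableUsePolicy()).items():
        for ts, rule, detail in hits:
            print(f"{ts} {user}: {rule} ({detail})")
```

Run against the sample, the script flags alice's alt.* newsgroup, bob's 3 MB message and IRC session, and carol's visit to a prohibited site, while the two business-related Web requests pass. The point of keeping the rules in one policy object is that the audit code changes only when the written policy does, which is the relationship the lesson asks for between the document and the infrastructure that enforces it.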
Applying the Decision
Wide World Importers' Internet acceptable use policy is missing a key component. The document needs to describe the consequences of violating the policy. There's no mention of whether employees can provide input during the drafting of the Internet acceptable use document. If Wide World Importers includes its employees in the decision process, the company would have a better chance of developing a policy that's accepted by both management and employees. General acceptance will make it easier to enforce the Internet acceptable use policy.
The first step in designing security for internal users is defining which actions are allowed when accessing the Internet. A clear definition of authorized and unauthorized actions in an Internet acceptable use policy will allow network administrators to design a security infrastructure that enforces acceptable Internet usage.