The network acceptable use policy is an issue that has been discussed in just about every HR department. It’s a serious subject that must be dealt with as ignoring the issue can lead to internet abuse.
Being a NetFlow and IPFIX reporting company, we have plenty of customers addressing this issue almost on a daily basis. Some of the network acceptable use policy questions that come up include:
- What should this document contain?
- What warnings should be given out?
- Who should perform the monitoring?
- How will the traffic be monitored?
As many network administrators have learned, blocking sites often doesn’t work due to anonymous proxy sites and certain individuals (i.e. upper management) who request access to blocked sites. This blog will give you some great ideas that you can use to update your existing policy.
What should this document contain
For schools, I feel the Network acceptable use policy at Chapel Hill put in several sentences that are important for most educational facilities:
- “The use of the University Network is a revocable privilege.”
I think that sums it up quite nicely. Network access is not a right!
- “Users agree to comply with this AUP and other applicable University policies which may be implemented from time to time, as well as all federal, state, and local laws and regulations.”
This a great sentence because it basically says the school can change its mind at anytime and that it is the students responsibility to be aware of the changes.
- “Each User is expected to be considerate of the needs of other Users by making every reasonable effort not to impede the ability of others to use the University Network and show restraint in the consumption of shared resources.”
In other words, don’t use tools like BitTorrent that allow you hog and steal bandwidth from others trying to use the same internet connection.
- “Users may not attempt to disguise their identity, the identity of their account or the machine that they are using.”
This is another way of saying, don’t use anonymous proxies to hide who you are.
- “The University reserves the right to review and/or monitor any transmissions sent or received through the University Network.”
Translation: we can and will monitor everything you do!
I suggest you read the whole thing as it also includes the basics regarding things like dissemination of pornography, unlawful communications (e.g. cyberstalking, obscentities, etc.). Kudos to UNC.edu for a well written Network Acceptable use Policy.
Here is what shouldn’t be in your Network Acceptable Use Policy “The use of the network must be used for the purposes of furthering the mission of xxxx corporation.“ On the surface it sounds like an all encompassing good idea but, now we could be preventing people from emailing spouses and friends. Allowing employees to take care of a little personal business often allows them to stay focused on work, knowing that their personal life is in order.
Schools and companies should also review my post on monitoring social networking traffic as it covers what network users can and can’t do with these sites. Users claiming “Freedom of Speech” doesn’t always work. If you search the web you will come up with a Network acceptable use policy template that can be customized to meet your unique needs.
What Warnings should be given out
If you have ever dealt with our legal system, you know that you must have a paper trail prior to taking corrective action. UNC lays out what ‘may’ happen:
- restricted access or loss of access to the University Network;
- disciplinary actions against personnel and students associated with the University,
- termination and/or expulsion from the University, and
- civil and/or criminal liability.
Depending on the venue, the above may be bit too vague. Subjective consequences can lead to loop holes if an issue should escalate to litigation. Some businesses or schools may want to consider something like the following:
- 1st Violation: verbal warning and notification to manager
- 2nd Violation: written warning and notification to manager
- 3rd Violation: written warning and notification to manager
- 4th Violation: termination
A clear escalation of consequences could avoid expensive legal fees.
Who Should Perform the Monitoring
In most organizations, the IT team does the monitoring. In smaller companies the IT manager calls the individuals perpetrating the violation directly. In larger organizations the violation and culprit details are sent off to HR and that is the last the IT team hears about it. In one policy I read “Interpretation and enforcement of this Policy is the responsibility of the Chief Technical Officer (CTO).”
Whichever strategy is taken, confidentiality is important. We don’t want to embarrass anyone especially if the evidence and our suspicious end up being wrong. False accusations can lead to unwanted attrition.
How will the Traffic be Monitored
There are a several different approaches to monitoring what users are doing on the network. Squid is a popular solution that can track and log internet activity however it lacks insight into internal traffic. My preference of course is NetFlow or IPFIX collection and reporting. Even though flow reporting provides limited details, we can still determine certain activities due to the behavior of the application in use even if the communication randomly chooses ports.
Cisco NBAR, SonicWALL Application Recognition, Exinda NBAR and other companies are now performing deep application inspection to correctly identify the actual application. Even tough applications to identify such as Skype and BitTorrent can be detected with these new NetFlow and IPFIX technologies.
Determining web sites however is a problem with most NetFlow exports. The DNS name of an IP address to determine the web site, can’t depended on in NetFlow Domain Reporting. A typical Cisco router today does not have the ability to export URL details however, this may change in the future. The nBox and SonicWALL appliances already export IPFIX with URL details which has been the coup de grâce for many network administrators looking for further details on filtered traffic. With the URL, we can filter on domains reliably and then drill in to find out who is hitting them and causing the excessive traffic as well as how frequently.
Your network acceptable use policy probably already includes many of the above details. Personally I’m a fan of not blocking anything and encouraging employees to be responsible with the companies internet connection and IT resources. If the consequences are clear and enforced, most responsible people will play by the rules.