Tuesday, January 15, 2008

"Blocking" vs Logging: Which is A Better Deterrent?

Loved this quote from one of the mailing lists: "The best deterrent is going to be a policy stipulating consequences for violation, a logging server with at least many months of firewall/proxy/Internet access logs, and your employees understanding that you can track it back to them after the fact."

Why aren't more people thinking about it? Why such an obsession with trying (and failing!) to block when you can log - and achieve the same policy outcome!?


Augusto Barros said...

Anton, I tried this in "the real world", and you are right about it. I warned the users, then started the monitoring process. After the first warnings to managers informing them of inappropriate behavior from their employees, the rate of forbidden content being accessed dropped by more than 50%. But it must be a continuous process; people are always "testing" to see if the monitoring is really taking place.

Anton Chuvakin said...

Also, if you actually PUBLISH all web access logs on the Intranet, you can achieve near perfect compliance with 0 blocking!

Dr Anton Chuvakin