What controls should be used to block social networking sites?

If your company has decided it must block social networking sites such as Facebook, Twitter and others, you may want to reevaluate the security risks, benefits and costs of this action. It is easy to get around these types of blocks; all an employee really needs is a smartphone beyond the controls of the corporate firewall. Also, because your restrictions may lead to a backlash from your users, security resources may be better utilized on other risks.

If you really need to implement these types of blocks, depending on your environment, you may want to go with a...

network-based device or one installed locally on your client computers. Make sure to have a clear policy supported by management so you can justify implementing the best technology for the job. Some devices will allow you to get as granular as allowing particular groups to perform specific actions, like visit approved sites during lunch hour.

There are several multifunction Web proxies or similar devices that will enable the necessary network controls. Some operate inline, through sending TCP resets, and others via client configurations. Many come with other features like antimalware. If you allow unmanaged computers on your network or allow users to install their own software, you will probably need a network-based control to make it more difficult to bypass. Some of these devices also block many of the ways around traditional Web-only proxies.

Client-side software may work in your environment and not increase the complexity of your network infrastructure, but it can be bypassed if you allow unmanaged clients or users with administrative access. This option also requires complete coverage for pushing software out where the install could be missing. If you have a small environment and tight control of the computers, you could even restrict social network access through configuration of the Web browsers, but this may be difficult to do correctly and efficiently.