
I've been using, happily, OpenDNS to block Facebook on my network. Then I started thinking about tricks to circumvent this block and, of course, I've read here on Server Fault how to block the Facebook IP address. But what if someone uses Tor or Freegate?

What can I do?

user9517
Pitto
  • Sounds like you need a policy of "use Tor and you're toast". ... With more friendly sounding wording maybe. – Sirex Dec 29 '10 at 09:54
  • It's worth asking: why block Facebook at all? Of course there are circumstances where it's appropriate, but I'd suggest they're the exception rather than the rule. Despite all evidence to the contrary, people are smart. Those who want to avoid work will find a way to do so with or without Facebook. The measure of an employee should be their quality and quantity of work, not how much time they spend on things you consider distractions. – sh-beta Apr 10 '12 at 00:24

10 Answers


What you have isn't really a technical problem, it's a management problem, don't try to make it a technical problem. You need to have an acceptable use policy that clearly defines what users can and can't do with the resources provided by your organisation. This should also detail what steps may be taken to enforce the AUP (monitoring usage/auditing machines etc) and what the sanctions for breaking the AUP are.

user9517
  • +1 (or more). Trust your users, treat them like adults, and trust them not to take the piss, and they probably won't. If you don't trust your staff, why did you hire them? – Tom O'Connor Dec 29 '10 at 13:07
  • The only problem is when the "management problem" is thrust on IT's lap, because management believes that it is a technical problem. Nothing that can be said will convince them otherwise, and you are forced to find some way to block site X. Having an AUP is not a barrier or deterrent to some people, and when their management does not enforce the AUP, you are left picking up the pieces. I do not believe in blocking the sites, but the people who run the company I work for do. – Buggabill Dec 29 '10 at 14:43
  • @Buggabill ... and in that case you *allow* the sites and set up a script to forward a message to the Person In Charge on the floor who is tasked with enforcing the AUP - nothing's *technically* stopping the users from doing what they're not supposed to, a manager just magically appears... – danlefree Dec 29 '10 at 15:45
  • So if you don't really agree with the blocking of Facebook, don't tie yourself in knots trying to close the edge case loopholes unless you are asked to. I am sure the management will be happy with a block that prevents 99% of users from visiting the sites they are worre – dunxd Jan 02 '13 at 14:17

I think you need to ask why you are trying to block Facebook. I'm assuming this is a corporate network, not home. Why should you allow your staff to use MySpace, Twitter, Amazon, Friends Reunited etc. but not Facebook? This sort of corporate content filtering (the organisation I work for does this as well) is almost always pointless. It tries to block websites it considers rude. Why? I'm a grown-up (most of the time), I can deal with rude words. My org tries to block webmail to prevent us e-mailing information home, but it doesn't block my NTL webmail because the person setting up the rules didn't think of it. Nor does it block my personal webmail server.
I'm all in favour of companies monitoring the web usage of staff, and having management policies in place to say what is considered acceptable web usage, both work-related and personal. But the automated blocking of sites is annoying (especially in the case of a false positive) and is ultimately not actually going to prevent anything significant. Save yourself the hassle, make sure the proxy virus-scans content and downloads and that your firewall is configured well, and leave policing your users' internet habits to their managers.

pipTheGeek
  • There was a facebook-related question that seemed related to a problem I was having on SO and my company's policy blocked it. >_ – rownage Dec 29 '10 at 16:57

The harder you try to block it, the harder the users will try to get access to it.

weeheavy

What can I do?

The old-fashioned means for enforcing similar "productivity policies" remains: get managers watching over employees' shoulders whenever a TPS report is late (or the wrong cover sheet is used).

danlefree

Well, for starters (beyond what everyone else said about policy and governance), you should be blocking egress traffic on your network outside of what's required (and I generally don't allow client machines to make direct TCP/UDP connections anywhere; there's no need 99% of the time when you have a proxy server in-house), especially UDP/TCP 53 to outside DNS servers.

I've used Layer 3 filtering and OpenDNS together with a lot of success at clients (such as yours) that are not treating this like a management problem (which it is). However, if they want to pay me to come in and set this up after explaining that, then so be it.

Even better than dropping outbound DNS would be to set up a proxy server (Squid is open source/free and does a good job caching as well; depending on your size, aging workstation hardware is likely fine).

Now you can drop all direct TCP/UDP connections from the clients to the outside and force everyone to use a proxy (transparently, and they won't even notice).

gravyface
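As an added example (not code from the answer above), here is an nftables ruleset for a Linux gateway that implements the egress policy just described: direct client connections and client DNS to outside resolvers are dropped and logged, and client HTTP is redirected to an in-house Squid. The interface names, the LAN range and the Squid port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the answer's own configuration. Assumptions: clients on
# 192.0.2.0/24 behind eth0, upstream on eth1, and Squid plus the internal DNS
# resolver running on the gateway itself (so proxy replies stay symmetric;
# a proxy on a separate host would need policy routing instead).
# Note: "flush ruleset" replaces whatever rules the host currently has.

flush ruleset

define lan_if  = "eth0"
define wan_if  = "eth1"
define lan_net = 192.0.2.0/24

table inet egress {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Reply traffic for flows that were accepted earlier.
        ct state established,related accept

        # Client DNS aimed at outside resolvers (UDP/TCP 53) gets its own log
        # prefix so attempts to bypass the internal resolver stand out.
        iifname $lan_if oifname $wan_if ip saddr $lan_net \
            meta l4proto { tcp, udp } th dport 53 \
            log prefix "egress-dns-bypass: " drop

        # Every other direct client connection to the outside is logged and
        # dropped; the chain policy drops anyway, the log gives visibility.
        iifname $lan_if oifname $wan_if ip saddr $lan_net \
            log prefix "egress-direct: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Transparent proxying: client HTTP is redirected to Squid listening
        # on the gateway (Squid's http_port with the "intercept" option).
        # HTTPS is not intercepted here; configure the proxy explicitly for it.
        iifname $lan_if ip saddr $lan_net tcp dport 80 redirect to :3128
    }
}
```

The two log prefixes are what you would grep the kernel log for to spot machines trying to reach outside DNS or connect directly, which is the monitoring side of the same policy.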

I suppose the next step would be to look at Facebook's URLs, headers or data. Just make sure whatever filtering you use (Squid is an example) doesn't affect the 'Like' button, since many popular sites implement that now. To be honest, there isn't really a way to stop a user if they have some form of tunnel or VPN running.

atx

First off, do you have a policy, backed at a high level, that forbids Facebook? If not, then you may be treading on the toes of your boss, or their boss, who actually want to use Facebook. Many companies are happy to accept reasonable levels of social network use at work anyway, and view an all out block as counter productive. I'll assume there is a banning policy in place though.

If you worry about circumvention then you'll need to start investigating blocking Tor or Freegate, and then the next thing and the thing after that - but I'd advise monitoring your network for evidence that these, or other circumvention techniques are in use, and a friendly word in the ear of the guilty party on first instance, and their manager on the second. Usually just letting someone know you can tell what they are up to is enough to get it under control.

Anyone with the smarts to use Tor or other "clever" ways around should also be smart enough to use Facebook on their mobile phone, which you can't block.

dunxd
  • Cell jammers exist - they don't comply to FCC regulations (obviously) but the most draconian of corporate IT departments is probably already irradiating their staff with 'em. – danlefree Dec 29 '10 at 11:11
  • I imagine that Blackberry and corporate cell phone use would limit the number of these that are in place in the corporate environment - and seems like total overkill to prevent staff checking Facebook. – dunxd Dec 29 '10 at 11:44
  • I'd put my money on the fact that the "no Facebook" policy's enforcement begins and ends at the call center/sales floor. – danlefree Dec 29 '10 at 11:58

The Barracuda Web Filter is convenient for this. There are recent options to disable proxying applications and workarounds.

ewwhite

Don't close it fully! Just make a "happy hour" when users can use any social network they want, Facebook, hi5 etc., so that they will know that, for example, at 14.00 they can take a coffee break, eat donuts, check what's going on and be social, and they will not think of breaking the system. Otherwise they will do it hidden and all day long... Don't forget that anyway they can go in with mobiles and 3G, which you cannot close. Cheerz.

DR.GEWA

FWIW, my company doesn't require us to block any social networking sites, and we have zero problems with users spending too much time on them. I completely agree with the "treat them like adults" mindset.

djl236