IT managers using Palo Alto Networks firewalls are now able to switch Facebook into a “read-only” mode, thanks to an update released today. There is no relationship between Palo Alto Networks and Facebook – the changes are all within the customer’s network. Previously, managers using Palo Alto Networks firewalls have had the option to block all Facebook apps (but not individual apps) as well as Facebook’s e-mail and chat features. The update adds the ability to disable posting, making Facebook effectively read-only.
Palo Alto Networks firewalls enable granular control over 1,000 applications cataloged in the company’s Applipedia – regardless of port, protocol, or evasive strategy (so the company says). The firewalls connect to Active Directory or other LDAP based directory to assign permissions by group or by individual user. All of the application detection and user permissions take place on dedicated firewall devices to avoid bogging down servers with analytical duties.
Turning read-write applications into read-only applications may seem antithetical to the read/write philosophy, but we think solutions like this will help enterprises adopt social media and break out of a binary world where they can either offer full access to Facebook or other web applications or no access at all.
Brave New Enterprise
Managers could, for instance, grant full Facebook access to its social media team, partial access to a customer service team, and read-only access to its competitive research team. Access can also be assigned by time of day, so permissions could be relaxed during lunch or after business hours.
Social media is being put to use in many enterprises; Ford, for example, is spending 25% of its marketing budget on social media. Social media reputation tracking is a hot topic in marketing, too. Yet, according to a Robert Half Technology report published in October, 54% of CIOs surveyed say they block social media websites completely.
Chris King, director of product marketing at Palo Alto Networks, says “IT departments are stuck in an old world. In the old world, if an application has a business use, then it’s safe and you allow it. If it doesn’t have a business use, then it’s a threat and you block it. That black and white world is gone. Facebook has business uses, but it also poses threats.”
King hopes that Palo Alto Networks can bring IT departments into a new world, where the benefits of Facebook can be embraced and the threats mitigated. The company says its product can help prevent data leaks, improve worker productivity, and reduce the threat of malware spread through social networks like Facebook.
King also suggests allowing some use of Facebook in the workplace could improve morale. One idea he mentions, though he’s quick to point out the product isn’t currently being used by the military, is limiting soldiers read-only access to social media sites in the weeks before a deployment. This would keep sensitive information from being leaked, but allow soldiers to view pictures and status updates from home.
Plugging the Proxy Holes
Another problem the company hopes to solve is the use of proxies to bypass firewalls and browsing restrictions. An increasing number of users are routing their Web traffic through public proxies or proxies on their home computers. King says, referring to the Robert Half report, that although 54% of enterprises are trying to ban Facebook, 94% of the companies whose network traffic Palo Alto Networks analyzed had employees actively using Facebook. We wrote about the company’s research in this area last year.
Palo Alto Networks firewalls use their own AppID technology to identify applications based on an analysis of a number of parameters including application protocol detection and decryption, application protocol decoding, application signatures, and heuristics. This enables the firewalls to block applications regardless of what port the application is using. The firewalls can also identify many individual proxies, such as Ultrasurf and TOR.
The End of Whack-a-Mole?
All of this control sounds great for companies. However, if the technology works the way its supposed to, couldn’t it also be used by governments, such as China and Australia, which restrict access to the web? Could it also be used by ISPs to restrict their customers activities? If evasive technologies can’t stay one step ahead of control technologies it’s good news for enterprises, but bad news for freedom of speech.
Still, it’s hard to believe that any company or country can win the game of whack-a-mole that’s afoot. Short of creating a whitelist of sites that employees (or citizens) can visit, there will always be holes in the firewall. But Palo Alto Networks’ technology offering is far more interesting than that tedious game, and its success isn’t riding on it. They just need to offer a better way for enterprises to manage the dizzying array of Internet applications and bring useful tools into the work place. And they seem to be succeeding thus far.
