Firewall Jail

The other day I tried to click on a link while at work. I was surprised to see a site-blocked message from our SonicWALL firewall. Why block tinyurl? All it does is let you take a very lengthy URL (which are increasingly common for a lot of reasons) and convert it into a very short one. This is very useful for putting URLs in email because some email readers break URLs in half if they are longer than one line. This of course renders the URL useless, unless you take the time to paste it back together.

I did a short search, and it turns out that tinyurl is one of the sites that firewall companies have decided we don’t need to see. Actually, they classify it as a proxy bypass tool, but the net result is that they’ve decided tinyURL is guilty until proven innocent. Like the extra ounce of shampoo in the TSA security line, because it could be dangerous, it is dangerous.

This is fascinating to me because it creates a huge gap.

You see, tinyURL is blocked by default. You can unblock it, but the interesting part is that it must be done by IT. IT, who has just about everything else to do but answer requests like this, and has a built-in defense against spending any time on it: It’s a default setting on the firewall, and we trust their judgement.

The employee probably isn’t motivated to get it unblocked, because going to some IT departments with a request like this is a great way to ask for trouble, even if you’ve got some ironclad business reason for needing it unblocked. Never mind that the tinyurl you can’t read may be pointing to a relevant article on a blog; it ain’t the Wall Street Journal or a company memo.

That leaves Or Facebook. Or Linkedin or a ton of other quasi-business sites to find a way to get firewall companies to not block them by default. They end up blocked in the first place at least partly because the firewall users block them, or some of them do.

From SonicWALL’s site:

SonicWALL CFS categorizes millions of URLs, IP addresses and domains in a continuously updated, dynamically rated database. CFS rates over four million URLs, with hundreds more added daily. Because the ratings are determined both by artificial intelligence and human observation, the database is highly accurate, and the instance of false positives is minimized.

I think it’s safe to say that part of the process is measuring how much time people spend on sites, so, ironically, the usage a site promotes might just be what gets it blocked.

Consider Linkedin and Facebook. Facebook is blocked, but Linkedin isn’t. I think that’s because Facebook came from the non-business end of the social networking space, but Linkedin came from the business end. Facebook can be a sinkhole for time. Between the applications, the photos, the groups and discussions, one could really spend all day there and some probably do. Linkedin was the stoic business site. There wasn’t much to do except invite people, process requests, or tweak a rather limited profile. Linkedin has since tried very hard to become a lot more like Facebook. My prediction is that very soon Linkedin will cross the threshold, and will become a site that chews up so much time that companies block it.

The firewall blocks a site because a segment of its customers decide to, and by automation. The customer company probably has no way to check the list of blocked URLs in any reasonable way – it’s got to be in the millions – so probably has very little understanding of what they’re missing, so to speak. The user has the ability to lobby with their local IT group to get a site whitelisted if they choose, but that still leaves the site blocked elsewhere the firewall is used.

Here’s the gap: Suppose a site that started out blocked turns out to have a lot of value – does its rating ever decline? Automatically? Hard to say. SonicWALL doesn’t mention that, and I’m guessing that there’s only one way it ever happens, and that’s by people asking them to re-rate sites.

YOU can ask for SonicWALL to re-rate a site here.

2 thoughts on “Firewall Jail”

  1. The blocking that you describe is not new. It’s been going on a while as small businesses and individual entrepreneurs have access to more cutting edge technology today than their corporate brethren. iPhone is going through the same thing. Supposedly it can’t be used for “big business” but almost everyone I know who is on the small business side has a great preference and dependence on it. There have been many times over the years where I could not even send .zip files to executives, or send them things over They always ended up giving me their personal e-mail address. Skype is another product that is a true marvel, yet corp IT generally hates it. It’s an incredible era in personal technology, and corp IT’s reputation for stonewalling or being bureaucratic is finding new depths in many companies.


  2. It gets worse – many companies are even blocking RSS at the firewall, and refusing access to blogspot, wordpress, or typepad.

    There are always workarounds –, urlpass, and the like, but it doesn’t help you if the tinyurl comes from someone else, of course.

    Using these sites or not using them has consequences. A company that blocks LinkedIn is one where if you can find an employee, they know they’re not being monitored by corporate. Recruiting Nirvana.

    The best part is companies still don’t have social media policies in place. They have dress codes, they have internet use policies, but they don’t spell out what you can and can’t do.

