Ad Blocking at the Office
The vast majority of sites and services on the web are free to use. Many of those are supported by advertising but that advertising itself can make their services harder to use with pop-ups, distractions and the possibility of loading malware. Advert placement is often handled by automated engines. These can serve content that is only thinly related to the user’s interests or could be compromised and linked to fraudulent sites or to malware .
Adverts displayed on websites can be controlled by detecting scripts used to load them or by looking for the IP addresses linked to advert servers and blocking them. Many site owners see the effect this could have on their income and refuse to load pages if they in-turn detect the presence of an ad-blocker. YouTube for example is cracking down on ad-blockers, threatening to stop videos from playing unless the viewer subscribes to YouTube’s own premium service. This could be a particularly difficult stance to work around as the adverts are embedded within the videos themselves. Although YouTube hosts a wealth of frivolous content it also includes information that could be legitimately used in corporate education making an outright ban on YouTube in the office unpopular.
For a corporate network the use of ad blocker browser plug-ins or extensions might not be the optimal solution. Such services could be tracking and selling-on user data as part of their ‘free to use’ deployment agreement or commercial deployment costs could spiral with an increasing user base. There are also the usual issues of maintaining the most up to date version throughout a network. If a specific exception needs to be added to the default blocks this will require updating all installations or (hopefully not) having different rules for specific deployments.
The network solution is to work at the DNS server level as part of a general policy of restricting access to possibly harmful sites. This approach has the added benefit of controlling content on BYOD machines connecting through the organisation’s wifi. Kindus has discussed the government level PDNS services but private and corporate DNS servers can be set up for a similar effect. Some solutions run remotely; a browser is set to route traffic through a DNS server on the cloud. For Firefox this is an option in ‘Settings_Privacy and Security’. With ‘Max Protection’ an external DNS provider can be chosen that will filter traffic before it is directed to the client. For more refined control over blocked or white listed sites an internal DNS server can be set up. This also opens the options to track and audit which sites have been blocked or permitted to run. A relatively simple example is Pi-Hole which runs on Linux but will manage traffic directed to it from a Windows network. This type of solution will work for a home user or SME but is less likely to scale well to the larger enterprise. For wider implementations any existing Firewalls should be investigated as to their ability to block selected traffic.
Another means of controlling web traffic is to move the whole browsing experience to a cloud browser. Following the same principles as Virtual Machines and thin clients all the blocking, browsing and cookies are in the cloud but the screen output is scraped and displayed on the local device. Browsers often download files and then check them for malware. With downloads initially sent to the cloud there is an additional level of protection against infection. There are also privacy benefits as data such as location and IP addresses will be hidden from visited websites. Although cloud browser services have the potential to run fast enough for efficient browsing their user performance depends on how well they are programmed and the local bandwidth to the host machine.
There are few reasons not to run some sort of ad blocking system. One notable exception is for testing systems and services. A solution may appear to be robust and bug free but host intrusive ad services that are silently blocked. These could then make themselves apparent when the service is released into the wild. A clear case for ensuring that testing runs over a variety of situations and platforms.