mary | 20 November, 2007 16:43
A network administrator is sometimes faced with the onerous task of monitoring Web activity and blocking sites the organization deems inappropriate. This can be made even more difficult if the administrator is working with an already-strained budget.
Fortunately, Web-content-filtering systems are common, and they are often integrated with other network security functions, such as firewalls, antivirus programs and even intrusion-detection/prevention programs. This can save an administrator not only money but also precious rack space.
Web-content filters use two basic methods. The first, URL-based filtering, is a sure way of blocking specific sites because it categorizes the URL of the page. This type of filter has its drawbacks. It only works if the database of URLs is constantly updated as new domains and Web sites are created. It won’t work on sites that aren’t in the database yet. Also, because the database must be maintained, most providers charge a nominal subscription fee. On the positive side, this method is fast because it takes relatively little processing time to compare a URL string with those in the database.
The second method — content filtering or dynamic filtering — scans the Web page in question for words or word patterns and blocks pages that meet certain criteria. This is a powerful method that works on any Web site regardless of how new it might be, but it has two major drawbacks. First, to scan every page, the appliance must download it. If you have a lot of users, Web browsing can be slow unless you also have a very powerful filtering appliance. Also, if the filter is set to be too aggressive, it will create more false positives than you may consider acceptable.
An ideal filtering solution would use a combination of these methods, primarily relying on the database and only scanning for content when necessary.
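
The combined approach described above, database first and content scan only when needed, as an added Python example (not from the article or from any of the reviewed appliances). The hosts, categories, keyword weights and page bodies are constructed, and `scan_known` is a hypothetical switch that scans pages even when their domain is already categorized as acceptable.

```python
import re
from urllib.parse import urlsplit

# Constructed data: a tiny category database and keyword weights (assumptions).
URL_DB = {"casino.example": "gambling", "city.example": "government",
          "health.example": "education"}
BLOCKED = ("gambling", "drugs")
KEYWORDS = {"gambling": {"casino": 2, "poker": 2, "betting": 2, "jackpot": 1},
            "drugs": {"cocaine": 2, "heroin": 2, "overdose": 1}}
# Constructed page bodies standing in for downloaded pages.
PAGES = {
    "http://casino.example/": "casino poker betting jackpot",
    "http://fresh-site.example/": "online poker and casino betting tonight",
    "http://city.example/gambling": "visit a casino, play poker, sports betting",
    "http://health.example/drug-facts": "cocaine and heroin overdose risks explained",
}
fetched = []  # URLs the filter had to download to reach a verdict

def fetch(url):
    fetched.append(url)
    return PAGES[url]

def url_category(url):
    """URL-based method: look up the host, then each parent domain."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    for i in range(len(labels) - 1):
        category = URL_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None

def content_category(body, threshold):
    """Dynamic method: weighted keyword score per blocked category."""
    words = re.findall(r"[a-z]+", body.lower())
    for category in BLOCKED:
        weights = KEYWORDS[category]
        if sum(weights.get(w, 0) for w in words) >= threshold:
            return category
    return None

def decide(url, threshold=4, scan_known=False):
    """Database first; scan content only for unknown hosts (or if scan_known)."""
    category = url_category(url)
    if category in BLOCKED:
        return "block", "url-db:" + category
    if category and not scan_known:
        return "allow", "url-db:" + category
    hit = content_category(fetch(url), threshold)
    return ("block", "content:" + hit) if hit else ("allow", "content:clean")
```

With the defaults, the gambling page on the acceptable `city.example` domain is allowed without ever being downloaded. Setting `scan_known=True` catches it, but at the default threshold the same setting also blocks the constructed health page, which is the false-positive trade-off of an aggressive content filter.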
We received a variety of security appliances with Web filtering capabilities from six companies: ContentWatch, eSoft, IronPort Systems, Mi5 Networks, St. Bernard and WatchGuard Technologies. The appliances ran the gamut of user capacity and offered a variety of additional features.
All of the appliances were rackmountable and, with one exception, took up 1U of space. Each had, as a bare minimum, two 10/100/1,000 megabits/sec data ports and a serial console port.
To test the Web filtering capabilities of each device, we connected them in turn to our test network. Appliances could be set up in a variety of configurations within the network, but we set them up in-line between the router and the rest of the network. This is almost always the configuration recommended by the manufacturer because it is largely foolproof. Setting them up in sniffer mode, connected to the network alongside everything else, is usually not a good idea: every client’s browser has to be set to use the device as a Web proxy, and that setting can be disabled locally. You can prevent this by setting the router/firewall to block all Web traffic from sources other than the Web filter appliance, but setting it up in-line is definitely the preferred method.
We set each appliance’s policy to block some of the more common categories of verboten Web sites, such as those featuring adult content or nudity, gambling, games, and illegal drugs. Although each interface was slightly different, we were able to set each one to block the same categories.
We then listed Web sites we felt would be especially challenging, such as those that straddle typical category definitions and others that contain little-used domain extensions, such as .info, .biz and the relatively new .mobi.
We also put in several URLs that could easily result in false positives, such as government drug-use information and university-sponsored sexual-health sites. And we tried to play several online games, including popular ones such as “Lord of the Rings” and more obscure ones such as a German site that offers casual board games.
Although some came close, none of the filters performed perfectly. Some were fooled by certain domain extensions, and all of them failed to block a page with prohibited material within an otherwise acceptable domain — for instance, the Gambling tab on the official Las Vegas Web site. Any appliance could be adjusted to near-perfect operation for an organization willing to devote enough time and effort, but we were interested in how the devices’ out-of-the-box category definitions fared.