Web filtering software on test
Company web access can destroy productivity as well as throw up some legal issues. David Ludlow looks at how web filtering could protect your organisation's reputation.
The internet is an attractive business tool, providing up-to-the-minute information and fast communication.
Online working can save employees and companies a great deal of time and money. On the downside it is also the source of infinite distractions for users.
While checking the internet for the latest holiday information may not seem like a bad thing, it is your employer that is footing the bill.
Web filtering products are there to police an acceptable-use policy. By ensuring that users cannot browse restricted websites you have removed a lot of the temptation.
In this group test carried out by vnunet.com's sister title Computer Reseller News (CRN) we managed to look at nine filtering products. Most of them offer standard URL filtering, and work by holding a categorised database of known URLs. Categories include pornography and online shopping.
The administrator's job is to choose which categories to allow and which to block. In particular we looked for the flexibility of the software.
Scheduling was also an important factor. You might want to block online shopping sites during work hours, but why not let employees do this after work or during their lunch breaks?
With this kind of product the quality of the categorisation is important. URL filtering should be there to restrict access to banned sites, not the entire internet. As with antivirus software, the database needs to be constantly updated.
We were interested in how often this task can be done and how easy it is to set up. Next, we were interested in the number of additional features in the software.
Many programs have keyword filtering as well. This scans URLs and, in some cases, CGI scripts looking for banned words. This can block illegal sites, even if the URL is not in the database.
The last product, WEBsweeper, does not rely on URL filtering. Instead it uses a range of administrator-entered checks to categorise and block sites. This includes checking online site ratings, which the legitimate sites comply with, and text searching.
In this way the product has more in common with email content filtering than the URL filters.
For this product we were interested in how easy the product makes it to set-up rules to block or restrict different categories of website.
This can be difficult to set up, so we looked for as much help as we could get from the software. The problems encountered are that rules are too restrictive and innocent sites get blocked.
While more flexible than URL filtering, this kind of product can suffer from complex administration and rule sets that have to be constantly monitored.
The business case
The business case for web filters is self evident. There are two real reasons to own the software: productivity and legality.
Productivity means ensuring that users have the tools to do their jobs but not the means to waste time. By blocking sites that are not related to work the user is forced to use the internet more productively.
Surfing outside of work sites increases bandwidth on the wide area network link. As this is the most expensive part of the network you should ensure that traffic run on it is for a business use.
Restricting use in this way can help reduce load and prevent you from having to upgrade a link that is perfectly suited to business needs.
Second, if users are downloading pornography and other illegal items, the company can suffer. Its image can be tarnished. Rather than catching users out, it is better to prevent this kind of activity.
For those working in an educational environment, blocking this type of thing will protect students from the harmful influences of the web. Overall, content filtering gives you an added layer of protection.
By clearly defining acceptable internet activity and installing the software, you have taken all reasonable means to restrict surfing. Make sure that you inform staff of the policy and you have grounds to take action against users breaking the policy.
This kind of software will pay for itself and cut down on the number of disciplinary actions.
8e6 Technologies X-Stop 4.5
At first CRN didn't think that 8e6 Technologies would be a part of this test, as the US PR department failed to answer the emails we sent.
However, we found the UK distributor and downloaded the current Microsoft ISA version from the site, which is a tiny 2MB.
The product is basic in operation and management takes place from the local machine using a dated application. There is no online help so you will have to trawl through the manual.
The first part of the software is designed to set up the default access controls. There are four options for each URL category: blocking, monitoring, bypassing and white list.
The white list option specifies the websites that are allowed. If you have guest users coming in, this can be used to allow them access only to the corporate site.
One of the facilities the software offers is full library management. The URL lists are split into two libraries: black and white, or denied and allowed. New sites can be added into the library category structure or deleted from the software.
More detailed control comes from the profiles. First, it is worth creating category profiles. These work like access control lists (ACLs) and select which categories are banned.
CRN created one called 'work hours', which encompassed all of the categories not suitable for browsing. Each profile needs to have a colour associated with it, which comes into play later.
Next, user profiles can be created by either domain name or IP address. Inside each profile we could set a default-blocking scheme and run a category profile at timed intervals.
This involved colouring in the time grid with the colour of the category profile created earlier. This became confusing; there should be no need for the administrator to pick colours for categories.
The software has most of the options offered by other programs in the test, but it was so difficult to see what was available. The management will have to improve a lot before this product matches up to many of its rivals.
Price: from £710
Contact: Entrix (01480) 414 131
www.8e6.com
FutureSoft DynaComm i:Filter
Part of FutureSoft's DynaComm range of products, i:Filter uses packet-sniffing technology to detect web connections and boasts a database of seven million URLs.
To stop it from being overloaded on large networks, multiple network monitors can be installed. You may want to install one on each network segment, or logical virtual private network.
To get the most out of the i:Filter on a switched network you have to use port mirroring or Layer 4 routing based on destination port. CRN installed a single monitor onto our network.
Management is performed through a custom-built Windows application, which provides a neat structured view of the software's operation. A quick set-up wizard fires it up for the first time.
This configures the email settings for alerts and sets up the network monitors. Each monitor is set to scan defined subnets and i:Filter makes an educated guess based on the monitor's IP address.
Filtering is a matter of applying rules to users or groups of IP addresses. First, the components of the rules have to be populated. i:Filter provides access to this information through a tree menu of options.
Components include users, time intervals, file types and URL keywords. Once fully populated, rules need to be created.
Rules are grouped into Rule Sets. A management console maintains multiple Rule Sets, but each monitor runs only one active Rule Set at a time. Individual rules follow the firewall pattern of who, when, and where.
The 'who' and 'when' parts of the rule are the components we created earlier. This leaves the 'where', which is taken care of by the extensive URL library.
Updates to it are handled by the task scheduler, which can also retrieve log files and run one of the many reports.
If the automatic updates are not enough then new URL categories can be added. i:Filter has changed a lot since we last saw it and now offers a simple management platform and powerful distributed filtering.
Price: from £1,100
Contact: FutureSoft (01260) 292 222
www.futuresoft.com
ClearSwift WEBsweeper
WEBsweeper is designed to replace URL filtering with more complex analysis of web pages as they are downloaded. It acts as a proxy server and has to download a page before any analysis can be carried out.
CRN found that it was difficult and time-consuming to set up. There are a substantial number of building blocks that have to be put in place. First, the user lists have to be populated with Lightweight Directory Access Protocol or Windows NT users.
Next, categories have to be created. These are containers for multiple checks that allow a web page to be correctly identified. We set up a basic container called 'Pornography', which looked for the keywords 'porn' and 'sex', and also checked the platform for Internet Content Selection rating.
Next, scenarios need to be put in place. Each applies to a set of users, although the highest-level scenario applies to all users. A scenario uses containers and other checks to classify a web page.
The checks include predefined containers, which can be used in multiple scenarios, or a range of standalone tests. These include text searching, looking for banned data types, scanning for viruses and managing portable code.
Each check passes the code onto the appropriate classification, which blocks the traffic, sends an alert, or passes it on. In our example, any pornographic sites would get passed onto the 'Dirty' scenario and blocked with a custom message.
It takes a lot of management and steps to even reach this stage. Once here, rules have to be fine-tuned so that they do not block innocent sites or overload the administrator with alerts.
To counter this complexity ClearSwift has introduced a URL filtering component, complete with library updates, but even this is difficult to set up and seems to be a bit of a cop-out from the original program idea.
WEBsweeper has a full range of features, but you are going to need a full-time administrator to keep the system in operation, or opt for the URL filtering plug-in, which makes this expensive.
Price: from £1,260
Contact: ClearSwift (0118) 903 8100
www.clearswift.com
N2H2 Sentian
N2H2 has a good name in the home filtering market, but also sells the Sentian range of business products. We have reviewed the Microsoft ISA version.
The software integrates with ISA server to the point where the N2H2 filtering options are accessed through the same Microsoft Management Console as the ISA server.
Despite this, the policy elements created for ISA cannot be used inside N2H2 filtering, and settings might have to be replicated.
Access to the filtering components is simple, although you will not find some of the advanced features, such as keyword filtering, that other products in this test offer.
The basic options allowed us to change the URL database update schedule, turn filtering on and off, and change the logging options.
The filtering control of the software comes from three basic options. 'Define Filters' is exactly what it says, allowing custom ACLs to be created by picking the categories of sites that are allowed and denied.
More advanced operations allow categories to be monitored or monitored with a warning. There is a good range of categories, although no in-depth sub-categories that some other products in this test offer.
If the current list is not enough, then the software allows custom categories and sites to be entered. If you do not want the hassle of entering additional categories, URLs can be entered directly to allow and deny lists.
Once the filters are created they need to be applied to groups of users. This starts by assigning a schedule to a filter and then applying the result to either a list of NT domain users or IP addresses.
Certain users, such as administrators, can be given override privileges from the filter categories.
It all works, but it is a simplistic approach to filtering. Without building rule components there can be overlap. Once the filtering rules are put into place it is difficult to see how the system fits together or when the schedules are running.
Price: from £1,000
Contact: N2H2 (01225) 337 171
www.n2h2.com
Secure Computing SmartFilter
SmartFilter has been designed as an enterprise product. It comes as three separate components, which makes distribution in large networks easier to manage.
First is the agent, which does the filtering. This is available for all big proxy servers, although we installed the Microsoft ISA version.
Next is the management server. This holds the filtering settings and is used to deploy agent configurations. Finally, the Java-based management console is used to hook into the management platform.
CRN installed the three components on one machine to review the software. With the management software, each filtering agent had its own management settings.
CRN started by looking at the update schedule. Strangely, updates were restricted to a maximum of twice a week but came set to update on a weekly basis. Other products in this test offered daily updates.
In addition, SmartFilter allows the administrator to input URLs to block. An additional tool sits round this, checking that custom entries do not conflict with database entries. If they do the software can delete them.
Filtering profiles are implemented in the same way as most products. First, an ACL policy needs to be put in place. This defines which sites can be accessed.
There is no concept of scheduling the times the policies work. Instead, each category inside a policy has a schedule. Secure Computing has a different implementation of URL blocking.
In addition to 'allow' and 'deny' there is also 'coach' and 'delay'. 'Coach' displays a warning before a site is accessed. 'Delay' halts access to the site for a defined number of seconds. This reduces the load on the network caused by non-work-related sites being accessed.
Policies then have to be associated with user groups. These are containers for multiple users and workstations. Once complete the settings have to be distributed.
This is a good product, but better scheduling options and more frequent updates would take it further.
Price: from £892
Contact: Secure Computing (0175) 341 0900
www.securecomputing.com
SurfControl SuperScout
SuperScout has versions available for all of the common proxy servers and a standalone version that uses packet sniffing.
With all versions the software comes as two components: monitor and rules administrator. The rules administrator is where the program is configured from and is easy to use.
It follows the same configuration methodology as a firewall: each rule consists of a 'who', 'where', 'when' and 'allow' or 'deny'. Building these rules is a matter of building each component.
First, the 'who' components have to be populated. This can either be the automatically discovered NT Domain information or a manually entered subnet, IP address or MAC address. Finally, a 'who list' can be created to group together several objects.
Next, comes the 'where'. SurfControl's URL library automatically populates the extensive category list. In addition, each category can have the SmartScan keyword checker turned on.
This scans the URL for the administrator entered keywords and categorises the site automatically. Finally, the 'when' section says when a rule is in operation.
We created a work time one that was in operation from Monday to Friday from 10am to 6pm. With the building blocks created, rules are dropped into the correct place and administrators can choose to allow or deny.
However, this is not where it ends. SurfControl has realised how quickly websites spring up and provides the virtual control agent to combat this.
This categorises the monitored sites but, even so, we recommend updating this daily. Fortunately, a scheduler program exists. This is more than URL updates, and automatically runs the virtual control agent, a command line utility, or a report based on the collected data.
SurfControl has always provided a high-quality URL filtering tool and hasn't rested on its laurels. The program is as easy to use as ever, but the virtual control agent gives the software more power and flexibility than ever before.
Price: from £995
Contact: SurfControl (01260) 296150
www.surfcontrol.com
St Bernard iPrism
The iPrism is the only appliance on review. Installation simply requires plugging the internal and external network interfaces in and powering up the box.
Annoyingly, neither of the network interfaces have any status lights, which can make it hard to tell if there is a link or not. Configuration can put the box in routed, transparent bridge, or proxy mode.
The transparent mode is useful as it makes the iPrism third-party proxy independent. With the box switched on we pointed a web browser at the default IP address to get into the Java-based management. This is used to set up access control profiles.
Each profile consists of one or more Access Control Lists (ACLs) which define the categories of sites allowed and denied. Each ACL has an active schedule associated with it, although the control method to implement this can be cumbersome. A time grid has to be filled out, but multiple cells cannot be selected at once.
Control of allowed and denied sites in the ACL is much better. Websites are divided into categories, including 'questionable', and sub-categories including 'weapons/bombs' and 'violence'.
Each sub-category has two options: 'monitor' and 'block'. The monitor mode allows reports to be generated at a later date.
Once a profile has been finished, it has to be associated with a group of users. This can be based on either IP address or user name. However, user names do not work if the appliance is in transparent mode.
One change to the product we noticed was a change in the custom filters. In the old version of the software this was the part of the system used for manually entering URLs.
The update has changed this so that when a user gets a denied page they have to email the administrator for permission to view. Requested sites then get added into the 'allow' or 'deny' category.
Updates to the URL library and the system itself are handled daily by a scheduled process, but cumbersome management gets in the way of an otherwise good product.
Price: from £2,492
Contact: St Bernard (01276) 609 991
www.stbernard.com
Symantec Web Security
Web Security is Symantec's corporate web protection platform. In this review CRN concentrated on the web filtering aspects, although the software also provides virus scanning as well.
Installation takes place on a single server, and it installs a new web service for management. This screen is first used, as with other Symantec products, to get a licence key. This happens online after filling out a simple web form.
The ideas behind the management are the same as for the others on test, but Symantec has a slightly different way of implementing them.
First, clients, users and groups need to be populated. Clients are added by IP address, while users can be synchronised with an existing LDAP server. Groups are merely a container for sets of these items.
At this point only the default filtering rules at install time are in place. To apply customised filters a new schedule needs to be applied to either a group or individual user. The schedule contains the filtering rules and when they should apply.
The URL filtering rules are basic and allow only specified categories to be allowed or denied. However, even if a category is allowed, keyword filtering can still be turned on.
The one advantage of this system is that the login method for a user can be picked before the schedule will run. We set our system up so an entire group had to log in.
The URL database is scheduled to be updated daily, but URLs can be manually added to any existing category, or new categories can be created. The URL database is entirely manageable and URLs can even be deleted from the database.
Each category also has a dictionary. This performs keyword filtering on web pages and helps improve the filtering success rate even if a URL does not exist in the category.
Although the antivirus scanning gives this software an additional edge, we feel that the filtering is lacklustre and it is not easy to see what rules are in place, unlike the other systems on review.
Price: not available
Contact: Symantec (0800) 389 7030
www.symantec.com
Websense ISA
The Websense product comes with a huge range of support for third-party proxy servers including CacheFlow, Check Point, Cisco, iPlanet and Microsoft.
Once installed, management switches to the Java-based management console. The system works by assigning profiles to user and network objects.
Software users can be taken from a directory server or input manually for workstations and networks. While populating the lists we discovered that the right-click menu is not context-sensitive.
Clicking on workstations, for example, brings up the options available in the software, not just for workstations. This is annoying, although we did get used to it.
You then have to create policies. Websense populates the software with several defaults, which gives a good starting point. A policy consists of a number of ACLs, called category sets, and the days and times each one applies.
Building our own category set immediately showed the flexibility of the software. Each category and sub-category can be allowed, denied, deferred until after work or limited by a predefined quota.
This allows access to a category for a defined amount of time each day. This could be used to allow employees to read the standard newswires in the morning.
The 'defer until after work' service lets users bookmark sites they are not allowed to view at work to the AfterWork.com website, which they can later view through any browser.
For extra protection, URL and CGI keyword filtering is provided. Websites that the software does not block can also be added into the existing category structure.
Unfortunately, no automatic categorisation software exists, such as the one provided by SurfControl. This means you have to rely on the quality of the daily updated database.
The server is pre-configured to download the latest update every day between 9pm and 6am. However, these settings can be changed to suit the local network.
Websense provides a comprehensive set of tools for filtering URLs, but could do with more automated tools for reporting and site classification.
The full directory support for users, and clever categorisation tools make this product one of the most end-user friendly tools on the market while retaining full administrator control.
Price: from £1,070
Contact: Websense (0193) 2796 001
www.websense.com