Content filtering Day Two - Finding the right tools

Our short series on content filtering continues with a guide on how to select and implement filtering technologies.

Choosing the right appliance

Like other security systems, content-filtering appliances must be hardened against attack and unauthorized admin access. Effective content filtering requires speed and storage for a large number of transactions, so consider workforce size and average/peak request rate when selecting appliance models and deciding how many to deploy.

Beyond these fundamentals, look for an appliance that can implement your defined AUP and auditing requirements. Every content-filtering appliance can block outbound HTTP, but not all filter responses that might carry banned content. Similarly, most can deny HTTPS to forbidden domains, but some do not inspect SSL-encrypted payloads. In fact, "Internet filtering" appliances often examine other traffic, from conventional protocols like FTP and NNTP to newer channels like IM and P2P. This diversity complicates comparison, so start by deciding how you want to distribute enforcement between your firewall and content-filtering appliance, then find products that can implement that split.

Next, consider how Web requests are filtered. Blacklists may be composed of configured IP addresses, domain names and URL patterns -- or they may contain dynamic quarantine entries that reflect recent experience. Many appliances also offer categorized URL databases. Evaluate coverage in categories that interest you, database update frequency, and the granularity of whitelist exceptions.

If you want the appliance to filter responses, what do you expect the appliance to look for? Possibilities may include blocking or cleansing responses that contain banned words, image files, risky MIME types, unsigned active code, or malware. Some appliances can force Google or Yahoo Safe Search mode "on" to eliminate explicit sexual content from search results, but this is more of a complement than a replacement for policy-based filtering at the edge of your own network.

If your AUP establishes different rules for individuals or workgroups, appliance policies must reflect that granularity. User/group profiles may specify categories, whitelists, time of day, bandwidth, or supported user agents. To avoid extra authentication when users access the Web, look for an appliance that supports single sign-on and your existing authentication system (e.g., NTLM, AD, LDAP, eDirectory). Also consider whether organizations must have the ability to specify their own policies.
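To make the request-filtering and per-group policy criteria above concrete, the following added sketch (not from the original article or any vendor's product) shows one possible evaluation order: global blacklists, then time of day, then path-level whitelist exceptions, then category lookup. All domains, groups, categories and addresses are constructed assumptions.

```python
import fnmatch
import ipaddress
from datetime import time
from urllib.parse import urlsplit

# Constructed sample policy; every name and value here is hypothetical.
CATEGORY_DB = {"games.example": "gaming", "webmail.example": "webmail",
               "news.example": "news"}
BLACKLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BLACKLIST_DOMAINS = {"badsite.example"}
BLACKLIST_URL_PATTERNS = ["*/download/*.exe"]
PROFILES = {
    "staff": {"blocked": {"gaming", "webmail"},
              "whitelist": ["webmail.example/corporate/*"],
              "hours": (time(7, 0), time(19, 0))},
    "it-admins": {"blocked": {"gaming"}, "whitelist": [], "hours": None},
}

def domain_matches(host, domain):
    """Match the domain or a subdomain, never a lookalike such as notbadsite."""
    return host == domain or host.endswith("." + domain)

def decide(group, url, resolved_ip, now):
    """Return (verdict, reason) for one outbound request."""
    profile = PROFILES.get(group)
    if profile is None:
        return ("deny", "unknown group")  # fail closed
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + parts.path
    # Global blacklists come first so no group whitelist can override them.
    if any(ipaddress.ip_address(resolved_ip) in n for n in BLACKLIST_NETS):
        return ("deny", "blacklisted IP")
    if any(domain_matches(host, d) for d in BLACKLIST_DOMAINS):
        return ("deny", "blacklisted domain")
    if any(fnmatch.fnmatchcase(target, p) for p in BLACKLIST_URL_PATTERNS):
        return ("deny", "blacklisted URL pattern")
    hours = profile["hours"]
    if hours and not (hours[0] <= now < hours[1]):
        return ("deny", "outside permitted hours")
    # Whitelist exceptions are path-granular and override category blocks only.
    if any(fnmatch.fnmatchcase(target, p) for p in profile["whitelist"]):
        return ("allow", "whitelist exception")
    category = next((c for d, c in CATEGORY_DB.items()
                     if domain_matches(host, d)), "uncategorized")
    if category in profile["blocked"]:
        return ("deny", "category: " + category)
    return ("allow", "category: " + category)  # uncategorized passes here
```

Path matching here is case-sensitive, so a production rule set would normalize case and percent-encoding before matching.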

Finally, look carefully at reporting tools provided by the appliance to analyze and track Internet use throughout your network. Some companies start using content filters simply to spot and document inappropriate Web activity. This is an excellent way to learn what your network is really being used for when defining an Internet AUP. Unless your workforce is small, however, automated analysis and summary reports with drill-down capability will be key to isolating Web abuse and risk exposure.

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.
