Content filtering Day One - Taming the wild Web

Filtering incoming web traffic sounds simple, but as Lisa Phifer explains, doing so effectively requires skill and knowledge of some complex standalone products.

The World Wide Web has been a boon to business and a bane to those tasked with managing Internet use. According to IDC, 40% of workplace Internet activity is unrelated to business. Nearly four out of five FBI-surveyed companies report that employees abuse Internet privileges by downloading pornography or pirated software. Worse, even business-related Web surfing has grown dangerous. For example, losses from phishing attacks alone exceeded $2.8 billion last year. Delivering safe, fast, transparent Web access that meets workforce needs has never been more challenging.

Business case for content filtering

Gartner recently identified five steps to "dramatically reduce the risk of valuable information ending up in the wrong hands or forcing an embarrassing public disclosure." Topping that list: content monitoring and filtering for common Internet vectors, including email, IM, FTP and HTTP. Email security covers part of this territory; content filtering can tackle the rest.

Web content filters permit or deny outbound HTTP and related requests in accordance with your Internet Acceptable Use Policy (AUP). This can reduce the bandwidth and productivity drain of non-business activities such as personal Web mail, music downloads, online gambling and porn surfing. Documenting countermeasures can limit liability for employee misdeeds or help you comply with industry-specific regulations. For example, the Children's Internet Protection Act requires that schools and libraries prevent online access to sites that are obscene, contain child pornography, or are harmful to minors. Phishing, pharming, drive-by spyware and other Web exploits also offer ample motivation for inspecting responses, preventing HTTP-borne threats from entering your network.

Adding content filtering to your network

Content filters can be deployed on firewalls, Web caches, or dedicated servers/appliances. Although each has its benefits, appliances are designed to offload the burden of URL filtering, detailed HTTP inspection, and Web usage logging -- resource-intensive tasks that could turn a heavily used cache or firewall into a bottleneck. In short, content-filtering appliances complement those systems, adding the muscle and features necessary to efficiently enforce your AUP.

Content-filtering appliances may operate in line and/or out of band. For example, the 8e6 R3000 supports three modes: invisible, router or firewall. In invisible mode, switch port replication copies Web requests to the appliance, which returns a "blocked page" response for denied requests. In router mode, the appliance sits in line, filtering outbound Web requests but not inbound responses. Firewall mode filters both outbound and inbound Web packets. In all cases, outbound Web traffic must be sent through the appliance, by the network or browser. But relying on browser settings (even automated configuration via PAC files) won't cover visitors or unsupported devices/browsers.

Content-filtering appliances should be placed inside your perimeter firewall. The firewall provides TCP/IP screening, while the appliance enforces Web content-specific policies. In larger distributed networks, appliances can be deployed for each site/subnet or in load-balanced clusters. Content filtering adds latency to a transactional application with high user expectations, so performance and transparency are important.
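The gap left by browser-side settings can be measured from the perimeter firewall's connection log. The following is an added example, not code from the original article or from any vendor. It assumes the appliance is used as an explicit proxy at the hypothetical address 10.0.0.25, so filtered requests reach the firewall from that address, and it assumes a constructed five-field log format.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the article): appliance address, internal range,
# web ports, and a firewall log format of "time action src dst dport".
FILTER_APPLIANCE = ipaddress.ip_address("10.0.0.25")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
WEB_PORTS = {80, 443, 8080}

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ALLOW 10.0.0.25 203.0.113.10 443
2024-05-01T09:00:02 ALLOW 10.0.4.17 198.51.100.7 80
2024-05-01T09:00:03 ALLOW 10.0.4.17 198.51.100.7 443
2024-05-01T09:00:04 ALLOW 10.0.9.200 203.0.113.10 443
2024-05-01T09:00:05 ALLOW 10.0.4.18 192.0.2.53 53
2024-05-01T09:00:06 DENY 10.0.7.3 198.51.100.7 80
malformed line
2024-05-01T09:00:07 ALLOW 10.0.4.17 10.0.1.5 443
"""

def find_bypassing_clients(log_text):
    """Count allowed outbound web connections per internal source
    that did not pass through the filtering appliance."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing
        _, action, src, dst, dport = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if action != "ALLOW" or port not in WEB_PORTS:
            continue  # blocked or non-web traffic is not a filter bypass
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue  # only internal-to-external connections matter
        if src_ip != FILTER_APPLIANCE:
            hits[str(src_ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, count in sorted(find_bypassing_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {count} web connection(s) not sent through the appliance")
```

Sources reported here are the visitors and unsupported devices the paragraph above warns about; they are candidates for network-level steering rather than browser settings.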

Finding a content-filtering appliance

Content-filtering features are widely available for firewalls (e.g., CheckPoint, Cisco, eSoft, Fortinet, Juniper, SonicWALL) and Web caches (e.g., Blue Coat, Network Appliance, Network Engines, Stratacache). Such packages leverage a platform that already inspects Web traffic but spreads existing resources across multiple tasks.

Those who prefer to dedicate a system to content filtering can install similar software on an off-the-shelf server, using such products as WebSense Web Security, Secure Computing SmartFilter, SurfControl Web Filter and Symantec Web Security. This focuses resources on content filtering but requires expertise and elbow grease to harden the platform and optimize performance.

Content-filtering appliances combine the TCO advantages of turnkey security hardware with the laser-like focus of a dedicated filtering server.

Some are general-purpose appliances that can be deployed as dedicated content-filtering servers. For example, Crossbeam blade servers can run Secure Computing or Websense content-filtering software. Others are purpose-built appliances developed exclusively to provide "Internet filtering." Which is the better fit for your company? That depends on your filtering feature needs, performance requirements and security architecture.
