One of the necessary evils of business today is the availability of seemingly unlimited web access to employees and customers. Security threats from allowing users web access on company computers are numerous. These include data leaks, loss of employee productivity, malware, phishing and other scams, loss of network bandwidth, as well as liability issues from inappropriate and, at times, illegal content on a network. Fortunately, web filtering capabilities have progressed beyond just blocking access to certain categories of websites or specific URLs. Today’s web filtering software and appliances have many more capabilities that can help businesses protect themselves.
Capabilities of Web Filters
Today’s web filtering devices and software have capabilities even beyond the normal blocking of access to internet sites based on a specific category of websites, keywords, or content of the website. Web filtering can provide some level of malware protection which should include protection against zero-day exploits. It can also include some form of data loss protection capabilities. In addition, web filtering can allow you to block specific services, network protocols, or file types such as FTP, IRC, IM, mp3 audio files, or a variety of video file formats. Of course, not all web filtering offerings have all of these capabilities so they must be evaluated on the basis of what a business needs and can afford.
Content filtering for web filters should be able to recognize uncategorized web content and make filtering decisions based on company policies. An acceptable use policy or internet usage policy should be in place before implementing web filtering. Web filtering is meant to help enforce existing policies. Users should already have a clear knowledge of what is allowed before monitoring and filtering of web access is implemented.
Beyond filtering access to certain web resources, web filtering should also protect against what is being sent out from the computer. With the number of blogs, wikis, social media and other Web 2.0 sites increasing every day, a company’s web filtering solution must be able to inspect outbound content to make sure company data is not being lost. To protect against Web 2.0 content or sites, web filtering should allow very granular control of access to Web 2.0 applications, such as blogs, wikis, or sites such as Facebook or LinkedIn. Since no web filter or other data loss prevention solution will prevent all data loss, computer users should be made aware of the data loss issue and how to guard company information when using social media, blogs, and other Web 2.0 sites. Web filtering should be only one piece of the security puzzle.
Selecting a Web Filtering Solution
The first step in choosing a web filtering solution is to determine its purpose and then match the features of the filter to the company’s needs. Future uses and needs should also be determined to ensure these capabilities are built into the web filtering solution to prevent wasteful spending later.
Here are some questions to ask when selecting a web filtering solution:
- Will the filtering solution fit the size of the company and integrate easily with the existing network infrastructure? If a directory service such as LDAP or Active Directory is being used, will the web filtering solution easily integrate with it?
- If the company does not use a directory service, will the web filtering solution allow you to define policies for users, locally defined groups, or IP addresses or groups of IP addresses? Granular controls for the web filter must allow legitimate web access as well as prevent unwanted traffic.
- If the company has mobile or telecommuting users, does the web filtering solution allow it to control web use of these users? If it does, how difficult is it to set up so that mobile users cannot gain access to the internet without using the web filtering solution? How is web access managed for mobile users, through the cloud or another means? How hard is this to manage?
- Does the URL database have to be manually maintained? This would be extremely time consuming. At the same time, make sure that whitelisted and blacklisted websites can be added.
- Does the web filtering solution allow the company to control web access for individual users, specifically by the time of day, etc.?
- Can the company filter not only on its own LAN, but a wireless LAN or a VPN LAN as well? The VPN LAN may be the best way to handle web filtering for remote or telecommuting users depending on the network design.
- Can the web filtering solution filter both HTTP and HTTPS traffic? Also, can it handle the use of proxy sites? Both proxy sites and HTTPS are used to circumvent web filtering solutions. Any web filtering solution can be circumvented, and there are sites dedicated to this topic; therefore, web filtering solutions should be able to handle at least these two basic circumvention methods.
- Lastly, what are the reporting capabilities and configuration tools of the web filtering solutions? Do the reports provide the information needed to monitor and protect your network? Also, are remote management capabilities required through a web interface? If remote management capabilities are desired, consider the security risk versus the convenience factor.
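The per-user, per-group, per-IP-range and time-of-day controls asked about in the questions above, together with manual whitelist and blacklist entries, come down to a policy decision like the following. This is an added example, not code from the original post or from any GFI product; the hostnames, users, groups, categories, the first-match-wins rule order and the default of blocking uncategorized sites are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    subject: str   # "user:<name>", "group:<name>" or "net:<CIDR>"
    category: str  # site category, or "*" for any category
    action: str    # "allow" or "block"
    start: time = time(0, 0)       # rule is active from this time of day...
    end: time = time(23, 59, 59)   # ...until this time (same-day windows only)

# Constructed sample policy data (hypothetical names throughout).
ALLOWLIST = {"intranet.example.com"}   # manual whitelist entries
BLOCKLIST = {"proxy.example.net"}      # manual blacklist entries
CATEGORIES = {"social.example.org": "social-media", "news.example.org": "news"}
RULES = [
    Rule("net:10.0.9.0/24", "*", "block"),         # guest Wi-Fi range
    Rule("user:alice", "social-media", "allow"),   # individual exception
    Rule("group:staff", "social-media", "allow", time(12, 0), time(13, 0)),
    Rule("group:staff", "social-media", "block"),  # outside the lunch window
    Rule("group:staff", "news", "allow"),
]

def subject_matches(subject, user, groups, src_ip):
    """True if the rule subject names this user, one of their groups, or their network."""
    kind, _, value = subject.partition(":")
    if kind == "user":
        return value == user
    if kind == "group":
        return value in groups
    if kind == "net":
        return ip_address(src_ip) in ip_network(value)
    return False

def decide(host, user, groups, src_ip, now):
    """Return "allow" or "block" for one request; manual lists override rules."""
    if host in BLOCKLIST:
        return "block"
    if host in ALLOWLIST:
        return "allow"
    category = CATEGORIES.get(host, "uncategorized")
    for rule in RULES:  # first matching rule wins (assumed evaluation order)
        if (rule.category in ("*", category)
                and subject_matches(rule.subject, user, groups, src_ip)
                and rule.start <= now <= rule.end):
            return rule.action
    return "block"  # assumed default: uncategorized or unmatched traffic is denied
```

Without a directory service, the `groups` argument would come from locally defined groups, and the `net:` subjects cover the case where only IP addresses or ranges are available.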
One final important consideration is the security features of any web filtering solution. If it can be easily circumvented or hacked into, it won’t do the company much good. Researching the answers to the above questions should help in narrowing down the many different web filtering offerings out on the market today. Always keep in mind, though, that web filtering is just one tool that can be used to protect the network.
This guest post was provided by Sean McCreary on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information about GFI’s web filtering solution can be found at http://www.gfi.com/internet-monitoring-software
All product and company names herein may be trademarks of their respective owners.
RetroHack is happy to consider guest posts. If you’re interested in submitting a post to this blog, please contact us rather than leaving a comment to this particular post. No compensation was offered, requested, expected, or received for posting this article…it’s just good content.