Web filtering’s second act
Once used just to keep workers on task, filters are now a cornerstone of enterprise security
- By John S. Webster
- Jul 24, 2006
Editor's note: This story was updated at 10:45 a.m. July 27, 2006, to correct that Devin Redmond is senior product manager at WebSense, vice president of product marketing.
The once-straightforward process of Web filtering has become far more complex — and crucial — for government agencies. A few years ago, government information technology managers addressed the main risks associated with employee Internet access by simply blocking Web sites that contained inappropriate keywords. Back then, the primary concerns were users who were looking at pornography or gambling on the organizations’ time.
With new risks from malicious Internet-borne code and pernicious Web-based fraud schemes — some of which can bring down a network, compromise organizational security and generally make life difficult for IT employees — Web filtering is a whole new and far more complex ballgame. New wireless and remote connectivity options that support mobile workers and teleworkers also raise fresh challenges.
The new threats are fueling an evolution in Web-filtering software. Once a technology for addressing user productivity, bandwidth efficiency, and legal or liability issues, Web filtering is now all about security.
“We did have a number of infections and issues with spyware prior to putting [a Web filter] in place, and I can only imagine that would have grown astronomically, based on what you read and see happening,” said Andy Atencio, information and technology manager for Greenwood Village, Colo., which uses Web-filtering software on a network for the town’s 250 employees.
“For us, the biggest benefit to the technology is our ability to, on yet another level, protect our network infrastructure,” he said. “There are so many different types of threats and new threats being developed every day. If you aren’t protecting your infrastructure at multiple levels, you are just asking for trouble.”
Security concerns emerge
In the past year or so, security has become paramount for organizations looking to deploy Web-filtering software, said Lawrence Orans, a networking and communications analyst at Gartner.
“In the early days of the Internet boom, organizations were driven to implement URL-filtering solutions for three reasons: to protect themselves from legal liability, to safeguard bandwidth and to mitigate a loss of productivity from employees,” Orans said. “In 2005, security jumped to the top of this list. Organizations increasingly use URL filtering as a first line of defense by blocking access to Web sites that spread spyware and other forms of malware.”
Vendors have also noticed a shift in those IT management concerns and have included the appropriate features in their products to ensure that more recent threats do not intrude on networks.
Web filters work by scanning databases that identify the addresses of undesirable Web pages. Vendors constantly update their databases using teams of Web analysts and automated software tools that scour the Internet for problematic content. Secure Computing maintains a database that has millions of Web addresses and data from 66 countries, said Paul Henry, the company’s vice president of strategic accounts.
The scope of the sites covered by the databases reflects the new mission of Web-filtering products. For example, SurfControl’s database of Web addresses contains the following groups:
- Viruses and blended threats.
- Malicious applications.
- Legal liability.
- Confidentiality and privacy.
- Asset protection.
In a move akin to forming a neighborhood watch, some filter vendors now allow users to add Web addresses and file download rules to their organizations’ threat databases, said Shawn McCarthy, program manager for U.S. IT opportunities in the Government and Education division at IDC’s Government Insights group.
“This takes time, but it helps establish proper filtering,” McCarthy said.
Besides keeping an eye out for new Web-based threats, vendors have also adapted their products to support changes in how organizations work. For example, some products now let managers apply the same filtering rules to users who are working at home or traveling.
“You need to cover folks off the government network,” said Devin Redmond, senior product manager at WebSense. “For teleworkers, there are security aspects with laptops and productivity, as well as accountability. What if they are logging in at Starbucks? That’s why we’ve added remote filtering, now a key feature.”
Available as an addition to the company’s WebSense Enterprise Suite or Web Security Suite, remote filtering software redirects HTTP requests on remote workers’ computers to a WebSense Policy Server. It then allows or blocks access according to preset rules.
Vendors have also recently improved their products’ reporting capabilities. Some organizations are reluctant to aggressively monitor their employees’ Web use, but circumstances arise when they need to analyze Web traffic.
Using the reports, IT employees can pinpoint threats, their origins, and their status and activity on the internal network. The reports also identify which computer first accessed the pernicious code.
Besides blocking user access to potentially harmful Web sites, Greenwood Village officials use their Web filter to passively monitor employees’ Internet use, Atencio said. The filter constantly logs usage data, but managers only review that information if they question an employee’s on-the-job performance.
Alabama reaps filtering benefits
Once an organization deploys a solution, who should administer Web filtering? It depends on the organization, but central control usually resides in a network operations center, whose administrators set overall filtering policies in accordance with agency policies. From there, departmental or geographically dispersed users might have subsets of filtering rules, which an IT manager at those locations oversees, Redmond said.
Alabama officials spent about $150,000 for a Web-filtering appliance from Blue Coat Systems that could help them curb employees’ improper Internet use and protect the state’s computers from security threats, said Jim Burns, Alabama’s chief information officer.
State officials let workers access certain Web sites and Web mail services, but the organization now has much more control over file downloads and other potentially harmful transactions, Burns said.
“We’re not as draconian as banks, for example,” Burns said. “We let people check eBay once in a while or ESPN. But when the network was unfiltered, people presumed downloading porn was OK, because there wasn’t any emphasis on that, even though a policy was in place. People had explicit images on their computers that could have been construed as sexual harassment.”
Because Alabama buys $10,000 worth of network bandwidth per month from BellSouth, the errant Web browsing was also costing taxpayers. The Blue Coat WebFilter system has already paid for itself in bandwidth cost savings, Burns said.
“We could see the [return on investment] in 15 months, and that’s not even including worker productivity and the legal and security aspects,” Burns said.
The complex nature of business and personal interactions via the Web and the panoply of malicious threats are driving organizations to restrict user access to the Internet while at work.
“Web filtering is still in an evolution,” said Jim Murphy, vice president of product marketing at SurfControl. “The world is morphing beyond the Web and e-mail. More and more Internet applications facilitate data transfer. Plus, we have Web services, Web-based e-mail, peer-to-peer file sharing and voice over IP. Information control is the key.”
Webster is a freelance writer covering technology and outdoors topics, based in Providence, R.I.