Web filtering’s second act

Once used just to keep workers on task, filters are now a cornerstone of enterprise security

Editor's note: This story was updated at 10:45 a.m. July 27, 2006, to correct that Devin Redmond is senior product manager at WebSense, not vice president of product marketing.

The once-straightforward process of Web filtering has become far more complex — and crucial — for government agencies. A few years ago, government information technology managers addressed the main risks associated with employee Internet access by simply blocking Web sites that contained inappropriate keywords. Back then, the primary concerns were users who were looking at pornography or gambling on the organizations’ time.

With new risks from malicious Internet-borne code and pernicious Web-based fraud schemes — some of which can bring down a network, compromise organizational security and generally make life difficult for IT employees — Web filtering is a whole new and far more complex ballgame. New wireless and remote connectivity options that support mobile workers and teleworkers also raise fresh challenges.

The new threats are fueling an evolution in Web-filtering software. Once a technology for addressing user productivity, bandwidth efficiency, and legal or liability issues, Web filtering is now all about security.

“We did have a number of infections and issues with spyware prior to putting [a Web filter] in place, and I can only imagine that would have grown astronomically, based on what you read and see happening,” said Andy Atencio, information and technology manager for Greenwood Village, Colo., which uses Web-filtering software on a network for the town’s 250 employees.

“For us, the biggest benefit to the technology is our ability to, on yet another level, protect our network infrastructure,” he said. “There are so many different types of threats and new threats being developed every day. If you aren’t protecting your infrastructure at multiple levels, you are just asking for trouble.”

Security concerns emerge

In the past year or so, security has become paramount for organizations looking to deploy Web-filtering software, said Lawrence Orans, a networking and communications analyst at Gartner.

“In the early days of the Internet boom, organizations were driven to implement URL-filtering solutions for three reasons: to protect themselves from legal liability, to safeguard bandwidth and to mitigate a loss of productivity from employees,” Orans said. “In 2005, security jumped to the top of this list. Organizations increasingly use URL filtering as a first line of defense by blocking access to Web sites that spread spyware and other forms of malware.”

Vendors have also noticed a shift in those IT management concerns and have included the appropriate features in their products to ensure that more recent threats do not intrude on networks.

Web filters work by checking requested addresses against databases that identify undesirable Web pages. Vendors constantly update their databases using teams of Web analysts and automated software tools that scour the Internet for problematic content. Secure Computing maintains a database that has millions of Web addresses and data from 66 countries, said Paul Henry, the company’s vice president of strategic accounts.

The scope of the sites covered by the databases reflects the new mission of Web-filtering products. For example, SurfControl’s database of Web addresses contains the following groups:

  • Viruses and blended threats.
  • Malicious applications.
  • Legal liability.
  • Confidentiality and privacy.
  • Asset protection.
  • Productivity.

In a move akin to forming a neighborhood watch, some filter vendors now allow users to add Web addresses and file download rules to their organizations’ threat databases, said Shawn McCarthy, program manager for U.S. IT opportunities in the Government and Education division at IDC’s Government Insights group.

“This takes time, but it helps establish proper filtering,” McCarthy said.

Besides keeping an eye out for new Web-based threats, vendors have also adapted their products to support changes in how organizations work. For example, some products now let managers apply the same filtering rules to users who are working at home or traveling.

“You need to cover folks off the government network,” said Devin Redmond, senior product manager at WebSense. “For teleworkers, there are security aspects with laptops and productivity, as well as accountability. What if they are logging in at Starbucks? That’s why we’ve added remote filtering, now a key feature.”

Available as an addition to the company’s WebSense Enterprise Suite or Web Security Suite, remote filtering software redirects HTTP requests on remote workers’ computers to a WebSense Policy Server. It then allows or blocks access according to preset rules.

Vendors have also recently improved their products’ reporting capabilities. Some organizations are reluctant to aggressively monitor their employees’ Web use, but circumstances arise when they need to analyze Web traffic.

Using the reports, IT employees can pinpoint threats, their origins, and their status and activity on the internal network. The reports also identify which computer first accessed the pernicious code.
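The lookup, allow-or-block decision and first-access report described above can be sketched as follows. This is an added example, not any vendor's code: the hostnames, client addresses, policy table and the allow-by-default rule for uncategorized sites are constructed assumptions, and only the category names come from the list above.

```python
from urllib.parse import urlsplit

# Constructed category database (hostnames are made up; category names
# follow the groups the article lists).
CATEGORY_DB = {
    "malware-host.example": "Malicious applications",
    "blended.example": "Viruses and blended threats",
    "auctions.example": "Productivity",
}
# Hypothetical preset rules: category -> action.
POLICY = {
    "Malicious applications": "block",
    "Viruses and blended threats": "block",
    "Productivity": "allow",
}

def host_of(url):
    """Extract the real target host: ignores userinfo, case, trailing dot."""
    if "//" not in url:
        url = "//" + url          # bare "host/path" form
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def categorize(url):
    """Match whole DNS labels, so 'notmalware-host.example' is not a hit."""
    labels = host_of(url).split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None

def decide(url, default="allow"):
    """Return (category, action); uncategorized URLs get the assumed default."""
    category = categorize(url)
    return category, POLICY.get(category, default)

def first_access_report(requests):
    """Map each blocked host to the first client that requested it."""
    first = {}
    for client, url in requests:
        category, action = decide(url)
        if action == "block":
            first.setdefault(host_of(url), (client, category))
    return first

# Constructed request log: (client address, requested URL).
REQUESTS = [
    ("10.0.0.12", "http://auctions.example/item/1"),
    ("10.0.0.31", "http://auctions.example@dl.malware-host.example./a.exe"),
    ("10.0.0.12", "http://DL.Malware-Host.example/a.exe"),
    ("10.0.0.40", "http://notmalware-host.example/"),
]
```

Parsing the host before the lookup matters: a substring match on the raw URL would file the second request under the allowed auction site named in its userinfo part instead of the blocked download host.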

Besides blocking user access to potentially harmful Web sites, Greenwood Village officials use their Web filter to passively monitor employees’ Internet use, Atencio said. The filter constantly logs usage data, but managers only review that information if they question an employee’s on-the-job performance.

Alabama reaps filtering benefits

Once an organization deploys a solution, who should administer Web filtering? It depends on the organization, but central control usually resides in a network operations center, whose administrators set overall filtering policies in accordance with agency policies. From there, departmental or geographically dispersed users might have subsets of filtering rules, which an IT manager at those locations oversees, Redmond said.

Alabama officials spent about $150,000 for a Web-filtering appliance from Blue Coat Systems that could help them curb employees’ improper Internet use and protect the state’s computers from security threats, said Jim Burns, Alabama’s chief information officer.

State officials let workers access certain Web sites and Web mail services, but the organization now has much more control over file downloads and other potentially harmful transactions, Burns said.

“We’re not as draconian as banks, for example,” Burns said. “We let people check eBay once in a while or ESPN. But when the network was unfiltered, people presumed downloading porn was OK, because there wasn’t any emphasis on that, even though a policy was in place. People had explicit images on their computers that could have been construed as sexual harassment.”

Because Alabama buys $10,000 worth of network bandwidth per month from BellSouth, the errant Web browsing was also costing taxpayers. The Blue Coat WebFilter system has already paid for itself in bandwidth cost savings, Burns said.

“We could see the [return on investment] in 15 months, and that’s not even including worker productivity and the legal and security aspects,” Burns said.

The complex nature of business and personal interactions via the Web and the panoply of malicious threats are driving organizations to restrict user access to the Internet while at work.

“Web filtering is still in an evolution,” said Jim Murphy, vice president of product marketing at SurfControl. “The world is morphing beyond the Web and e-mail. More and more Internet applications facilitate data transfer. Plus, we have Web services, Web-based e-mail, peer-to-peer file sharing and voice over IP. Information control is the key.”

Webster is a freelance writer covering technology and outdoors topics, based in Providence, R.I.

Choosing a solution

Web filter newcomers such as Secure Computing, 8e6 Technologies, Tangent and others have joined market veterans such as WebSense and SurfControl. Depending on the vendor, the solutions vary in form and include stand-alone software, software plug-ins that work with other management or security suites, and hardware appliances.

Choosing the right product will depend on a variety of factors specific to each organization, but Shawn McCarthy, program manager for U.S. information technology opportunities in the Government and Education division at IDC’s Government Insights group, offers two general tips to get the ball rolling.

Agencies should look for products that have undergone the Common Vulnerabilities and Exposures (CVE) process review, McCarthy said. Products in compliance with CVE use a standard set of names to describe security problems, which makes it easier for different security and management tools to share information.

“Beyond that, the most competitive companies in this space — and in general — are those that are dedicated, stand-alone products,” McCarthy said.

— John S. Webster

New Web threats keep filters busy

Web-based threats to network security have become more bountiful — and more costly — in the past several years. In the early 2000s, bandwidth-intensive pornographic videos and peer-to-peer file transfers — such as movies and MP3 music files — created the biggest problems for Web filters. But now the filters must quickly identify, locate and counter many complex, duplicitous Web-based codes created by malicious hackers intent on crashing government networks. Here are the most prevalent threats.

Key loggers: When downloaded to an organization’s internal network, this code records users’ keystrokes, such as passwords, and sends the information to a third-party site for unauthorized use.

Phishing: This ruse starts with a spam message that encourages readers to click on a link to a counterfeit Web site. The links appear familiar and innocuous, such as links to MSN’s help page or an American Express account. Once clicked, the link directs the Web browser to a fraudulent Web site, which often asks users to supply account numbers, passwords and other personal information.

Malware: Such application code installs itself on the network and creates technical problems, sometimes bringing down entire software infrastructures. For example, in a distributed denial-of-service attack, the code could trigger a zombie attack timed for release on the network to cripple an organization’s infrastructure.

Pop-up windows, graphics and JPG files: Similar to phishing scams and disguised as innocent-looking images, these items can be links to malicious Web sites.

Spyware: This software places cookies on users’ computers, usually without their knowledge, and can send Web behavior and personal information to a third-party site.

Blended threats: These threats can be any combination of the previous ones or they can feature new threats. They are becoming more frequent and require more sophisticated filtering software for detection.

— John S. Webster
