It’s not always paranoia if you think your users are up to something. And you can bet that the corporate internet connection isn’t full of work-orientated traffic. Instead you’re likely to find users browsing the web as they see fit. The problem with this is threefold. First, the internet connection is slower for genuine work traffic. Second, employees can be downloading offensive or illegal materials, which you as the administrator could be held liable for. Finally, there’s a loss of productivity associated with this kind of activity.
It’s clear that browsing at work should be restricted, which is where web filtering comes into play. The majority of products in this test work by restricting access based on URL. The list of URLs is categorised by the software vendor and, like AV software, regularly updated. So, while the software will miss the brand new sites it’s still enough of a deterrent to cut back on uncontrolled surfing.
Company secrets
The last product, WEBsweeper from Baltimore, is designed to work on a different principle and check the actual content being downloaded. This, for example, can be used to check the contents of a web-based e-mail form to make sure that no company secrets are being sent out via this often unchecked service. This kind of software can be used in conjunction with standard URL filtering to give more complete protection.
SURFCONTROL
SUPERSCOUT
The guide to acceptable use policies is useful even if you decide not to buy
SurfControl SuperScout will fit into many different environments, as it doesn’t necessarily need a third-party proxy server to work. While the usual suspects – Microsoft ISA and Proxy and Checkpoint – are supported, the product will also operate in promiscuous mode.
This works by ‘sniffing’ the Lan for web traffic and resetting connections for traffic destined for banned websites. Of course, for this to work properly you need to make sure that the server is located on the main throughway to the internet gateway. This can be achieved by setting up a spanning port on the switch that the gateway is connected to. Fortunately, these points are covered in the installation documentation.
Once the software is in place, the obvious thing to do is set up an acceptable use policy. SurfControl provides a free guide to help you achieve this. It’s even useful if you decide that SuperScout isn’t the product for you.
Assuming that you know what you want to enforce, there are two main programs used to control operation – rules administrator and monitor.
Monitor records all the surfing going on in the building and who’s visiting where. As a standalone tool this is very useful. In fact, some companies make a living out of just providing this side of the equation.
Once the data has been collected there’s a huge amount of reports that can be generated to show exactly what’s happening on the network. For example, you can see who’s doing the most browsing or to how many sites users have been denied access. This kind of information is useful when it comes to refining, or creating, the acceptable use policy.
The next stage is to use the rules administrator to put this information to use. Fortunately, it’s a breeze to do this. The rules created are akin to those used in a firewall and are made up of four elements – who, where, when and notify.
Who’s who
Before rules can be created, these elements need to be completed. For example, the who section needs elements to identify a single browser. This can be host name, IP address or user name.
Anything monitored is automatically imported by the rules administrator. Once you have your list of users or machines, it’s possible to group them together in a who list. This is useful for creating policies based on work groups, such as sales or marketing.
A similar process is carried out for the where elements. The noticeable difference is that there’s already a list of categorised websites. These relate to the URL database, which is automatically updated through the scheduler software. For the most part it’s easier to work with entire categories, such as ‘Adult/Sexually Explicit’.
SURFCONTROL
Product SuperScout
Installation ★★★★
Management ★★★★★
Documentation ★★★★
Performance ★★★★
Overall rating ★★★★★
Internet under control
Web filtering benchtest
Web filtering software can help to speed up employee productivity and internet connections, as well as giving network managers peace of mind, says David Ludlow
The when section is used to create time blocks. For example, you could create a time block that represents the working day. Finally, notify sets up who to send e-mail notifications to.
Once this is complete, rule creation is laughably easy – drag the elements you want into the rules window and select to allow or deny the rule. So dragging the ‘Sales’ work group, ‘Adult’ category and ‘Work Hours’ time block into the window and selecting deny does exactly what you think it will.
This component-based method of rule generation makes it easier to update the acceptable use policy as time goes on. The only thing to be aware of is the order in which the rules execute. Like a firewall, rules operate in list order. No rule further down the list can override a rule further up the list.
As a result, a rule designed to block all access to all websites that appears first in the list will deny all users no matter what another rule says. Fortunately, the software automatically warns if such a general rule is created. We’d suggest that the rules at the top of the list should be the very precise ones, while the more general rules should sit at the bottom.
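The ordering behaviour described above, modelled in Python as an added example (not SurfControl's code or rule format): the first matching rule decides, and a check flags any rule that an earlier, broader rule makes unreachable. The `*` wildcard, the 'News' category, the work-hours times and the allow-by-default fallback are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

ANY = "*"  # assumed wildcard meaning "every who / where / when"

# Constructed time block; the name follows the article's 'Work Hours' example.
TIME_BLOCKS = {"Work Hours": (time(9, 0), time(17, 30))}


@dataclass(frozen=True)
class Rule:
    who: str     # work group, or ANY
    where: str   # URL category, or ANY
    when: str    # time block name, or ANY
    allow: bool  # True = allow, False = deny


def _field_matches(rule_value, actual):
    return rule_value == ANY or rule_value == actual


def _in_block(block, now):
    if block == ANY:
        return True
    start, end = TIME_BLOCKS[block]
    return start <= now < end


def evaluate(rules, group, category, now, default_allow=True):
    """First match wins: return (allowed, index of deciding rule or None)."""
    for index, rule in enumerate(rules):
        if (_field_matches(rule.who, group)
                and _field_matches(rule.where, category)
                and _in_block(rule.when, now)):
            return rule.allow, index
    return default_allow, None  # assumed fallback when no rule matches


def shadowed(rules):
    """Return (earlier, later) index pairs where the earlier rule matches every
    request the later one could match, so the later rule can never fire."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if all(_field_matches(e, l) for e, l in (
                    (earlier.who, later.who),
                    (earlier.where, later.where),
                    (earlier.when, later.when))):
                pairs.append((i, j))
                break
    return pairs


# General rule first: it swallows everything listed below it.
GENERAL_FIRST = [
    Rule(ANY, ANY, ANY, allow=False),
    Rule("Sales", "News", ANY, allow=True),
]

# Precise rules at the top, general rule at the bottom, as the article suggests.
PRECISE_FIRST = [
    Rule("Sales", "News", ANY, allow=True),
    Rule("Sales", "Adult", "Work Hours", allow=False),
    Rule(ANY, ANY, ANY, allow=False),
]

if __name__ == "__main__":
    ten = time(10, 0)
    print(evaluate(GENERAL_FIRST, "Sales", "News", ten), shadowed(GENERAL_FIRST))
    print(evaluate(PRECISE_FIRST, "Sales", "News", ten), shadowed(PRECISE_FIRST))
```

Running `shadowed()` over a rule list before deploying it gives the same kind of warning the article credits to the product: any pair it returns names a rule that will never be reached.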
Overall, this remains one of the best pieces of software on the market for filtering URLs. A lot of work has gone into making it easy to use, while not losing any of the power behind the product.
FUTURESOFT
DYNACOMM I:FILTER
It’s easy to keep a watchful eye on the network without really having to do a lot
The DynaComm i:filter from FutureSoft is similar in operation to SurfControl’s SuperScout. It sits on the local network and ‘sniffs’ web connections. When it finds a request being made to a site that is blacklisted, it resets the TCP connection and sends a denied page to the offending machine.
However, this is the only mode that the product can work in. If you have a proxy server in place, then i:filter will not work in conjunction with it. In addition, it’s not as easy to get up and running as other products in the test.
After the basic installation – which takes an age – the software is still not ready to run. A promiscuous mode network driver has to be installed so that the product can perform its job. This driver has to be installed manually from the installation directory, which requires another reboot of the machine.
There are two main applications that can be used to enforce the acceptable use policy – Bloodhound and the management console.
Redundant Bloodhound
Bloodhound is designed as a monitoring program to see what’s happening on the Lan. However, it’s not actually that useful. It will only display a list of websites that have been visited since it started.
Current state information is lost on closing the application. On top of this, it can’t be used to directly generate any reports. This is performed through the management console, making Bloodhound a mostly redundant tool.
Fortunately, things get better with the management console. Visually, it follows the design layout of the Microsoft Management Console (MMC). All of the product features are listed in a tree menu running down the right-hand side of the screen, while options for each feature are displayed in the main window.
The first task is to import network monitors into the console to be told which policy to enforce. This is a mission in itself.
It’s not just a matter of telling it which machines have the software installed. The monitor also needs to be told which network addresses it is to monitor.
This requires typing the network address and its type (A, B or C) as the number of bits that represent its size. For example, a class C network has a 24-bit number representing the number of available nodes on that network.
The product is based around rules. A rule states if an action is allowed or denied and who, when and where it applies to.
This does require some basic work to populate the software with data relating to the local network. If you want to create rules based on individual machines then you need to input that data. Unfortunately, this doesn’t accept user names as only Netbios, IP or Ethernet addresses are supported.
The software does come with some good defaults in place. The setup comes with time intervals that describe work hours and out of work hours and these can be used inside a rule to let users browse unproductive websites outside of work. Setting up new time intervals is an easy process using a time grid. Each square represents one hour of the day and each day of the week is represented.
The next step is to select which websites a rule applies to, which is helped by the category definitions. These relate to the contents of the URL database – called the destinations database internally. There’s a category to describe most activities on the web so it’s easy to enforce the policy that you’ve created.
Updates to the database are performed according to the manually set up scheduler task. The scheduler can also be used to gather logs from multiple network monitors and to generate reports. There are a lot of canned reports available, so it’s no problem keeping a watchful eye on the network without really having to do a lot of work.
Overall, the software does do the job properly, but it’s not quite as intuitive as other products.
FUTURESOFT
Product DynaComm i:filter
Installation ★★
Management ★★★★
Documentation ★★★
Performance ★★★
Overall rating ★★★
ST. BERNARD
IPRISM
Easy to set up and the appliance’s profiles are a good way to manage access
The iPrism is one of the only appliances for web filtering on the market. The rationale behind this is that it’s easier to set up and manage – and firewalls moved the same way.
Updates to the URL database are performed daily. St. Bernard is particularly proud of the method used to search out new URLs, which the company calls I-Guard.
Spiders crawl the web and check sites for content, automatically categorising them. On top of this, the human touch is applied with a team of people who check out the URLs as they come in. This ensures that categorisation is correct.
The actual product comes as a 1U-high bright-purple box and is similar in appearance to a firewall thanks to the dual network interfaces labelled ‘Internal’ and ‘External’ respectively. The box then acts as a proxy server for all web traffic.
However, the physical interfaces don’t have the standard lights to show the link status. This potentially can make it difficult to tell if the device is connected to the network properly. Once connected, the setup is designed to be as quick and easy as possible. The box comes configured with a default IP address. The Java-based management software can then connect to this and input a proper configuration.
This first connection is basically to get the device visible on the local subnet and to set how the interfaces will be seen. The easiest option is to go for the bridging option where the device sits between the local network and the firewall. This installation doesn’t require any client-side configuration.
Once this basic configuration is applied, the job falls to enforcing the local acceptable use policy.
The first step to rule generation is to understand how the box works internally. At the top level are content categories, with sub-categories inside. For example, there is a sex category that has the sub-categories nudity and pornography.
Controlling categories
The categories are quite broad and cover all ranges of internet use including health, recreation and business. All updates to the URL database, automatically retrieved on a daily basis, are downloaded into these categories.
Categories are then used inside profiles to determine which sites are blocked and which are allowed. A profile contains an access control list (ACL) that states if each subcategory should be allowed, monitored or denied. A profile can contain multiple ACLs, which becomes useful when combined with the time override feature.
We told the system to block all pornographic sites using one ACL, while we told another to block all shopping sites during the day, but to allow them after work hours.
This kind of scheduling has a graphical interface. A grid of squares, each one representing 15 minutes, is used to highlight when the ACL is enforced. Each ACL in a policy is represented by a different colour, which can get confusing when multiple ACLs overlap.
Part of the problem lies with the Java interface, which is not very stable running under IE. In fact, St. Bernard ships a copy of Netscape 4.7 on the provided CD along with the Java virtual machine.
After a profile has been created it needs to be attached to the physical object. Two choices exist – network or user. If the network option is taken then any device within a given range of IP addresses falls prey to the profile.
Alternatively, by creating a list of users, each user can have their own profile that overrides the basic network profile. If this is the case, then the most secure option is to have one network profile that denies all web access and user profiles that map to real profiles.
ST. BERNARD
Product iPrism
Installation ★★★★
Management ★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
St. Bernard’s iPrism is packed full of options which allow it to be customised
TABLE OF RESULTS
Company | Product | Website | Contact no | Price | Installation | Management | Documentation | Performance | Overall rating
SURFCONTROL | SuperScout | www.surfcontrol.com | 01260 296150 | £955 | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★
FUTURESOFT | Dynacomm i:filter | www.futuresoft.com | 01260 292222 | £1800 | ★★ | ★★★★ | ★★★ | ★★★ | ★★★
ST. BERNARD | iPrism | www.stbernard.com | 01276 609717 | £2000 | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★
WEBSENSE | Enterprise 4.3 | www.websense.com | 0870 4581113 | £1645 | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★
8e6 | X-Stop 4.5 | www.8e6technologies.com | 020 83993111 | £885 | ★★ | ★ | ★★★ | ★★★ | ★★
BALTIMORE | WEBsweeper 4 | www.baltimore.com | 0118 9301300 | £1260 | ★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★
The only thing to watch out for with user profiles is that the proxy server setting has to be turned on in each user’s browser for the authentication to work. We also had the problem that we couldn’t create user groups, only single users. The only way to get round this restriction is to pass all authentication requests onto an LDAP server instead.
Denied page problems
The system is packed full of options to allow it to be customised. Even with the I-Guard technology there will be cases where certain websites will be missed by the software. If the administrator should discover one, then they can enter this into the software.
The only thing difficult to deal with is the denied page, which is displayed every time a user tries to access an unproductive site. The box gives the option to put some contact details on the bottom of the default page, or to give the URL of the denied page. We’d have liked this customisation to be available directly on the box.
Overall, while the interface gave us some problems, the appliance is easy to set up. The profiles are a good way to manage access, as they’re a customisable method of locking down the box.
WEBSENSE
IPRISM
‘Intelligent’ software is comprehensive, while remaining easy to use
Websense Enterprise has the biggest supported range of third-party servers in this test.
Microsoft, Netscape and even NetScreen firewalls and CacheFlow products are amongst the choice. However, the software does not have a standalone version and needs one of these products to work.
Despite this, there is no direct need for the Websense server to sit on the same machine as the proxy server. It’s quite happy just communicating, although this will obviously generate more network traffic. The choice for position is likely to come down to the size of the network and the number of users that need to be supported.
Once installation is complete, a server can be managed anywhere on the network via the Websense manager. The first time the manager connects to a new server it requests that a new password is entered to lock configuration. After this anyone connecting to the server must provide the password.
We found the console, and the way it worked, easy to pick up. As with other software in this test, policies are built around components, such as who, when and where.
Inside Websense it’s best to start defining who to block, which can be done on four levels – user, group, workstation or network.
The user and group level lets the administrator personalise the level of filtering in very fine detail. Users can be imported from either an LDAP or Windows-based server. Groups are a method of tying users together in a logical order.
Workstations and Networks are more usefully defined for general rules to pick up the slack where users don’t exist. So if you want to use a network rule to block all sites, this will prevent people without a username and password from surfing the web.
Once these entries have been populated, policies to control them need to be put in place. These define the times and days that the policy is in place and which sites to block and allow. This choice comes from picking a category set. The software comes with default sets to allow or deny all sites, but user-defined lists can be created to match the acceptable use policy.
This involves choosing from a list of categories to allow or deny. Categories are also split into sub-categories, so rules can either be applied to the top-level or individually down the list. For example, under ‘Information Technology’, ‘Web Hosting’ could be allowed, while ‘Hacking’ is denied.
Multiple category sets can be attached to a policy, triggered to operate at different times. Each user, group, workstation and network needs to have a policy selected from the drop down list.
A neat feature of the software comes from entering in user URLs. This kind of entry typically appears in its own category and is then uniformly blocked. Fortunately, this software is a little more intelligent.
WEBSENSE
Product Enterprise 4.3
Installation ★★★
Management ★★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
Daily updates to the database
Any custom URLs are entered into the existing category structure allowing them to immediately take part in existing policies. Of course, you don’t have to do this too often, as Websense updates the URL database daily and the default scheduling will download the new database overnight. While this suits most environments, the schedule can be modified.
The same server configuration screens are also used to enter in an e-mail address of an administrator. This is used for notification if the local policy is broken.
Overall, the software is comprehensive while remaining easy to use. However, the lack of standalone support means it won’t be suitable for smaller networks without this kind of equipment.
8E6 TECHNOLOGIES
X-STOP 4.5
Looks dated and there are no online help files. Pick a different product
X-Stop from 8e6 Technologies manages to squeeze all of its functionality into a 1.9MB installation file. The reason for this became painfully obvious when we installed the software and found that there’s not a lot to it.
Management revolves around a single application running on the host machine. It looks very dated and doesn’t even have simple functionality, such as online help files. Instead the manual will have to be used on many occasions, as the purpose of some features in the console is not immediately obvious.
The application consists of one window with multiple tabs used to set the program’s options. The first tab is used to define default actions for the software should any other profile not match. The default setting will deny requests made to all web pages stored in the local library – not all requests – but can be modified if necessary.
The best bet is to leave this section in place and muddle through the more detailed profiles. These profiles can work on a network or domain basis. The network choice is just a list of IP addresses, while the domain basis can drill down to the NT Domain user level. This is probably the better choice as it gives more control over settings.
Once the profile has been created, the website categories associated with the profile need to be set. This is through the use of simple tick boxes, which can be irritating if a lot of profiles have to be created.
White list websites
For each category chosen there are multiple options to choose: blocking, monitoring or white list. After scouring through the manual we found out that white list specifically allows a website. The manual also states that this option can be used to create a white list of acceptable websites – provided you can be bothered to type them all in.
Each profile can also have a schedule attached to it, but it’s not easy to do. First, a category profile must be created. This states which categories of site are allowed or denied. Then a colour must be associated with the profile. The manual warns that white is the worst colour to pick, however, this is the default.
With the category profile in place, the original network or domain profile has to be edited again. Under the time options tab a grid is brought up, representing the entire week, day and time. Selecting the category profile from a drop-down menu selects the category profile and the grid can be filled in with its associated colour. It’s a long way round doing something that is essentially easy.
Unfortunately, easy is not a word we would associate with this software. For example, there are only three types of report that can be generated – showing which sites were visited, blocked or allowed. While the report can be made based on a single user, the administrator has to manually enter in data that relates to that particular user.
We also had trouble using the database editor. A dialogue box appears with a text entry box for the URL, a category selector and an add and remove button. However, when we selected a category and started typing, an error message appeared: ‘Unable to search. Search process failed! Please try again later’.
Overall, it’s difficult to rate a product like this when there are so many better choices on the market. It also needs third-party software to work so it’s not even suitable for the lower end of the market. Our advice would be to pick one of the other products in this test.
BALTIMORE
WEBSWEEPER 4
Deals with the threats of the internet, without blindly denying access to all sites
WEBsweeper isn’t really about URL filtering. The product looks at web page content and makes decisions based on that. For example, e-mail is a common threat to a company, but web-based e-mail is often ignored.
WEBsweeper checks the content of forms as they’re submitted and ensures that company policy is not broken. The only thing it can’t check is the content of SSL sites. However, using proxies such as SafeWeb won’t fool the software (see user tricks box on page 18).
WEBsweeper works by sitting between the users and the internet. Before a user can access any web page it is checked for content. Only when a page passes the checks is it passed onto the user. Typically this means that web pages are a few seconds slower in downloading.
WEBsweeper has been around for a while, but version 4 is a massive departure from previous incarnations. This will come as a relief to anyone who played with version 3, which was difficult to get working.
The main advancement is the way the software works. Previous versions needed a third-party proxy server to work, which could be difficult to set up. Version 4 still supports this operating mode, but can also act as a proxy server. Another big change is the management console, which drags WEBsweeper into line with MIMEsweeper. Running under MMC it gives access to the rules mechanism of the software, which conceptually follows the other Baltimore products.
8e6 TECHNOLOGIES
Product X-Stop
Installation ★★
Management ★
Documentation ★★★
Performance ★★★
Overall rating ★★
The concept is simple – web traffic passes through a list of scenarios that classify the traffic according to user-defined classifications. From here the classification engine springs into action. Each defined classification has a list of rules that specify what should be done. The offending site could be blocked with a custom error page while the administrator is alerted via e-mail.
The software has a large range of checks that can be used to classify traffic and it’s not hard to build up a profile to deny all unwanted surfing. Each scenario has three different checks that can be performed – URL list, text search and the Platform for Internet Content Selection (PICS).
Trustworthy and legitimate
This is a system that categorises sites based on submissions of the web master. For the most part this is an honour system, but as most legitimate pay sites follow the rules it makes sense to check for it.
Obviously, not everyone is trustworthy, so simple URL blocking is provided. However, Baltimore does not provide URL list updates and it’s quite difficult to block. The next best option is to use the text search.
This option looks for key phrases on a website. Each phrase has a score, which is added to the total for the web page every time that phrase appears. If the final tally exceeds the pre-defined score limit then the web page is blocked. Fine tuning this system takes some time and you might get a lot of false-positives in the meantime.
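An added example of the score-and-limit text search described above (not Baltimore's implementation): each occurrence of a phrase adds its score, a page is blocked when the tally exceeds the limit, and `tune()` counts false positives and misses at several limits over labelled pages. The phrases, weights, limits and sample pages are constructed, and case-insensitive whole-word matching is an assumption.

```python
import re

# Constructed phrase weights and score limit for a 'gambling' classification.
PHRASE_SCORES = {"online casino": 40, "free spins": 25, "jackpot": 15, "poker": 10}
SCORE_LIMIT = 60

# Constructed sample pages, labelled with whether policy wants them blocked.
GAMBLING = "Online casino bonus! Hit the jackpot with free spins at our online casino."
NEWS = ("Local poker club raises funds: the poker night drew 200 players, and "
        "poker fans say the charity poker league will return. A poker table "
        "was auctioned, with a jackpot raffle prize.")
TEASER = "Try our online casino tonight."
SAMPLES = [(GAMBLING, True), (NEWS, False), (TEASER, True)]


def score_page(text, phrases=PHRASE_SCORES):
    """Return (total score, {phrase: occurrences}) for one page of text."""
    lowered = text.lower()
    total, hits = 0, {}
    for phrase, weight in phrases.items():
        # Whole-word match so 'poker' does not fire inside a longer word.
        count = len(re.findall(r"\b" + re.escape(phrase) + r"\b", lowered))
        if count:
            hits[phrase] = count
            total += count * weight  # score is added for every appearance
    return total, hits


def is_blocked(text, limit=SCORE_LIMIT):
    """Block only when the final tally exceeds the limit."""
    return score_page(text)[0] > limit


def tune(samples, limits):
    """For each candidate limit, return (false positives, missed pages)."""
    results = {}
    for limit in limits:
        false_pos = sum(1 for text, bad in samples
                        if not bad and is_blocked(text, limit))
        missed = sum(1 for text, bad in samples
                     if bad and not is_blocked(text, limit))
        results[limit] = (false_pos, missed)
    return results


if __name__ == "__main__":
    for name, page in (("gambling", GAMBLING), ("news", NEWS), ("teaser", TEASER)):
        print(name, score_page(page), is_blocked(page))
    print(tune(SAMPLES, [30, 60, 80]))
```

On these pages no single limit is clean: the charity news story outscores the short casino teaser, which is the false-positive problem the article warns about when tuning.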
Once all definitions are in place, a schedule is applied. In addition to categorising data, other scenarios exist for protection. Examples include blocking mobile code – Java script, ActiveX – executable files and virus scanning downloads.
A major consideration with this software is the size of the machine that it will run on. As analysis is performed on each transaction, the server has to store items in order to virus check them. If the internet connection is particularly busy then this can have a big effect on surfing speed.
Overall, the software has a place alongside the traditional URL filtering software on the market. Its strength lies in dealing with the other threats of the internet, not just blindly denying access to all sites. It would be good to see SSL support, but even without that it has something to offer.
BALTIMORE
Product WEBsweeper
Installation ★★★★
Management ★★★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
URL filtering has come a long way since we first reviewed it a few years back, which makes picking the winning products difficult. However, we think that two products particularly stood out from the crowd.
Our Editor’s choice award goes to SurfControl. Since pushing the technology before it became popular, it has rolled out solidly-performing software. It’s easy to use, but this never gets in the way of functionality. As it doesn’t rely on third-party software, it will suit almost any environment.
Our Recommended award goes to Websense. Again this is a simple to use piece of software, and very powerful. It doesn’t have standalone support, but does support the largest range of third-party products in this test. This ensures it fits seamlessly into the existing infrastructure.