A web filter is essential to keeping hazards and distractions away from businesses. To stay safe, productive, and compliant, every organization must block certain websites.
Recent developments have made this harder for small businesses. Popular sites – including Facebook, YouTube, and Yahoo! – have adopted the HTTPS standard. While this is good news for security, it’s bad news for some companies.
The HTTPS standard encrypts data transmitted between a host and server. This renders the data almost useless to attackers. It also prevents eavesdropping and man-in-the-middle attacks. But not all web filters can block HTTPS sites. For example, some can block http://twitter.com but not https://twitter.com. This gives users an easy way around the filter. The result is more wasted time and greater risks for organizations.
In this report:
• Why use an HTTPS web filter? • How it works - policy enforcement
• Settings for the AccessEnforcer HTTPS web filter
• How the AccessEnforcer HTTPS web filter compares to others
AccessEnforcer
HTTPS web filter overview
Four reasons why every organization needs the ability to allow or block HTTPS sites.
#1. Increase staff productivity
At one time, HTTPS was mostly used for online transactions, online banking, and other sensitive sessions. However, websites that do not handle sensitive data are adopting HTTPS. Leading the way are popular sites that are often viewed as time-wasters.
Facebook, Twitter, YouTube, Google, and other sites that many businesses would prefer to block now use HTTPS by default. For a small business, having the ability to block HTTPS is the only practical way to prevent employees from wasting time on these sites.
#2. Block malicious sites
Millions of websites are dangerous. Through drive-by-downloads, session hijacking, spoofing, and other tactics, they can inject malware onto the user’s system or trick users into supplying sensitive information.
These techniques work on HTTP sites, and they work on HTTPS sites as well. The HTTPS filter helps protect businesses from these hazards.
#3. Block offensive web content
Websites with offensive or inappropriate content abound on the web. Nothing prevents them from using HTTPS. The only way an organization can remain free of this disruptive material is to use a web filter that can manage both HTTP and HTTPS sites.
#4. Comply with regulations
Education, healthcare, and retail are three industries among many that are required to have enhanced network security. Some standards, such as the Children's Internet Protection Act (CIPA), require organizations to filter web content. Any industry that requires HTTP filtering is all but certain to require HTTPS filtering as well.
Not all web filters are created equal. The way they handle traffic and enforce policies can have a significant impact on performance. Performance determines, in part, whether an organization will use the filter, so speed is critical.
The HTTPS filter in AccessEnforcer, the UTM firewall from Calyptix, is fast and effective. It monitors sites by comparing the server’s identity with the filtering policies set by the administrator. If a site is not allowed by the policies, then the connection is not established. If the site is allowed, then the connection is made.
This approach does not decrypt the data, so security and connection speeds remain strong. Disallowed connections are never established with the gateway, so threats stay out of the network.
Some filters use other methods, but they are often complicated, labor intensive, and demanding of network resources. In short, they are not practical for small businesses.
AccessEnforcer filters HTTPS sites in a single click. Assuming the organization has filtering policies for HTTP traffic, a click on a single checkbox automatically applies the same policies to HTTPS traffic.
Policies
When the HTTPS filter is active, the following policies will apply to HTTPS traffic: • URL whitelist
• URL blacklist
• Web filter exemptions
Activation
The HTTPS filter has three options for how it enforces policies: • Disabled – the HTTPS filter is off.
• Monitor – the filter will log HTTPS traffic, but it will not enforce policies. • Enforce – the filter will log and enforce policies on HTTPS traffic.
How it works – Policy enforcement
Protocols
AccessEnforcer monitors HTTPS requests that use TLS 1.0 and later on port 443. In settings, administrators can choose whether to allow or deny all non-TLS HTTPS connections.
Some firewall vendors are able to block HTTPS sites, but very few can provide the feature alongside these benefits:
Faster activation
Some filters require complicated and time-consuming configurations to enable HTTPS filtering. AccessEnforcer does it in one click.
Faster connection speeds
Many web filters decrypt HTTPS traffic to inspect it before filtering. This demands a tremendous amount of resources from the device and can slow connection speeds.
AccessEnforcer filters HTTPS traffic without decryption, so the network stays fast.
Stronger chain of security
HTTPS traffic is encrypted to prevent eavesdropping and man-in-the-middle attacks. Web filters that decrypt HTTPS traffic break the chain of security, creating a point at which the data is in plain-text. This can potentially expose the data to threats.
AccessEnforcer does not break the chain of encryption, so additional opportunities are not provided for threats that enter the line of communication to steal data.
Compared to other HTTPS web filters
Settings for the HTTPS web filter
(cont.)
The HTTPS filter is included with standard service for AccessEnforcer from Calyptix. In fact, standard service includes every security feature we offer.
Additional standard features include:
• Intrusion detection and prevention (IDS/IPS) • Quality of service (QoS)
• Web filtering • Email filtering
• Automatic firmware updates • Automatic security updates • Unlimited network users
• Unlimited virtual private networks (VPNs) • GUI-based management
Give your organization simple and powerful security with AccessEnforcer.
