The Fix Is In: Filtering Workplace Web Use

Can you prevent staff from overwhelming your bandwidth without blocking all Web access? We tried three different packages.

January 12, 2006


Your 50-employee business is experiencing sluggish Internet access. You get the budget approval and upgrade to a higher speed connection. But you don't notice any increase in Web download performance. Your boss is disappointed that the higher bandwidth link isn't as fast as you said it would be.

You hook up a packet analyzer and find out that 50 percent of your bandwidth is being consumed by personal usage of the Web during business hours. This wastes employees' work time as well as company bandwidth. You tell your boss. She puts out a memo asking people to stop. No one stops. What can you do?

In addition, it turns out that several employees are tying up bandwidth by viewing sports-related online videos, and you want to block them. However, they and other employees are expected to view various news broadcasts as part of their daily job, and you don't want to block those accidentally. Can that be done?

Products Tested:
We decided to test three of the best-known products that are directed toward the SMB market and see how effective they were in blocking unnecessary Internet use in order to save bandwidth: Websense Enterprise, Secure Computing SmartFilter, and St. Bernard iPrism. Websense Enterprise and Secure Computing SmartFilter are software solutions that require a PC running proxy or firewall software such as Microsoft ISA Server 2004. St. Bernard iPrism is a standalone hardware appliance that can be connected between the firewall and the internal network so that all network traffic must flow through it. It can also be connected directly to the internal network and used in proxy mode; this requires configuring each computer on your network to use it as a proxy.

Typically, these products are used to configure subject areas to monitor and block, such as shopping, banking, and pornography. When a user browses a site that belongs to one of these categories, their session can be terminated automatically. Reports can be generated displaying who tried to browse what and when.

Secure Computing's SmartFilter
Secure Computing’s SmartFilter products enable organizations to understand and monitor their Internet use based on 73 filtering categories. Results are reported by SmartReporter, a separate application that is part of the SmartFilter package. SmartFilter runs on 30 different platforms, such as Check Point FireWall-1, Cisco PIX Firewall, and Squid Proxy Server.

For this test, I ran SmartFilter on Microsoft ISA Server 2004. Installation was straightforward -- I just had to run the install package and follow the prompts. However, the package's use of passwords was slightly confusing. There are separate passwords for the ISA Server plug-in and the SmartFilter Administration Console, and it took me a while to pick up that the SmartFilter Administration Console password is used when launching the console and the ISA Server plug-in password is used when connecting to the plug-in in order to manage it within the console interface.

SmartFilter makes it possible to monitor or limit Internet usage by person, IP address, time of day, and content category. The SmartFilter control list provides comprehensive and granular coverage, including categories for security (spyware, malware, P2P), confidentiality (chat, IM), and bandwidth management (Internet audio/video, streaming media).

In order to accomplish my goal -- to block sports videos but allow news videos -- I had to roll up my sleeves and dive deep. From the SmartFilter Admin Console, I configured a new individual plug-in management entity and connected it to the plug-in running on my ISA Server. From here I could create policies or simply enter URLs to be blocked.

The process of configuring filters to meet the test requirements was a bit roundabout compared to competing products such as Websense Enterprise. I had to click on Create Policies, then on Policies, and then either Customize an Existing Policy or Create New Policy. This enabled me to block sports sites and allow news sites. I also created another filter that blocked all streaming media for all employees except those who needed to watch the news. Between these two filters, I felt that SmartFilter adequately addressed my needs. (To verify this, I launched Internet Explorer and surfed to CNN's site. I was able to read the news to my heart’s content, but was blocked from reading sportsillustrated.cnn.com.)

With SmartReporter, I could quickly access information on Web and bandwidth usage, isolate problems, and customize my filter settings. There is an easy-to-use Web interface that initially provided me with a top-level overview of recent Web activity and then gave me the ability to drill down by category, IP address, or user. Reports can also be scheduled to run and be distributed via e-mail. A helpful feature for the SMB market is that SmartReporter includes an embedded database for data storage and report generation; as your company grows you can upgrade to Microsoft SQL Server.

St. Bernard's iPrism Model 1200
The St. Bernard iPrism 1200 is a versatile 1U rack-mountable appliance designed to deliver perimeter protection from emerging Internet threats in HTTP, IM, and P2P traffic, including spyware, malware and phishing.

The Model 1200 is a proprietary combination of hardware, a hardened and optimized OS and a kernel level filtering engine. Under certain circumstances, this can be a problem: Due to its proprietary nature, the Model 1200 shields users from its inner workings and can only be configured using its appliance management software. If, for some reason, the appliance management software fails to detect the Model 1200, then your only recourse is to cycle power to the Model 1200 until the appliance management software can connect to it.

The iPrism can be configured either in bridge mode, so that all traffic passes through it, or in proxy mode, so that it resides on the internal network and proxies all Internet applications. I chose to install the test device in proxy mode as suggested by the well-written and thorough installation/configuration guide.

Installation could not have been simpler. I plugged it in and connected the internal interface to my switch (this has to be the same switch to which the management workstation is connected). I then installed and ran St. Bernard’s appliance manager software, which found the device on my network and launched the IP Assignment Wizard. Once I assigned IP information, I was able to move on to configuring filters.

The iPrism can be set to allow or block Web, IM, and/or P2P traffic. All configuring is done through the management GUI. I did have some problems with the interface during initial configuration -- it was not what you would call intuitive. For example, controlling content to be filtered required me to click on Configure, not on Manage Filters, as I expected.

Once that was done, I selected a policy (or I could create a new one) and edited the access control list. The iPrism had to be configured similarly to SmartFilter Corporate: block sports and allow news, allow streaming video only for those users who need it to watch the news. Not the most elegant solution when compared to Websense, but it worked.

iPrism’s reporting features include standard and customizable templates, drill-down capabilities, tabbed reporting, and real-time monitoring. The Report Wizard allowed me to quickly compile reports that met my requirements by walking me through all the necessary steps of creating a report. It was also simple to create reports for any type of Web traffic, including HTTP, IM, and P2P. Because reports are dynamic, I could drill down to whatever level I wanted. Real Time Monitoring displayed a table of Web sessions so I could see at a glance whether any browsing activity deserved my attention. Reporting capabilities are located “on-box,” with no requirement for a separate reporting server.

Websense Enterprise
Websense Enterprise is the leader in the Web filtering market, and it’s easy to see why. It goes beyond simple Web filtering and moves down the protocol stack to offer features that might more easily be compared with a firewall than with Web filtering software.

For example, the package lets you set policies (allow, block, continue, quota, block by bandwidth and block by file type based on the time of day and user) for a variety of file types and over 50 application protocols. It’s also possible to set policies based on users/groups defined in Microsoft Windows Active Directory, Sun Java System Directory Server, and Novell eDirectory access via LDAP (Lightweight Directory Access Protocol).

Websense Enterprise was, by far, the easiest to configure of the three products in this roundup. Installation was a no-brainer -- the software walked me through installing the ISA Server plug-in and then gave me the choice to filter or monitor all traffic. I configured it to monitor traffic, then downloaded the 192MB database of categorized URLs.

Using Websense Manager, the well-designed and intuitive management GUI, I double-clicked the listed server and was provided with a list of categories of Web content and a list of protocols such as SQL Net, FTP, Gopher, IM, P2P, Anonymizers, Remote Access, and Streaming Media. I could choose to allow or block any of these; in addition, I could allow IM but block attachments or simply block all IM traffic. Context-sensitive and informative help is available during each step of configuration.

Reporting is another simple yet powerful feature of Websense Enterprise. I was able to generate reports on the fly and drill down to access data by risk class, category, URL, application, user, workstation, or date and time. Reports can be scheduled to run and then automatically be e-mailed in a variety of formats such as HTML, PDF and Microsoft Excel. Reports can also be run from a Web browser.

In order to block the sports category, I just had to click Edit and check off the appropriate box. Within the category, I could choose to block by file type -- so, for example, I could block sports audio and video files, but not text. This was by far the most elegant solution to the problem among these three products; in fact, Websense is really the only device that could be configured exactly how I wanted. As a result, Websense is the clear winner in our test scenario, providing unrivaled granular control over its Web content filter settings.

Conclusion
While all three of the products covered here can be used to control Web access by content category and content type, the most straightforward solution for this problem was Websense Enterprise. Websense Enterprise was the only solution that allowed me to explicitly block sports video streams and allow news video streams in a straightforward and intuitive manner. We could get the same results with the others, but it was a three- or four-step process vs. a one-step process in Websense.

The others, Secure Computing SmartFilter and St. Bernard iPrism, required slight workarounds such as blocking all sports content and all streaming video for everyone in the organization and then enabling streaming video for those who need to watch the news. The end results were the same, but Websense Enterprise deserves kudos for the ease with which it met the test criteria.
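The two rule shapes compared in this review, modeled as an added example (not code from the article or from any of the three vendors). The user names, the news-watchers group and the request fields are constructed assumptions; the sketch shows where the category-plus-exception workaround and a per-category file-type rule reach different decisions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    category: str  # URL category from the filter database, e.g. "sports" or "news"
    media: str     # "text" or "streaming" (audio/video)

# Constructed group: staff who must view news broadcasts for their job.
NEWS_WATCHERS = {"alice"}

def category_plus_exception(req: Request) -> str:
    """Workaround shape: block the whole sports category, and block
    streaming media for everyone outside the news-watchers group."""
    if req.category == "sports":
        return "block"
    if req.media == "streaming" and req.user not in NEWS_WATCHERS:
        return "block"
    return "allow"

def category_with_file_type(req: Request) -> str:
    """Single-rule shape: inside the sports category, block only audio/video."""
    if req.category == "sports" and req.media == "streaming":
        return "block"
    return "allow"

# Constructed sample traffic covering each combination the review discusses.
SAMPLE = [
    Request("alice", "news", "streaming"),
    Request("bob", "news", "streaming"),
    Request("bob", "sports", "streaming"),
    Request("bob", "sports", "text"),
    Request("alice", "sports", "streaming"),
]

def compare(requests):
    """Return (request, workaround decision, file-type decision) per request."""
    return [(r, category_plus_exception(r), category_with_file_type(r))
            for r in requests]

def disagreements(requests):
    """Requests on which the two rule shapes decide differently."""
    return [r for r, a, b in compare(requests) if a != b]

if __name__ == "__main__":
    for r, a, b in compare(SAMPLE):
        print(f"{r.user:6} {r.category:7} {r.media:10} workaround={a:6} file-type={b}")
```

Both models meet the review's test criteria (sports video blocked, news video available to the staff who need it); they diverge only for sports text pages and for news video requested by users outside the exception group.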
