Rollout: SmoothWall's Corporate Guardian 5

Smoothwall Corporate Guardian 5 makes it easier to control your employees' personal Web surfing habits without destroying morale. You say what's OK during business hours, but you can also open the pipe at any set time, when you'd rather not discourage people from spending some extra hours in their cubicles.

Corporate Guardian 5 is a Web content filter for the enterprise, but it's also well-suited for a small office environment. As long as you have effective control over your computers and don't let your users remove your enterprise's Web proxy settings on their browsers, this product will let you decide what content your users can view at different hours.Corporate Guardian's standard features resemble those of its competitors, SurfControl's Web Filter and Websense Enterprise. All three products have similar functionality: Each uses URL block lists to filter content, employs Web caches to increase speed, applies rule sets to specific users and filters Web content based on time of day. All block file downloads based on MIME type, but only Corporate Guardian 5 includes a built-in antivirus engine to detect other hostile downloads. Both SurfControl's and Websense's antivirus solutions are add-ons.

Corporate Guardian truly distinguishes itself with its Dynamic Content Analysis technology, which lets it examine individual pages' content to determine appropriateness, whether or not the page is included in the URL block list. This trainable filter looks for specific phrases in any downloaded page and scores it. Any score that exceeds a set threshold is automatically blocked. SurfControl includes a similar feature that looks for keywords.

Corporate Guardian 5 also scans Web pages for dangerous code, such as malicious ActiveX, JavaScript, unsolicited pop-ups and Web bugs (single-pixel images embedded in a Web page, designed to provide information about what sites a computer has browsed).

Like its competition, Corporate Guardian 5 is priced per computer on the network, not as an appliance. This one is a relative bargain: $5 to $8 per computer, per year in an enterprise environment, depending on the number of users. After the first year, the price per computer is halved, and support costs 20 percent of the purchase price. For installations with more than 250 users, pricing is not published; however, running Corporate Guardian 5 on a smaller network with 10 users costs about $750. SmoothWall's price includes the underlying operating system, which the company patches along with the filtering software. By comparison, SurfControl's 100-user price is $1,800, and Websense's product is about $2,500; neither includes the OS.Transparent Benefits

Corporate Guardian 5's strength lies in its ability to work in almost any environment. Besides being able to run as a standard Web proxy, it operates as a transparent filter that routes all traffic through the device. In transparent mode, it needs no client configuration, and users can't install a different Web browser or use encrypted Web (https) to circumvent Corporate Guardian. The software supports any browser that can use a Web proxy, including Firefox, Internet Explorer and Safari. To accommodate all the traffic filtered in transparent mode, hardware requirements increase by about 25 percent.

In our tests, Corporate Guardian's Dynamic Content Analysis engine added no appreciable delay to Web browsing. To root out any delays this feature adds to Web page downloads, we measured how long it took to download an e-book--a 4.5-MB text file of Shakespeare's complete works. Dynamic Content Analysis added less than 150 milliseconds to the download process.

Regardless of the mode, Corporate Guardian 5 integrates into the network and can use existing data sources, such as Microsoft Active Directory, Novell eDirectory or any other LDAP source, for user authentication. Corporate Guardian 5 integrated quite nicely with our Open LDAP server, and we were able to create custom filtering groups for specific users on our network.

If you don't have a central repository of user information, Corporate Guardian 5 has a built-in authentication server. The first time a user tries to access a Web page outside your organization, the software redirects the user to an encrypted Web page and asks for credentials. Management of all these settings is accomplished through a Web interface, which includes online help.Hit Or Miss Blocking

Like any Web content filter, we found Corporate Guardian to be erratic about what it blocked when we first installed it. The phrase-based filtering also required tweaking. Out of the box, the program got a little overzealous and blocked access to sites we did not intend it to block. In addition, when we typed a sometimes-objectionable word into a search engine, the results page would be blocked only half the time. Our results depended on the ads being displayed along with the results. If one of the ads contained objectionable content, occasionally, Corporate Guardian blocked the entire results page. We could, however, access objectionable images using Google's images search engine.

To mitigate most of these odd results, you can enable the phrase-based filter for search engine queries or force the product's safe search mode to be enabled for any search engine that supports that feature. Corporate Guardian lists this option in its interface.

Some of the product's most useful features don't come enabled by default. These features have to do more with network security and workstation protection than with content filtering, but we would be remiss not to mention them.

Corporate Guardian's logging and notification are extraordinarily flexible. The program can notify the administrator by e-mail of pretty much anything (or how much) a user is doing, as often or as little as the administrator desires. For the most paranoid administrators, Corporate Guardian even has an SMS (Short Message Service) alerting function.Corporate Guardian 5 has a robust set of features and comes at a reasonable price. The ability to manipulate Web page content, disable obnoxious behavior such as unrequested pop-up windows, address-bar spoofing and Web bugs, and scan files for viruses provide ample incentive to buy this product. The content-filtering aspects, too, make Corporate Guardian a worthy watchdog. n

David Decoster is the network security administrator for the computer-aided engineering center at the University of Wisconsin-Madison. write to him at [email protected].