Product Group Tests
Web content management (2008)
Top of the line for large deployments, we rate 8e6 Professional Edition our Best Buy for its power and analysis capabilities along with surprising ease of use.
Our Recommended choice is the Barracuda Web Filter 310. Offering high value and affordability in most environments, it is a jewel for small and medium-sized enterprises.
Full Group Summary
Web content management solutions have come a long way from simply filtering for bad sites and dirty words. Peter Stephenson reports on tools that can deal with a variety of internet-borne threats.
We have been watching the web content management landscape for almost three years now and have seen a steady evolution from a group of products that were largely URL filters. The first time we tested these products, all we had to do was develop a suite of blacklists for various websites and types of content and tell the device under test to try to go to those sites. We then read the success rates and that was that.
Today, web content managers go way beyond filtering on bad sites and dirty word lists. They now include peer-to-peer, instant messaging, social networking sites and even look at various types of malware.
These are critically important functions in the currently emerging cyber-threat environment. While identifying bad sites and dodgy content is still important, the definitions of what that means have changed markedly in the past two years. Even a cursory web search on the term provides a wide variety of definitions, discussions and products. These range from the types of tools and the context we are discussing here to solutions that help web developers manage the content of their websites.
What is important as we look forward is that the products we review this month stay current with all of the types of web-borne threats that are emerging on the internet. When you are evaluating web-content management products, make sure that you are clear on how employees in your organisation are using the web.
While we see this class of product converging with other types of perimeter defences, that really has not happened yet. It is true that some aspects of web content management are showing up on other perimeter appliances, just as some elements of anti-malware are being incorporated into web content management tools, but we are still waiting for a real convergence.
That said, you probably will need to fit web content management into your perimeter architecture. Because the products we looked at are inline solutions, you can expect them to add some level of latency. With that in mind, you should be careful about how you build policies. It is possible to create real latency issues if you have a perimeter heavy with inline devices of various kinds.
We also saw two distinct types of products with regard to scalability. One kind was intended for very large enterprises, the other was not. The good news is that the products that are intended for smaller networks are scalable by virtue of their ability to use multiple devices on different internet-facing segments. The bad news is that they are not easily managed as a group from a central location and they do not scale well to a single very large pipe. There were exceptions, of course.
How we tested
Testing web content management tools this year took a twist towards the more complicated. No longer is it enough to test for URLs and word lists. We also had to include some malware capability, peer-to-peer sites and instant messaging sites in our test suite.
We found that there is a tendency to connect into the enterprise infrastructure. So this time our test bed had to include domains, Active Directory etc. We also had to attempt to connect to various types of disallowed sites such as IM channels.
What we saw was a high level of competency in general, a few warts and a few standouts on some products. One important point we observed was the ease with which these products deploy and are subsequently managed. We took these boxes through the lab in near record time, but that did not hamper their performance or ease of use.
The bottom line for this product group is that you probably need it, you absolutely will benefit from it and there are some precautions you need to take as you evaluate and purchase. Beyond the feature set, you should consider the latency it adds into the network. Usually this is not great unless your policies are very complicated or badly written.
Once you decide on a product - after a thorough requirements analysis, of course - plan your deployment carefully. That means plan your policies, address everything you need to, but don't create a needlessly complicated set of policies.
You probably don't need to deal with every imaginable type of threat, unless your organisation is very large or sensitive, so be sure that you identify what you do need to protect against.
- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/