Product Group Tests
Web filtering (2005)
While we were pleased with most of the products tested, two stood out. First, our coveted Best Buy award goes to SurfControl's Web Filter. This is a product that has just got better over the years, while retaining its ease of use. A large URL database and simple, rules-based management let you quickly and simply choose which websites to allow or to deny. It's very customizable and includes bandwidth and time quotas. Our Recommended award goes to Finjan's Vital Security Appliance NG-5100. It's a little more difficult to set up than some of the others, but is one of the most powerful. It has support for multiple scanning engines, as well as antivirus and anti-spam. Best of all, rather than keeping all these components separate, Finjan has integrated them into one policy generator. For large networks, its distributed approach and flexible rule management make it an excellent choice.
Full Group Summary
Every company needs to know what's coming in and going out on the web, which is why we have web policies. But enforcing those policies requires flexibility and capability, discovers Christopher Moody
While the internet might be a valuable tool for business - who picks up the phone now when the information they want is probably on a website? - we also know that it's a colossal waste of working hours, too. And even when it's not strictly a waste of time, no one is going to agree that booking a holiday is the best use of company time or bandwidth.
As well as the issues surrounding lost productivity, there are many others surrounding open web access. First and foremost is people downloading illicit material on your company's computers. This is a situation you don't want – your firm could be prosecuted.
Next, there are offensive images. Again there's the potential that these images are illegal, but there is also the harm this can do at work. Companies could easily suffer from a joker in the office downloading something offensive to other workers.
There is now also the growing problem of spyware, which can be cut by blocking access to the kinds of sites that carry this content.
Each company should have an acceptable usage policy that lays down policy and states which websites can be viewed.
But while this gives you legitimacy when disciplining staff who breach this policy, prevention must be better than cure.
As you can see, there is little reason not to enforce web filtering, which is why we have ten products to enforce policy. We have five software products, which require a dedicated server, and five appliances that you can just plug into an existing network.
Testing these products is tricky. They all, bar one, use a URL database as the main line of protection. These databases categorize millions of websites. The idea is that you can block swathes of sites through a single tick box.
The problem is that it is very difficult to check all of the sites in the database to ensure that they are categorized correctly. The next problem is that websites appear and disappear on a daily basis, so keeping these databases up to date is very tricky, as is verifying them.
That said, all the companies on test do a good job of categorizing the main, easy-to-find sites. For most companies, if the occasional website slips through the net it's still not as bad as a virus.
Even so, we wanted to ensure that the filtering was working, so we picked a range of test sites we think should be blocked by all companies. In all cases the sites were blocked.
Next on our list was HTTP-Tunnel (www.http-tunnel.com). This is a free, but slow, service that installs a Socks proxy on a local PC and tunnels web traffic through port 80 on the firewall. Doing this prevents internet monitoring, and can bypass blocking software and hardware.
We made sure that we blocked all remote proxies on each test product to see if we could remove this potential backdoor. Remember – employees can and will install open source tunnelling programs that connect to their home PCs, so in most cases you're better off blocking all sites unless specifically allowed.
We also paid attention to how the products can apply blocking. Scheduling was one important factor, as there is nothing really wrong with shopping online, provided it is done at lunchtime or after work. If you can relax your policy out of work hours, your employees will appreciate it. Some of the products featured have time and bandwidth quotas for categories. You can allow, say, 10MB of MP3 sites a day.
One of the biggest problems with URL filtering is that different departments often need access to different sites in order to do their jobs. In these cases, a blanket, company-wide policy isn't going to do the job.
We tested each product to see how it can use user-authentication (local or through connectors to Active Directory, Radius or NDS) to verify the current user and apply suitable policy.
Finally, other tools such as keyword filtering can help block sites that are uncategorized, although they need to be carefully implemented in order to cut down on the number of false positives.
Choosing the right product for your network can be difficult, which is why we have a large range. There are those that integrate into existing environments providing pure and simple web filtering. For other networks, we have some products that also have firewalls, antivirus and anti-spam tools in them as well.
In particular, these products are well suited to branch offices, as it gives you a single point of management for all of your security.
We hope the range of products tested gives you enough to choose from. In this day and age, no company should be without one.