1 AUGUST 2001 NETWORK NEWS
technology
Web filtering benchtest
Internet under control
Web filtering software can help to speed up employee productivity and internet connections, as well as
giving network managers peace of mind, says David Ludlow
It’s not always paranoia
if you think your users
are up to something.
And you can bet that
the corporate internet
connection isn’t full of work
orientated traffic. Instead
you’re likely to find users
browsing the web as they see fit.
The problem with this is
threefold. First, the internet
connection is slower for genuine work traffic. Second,
employees can be downloading offensive or illegal materials, which you as the
administrator could be held
liable for. Finally, there’s a loss
of productivity associated with
this kind of activity.
It’s clear that browsing at
work should be restricted,
which is where web filtering
comes into play. The majority of
products in this test work by
restricting access based on
URL. The list of URLs is categorised by the software vendor
and, like AV software, regularly
updated. So, while the software
will miss the brand new sites
it’s still enough of a deterrent to
cut back on uncontrolled surfing.
Company secrets
The last product, WEBsweeper
from Baltimore, is designed to
work on a different principle
and check the actual content
being downloaded. This, for
example, can be used to check
the contents of a web-based email form to make sure that no
company secrets are being sent
out via this often unchecked
service. This kind of software
can be used in conjunction with
standard URL filtering to give
more complete protection.
SURFCONTROL
SUPERSCOUT
The guide to acceptable use policies
is useful even if you decide not to buy
[Figure caption: SurfControl is one of the best pieces of URL filtering software on the market]
SURFCONTROL
Product SuperScout
Installation ★★★★
Management ★★★★★
Documentation ★★★★
Performance ★★★★
Overall rating ★★★★★
SurfControl SuperScout will fit
into many different environments, as it doesn’t necessarily
need a third-party proxy server
to work. While the usual suspects – Microsoft ISA and Proxy
and Checkpoint – are supported, the product will also
operate in promiscuous mode.
This works by ‘sniffing’ the
Lan for web traffic and resetting
connections for traffic destined
for banned websites. Of course,
for this to work properly you
need to make sure that the
server is located on the main
throughway to the internet
gateway. This can be achieved
by setting up a spanning port
on the switch that the gateway
is connected to. Fortunately,
these points are covered in the
installation documentation.
Once the software is in place,
the obvious thing to do is set up
an acceptable use policy. SurfControl provides a free guide to
help you achieve this. It’s even
useful if you decide that SuperScout isn’t the product for you.
Assuming that you know
what you want to enforce, there
are two main programs used to
control operation – rules
administrator and monitor.
Monitor records all the surfing going on in the building and
who’s visiting where. As a
standalone tool this is very useful. In fact, some companies
make a living out of just providing
this side of the equation.
Once the data has been collected there’s a huge amount of
reports that can be generated to
show exactly what’s happening on the network. For example, you can see who’s doing the
most browsing or to how many
sites users have been denied
access. This kind of information
is useful when it comes to refining, or creating, the acceptable
use policy.
The next stage is to use the
rules administrator to put this
information to use. Fortunately, it’s a breeze to do this.
The rules created are akin to
those used in a firewall and are
made up of four elements –
who, where, when and notify.
Who’s who
Before rules can be created,
these elements need to be completed. For example, the who
section needs elements to identify a single browser. This can be
host name, IP address or user
name.
Anything monitored is automatically imported by rules
administrators. Once you have
your list of users or machines,
it’s possible to group them
together in a who list. This is
useful for creating policies
based on work groups, such as
sales or marketing.
A similar process is carried
out for the where elements. The
noticeable difference is that
there’s already a list of categorised websites. These relate
to the URL database, which is
automatically updated through
the scheduler software. For the
most part it’s easier to work
with entire categories, such as
‘Adult/Sexually Explicit’.
The when section is used to
create time blocks. For example, you could create a time
block that represents the working day. Finally, notify sets up
who to send e-mail notifications to.
Once this is complete, rule
creation is laughably easy –
drag the elements you want
into the rules window and
select to allow or deny the rule.
So dragging the ‘Sales’ work
group, ‘Adult’ category and
‘Work Hours’ time block into
the window and selecting deny
does exactly what you think it
will.
This component-based
method of rule generation
makes it easier to update the
acceptable use policy as time
goes on. The only thing to be
aware of is the order in which
the rules execute. Like a firewall, rules operate in list order.
No rule further down the list
can override a rule further up
the list.
As a result, a rule designed to
block all access to all websites
that appears first in the list will
deny all users no matter what
another rule says. Fortunately,
the software automatically
warns if such a general rule is
created. We’d suggest that the
rules at the top of the list should
be the very precise ones, while
the more general rules should
sit at the bottom.
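
The list-order behaviour described above, as an added example (not SurfControl's code or rule format): a first-match evaluator over who/where/when elements, plus a check for rules that a single earlier, broader rule makes unreachable. The `Rule` structure, the 'News' category, the lunch time block and the allow-by-default fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"*"})            # wildcard element (assumed notation)
ALL_DAY = (0, 24 * 60)            # time blocks are minutes since midnight
WORK_HOURS = (9 * 60, 17 * 60 + 30)
LUNCH = (12 * 60, 13 * 60)        # constructed time block


@dataclass(frozen=True)
class Rule:                       # hypothetical structure, not the product's
    name: str
    who: frozenset                # work groups, or ANY
    where: frozenset              # URL categories, or ANY
    when: tuple                   # (start, end) in minutes, end exclusive
    action: str                   # "allow" or "deny"


def matches(rule, group, category, minute):
    return ((rule.who == ANY or group in rule.who)
            and (rule.where == ANY or category in rule.where)
            and rule.when[0] <= minute < rule.when[1])


def decide(rules, group, category, minute, default="allow"):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, group, category, minute):
            return rule.action, rule.name
    return default, None


def covers(outer, inner):
    """True if element set `outer` matches everything `inner` matches."""
    return outer == ANY or (inner != ANY and inner <= outer)


def shadowed(rules):
    """List (earlier, later) pairs where `later` can never be reached.

    Only checks coverage by one earlier rule, not by several combined.
    """
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(earlier.who, later.who)
                    and covers(earlier.where, later.where)
                    and earlier.when[0] <= later.when[0]
                    and later.when[1] <= earlier.when[1]):
                pairs.append((earlier.name, later.name))
                break
    return pairs


# Constructed policy: the page's Sales/Adult/Work Hours rule, one narrow
# exception and one catch-all.
SALES = frozenset({"Sales"})
news_lunch = Rule("sales-news-lunch", SALES, frozenset({"News"}), LUNCH, "allow")
adult_work = Rule("sales-adult-work", SALES,
                  frozenset({"Adult/Sexually Explicit"}), WORK_HOURS, "deny")
deny_all = Rule("deny-all", ANY, ANY, ALL_DAY, "deny")

GENERAL_FIRST = [deny_all, adult_work, news_lunch]
PRECISE_FIRST = [news_lunch, adult_work, deny_all]

if __name__ == "__main__":
    for label, rules in (("general first", GENERAL_FIRST),
                         ("precise first", PRECISE_FIRST)):
        print(label, decide(rules, "Sales", "News", 12 * 60 + 30),
              shadowed(rules))
```

With the catch-all at the top, both narrower rules are reported as shadowed and the lunchtime exception never fires; with the precise rules first, nothing is shadowed.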
Overall, this remains one of
the best pieces of software on
the market for filtering URLs. A
lot of work has gone into making it easy to use, while not losing any of the power behind the
product.
FUTURESOFT
DYNACOMM I:FILTER
It’s easy to keep a watchful eye on the
network without really having to do a lot
The DynaComm i:filter from
FutureSoft is similar in operation
to SurfControl’s SuperScout. It sits on the local network
and ‘sniffs’ web
connections. When it finds a
request being made to a site that
is blacklisted, it resets the TCP
connection and sends a denied
page to the offending machine.
However, this is the only
mode that the product can
work in. If you have a proxy
server in place, then i:filter will
not work in conjunction with it.
In addition, it’s not as easy to
get up and running as other
products in the test.
After the basic installation –
which takes an age – the software is still not ready to run. A
promiscuous mode network
driver has to be installed so that
the product can perform its job.
This driver has to be
installed manually from the
installation directory, which
requires another reboot of the
machine.
There are two main applications that can be used to enforce
the acceptable use policy –
Bloodhound and the management console.
Redundant Bloodhound
Bloodhound is designed as a
monitoring program to see
what’s happening on the Lan.
However, it’s not actually that
useful. It will only display a list
of websites that have been visited since it started.
Current state information is
lost on closing the application.
On top of this, it can’t be used to
directly generate any reports.
This is performed through the
management console, making
Bloodhound a mostly redundant tool.
Fortunately, things get better with the management console. Visually, it follows the
design layout of the Microsoft
Management Console (MMC).
All of the product features are
listed in a tree menu running
down the right-hand side of the
screen, while options for each
feature are displayed in the
main window.
The first task is to import network
monitors into the console
to be told which policy to
enforce. This is a mission in
itself.
It’s not just a matter of telling
it which machines have the
software installed. The monitor
also needs to be told which network addresses it is to monitor.
This requires typing the network address and its type (A, B
or C) as the number of bits that
represent its size. For example,
a class C network has a 24-bit
number representing the number of available nodes on that
network.
[Figure caption: i-filter comes with good defaults in place, but is not particularly intuitive]
The product is based around
rules. A rule states if an action is
allowed or denied and who,
when and where it applies to.
This does require some basic
work to populate the software
with data relating to the local
network. If you want to create
rules based on individual
machines then you need to
input that data. Unfortunately,
this doesn’t accept user names
as only Netbios, IP or Ethernet
addresses are supported.
The software does come
with some good defaults in
place. The setup comes with
time-intervals that describe
work hours and out of work
hours and these can be used
inside a rule to let users browse
unproductive websites outside
of work. Setting up new time
intervals is an easy process
using a time grid. Each square
represents one hour of the day
and each day of the week is represented.
The next step is to select
which websites a rule applies
to, which is helped by the category definitions. These relate to
the contents of the URL database – called the destinations
database internally. There’s a
category to describe most activities on the web so it’s easy to
enforce the policy that you’ve
created.
Updates to the database are
performed according to the
manually-set up scheduler
task. The scheduler can also be
used to gather logs from multiple network monitors and to
generate reports. There are a lot
of canned reports available, so
it’s no problem keeping a
watchful eye on the network
without really having to do a lot
of work.
Overall, the software does
do the job properly, but it’s not
quite as intuitive as other products.
FUTURESOFT
Product DynaComm i:filter
Installation ★★
Management ★★★★
Documentation ★★★
Performance ★★★
Overall rating ★★★
ST. BERNARD
IPRISM
Easy to set up and the appliance’s
profiles are a good way to manage access
The iPrism is one of the only
appliances for web filtering on
the market. The rationale
behind this is that it’s easier to
set up and manage – and firewalls moved the same way.
Updates to the URL database are performed daily. St.
Bernard is particularly proud of
the method used to search out
new URLs, which the company
calls I-Guard.
Spiders crawl the web and
check sites for content, automatically categorising them.
On top of this, the human touch
is applied with a team of people
who check out the URLs as they
come in. This ensures that categorisation is correct.
The actual product comes as
a 1U-high bright-purple box
and is similar in appearance to a
firewall thanks to the dual network interfaces labelled ‘Internal’ and ‘External’ respectively.
The box then acts as a proxy
server for all web traffic.
However, the physical interfaces don’t have the standard
lights to show the link status.
This potentially can make it difficult to tell if the device is connected to the network properly.
Once connected, the setup is
designed to be as quick and
easy as possible. The box comes
configured with a default IP
address. The Java-based management software can then connect to this and input a proper
configuration.
This first connection is basically to get the device visible on
the local subnet and how the
interfaces will be seen. The easiest option is to go for the bridging option where the device sits
between the local network and
the firewall. This installation
doesn’t require any client-side
configuration.
Once this basic configuration is applied, the job falls to
enforcing the local acceptable
use policy.
The first step to rule generation is to understand how the
box works internally. At the top
level are content categories,
with sub-categories inside. For
example, there is a sex category
that has the sub-categories
nudity and pornography.
Controlling categories
The categories are quite broad
and cover all ranges of internet
use including health, recreation
and business. All updates to the
URL database, automatically
retrieved on a daily basis, are
downloaded into these categories.
[Figure caption: St. Bernard’s iPrism is packed full of options which allow it to be customised]
ST BERNARD
Product iPrism
Installation ★★★★
Management ★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
Categories are then used
inside profiles to determine
which sites are blocked and
which are allowed. A profile
contains an access control list
(ACL) that states if each subcategory should be allowed, monitored or denied. A profile can
contain multiple ACLs,
which becomes useful when
combined with the time override feature.
We told the system to block
all pornographic sites using
one ACL, while we told another
to block all shopping sites during the day, but to allow them
after work hours.
This kind of scheduling has a
graphical interface. A grid of
squares, each one representing
15 minutes, is used to highlight
when the ACL is enforced. Each
ACL in a policy is represented
by a different colour, which can
get confusing when multiple
ACLs overlap.
Part of the problem lies with
the Java interface, which is not
very stable running under IE. In
fact, St. Bernard ships a copy of
Netscape 4.7 on the provided
CD along with the Java virtual
machine.
After a profile has been created it needs to be attached to
the physical object. Two choices
exist – network or user. If the
network option is taken then
any device within a given range
of IP addresses falls prey to the
profile.
Alternatively, by creating a
list of users, each user can have
their own profile that overrides
the basic network profile. If this
is the case, then the most secure
option is to have one network
profile that denies all web
access and user profiles that
map to real profiles.
The only thing to watch out
with user profiles is that the
proxy server setting has to be
turned on in each user’s
browser for the authentication
to work. We also had the problem that we couldn’t create user
groups, only single users. The
only way to get round this
restriction is to pass all authentication requests onto an LDAP
server instead.
Denied page problems
The system is packed full of
options to allow it to be customised. Even with the I-Guard
technology there will be cases
where certain websites will be
missed by the software. If the
administrator should discover
one, then they can enter this
into the software.
The only thing difficult to
deal with is the denied page,
which is displayed every time a
user tries to access an unproductive site. The box gives the
option to put some contact
details on the bottom of the
default page, or to give the URL
of the denied page. We’d have
liked this customisation to be
available directly on the box.
Overall, while the interface
gave us some problems, the
appliance is easy to set up. The
profiles are a good way to manage access, as they’re a customisable method of locking
down the box.
TABLE OF RESULTS
Company | Website | Contact no | Price | Installation | Management | Documentation | Performance | Overall
SURFCONTROL SuperScout | www.surfcontrol.com | 01260 296150 | £955 | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★
FUTURESOFT Dynacomm i:filter | www.futuresoft.com | 01260 292222 | £1800 | ★★ | ★★★★ | ★★★ | ★★★ | ★★★
ST. BERNARD iPrism | www.stbernard.com | 01276 609717 | £2000 | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★
WEBSENSE Enterprise 4.3 | www.websense.com | 0870 4581113 | £1645 | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★
8e6 X-Stop 4.5 | www.8e6technologies.com | 020 83993111 | £885 | ★★ | ★ | ★★★ | ★★★ | ★★
BALTIMORE WEBsweeper 4 | www.baltimore.com | 0118 9301300 | £1260 | ★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★
WEBSENSE
ENTERPRISE 4.3
‘Intelligent’ software is comprehensive,
while remaining easy to use
[Figure caption: Websense’s Enterprise console - and the way it works - is easy to understand]
WEBSENSE
Product Enterprise 4.3
Installation ★★★
Management ★★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
Websense Enterprise has the
biggest supported range of
third-party servers in this test.
Microsoft, Netscape and even
NetScreen firewalls and CacheFlow products are
amongst the choice. However,
the software does not have a
standalone version and needs
one of these products to work.
Despite this, there is no
direct need for the Websense
server to sit on the same
machine as the proxy server. It’s
quite happy just communicating, although this will obviously generate more network
traffic. The choice for position is
likely to come down to the size
of the network and the number
of users that need to be supported.
Once installation is complete, a server can be managed
anywhere on the network via
the Websense manager. The
first time the manager connects
to a new server it requests that a
new password is entered to lock
configuration. After this anyone connecting to the server
must provide the password.
We found the console, and
the way it worked, easy to pick
up. As with other software in
this test, policies are built
around components, such as
who, when and where.
Inside Websense it’s best to
start defining who to block,
which can be done on four levels – user, group, workstation or
network.
The user and group level lets
the administrator personalise
the level of filtering in very fine
detail. Users can be imported
from either an LDAP or Windows-based server. Groups are
a method of tying users
together in a logical order.
Workstations and Networks
are more usefully defined for
general rules to pick up the
slack where users don’t exist.
So if you want to use a network
rule to block all sites, this will
prevent people without a username and password from surfing the web.
Once these entries have been
populated, policies to control
them need to be put in place.
These define the times and days
that the policy is in place and
which sites to block and allow.
This choice comes from picking
a category set. The software
comes with default sets to allow
or deny all sites, but user-defined lists can be created to
match the acceptable use policy.
This involves choosing from
a list of categories to allow or
deny. Categories are also split
into sub-categories, so rules can
either be applied to the top-level or individually down the
list. For example, under ‘Information Technology’, ‘Web
Hosting’ could be allowed,
while ‘Hacking’ is denied.
Multiple category sets can
be attached to a policy, triggered to operate at different
times. Each user, group, workstation and network needs to
have a policy selected from the
drop down list.
A neat feature of the software comes from entering in
user URLs. This kind of entry
typically appears in its own category and is then uniformly
blocked. Fortunately, this software
is a little more intelligent.
Daily updates to the database
Any custom URLs are entered
into the existing category structure allowing them to immediately take part in existing
policies. Of course, you don’t
have to do this too often, as
Websense updates the URL
database daily and the default
scheduling will download the
new database overnight. While
this suits most environments,
the schedule can be modified.
The same server configuration screens are also used to
enter in an e-mail address of an
administrator. This is used for
notification if the local policy is
broken.
Overall, the software is comprehensive while remaining
easy to use. However, the lack
of standalone support means it
won’t be suitable for smaller
networks without this kind of
equipment.
8E6 TECHNOLOGIES
X-STOP 4.5
Looks dated and there are no online help
files. Pick a different product
[Figure caption: X-Stop’s tick boxes can be irritating if you have to create a lot of profiles]
X-Stop from 8e6 Technologies
manages to squeeze all of its
functionality into a 1.9MB
installation file. The reason for
this became painfully obvious
when we installed the software
and found that there’s not a lot
to it.
Management revolves
around a single application
running on the host machine. It
looks very dated and doesn’t
even have simple functionality,
such as online help files.
Instead the manual will have to
be used on many occasions, as
the purpose of some features in
the console is not immediately
obvious.
The application consists of
one window with multiple tabs
used to set the program’s
options. The first tab is used to
define default actions for the
software should any other profile not match. The default setting will deny requests made to
all web pages stored in the local
library – not all requests – but
can be modified if necessary.
The best bet is to leave this
section in place and muddle
through the more detailed profiles. These profiles can work on
a network or domain basis. The
network choice is just a list of IP
addresses, while the domain
basis can drill down to the NT
Domain user level. This is probably the better choice as it gives
more control over settings.
Once the profile has been
created, the website categories
associated with the profile need
to be set. This is through the use
of simple tick boxes, which can
be irritating if a lot of profiles
have to be created.
White list websites
For each category chosen there
are multiple options to choose:
blocking, monitoring or white
list. After scouring through the
manual we found out that
white list specifically allows a
website. The manual also states
that this option can be used to
create a white list of acceptable
websites – provided you can be
bothered to type them all in.
Each profile can also have a
schedule attached to it, but it’s
not easy to do. First, a category
profile must be created. This
states which categories of site
are allowed or denied. Then a
colour must be associated with
the profile. The manual warns
that white is the worst colour to
pick, however, this is the
default.
With the category profile in
place, the original network or
domain profile has to be edited
again. Under the time options
tab a grid is brought up, representing the entire week, day
and time. Selecting the category
profile from a drop-down
menu selects the category profile and the grid can be filled in
with its associated colour. It’s a
long way round doing something that is essentially easy.
Unfortunately, easy is not a
word we would associate with
this software. For example,
there are only three types of
report that can be generated –
showing which sites were visited, blocked or allowed. While
the report can be made based on
a single user, the administrator
has to manually enter in data
that relates to that particular
user.
We also had trouble using the
database editor. A dialogue box
appears with a text entry box for
the URL, a category selector and
an add and remove button.
However, when we selected a
category and started typing, an
error message appeared:
‘Unable to search. Search
process failed! Please try again
later’.
Overall, it’s difficult to rate a
product like this when there are
so many better choices on the
market. It also needs third-party software to work so it’s
not even suitable for the lower
end of the market. Our advice
would be to pick one of the
other products in this test.
8e6 TECHNOLOGIES
Product X-Stop
Installation ★★
Management ★
Documentation ★★★
Performance ★★★
Overall rating ★★
BALTIMORE
WEBSWEEPER 4
Deals with the threats of the internet,
without blindly denying access to all sites
WEBsweeper isn’t really about
URL filtering. The product looks
at web page content and makes
decisions based on that. For
example, e-mail is a common
threat to a company, but web-based e-mail is often ignored.
WEBsweeper checks the
content of forms as they’re submitted and ensures that company policy is not broken. The
only thing it can’t check is the
content of SSL sites. However,
using proxies such as SafeWeb
won’t fool the software (see
user tricks box on page 18).
WEBsweeper works by sitting between the users and the
internet. Before a user can
access any web page it is
checked for content. Only
when a page passes the checks
is it passed onto the user. Typically this means that web pages
are a few seconds slower in
downloading.
WEBsweeper has been
around for a while, but version
4 is a massive departure from
previous incarnations. This
will come as a relief to anyone
who played with version 3,
which was difficult to get working.
The main advancement is
the way the software works.
Previous versions needed a
third-party proxy server to
work, which could be difficult
to set up. Version 4 still supports
this operating mode, but can
also act as a proxy server as well.
[Figure caption: WEBsweeper is different to traditional URL filtering but has something to offer]
Another big change is the
management console, which
drags WEBsweeper into line
with MIMEsweeper. Running
under MMC it gives access to
the rules mechanism of the software, which conceptually follows the other Baltimore
products.
The concept is simple – web
traffic passes through a list of
scenarios that classify the traffic
according to user-defined classifications.
From here the classification engine springs into
action. Each defined classification has a list of rules that specify what should be done. The
offending site could be blocked
with a custom error page while
the administrator is alerted via
e-mail.
The software has a large
range of checks that can be used
to classify traffic and it’s not
hard to build up a profile to
deny all unwanted surfing.
Each scenario has three different checks that can be performed – URL list, text search
and the Platform for Internet
Content Selection (PICS).
Trustworthy and legitimate
This is a system that categorises
sites based on submissions of
the web master. For the most
part this is an honour system,
but as most legitimate pay sites
follow the rules it makes sense
to check for it.
Obviously, not everyone is
trustworthy, so simple URL
blocking is provided. However,
Baltimore does not provide
URL list updates and it’s quite
difficult to block. The next best
option is to use the text search.
BALTIMORE
Product WEBsweeper
Installation ★★★★
Management ★★★★★
Documentation ★★★
Performance ★★★★
Overall rating ★★★★
This option looks for key
phrases on a website. Each
phrase has a score, which is
added to the total for the web
page every time that phrase
appears. If the final tally
exceeds the pre-defined score
limit then the web page is
blocked. Fine tuning this system takes some time and you
might get a lot of false-positives
in the meantime.
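
The scoring scheme described above, as an added example (not Baltimore's code or configuration format): each phrase adds its score once per occurrence, the page is blocked when the tally exceeds the limit, and a small labelled sample set shows how a first-draft phrase list produces a false positive that tuning removes. The phrases, scores, limit and sample pages are all constructed for illustration.

```python
import re


def score_page(text, phrase_scores):
    """Add a phrase's score once for every occurrence of it in the page."""
    total, hits = 0, {}
    for phrase, score in phrase_scores.items():
        # Whole words, any case, any whitespace between the words.
        pattern = r"\b" + r"\s+".join(map(re.escape, phrase.split())) + r"\b"
        count = len(re.findall(pattern, text, flags=re.IGNORECASE))
        if count:
            hits[phrase] = count
            total += count * score
    return total, hits


def classify(text, phrase_scores, limit):
    """Block only when the tally exceeds the limit."""
    total, hits = score_page(text, phrase_scores)
    return ("block" if total > limit else "pass"), total, hits


def evaluate(samples, phrase_scores, limit):
    """Run labelled sample pages; return (false_positives, false_negatives)."""
    false_pos, false_neg = [], []
    for name, text, should_block in samples:
        verdict = classify(text, phrase_scores, limit)[0]
        if verdict == "block" and not should_block:
            false_pos.append(name)
        elif verdict == "pass" and should_block:
            false_neg.append(name)
    return false_pos, false_neg


# Constructed sample pages: (name, page text, should it be blocked?)
SAMPLES = [
    ("gambling-site",
     "Casino night! Free spins on every slot. Place your bet now, "
     "free spins daily.", True),
    ("news-article",
     "The regulator fined the casino operator. Casino licences are "
     "reviewed yearly and the poker room was closed; a second casino "
     "is under review.", False),
]
LIMIT = 40
# First draft scores single ambiguous words too highly.
FIRST_DRAFT = {"poker": 10, "casino": 15, "free spins": 25, "place your bet": 20}
# Tuned list keeps weight on the multi-word phrases.
TUNED = {"poker": 5, "casino": 5, "free spins": 25, "place your bet": 20}

if __name__ == "__main__":
    for label, scores in (("first draft", FIRST_DRAFT), ("tuned", TUNED)):
        print(label, evaluate(SAMPLES, scores, LIMIT))
```

Re-running `evaluate` over a fixed set of known-good and known-bad pages after every score change is what keeps the tuning from trading one false positive for a missed block.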
Once all definitions are in
place, a schedule is applied. In
addition to categorising data,
other scenarios exist for protection. Examples include blocking mobile code – JavaScript,
ActiveX – executable files and
virus scanning downloads.
A major consideration with
this software is the size of the
machine that it will run on. As
analysis is performed on each
transaction, the server has to
store items in order to virus
check them. If the internet connection is particularly busy
then this can have a big effect on
surfing speed.
Overall, the software has a
place alongside the traditional
URL filtering software on the
market. Its strength lies in dealing with the other threats of the
internet, not just blindly denying access to all sites. It would
be good to see SSL support, but
even without that it has something to offer.
CONCLUSION
URL filtering has come a long way since
we first reviewed it a few years back,
which makes picking the winning products
difficult. However, we think that two
products particularly stood out from the
crowd.
Our Editor’s choice award goes to
SurfControl. Since pushing the technology
before it became popular, it has rolled out
solidly-performing software. It’s easy to
use, but this never gets in the way of
functionality. As it doesn’t rely on third-party software, it will suit almost any environment.
Our Recommended award goes to Websense. Again this
is a simple to use piece of software, and very powerful. It
doesn’t have standalone support, but does support the
largest range of third-party products in this test. This
ensures it fits seamlessly into the existing infrastructure.
REPRINTED FROM NETWORK NEWS 1ST AUGUST 2001 © VNU BUSINESS PUBLICATIONS 2001
WWW.VNUNET.COM