1 AUGUST 2001 NETWORK NEWS technology

Web filtering benchtest

Internet under control

Web filtering software can help to speed up employee productivity and internet connections, as well as giving network managers peace of mind, says David Ludlow

It’s not always paranoia if you think your users are up to something. And you can bet that the corporate internet connection isn’t full of work-orientated traffic. Instead you’re likely to find users browsing the web as they see fit.

The problem with this is threefold. First, the internet connection is slower for genuine work traffic. Second, employees can be downloading offensive or illegal materials, which you as the administrator could be held liable for. Finally, there’s a loss of productivity associated with this kind of activity.

It’s clear that browsing at work should be restricted, which is where web filtering comes into play. The majority of products in this test work by restricting access based on URL. The list of URLs is categorised by the software vendor and, like AV software, regularly updated. So, while the software will miss the brand new sites it’s still enough of a deterrent to cut back on uncontrolled surfing.

Company secrets

The last product, WEBsweeper from Baltimore, is designed to work on a different principle and check the actual content being downloaded. This, for example, can be used to check the contents of a web-based email form to make sure that no company secrets are being sent out via this often unchecked service. This kind of software can be used in conjunction with standard URL filtering to give more complete protection.

SURFCONTROL SUPERSCOUT

The guide to acceptable use policies is useful even if you decide not to buy

SurfControl SuperScout will fit into many different environments, as it doesn’t necessarily need a third-party proxy server to work. While the usual suspects – Microsoft ISA and Proxy and Checkpoint – are supported, the product will also operate in promiscuous mode. This works by ‘sniffing’ the Lan for web traffic and resetting connections for traffic destined for banned websites.

Of course, for this to work properly you need to make sure that the server is located on the main throughway to the internet gateway. This can be achieved by setting up a spanning port on the switch that the gateway is connected to. Fortunately, these points are covered in the installation documentation.

Once the software is in place, the obvious thing to do is set up an acceptable use policy. SurfControl provides a free guide to help you achieve this. It’s even useful if you decide that SuperScout isn’t the product for you.

Assuming that you know what you want to enforce, there are two main programs used to control operation – rules administrator and monitor. Monitor records all the surfing going on in the building and who’s visiting where. As a standalone tool this is very useful. In fact, some companies make a living out of just providing this side of the equation.

Once the data has been collected there’s a huge number of reports that can be generated to show exactly what’s happening on the network. For example, you can see who’s doing the most browsing or to how many sites users have been denied access. This kind of information is useful when it comes to refining, or creating, the acceptable use policy.

The next stage is to use the rules administrator to put this information to use. Fortunately, it’s a breeze to do this. The rules created are akin to those used in a firewall and are made up of four elements – who, where, when and notify.

Who’s who

Before rules can be created, these elements need to be completed. For example, the who section needs elements to identify a single browser. This can be host name, IP address or user name. Anything monitored is automatically imported by the rules administrator. Once you have your list of users or machines, it’s possible to group them together in a who list. This is useful for creating policies based on work groups, such as sales or marketing.

A similar process is carried out for the where elements. The noticeable difference is that there’s already a list of categorised websites. These relate to the URL database, which is automatically updated through the scheduler software. For the most part it’s easier to work with entire categories, such as ‘Adult/Sexually Explicit’.

The when section is used to create time blocks. For example, you could create a time block that represents the working day. Finally, notify sets up who to send e-mail notifications to.

Once this is complete, rule creation is laughably easy – drag the elements you want into the rules window and select to allow or deny the rule. So dragging the ‘Sales’ work group, ‘Adult’ category and ‘Work Hours’ time block into the window and selecting deny does exactly what you think it will. This component-based method of rule generation makes it easier to update the acceptable use policy as time goes on.

The only thing to be aware of is the order in which the rules execute. Like a firewall, rules operate in list order. No rule further down the list can override a rule further up the list. As a result, a rule designed to block all access to all websites that appears first in the list will deny all users no matter what another rule says. Fortunately, the software automatically warns if such a general rule is created. We’d suggest that the rules at the top of the list should be the very precise ones, while the more general rules should sit at the bottom.

Overall, this remains one of the best pieces of software on the market for filtering URLs. A lot of work has gone into making it easy to use, while not losing any of the power behind the product.

SURFCONTROL SuperScout ratings: Installation ★★★★; Management ★★★★★; Documentation ★★★★; Performance ★★★★; Overall rating ★★★★★

[Figure: SurfControl is one of the best pieces of URL filtering software on the market]
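The list-order behaviour described above, as an added example (not code from SurfControl or from the original article): a first-match evaluator over who/where/when rules, plus a check for rules that an earlier, more general rule makes unreachable. The `Rule` fields, the `*` wildcard, the default action, the 'Business' category and the 09:00 to 17:30 time block are assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import time

ANY = "*"  # wildcard for an element (an assumption of this sketch)

# Constructed time block standing in for the article's 'Work Hours'.
WORK_HOURS = (time(9, 0), time(17, 30))


@dataclass(frozen=True)
class Rule:
    who: str        # work group, or ANY
    where: str      # URL category, or ANY
    when: object    # (start, end) time block, or ANY
    action: str     # "allow" or "deny"


def _in_block(block, t):
    return block == ANY or block[0] <= t < block[1]


def matches(rule, group, category, t):
    return (rule.who in (ANY, group)
            and rule.where in (ANY, category)
            and _in_block(rule.when, t))


def decide(rules, group, category, t, default="allow"):
    """First match wins, as in a firewall. Returns (action, rule index).

    The default for unmatched requests is an assumption; the article
    does not say what the product does when no rule matches.
    """
    for index, rule in enumerate(rules):
        if matches(rule, group, category, t):
            return rule.action, index
    return default, None


def _covers(general, specific):
    """True if every request `specific` matches is also matched by `general`."""
    def element(g, s):
        return g == ANY or g == s

    def block(g, s):
        if g == ANY:
            return True
        if s == ANY:
            return False
        return g[0] <= s[0] and s[1] <= g[1]

    return (element(general.who, specific.who)
            and element(general.where, specific.where)
            and block(general.when, specific.when))


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:j])]


# General rule first: everything below it is dead.
BAD_ORDER = [
    Rule(ANY, ANY, ANY, "deny"),
    Rule("Sales", "Business", ANY, "allow"),
]

# Precise rules first, general rule last, as the review suggests.
GOOD_ORDER = [
    Rule("Sales", "Adult", WORK_HOURS, "deny"),
    Rule("Sales", ANY, ANY, "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
    print("shadowed in GOOD_ORDER:", shadowed(GOOD_ORDER))
    print(decide(GOOD_ORDER, "Sales", "Adult", time(10, 0)))
    print(decide(GOOD_ORDER, "Sales", "Adult", time(20, 0)))
```
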
FUTURESOFT DYNACOMM I:FILTER

It’s easy to keep a watchful eye on the network without really having to do a lot

The DynaComm i:filter from FutureSoft is similar in operation to SurfControl’s SuperScout. It sits on the local network and ‘sniffs’ web connections. When it finds a request being made to a site that is blacklisted, it resets the TCP connection and sends a denied page to the offending machine.

However, this is the only mode that the product can work in. If you have a proxy server in place, then i:filter will not work in conjunction with it. In addition, it’s not as easy to get up and running as other products in the test. After the basic installation – which takes an age – the software is still not ready to run. A promiscuous mode network driver has to be installed so that the product can perform its job. This driver has to be installed manually from the installation directory, which requires another reboot of the machine.

There are two main applications that can be used to enforce the acceptable use policy – Bloodhound and the management console.

Redundant Bloodhound

Bloodhound is designed as a monitoring program to see what’s happening on the Lan. However, it’s not actually that useful. It will only display a list of websites that have been visited since it started. Current state information is lost on closing the application. On top of this, it can’t be used to directly generate any reports. This is performed through the management console, making Bloodhound a mostly redundant tool.

Fortunately, things get better with the management console. Visually, it follows the design layout of the Microsoft Management Console (MMC). All of the product features are listed in a tree menu running down the right-hand side of the screen, while options for each feature are displayed in the main window.

The first task is to import network monitors into the console to be told which policy to enforce. This is a mission in itself. It’s not just a matter of telling it which machines have the software installed. The monitor also needs to be told which network addresses it is to monitor. This requires typing the network address and its type (A, B or C) as the number of bits that represent its size. For example, a class C network has a 24-bit number representing the number of available nodes on that network.

The product is based around rules. A rule states if an action is allowed or denied and who, when and where it applies to. This does require some basic work to populate the software with data relating to the local network. If you want to create rules based on individual machines then you need to input that data. Unfortunately, this doesn’t accept user names as only Netbios, IP or Ethernet addresses are supported.

The software does come with some good defaults in place. The setup comes with time-intervals that describe work hours and out of work hours and these can be used inside a rule to let users browse unproductive websites outside of work. Setting up new time intervals is an easy process using a time grid. Each square represents one hour of the day and each day of the week is represented.

The next step is to select which websites a rule applies to, which is helped by the category definitions. These relate to the contents of the URL database – called the destinations database internally. There’s a category to describe most activities on the web so it’s easy to enforce the policy that you’ve created.

Updates to the database are performed according to the manually set-up scheduler task. The scheduler can also be used to gather logs from multiple network monitors and to generate reports. There are a lot of canned reports available, so it’s no problem keeping a watchful eye on the network without really having to do a lot of work.

Overall, the software does do the job properly, but it’s not quite as intuitive as other products.

FUTURESOFT DynaComm i:filter ratings: Installation ★★; Management ★★★★; Documentation ★★★; Performance ★★★; Overall rating ★★★

[Figure: i-filter comes with good defaults in place, but is not particularly intuitive]

ST. BERNARD IPRISM

Easy to set up and the appliance’s profiles are a good way to manage access

The iPrism is one of the only appliances for web filtering on the market. The rationale behind this is that it’s easier to set up and manage – and firewalls moved the same way.

Updates to the URL database are performed daily. St. Bernard is particularly proud of the method used to search out new URLs, which the company calls I-Guard. Spiders crawl the web and check sites for content, automatically categorising them. On top of this, the human touch is applied with a team of people who check out the URLs as they come in. This ensures that categorisation is correct.

The actual product comes as a 1U-high bright-purple box and is similar in appearance to a firewall thanks to the dual network interfaces labelled ‘Internal’ and ‘External’ respectively. The box then acts as a proxy server for all web traffic. However, the physical interfaces don’t have the standard lights to show the link status. This potentially can make it difficult to tell if the device is connected to the network properly.

Once connected, the setup is designed to be as quick and easy as possible. The box comes configured with a default IP address. The Java-based management software can then connect to this and input a proper configuration. This first connection is basically to get the device visible on the local subnet and to set how the interfaces will be seen. The easiest option is to go for the bridging option where the device sits between the local network and the firewall. This installation doesn’t require any client-side configuration. Once this basic configuration is applied, the job falls to enforcing the local acceptable use policy.
The first step to rule generation is to understand how the box works internally. At the top level are content categories, with sub-categories inside. For example, there is a sex category that has the sub-categories nudity and pornography.

Controlling categories

The categories are quite broad and cover all ranges of internet use including health, recreation and business. All updates to the URL database, automatically retrieved on a daily basis, are downloaded into these categories. Categories are then used inside profiles to determine which sites are blocked and which are allowed. A profile contains an access control list (ACL) that states if each subcategory should be allowed, monitored or denied. A profile can contain multiple ACLs, which becomes useful when combined with the time override feature. We told the system to block all pornographic sites using one ACL, while we told another to block all shopping sites during the day, but to allow them after work hours.

This kind of scheduling has a graphical interface. A grid of squares, each one representing 15 minutes, is used to highlight when the ACL is enforced. Each ACL in a policy is represented by a different colour, which can get confusing when multiple ACLs overlap. Part of the problem lies with the Java interface, which is not very stable running under IE. In fact, St. Bernard ships a copy of Netscape 4.7 on the provided CD along with the Java virtual machine.

After a profile has been created it needs to be attached to the physical object. Two choices exist – network or user. If the network option is taken then any device within a given range of IP addresses falls prey to the profile. Alternatively, by creating a list of users, each user can have their own profile that overrides the basic network profile. If this is the case, then the most secure option is to have one network profile that denies all web access and user profiles that map to real profiles. The only thing to watch out for with user profiles is that the proxy server setting has to be turned on in each user’s browser for the authentication to work. We also had the problem that we couldn’t create user groups, only single users. The only way to get round this restriction is to pass all authentication requests onto an LDAP server instead.

Denied page problems

The system is packed full of options to allow it to be customised. Even with the I-Guard technology there will be cases where certain websites will be missed by the software. If the administrator should discover one, then they can enter this into the software. The only thing difficult to deal with is the denied page, which is displayed every time a user tries to access an unproductive site. The box gives the option to put some contact details on the bottom of the default page, or to give the URL of the denied page. We’d have liked this customisation to be available directly on the box.

Overall, while the interface gave us some problems, the appliance is easy to set up. The profiles are a good way to manage access, as they’re a customisable method of locking down the box.

ST BERNARD iPrism ratings: Installation ★★★★; Management ★★★; Documentation ★★★; Performance ★★★★; Overall rating ★★★★

[Figure: St. Bernard’s iPrism is packed full of options which allow it to be customised]

TABLE OF RESULTS

Company | Website | Contact no | Price | Installation | Management | Documentation | Performance | Overall
SURFCONTROL SuperScout | www.surfcontrol.com | 01260 296150 | £955 | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★★
FUTURESOFT Dynacomm i:filter | www.futuresoft.com | 01260 292222 | £1800 | ★★ | ★★★★ | ★★★ | ★★★ | ★★★
ST. BERNARD iPrism | www.stbernard.com | 01276 609717 | £2000 | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★
WEBSENSE Enterprise 4.3 | www.websense.com | 0870 4581113 | £1645 | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★
8e6 X-Stop 4.5 | www.8e6technologies.com | 020 83993111 | £885 | ★★ | ★ | ★★★ | ★★★ | ★★
BALTIMORE WEBsweeper 4 | www.baltimore.com | 0118 9301300 | £1260 | ★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★★

WEBSENSE ENTERPRISE 4.3

‘Intelligent’ software is comprehensive, while remaining easy to use

WEBSENSE Enterprise 4.3 ratings: Installation ★★★; Management ★★★★; Documentation ★★★; Performance ★★★★; Overall rating ★★★★

[Figure: Websense’s Enterprise console - and the way it works - is easy to understand]

Websense Enterprise has the biggest supported range of third-party servers in this test. Microsoft, Netscape and even NetScreen firewalls and CacheFlow products are amongst the choice. However, the software does not have a standalone version and needs one of these products to work.

Despite this, there is no direct need for the Websense server to sit on the same machine as the proxy server. It’s quite happy just communicating, although this will obviously generate more network traffic. The choice for position is likely to come down to the size of the network and the number of users that need to be supported.

Once installation is complete, a server can be managed anywhere on the network via the Websense manager. The first time the manager connects to a new server it requests that a new password is entered to lock configuration. After this anyone connecting to the server must provide the password.

We found the console, and the way it worked, easy to pick up. As with other software in this test, policies are built around components, such as who, when and where. Inside Websense it’s best to start defining who to block, which can be done on four levels – user, group, workstation or network.

The user and group level lets the administrator personalise the level of filtering in very fine detail. Users can be imported from either an LDAP or Windows-based server. Groups are a method of tying users together in a logical order. Workstations and Networks are more usefully defined for general rules to pick up the slack where users don’t exist.
So if you want to use a network rule to block all sites, this will prevent people without a username and password from surfing the web.

Once these entries have been populated, policies to control them need to be put in place. These define the times and days that the policy is in place and which sites to block and allow. This choice comes from picking a category set. The software comes with default sets to allow or deny all sites, but user-defined lists can be created to match the acceptable use policy. This involves choosing from a list of categories to allow or deny.

Categories are also split into sub-categories, so rules can either be applied to the top level or individually down the list. For example, under ‘Information Technology’, ‘Web Hosting’ could be allowed, while ‘Hacking’ is denied. Multiple category sets can be attached to a policy, triggered to operate at different times. Each user, group, workstation and network needs to have a policy selected from the drop-down list.

A neat feature of the software comes from entering in user URLs. This kind of entry typically appears in its own category and is then uniformly blocked. Fortunately, this software is a little more intelligent.

Daily updates to the database

Any custom URLs are entered into the existing category structure allowing them to immediately take part in existing policies. Of course, you don’t have to do this too often, as Websense updates the URL database daily and the default scheduling will download the new database overnight. While this suits most environments, the schedule can be modified.

The same server configuration screens are also used to enter in an e-mail address of an administrator. This is used for notification if the local policy is broken.

Overall, the software is comprehensive while remaining easy to use. However, the lack of standalone support means it won’t be suitable for smaller networks without this kind of equipment.

8E6 TECHNOLOGIES X-STOP 4.5

Looks dated and there are no online help files. Pick a different product

X-Stop from 8e6 Technologies manages to squeeze all of its functionality into a 1.9MB installation file. The reason for this became painfully obvious when we installed the software and found that there’s not a lot to it.

Management revolves around a single application running on the host machine. It looks very dated and doesn’t even have simple functionality, such as online help files. Instead the manual will have to be used on many occasions, as the purpose of some features in the console is not immediately obvious.

The application consists of one window with multiple tabs used to set the program’s options. The first tab is used to define default actions for the software should any other profile not match. The default setting will deny requests made to all web pages stored in the local library – not all requests – but can be modified if necessary. The best bet is to leave this section in place and muddle through the more detailed profiles.

These profiles can work on a network or domain basis. The network choice is just a list of IP addresses, while the domain basis can drill down to the NT Domain user level. This is probably the better choice as it gives more control over settings. Once the profile has been created, the website categories associated with the profile need to be set. This is through the use of simple tick boxes, which can be irritating if a lot of profiles have to be created.

White list websites

For each category chosen there are multiple options to choose: blocking, monitoring or white list. After scouring through the manual we found out that white list specifically allows a website. The manual also states that this option can be used to create a white list of acceptable websites – provided you can be bothered to type them all in.

Each profile can also have a schedule attached to it, but it’s not easy to do. First, a category profile must be created. This states which categories of site are allowed or denied. Then a colour must be associated with the profile. The manual warns that white is the worst colour to pick; however, this is the default.

With the category profile in place, the original network or domain profile has to be edited again. Under the time options tab a grid is brought up, representing the entire week, day and time. Choosing the category profile from a drop-down menu selects it, and the grid can be filled in with its associated colour. It’s a long way round doing something that is essentially easy.

Unfortunately, easy is not a word we would associate with this software. For example, there are only three types of report that can be generated – showing which sites were visited, blocked or allowed. While the report can be made based on a single user, the administrator has to manually enter in data that relates to that particular user.

We also had trouble using the database editor. A dialogue box appears with a text entry box for the URL, a category selector and an add and remove button. However, when we selected a category and started typing, an error message appeared: ‘Unable to search. Search process failed! Please try again later’.

Overall, it’s difficult to rate a product like this when there are so many better choices on the market. It also needs third-party software to work so it’s not even suitable for the lower end of the market. Our advice would be to pick one of the other products in this test.

8e6 TECHNOLOGIES X-Stop ratings: Installation ★★; Management ★; Documentation ★★★; Performance ★★★; Overall rating ★★

[Figure: X-Stop’s tick boxes can be irritating if you have to create a lot of profiles]

BALTIMORE WEBSWEEPER 4

Deals with the threats of the internet, without blindly denying access to all sites

WEBsweeper isn’t really about URL filtering. The product looks at web page content and makes decisions based on that.
For example, e-mail is a common threat to a company, but web-based e-mail is often ignored. WEBsweeper checks the content of forms as they’re submitted and ensures that company policy is not broken. The only thing it can’t check is the content of SSL sites. However, using proxies such as SafeWeb won’t fool the software (see user tricks box on page 18).

WEBsweeper works by sitting between the users and the internet. Before a user can access any web page it is checked for content. Only when a page passes the checks is it passed onto the user. Typically this means that web pages are a few seconds slower in downloading.

WEBsweeper has been around for a while, but version 4 is a massive departure from previous incarnations. This will come as a relief to anyone who played with version 3, which was difficult to get working. The main advancement is the way the software works. Previous versions needed a third-party proxy server to work, which could be difficult to set up. Version 4 still supports this operating mode, but can also act as a proxy server.

Another big change is the management console, which drags WEBsweeper into line with MIMEsweeper. Running under MMC it gives access to the rules mechanism of the software, which conceptually follows the other Baltimore products.

The concept is simple – web traffic passes through a list of scenarios that classify the traffic according to user-defined classifications. From here the classification engine springs into action. Each defined classification has a list of rules that specify what should be done. The offending site could be blocked with a custom error page while the administrator is alerted via e-mail. The software has a large range of checks that can be used to classify traffic and it’s not hard to build up a profile to deny all unwanted surfing.

Trustworthy and legitimate

Each scenario has three different checks that can be performed – URL list, text search and the Platform for Internet Content Selection (PICS). PICS is a system that categorises sites based on submissions of the web master. For the most part this is an honour system, but as most legitimate pay sites follow the rules it makes sense to check for it.

Obviously, not everyone is trustworthy, so simple URL blocking is provided. However, Baltimore does not provide URL list updates and it’s quite difficult to block. The next best option is to use the text search. This option looks for key phrases on a website. Each phrase has a score, which is added to the total for the web page every time that phrase appears. If the final tally exceeds the pre-defined score limit then the web page is blocked. Fine tuning this system takes some time and you might get a lot of false-positives in the meantime. Once all definitions are in place, a schedule is applied.

In addition to categorising data, other scenarios exist for protection. Examples include blocking mobile code – JavaScript, ActiveX – executable files and virus scanning downloads.

A major consideration with this software is the size of the machine that it will run on. As analysis is performed on each transaction, the server has to store items in order to virus check them. If the internet connection is particularly busy then this can have a big effect on surfing speed.

Overall, the software has a place alongside the traditional URL filtering software on the market. Its strength lies in dealing with the other threats of the internet, not just blindly denying access to all sites. It would be good to see SSL support, but even without that it has something to offer.

BALTIMORE WEBsweeper ratings: Installation ★★★★; Management ★★★★★; Documentation ★★★; Performance ★★★★; Overall rating ★★★★

[Figure: WEBsweeper is different to traditional URL filtering but has something to offer]
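The text-search scoring described above, as an added example (not Baltimore's code): each phrase carries a score that is added on every occurrence in the page's visible text, and the page is blocked when the tally exceeds the limit. The phrase list, scores, limit and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed phrase scores and limit; a real deployment tunes these.
PHRASES = {"online casino": 40, "free spins": 30, "jackpot": 15}
SCORE_LIMIT = 100


class _VisibleText(HTMLParser):
    """Collects text a reader would see, skipping <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    # Collapse whitespace so a phrase split across tags still matches.
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def score_page(html, phrases=PHRASES):
    """Return (total, hits), where hits maps phrase -> (count, points)."""
    text = visible_text(html)
    hits = {}
    for phrase, weight in phrases.items():
        pattern = r"\b" + re.escape(phrase) + r"\b"
        count = len(re.findall(pattern, text))
        if count:
            hits[phrase] = (count, count * weight)
    total = sum(points for _, points in hits.values())
    return total, hits


def classify(html, limit=SCORE_LIMIT):
    """Block only when the tally exceeds the limit, as the review describes."""
    total, hits = score_page(html)
    return ("block" if total > limit else "allow"), total, hits


# Constructed sample pages.
GAMBLING_PAGE = (
    "<html><body><h1>Online Casino</h1>"
    "<p>Join our online casino for free spins. "
    "Free spins daily, jackpot every hour!</p>"
    "<script>var x = 'jackpot jackpot';</script></body></html>"
)
NEWS_PAGE = (
    "<p>Regulators fined an online casino today. The online casino "
    "misled players, and a second online casino is under review.</p>"
)

if __name__ == "__main__":
    for name, page in (("gambling", GAMBLING_PAGE), ("news", NEWS_PAGE)):
        verdict, total, hits = classify(page)
        print(name, verdict, total, hits)
```

The constructed news page scores 120 and is blocked at a limit of 100, the kind of false positive the review warns about; raising the limit to 150 lets it through while the gambling page, at 155, is still blocked.
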
CONCLUSION

URL filtering has come a long way since we first reviewed it a few years back, which makes picking the winning products difficult. However, we think that two products particularly stood out from the crowd.

Our Editor’s choice award goes to SurfControl. Since pushing the technology before it became popular, it has rolled out solidly-performing software. It’s easy to use, but this never gets in the way of functionality. As it doesn’t rely on third-party software, it will suit almost any environment.

Our Recommended award goes to Websense. Again this is a simple to use piece of software, and very powerful. It doesn’t have standalone support, but does support the largest range of third-party products in this test. This ensures it fits seamlessly into the existing infrastructure.

REPRINTED FROM NETWORK NEWS 1ST AUGUST 2001 © VNU BUSINESS PUBLICATIONS 2001 WWW.VNUNET.COM