Product Reviews

Right Gun...Wrong Ammo

Web filtering is problematic at best, but iPrism puts up a solid defense.

Who can forget the giddy heyday of Napster? You could download almost any song or video you wanted. The magic wasn't in the Napster servers, though. It was in the notion of peer-to-peer (P2P) workstations spread across the globe, sharing content without any payment changing hands.

Napster was the arbiter of a large group of people rallying against the idea of paying someone for songs or videos. Great idea, until the music industry stepped in to shut them down. Smarting from a solid drubbing by big-city lawyers, Napster is now a toned-down, obedient, pay-for-play music service.

That same P2P notion -- only this time, I fear, one with teeth -- is embodied in those who seek to banish any form of Web censorship. They don't like to be blocked from the myriad questionable sites such as pornography, dating/mating, racial supremacy and other oddities.

iPrism
REDMOND RATING

Installation/Ease of Use (10%)   10.0
Documentation (10%)              10.0
Management Interface (20%)       10.0
Hack Resistance (10%)             2.0
Value (10%)                       7.0
Performance (20%)                 8.0
Feature Set (20%)                 9.0
Overall Rating:                   8.3

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

Why Java?

The iPrism runs Java and uses Java software for its management interface. My only question is: Why? Apart from the fact that it's a pain to code, there are two reasons why I don't much care for Java:

• It's a pig. Java has a tendency to dominate any CPU cycles it can get. In iPrism's case, I found the box to be robust despite this tendency -- no doubt because Windows wasn't competing for cycles as well. (Java and Windows together reminds me of two obese people competing with one another at an all-you-can-eat buffet.)

• It's hard to create an elegant interface with Java. It ain't Vista or the Mac. You can spot a Java interface a mile away because they're always ugly. The font's weird, the buttons have a half-baked shading element that only partially convinces you they're 3-D and so on.

The Java Web Start (JWS) software required for you to use your browser to manage your iPrism(s) is, at a minimum, an annoyance to have to download and install. It could conceivably be a security risk itself. That being said, the iPrism is the first Java-centric box I've messed around with that I really liked. --B.H.

The anti-censorship crowd has weapons in its arsenal against which those in the security business have no practical offense or defense. You could say that Web filtering is akin to the U.S. military fighting insurgents. We don't understand the mentality behind their efforts and have no solid offensive or defensive mechanisms apart from brute force -- which doesn't always work well. They just keep coming.

Hope Springs Eternal
All is not lost. Lest I sound like a complete downer, it's important to state this up front: St. Bernard Software has developed a wonderful product in its iPrism Web-filtering appliance. I really like this box -- never mind that it runs Java or that it has a gaping back door.

The iPrism is easy to install, configure and put into production, and the price is moderate (the iPrism M1200 costs $3,490 for 150 seats -- 23 bucks and change per seat). The unit actually goes out and updates its URL filtering list on a routine basis without having to be told to do so.

You can configure the iPrism to work as an edge device or as a proxy (which is how I used it) that communicates with your edge firewall. There's nothing complicated about setting it up for either topology. The customer service department is top notch and the documentation is comprehensive and easy to understand. You can also configure the iPrism to work with other iPrisms -- a feature I especially like because of the multiple locations inherent in today's enterprises.

The device is Active Directory-aware and supports Windows authentication. When the software said it was going to go out and create a machine account for the iPrism to use, it actually did that with no hassles or disappointments.

I had the device up and running in less than an hour. No sweat. The iPrism appliance and its accompanying software really work. When a user attempts to reach an unauthorized URL, they'll get a message stating that they were blocked.

Figure 1. You can configure multiple iPrism systems to coexist and cooperate.

Setting up the iPrism in proxy mode could be more difficult for a lot of users, because each user has to have his or her browser's LAN connection setting updated. You first have to create a rule that lets only your iPrism(s) hit the Web through port 80 or 443. You redirect your users' browsers to the iPrism's address, port 3128. The documentation helps you make adjustments for Internet Explorer and Mozilla. Redirection worked fine with Opera 9 as well.
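The proxy topology described above has a failure mode worth watching for: a workstation whose browser was never repointed (or was repointed back) will try to reach the Web directly and, if the egress rule is right, be dropped at the firewall. The following is an added example, not code from the review or from St. Bernard Software; it parses constructed iptables-style log lines and reports any host other than the proxy opening direct connections on 80/443. The proxy address, the log format and the sample lines are assumptions.

```python
"""Flag workstations that reach the Web directly instead of via the proxy.

Assumed deployment (as in the review): only the filtering proxy may leave
the network on TCP 80/443; every browser is pointed at <proxy IP>:3128.
"""
import re
from collections import Counter

PROXY_IP = "10.0.0.5"      # assumed address of the iPrism (placeholder)
PROXY_PORT = 3128          # proxy listener named in the review
WEB_PORTS = {80, 443}      # ports only the proxy should use outbound

# Constructed iptables-style log lines for illustration (not real captures).
SAMPLE_LOG = """\
kernel: EGRESS SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=80
kernel: EGRESS SRC=10.0.1.22 DST=203.0.113.10 PROTO=TCP DPT=80
kernel: EGRESS SRC=10.0.1.22 DST=198.51.100.7 PROTO=TCP DPT=443
kernel: EGRESS SRC=10.0.1.40 DST=10.0.0.5 PROTO=TCP DPT=3128
kernel: EGRESS SRC=10.0.1.51 DST=198.51.100.9 PROTO=TCP DPT=8080
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")


def parse_line(line):
    """Extract source, destination, protocol and port; None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def is_proxy_bypass(flow):
    """True when a host other than the proxy opens a direct Web connection."""
    return flow["dport"] in WEB_PORTS and flow["src"] != PROXY_IP


def find_bypasses(log_text):
    """Return {source IP: count} of direct Web connections not from the proxy."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow and is_proxy_bypass(flow):
            hits[flow["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in find_bypasses(SAMPLE_LOG).items():
        print(f"{host}: {n} direct Web connection(s) bypassing the proxy")
```

A host that shows up here repeatedly is either misconfigured or trying to sidestep the filter, and either way deserves a look before the browser settings are trusted.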

Figure 2. iPrism routinely and automatically updates its Filter List page.

Using the iPrism as an edge device is even simpler. It has two ports -- one for the Web and one for the internal network. Plug-and-play doesn't get any easier. A quick DHCP configuration change (or some other IP magic trick) and your users are pointed at the iPrism and blocked (see Figure 3).

Figure 3. Busted! This is the screen users will see when they try to access a blocked site.

You manage the iPrism in one of two ways. You can install the management software tool or run it within your browser -- provided you have the Java Web Start (JWS) software installed. In either case, simply navigate your browser to the internal iPrism address and the initial entry page prompts you with the links needed to download and install the software -- very slick.

The left-hand side of the console has configuration element buttons (Users, Access and so on). Once you've clicked a configuration element, you're presented with tabs and configuration settings screens for that particular element. Overall, the interface is intuitive and easy to use.

Backdoor Man

During my review, I forgot the password to get into the iPrism management console. I wrote customer service and they quickly and politely wrote me back with a very simple workaround.

The product ships with a serial cable. Just plug into the serial port on the back of the iPrism, set your laptop's HyperTerminal session to 9600,N,8,1, and you'll get a FreeBSD console that lets you change the password in just a couple of steps. Here's my problem with that: If the iPrism is sitting in an open environment where a technologically savvy and ethically lacking person has access, you may find the device compromised.

Most rack-mounted devices like this live in secure data centers. Nevertheless, I was surprised with the ease with which I could backdoor in and update the administrator password. Better to have the iPrism be forced back to factory defaults on a hard reset than to have such a back door. Isn't this how switches and routers work? In this case, I suspect St. Bernard went out of its way to make things easier for the admin. Bravo for that, but it may be a bit much. --B.H.

So, here's my issue with the iPrism and its Web-filtering cousins: Where there's a will, there's a way. My users -- a group of technology students with a strong desire to get around any obstacle -- were happily working around the iPrism within five or 10 minutes. They contacted PeaceFire and hooked up with an anti-censorship proxy avoidance site (called a "circumventer site") -- of which there are hundreds.

Here's how that works. Want to get to MySpace, but the iPrism won't let you? Just navigate to www.peacefire.org, set yourself up for a regular e-mail blast of the latest circumventers and then use the circumventer site as your destination. The site retrieves any pages you want, disguising them as a URL that shouldn't be blocked so the iPrism (and competing Web-filter software products) doesn't bother trying to keep you from your illegal surfing.

The circumventer sites come and go, so they're very difficult to hunt down and eradicate. Web filters know about some of them, but there are always new ones. As we've learned from combat, an army of thousands of individuals operating alone is much harder to defeat than an army of millions working as a single organization. You're not going to win the circumventer site war by simply blocking URLs.

Parting Shots
If I were in the market for an enterprise-class Web-filtering product, I would give the iPrism strong consideration. I like the fact that it's an appliance, as opposed to being software-only. I don't have to dedicate a server to it, and I can easily get it up and running without a lot of hassles. Of course, the fact that it's an appliance means that if it breaks the whole shooting gallery is down for the count. Nevertheless, I think appliances trump software in the Web-filtering game.

The iPrism software is well-engineered. It's clearly geared toward a Windows crowd (never mind that it's Java-based). I especially like that it natively interfaces with AD and Windows user authentication. The iPrism is a well-crafted box from both the software and hardware perspective.

The fact that you can have several iPrism boxes play together is very ISA-like and will go over well in those shops where administrators have a lot of outlying locations. Unlike an ISA box (which requires add-in Web-filtering software), the plug-and-play nature of the iPrism makes it an ideal fit for typically unmanned remote-server locations. Remote management is no big deal with the management console software or via the Web.

If only I'd been able to plug in this box and not have any users, regardless of their technical prowess, find a workaround. Until the Web-filtering industry, including St. Bernard Software, is able to put down a hard foot, I'm afraid Web filtering as a technology is not everything it should be.

About the Author

Bill Heldman (www.billheldman.com) is an instructor at Warren Tech, a career and technical education high school in Lakewood, Colorado. He is a contributor to Redmond, MCP Magazine and several other Windows magazines, plus several books for Sybex, including CompTIA IT Project+ Study Guide.


Reader Comments:

Wed, Oct 7, 2009

This is one of the many reasons kids hate school.

Fri, Mar 20, 2009 Anonymous Anonymous

yeah screw you guys, give the kids freedom

Tue, Feb 19, 2008 Anonymous Anonymous

why do you people bother trying to block websites?
i know some aren't very school appropriate but let students have freedom to

Thu, Jan 3, 2008 Anonymous Anonymous

Mr. Heldman, you stated that your users within five or 10 minutes went to www.peacefire.org to bypass the iPrism. If you had blocked the anonymizer category, this site would not have been accessible. This does not stop users from going home and accessing the web site, but they should not have been able to do it from behind iPrism.

Tue, May 8, 2007 Anonymous Anonymous

Bill,
I must disagree. Physical access to a device conveys total control of that device. Simplifying the ability to reset the password is a good thing. I can reset the password of any Cisco device to which I have physical access, though in so doing I introduce a service outage, but after powering back up, I do not return to factory default. Any company with the resources to purchase any proxy should have at best a secured data center, and at worst, a locking rack, for any infrastructure. If they do not, then the 'technologically savvy and ethically lacking person' could just plug in in front of the proxy/firewall and do as they wish.
