Web filtering is problematic at best, but iPrism puts up a solid defense.
iPrism
Redmond Rating

Category                    Weight   Score
Installation/Ease of Use    10%      10.0
Documentation               10%      10.0
Management Interface        20%      10.0
Hack Resistance             10%       2.0
Value                       10%       7.0
Performance                 20%       8.0
Feature Set                 20%       9.0
Overall Rating                        8.3

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Who can forget the giddy heyday of Napster? You could download almost any song
or video you wanted. The magic wasn't in the Napster servers, though. It was
in the notion of peer-to-peer (P2P) workstations spread across the globe, sharing
content without any payment changing hands.
Napster was the arbiter of a large group of people rallying against the idea
of paying someone for songs or videos. Great idea, until the music industry
stepped in to shut them down. Smarting from a solid drubbing by big-city lawyers,
Napster is now a toned-down, obedient, pay-for-play music service.
That same P2P notion -- only this time, I fear, one with teeth -- is embodied
in those who seek to banish any form of Web censorship. They don't like to be
blocked from the myriad questionable sites such as pornography, dating/mating,
racial supremacy and other oddities.
Why Java?
The iPrism runs Java and uses Java software for its management interface. My
only question is: Why? Apart from the fact that it's a pain to code, there are
two reasons why I don't much care for Java:
• It's a pig. Java has a tendency to dominate any CPU cycles it can get. In
iPrism's case, I found the box to be robust despite this tendency -- no doubt
because Windows wasn't competing for cycles as well. (Java and Windows together
reminds me of two obese people competing with one another at an all-you-can-eat
buffet.)
• It's hard to create an elegant interface with Java. It ain't Vista or the
Mac. You can spot a Java interface a mile away because they're always ugly.
The font's weird, the buttons have a half-baked shading element that only
partially convinces you they're 3-D and so on.
The Java Web Start (JWS) software required for you to use your browser to
manage your iPrism(s) is, at a minimum, an annoyance to have to download and
install. It could conceivably be a security risk itself. That being said, the
iPrism is the first Java-centric box I've messed around with that I really
liked. --B.H.
The anti-censorship crowd has weapons in its arsenal against which those in
the security business have no practical offense or defense. You could say that
Web filtering is akin to the U.S. military fighting insurgents. We don't understand
the mentality behind their efforts and have no solid offensive or defensive
mechanisms apart from brute force -- which doesn't always work well. They just
keep coming.
Hope Springs Eternal
All is not lost. Lest I sound like a complete downer, it's important to state
this up front: St. Bernard Software has developed a wonderful product in its
iPrism Web-filtering appliance. I really like this box -- never mind that it
runs Java or that it has a gaping back door.
The iPrism is easy to install, configure and put into production, and the price
is moderate (the iPrism M1200 costs $3,490 for 150 seats -- 23 bucks and change
per seat). The unit actually goes out and updates its URL filtering list on
a routine basis without having to be told to do so.
You can configure the iPrism to work as an edge device or as a proxy (which
is how I used it) that communicates with your edge firewall. There's nothing
complicated about setting it up for either topology. The customer service department
is top notch and the documentation is comprehensive and easy to understand.
You can also configure the iPrism to work with other iPrisms -- a feature I
especially like because of the multiple locations inherent in today's enterprises.
The device is Active Directory-aware and supports Windows authentication. When
the software said it was going to go out and create a machine account for the
iPrism to use, it actually did that with no hassles or disappointments.
I had the device up and running in less than an hour. No sweat. The iPrism
appliance and its accompanying software really work. When a user attempts to
log onto an unauthorized URL, they'll get a message stating that they were blocked.
Figure 1. You can configure multiple iPrism systems to coexist and cooperate.
Setting up the iPrism in proxy mode could be more difficult for a lot of users,
because each user has to have his or her browser's LAN connection setting updated.
You first have to create a rule that lets only your iPrism(s) hit the Web through
port 80 or 443. You redirect your users' browsers to the iPrism's address, port
3128. The documentation helps you make adjustments for Internet Explorer and
Mozilla. Redirection worked fine with Opera 9 as well.
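As an added example (not code from the article or from St. Bernard Software), here is a small audit of the proxy-only egress rule just described: it reads constructed firewall log lines and flags internal hosts that were allowed straight out on port 80 or 443 instead of reaching the iPrism on port 3128. The iPrism address, the client addresses and the log format are assumptions; the ports are the ones the text names.

```python
import ipaddress
import re
from collections import Counter

# Constructed values: the iPrism's internal address and the ports named in
# the text (80/443 allowed only for the iPrism, 3128 for client browsers).
IPRISM_ADDR = ipaddress.ip_address("192.0.2.10")
WEB_PORTS = {80, 443}
PROXY_PORT = 3128

# Constructed firewall log format: src=… dst=… dport=… action=ACCEPT|DROP
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

# Constructed sample log: one proxied client, one host bypassing the proxy
# twice, one host correctly dropped by the egress rule.
SAMPLE_LOG = """\
src=192.0.2.10 dst=198.51.100.7 dport=80 action=ACCEPT
src=192.0.2.55 dst=192.0.2.10 dport=3128 action=ACCEPT
src=192.0.2.77 dst=198.51.100.9 dport=443 action=ACCEPT
src=192.0.2.77 dst=198.51.100.9 dport=443 action=ACCEPT
src=192.0.2.88 dst=198.51.100.12 dport=80 action=DROP
"""

def parse_log(text):
    """Yield (src, dst, dport, action) for every line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                   int(m.group(3)), m.group(4))

def audit_egress(text, proxy_addr=IPRISM_ADDR):
    """Count ACCEPTed connections to 80/443 from any host other than the iPrism.
    Each hit is a gap in the rule that should let only the iPrism hit the Web."""
    bypass = Counter()
    for src, _dst, dport, action in parse_log(text):
        if action == "ACCEPT" and dport in WEB_PORTS and src != proxy_addr:
            bypass[str(src)] += 1
    return bypass

def proxied_clients(text, proxy_addr=IPRISM_ADDR):
    """Return the hosts seen reaching the iPrism on port 3128, i.e. correctly redirected."""
    return {str(src) for src, dst, dport, action in parse_log(text)
            if dst == proxy_addr and dport == PROXY_PORT and action == "ACCEPT"}

if __name__ == "__main__":
    print("bypassing proxy:", dict(audit_egress(SAMPLE_LOG)))
    print("proxied clients:", sorted(proxied_clients(SAMPLE_LOG)))
```

Hosts reported by audit_egress are the ones whose browsers (or firewall exceptions) still let them around the iPrism, which is where to look when the filter appears not to apply.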
Figure 2. iPrism routinely and automatically updates its Filter List page.
Using the iPrism as an edge device is even simpler. It has two ports -- one
for the Web and one for the internal network. Plug-and-play doesn't get any
easier. A quick DHCP configuration change (or some other IP magic trick) and
your users are pointed at the iPrism and blocked (see Figure 3).
Figure 3. Busted! This is the screen users will see when they try to access a blocked site.
You manage the iPrism in one of two ways. You can install the management software
tool or run it within your browser -- provided you have the Java Web Start (JWS)
software installed. In either case, simply navigate your browser to the internal
iPrism address and the initial entry page prompts you with the links needed
to download and install the software -- very slick.
The left-hand side of the console has configuration element buttons (Users,
Access and so on). Once you've clicked a configuration element, you're presented
with tabs and configuration settings screens for that particular element. Overall,
the interface is intuitive and easy to use.
Backdoor Man
During my review, I forgot the password to get into the iPrism management
console. I wrote customer service and they quickly and politely wrote me back
with a very simple workaround.
The product ships with a serial cable. Just plug into the serial port on the
back of the iPrism, set your laptop HyperTerminal session to 9600,N,8,1. You'll
contact a FreeBSD screen that lets you change the password in just a couple of
steps. Here's my problem with that: If the iPrism is sitting in an open
environment where a technologically savvy and ethically lacking person has
access, you may find the device compromised.
Most rack-mounted devices like this live in secure data centers. Nevertheless,
I was surprised with the ease with which I could backdoor in and update the
administrator password. Better to have the iPrism be forced back to factory
defaults on a hard reset than to have such a back door. Isn't this how switches
and routers work? In this case, I suspect St. Bernard went out of its way to
make things easier for the admin. Bravo for that, but it may be a bit much.
--B.H.
So, here's my issue with the iPrism and its Web-filtering cousins: Where there's
a will, there's a way. My users -- a group of technology students with a strong
desire to get around any obstacle -- were happily working around the iPrism
within five or 10 minutes. They contacted PeaceFire and hooked up with an anti-censorship
proxy avoidance site (called a "circumventer site") -- of which there
are hundreds.
Here's how that works. Want to get to MySpace, but the iPrism won't let you?
Just navigate to www.peacefire.org,
set yourself up for a regular e-mail blast of the latest circumventers and then
use the circumventer site as your destination. The site retrieves any pages
you want, disguising them as a URL that shouldn't be blocked so the iPrism (and
competing Web-filter software products) doesn't bother trying to keep you from
your illegal surfing.
The circumventer sites come and go, so they're very difficult to hunt down
and eradicate. Web filters know about some of them, but there are always new
ones. As we've learned from combat, an army of thousands of individuals operating
alone is much harder to defeat than an army of millions working as a single
organization. You're not going to win the circumventer site war by simply blocking
URLs.
Parting Shots
If I were in the market for an enterprise-class Web-filtering product, I would
give the iPrism strong consideration. I like the fact that it's an appliance,
as opposed to being software-only. I don't have to dedicate a server to it,
and I can easily get it up and running without a lot of hassles. Of course,
the fact that it's an appliance means that if it breaks the whole shooting gallery
is down for the count. Nevertheless, I think appliances trump software in the
Web-filtering game.
The iPrism software is well-engineered. It's clearly geared toward a Windows
crowd (never mind that it's Java-based). I especially like that it natively
interfaces with AD and Windows user authentication. The iPrism is a well-crafted
box from both the software and hardware perspective.
The fact that you can have several iPrism boxes play together is very ISA-like
and will go over well in those shops where administrators have a lot of outlying
locations. Unlike an ISA box (which requires add-in Web-filtering software),
the plug-and-play nature of the iPrism makes it an ideal fit for typically unmanned
remote-server locations. Remote management is no big deal with the management
console software or via the Web.
If only I'd been able to plug in this box and not have any users, regardless
of their technical prowess, find a workaround. Until the Web-filtering industry,
including St. Bernard Software, is able to put down a hard foot, I'm afraid
Web filtering as a technology is not everything it should be.