Web-Filtering: Deal or No Deal?

It's a Web-savvy world out there, so getting the most out of any solution will require vigilance on your part.

Most Web-savvy kids know more about gaming sites, relationship sites, chat rooms, illegal downloading and hacker sites than I'll ever know. I teach computer science to 17- and 18-year-olds, so I see what they do. They're always surfing the Web to avoid the real stuff I'm trying to teach them.

In a previous life as an enterprise network administrator, I had a vested interest in keeping people away from Web sites they shouldn't be visiting. Web-filtering software was in its infancy in the late 1990s, so it wasn't all that effective.

Surely, it must have gotten better by now, with clever new ways of restricting access based upon policies, AD membership, IP addresses and other novel approaches to segmenting, isolating and categorizing groups. Here, we've tested some of the latest and greatest to check in on the state of the art.

Websense Web Security Suite
Websense Web Security Suite is first up in our test. The download for this well-known solution was massive. The installation was straightforward but intense. At one point, it issued a stern warning: "Do not hit the Finish button." Heed that installation warning. I jumped the gun and found that it really had not finished. Click the Finish button only after it notifies you it's done installing.

Websense Web Security Suite
REDMOND RATING
Documentation (10%): 6.0
Installation (20%): 8.0
Feature Set (20%): 8.0
Performance (20%): 3.0
Management (10%): 8.0
Filter Updates (20%): 7.0
Overall Rating: 6.6

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

Once Websense was fully installed, the program required another 400MB or so to download the URL filter database. The idea is that you not only filter for specific keywords and patterns, but also for known bad URLs. You'll have to update the URL database periodically so that Websense has the latest set of blocked URLs in place.

Websense gives you a nice, granular view of your filtered groups (called category sets in Websense). Once the filter list was current, I did some cursory testing and left for the day. I felt quite confident that none of my kids would be able to hit any of the sites I had been trying to block.

The next day, I came in to find a bunch of irritated kids. They couldn't get to MySpace or the WOW sites, run their Trillian IM client or even get out to Yahoo mail -- just what I was hoping for. I checked back in about an hour later, certain that they'd still be grumpy. There they were, happily working and surfing away.

The following morning we had a little "How we hacked Websense" session. Come to find out, there have been quite a few well-known work-arounds for "Websense censorware." The kids found a convenient tool that let them get back online within 10 minutes of the morning bell.

Figure 1. Websense has an intuitive interface and configuration dashboard through which you can control what it will filter and permit.

A "proxy-avoidance" site called Toonel.org was responsible for helping the kids break through. They simply downloaded the Toonel client component, installed it on their computers and thumbed their noses at Websense. When I notified Websense about the situation, they responded with this:

"Websense Client Policy Manager [CPM] and Websense Web Security Suite - Lockdown Edition are capable of blocking applications like this. We've added this particular program to our application database as proxy avoidance and our application filtering will now pick this up and prevent the launch of the program. Also, before we categorized the application, it could have been blocked if a customer was using CPM or Websense Security Suite - Lockdown Edition to block uncategorized applications. Using CPM or Websense Web Security Suite - Lockdown Edition is part of a layered approach to security that provides protection at the gateway, network and in this case at the endpoint. Alternatively, using our reporting tools, the network administrator could see which machines had gone to the proxy avoidance site and then remove the applications from those users."

When I talked to Websense representatives, I was told that a lot of the hacks Websense finds out about are discovered by kids. No surprise there. It seems like it would make sense for Websense to proactively try to head off potential threats.

For those machines that already had the Toonel client on board, the Websense database update was ineffective. Each machine had to have the client individually removed. Interestingly, Toonel did not work on the Vista machines. Toonel uses the loopback adapter address and port 8080 as a proxy avoidance mechanism.
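
A defender-side check for the indicator described above (a local proxy on the loopback address, port 8080), as an added example that is not from the article or from Websense: it parses `netstat -ano` output and a browser proxy string gathered from each PC. The host names, PIDs, proxy strings and inventory layout are constructed assumptions.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# One LISTENING row of Windows `netstat -ano`: proto, local addr:port, foreign, state, PID
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def loopback_listeners(netstat_text, port=8080):
    """PIDs of processes listening on a loopback address at `port`."""
    pids = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) in LOOPBACK and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids

def proxy_points_to_loopback(proxy_value, port=8080):
    """True if a proxy string ("host:port" or "http=host:port;https=...") targets loopback:port."""
    for entry in proxy_value.split(";"):
        target = entry.split("=", 1)[-1].strip().lower().split("://", 1)[-1]
        host, _, p = target.rpartition(":")
        if host in LOOPBACK and p == str(port):
            return True
    return False

def triage(inventory, port=8080):
    """Map host -> evidence for every machine showing either indicator."""
    findings = {}
    for host, (netstat_text, proxy_value) in inventory.items():
        pids = loopback_listeners(netstat_text, port)
        proxied = proxy_points_to_loopback(proxy_value, port)
        if pids or proxied:
            findings[host] = {"listener_pids": pids, "browser_proxied": proxied}
    return findings

# Constructed inventory (hypothetical host names, PIDs and proxy strings).
SAMPLE = {
    "LAB-PC-01": ("  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    880\n"
                  "  TCP    127.0.0.1:8080   0.0.0.0:0    LISTENING    4312\n",
                  "http=127.0.0.1:8080;https=127.0.0.1:8080"),
    "LAB-PC-02": ("  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    912\n"
                  "  TCP    10.0.0.22:50112  10.0.0.5:8080  ESTABLISHED  3020\n", ""),
    "LAB-PC-03": ("  TCP    127.0.0.1:8080   0.0.0.0:0    LISTENING    2204\n", ""),
}

if __name__ == "__main__":
    for host, evidence in triage(SAMPLE).items():
        print(host, evidence)
```

A loopback listener on 8080 can also be a local development server, so resolve the reported PID to a process name before removing anything.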

Figure 2. Websense describes its groups of filtered Web sites as Category sets, and gives you granular control within those sets.

The long and short of it is that I liked Websense for its ease of installation and configuration, and its relatively intuitive administrative interface. There were times when I wanted to specifically lock out one URL but had a hard time determining the category set to which the URL belonged. Also, I modified the block page that shows up when someone tries to hit a blocked Web site, but my modifications never appeared.

Also, it appears that Websense is written primarily, if not entirely, in Java. I'm not a huge Java fan, because I think it's too big of a CPU hog. Websense would be better if it was written in .NET code and we could avoid the baggage Java brings to Windows servers.

It was somewhat alarming for me to see how quickly someone on a mission could get past the filter. This points to how proactive security admins have to be, but also brings to the forefront the immensity of the problem that Web-filtering software tries to solve. Where there's a will, there's a way.

SurfControl Web Filter
The SurfControl installation process follows a nicely built wizard. It easily interfaces with Active Directory and gets right to work. The product uses SQL Server for its database and can install the Express Edition if you don't have a copy of SQL running locally.

SurfControl Web Filter
REDMOND RATING
Documentation (10%): 7.0
Installation (20%): 8.0
Feature Set (20%): 8.0
Performance (20%): 6.0
Management (10%): 8.0
Filter Updates (20%): 7.0
Overall Rating: 7.3


I ran into problems when I tried to install SurfControl on one box and then point it to SQL Server 2005 running on a different computer. I tried it twice, and in both cases SurfControl got through configuration but then the services refused to start. I've never been a fan of using across-the-net SQL installations anyway, so I bagged the dual-machine installation and went to the computer actually running SQL Server. That installation went fine.

On another machine, I took up SurfControl's offer of installing Express Edition. I expected the software to be residing locally, waiting for installation, but it was natively bundled into the SurfControl installation package.

The filtering database is set to automatically download. This is sweet, fast .NET code that runs swift and well. The progress bar displays behind the SurfControl configuration window, so while you're downloading the filter database you can't really tell what the program is doing. That's just a minor annoyance, though.

SurfControl is easy to install, configure and run. However, I ran into an issue I couldn't easily overcome in my test configurations. While there is a stand-alone Windows version of SurfControl, it needs a downstream enterprise-class firewall to proactively block users. But what if you are just doing a little workgroup blocking and you don't have any local firewalls? What if you are relying on the corporate firewalls to keep you safe?

Figure 3. SurfControl Web filter works with Active Directory, and installs through an easy-to-use wizard.

SurfControl's support staff told me I had to have all of my nodes on a hub, or attached to a switch that was capable of promiscuously loading the ports. Even though my classroom users are behind a workgroup-class "firewall" (the $69 kind that also does DHCP and some poor-man's URL blocking), I could not get SurfControl to work correctly.

Complex Cure for a Complex World

For those of you who don't believe in getting a thorough education in Web-filtering software, instead choosing to just plunge forward hoping that the wizard will walk you through to harmonious completion, you would be well advised to do your homework first. This class of software has gone through a series of improvements and now rivals the cockpit of the space shuttle in terms of complexity and capability. The current raft of software slices, dices, makes Julienne fries and cleans the kitchen afterward.

By that I mean that some Web-filtering security packages include protection against the so-called zero-day threat. Zero-day is that period of time when a threat has been introduced, but the security software folks aren't aware of it and thus haven't prepared any eradication, containment, curtailment or quarantine methodology.

The idea is that there is detection code built into the product that helps it determine there is unusual activity going on, presume that it's malicious and take steps to do something about it. In addition to zero-day monitoring, Websense Client Policy Manager (CPM) helps with other security issues like spyware, peer-to-peer threats, virus outbreaks and IM hacks. The other filtering companies reviewed here also have similar capabilities. --B.H.

In a previous job as a server admin, we ran SurfControl and liked it a lot. It worked well and kept folks out of trouble. I've always been a big fan of the product.

On the other hand, using SurfControl is a moderately expensive proposition -- especially when you consider that you'll also need an ISA box to actually do any Web-filtering. Additionally, I found that the customer support experience could have been better.

Figure 4. SurfControl lets you select the rules by which it will evaluate and filter suspect Web sites.

Overall, I'm impressed with the way the code installs and runs -- now if it would just block a user or two in stand-alone mode.

Secure Computing SmartFilter
SmartFilter has myriad installation possibilities. Want to run it against a Cisco Pix or on a Sun Java Server? No problem.

Secure Computing SmartFilter
REDMOND RATING
Documentation (10%): 6.0
Installation (20%): 6.0
Feature Set (20%): 7.0
Performance (20%): 3.0
Management (10%): 7.0
Filter Updates (20%): 7.0
Overall Rating: 6.0


SmartFilter very definitely wants to see a firewall as a partner in its operations, though. There's no stand-alone version here.

There are more details on firewall installations and OEM partners that SmartFilter supports on the Secure Computing Web site. I chose to download and evaluate SmartFilter over Internet Security and Acceleration (ISA) Server 2004 -- one of my mistakes in the evaluation process. Even though I created a valid "Allow All" firewall policy, try as I might, I could not hit the Internet using the ISA box as a proxy.

I went through the standard Microsoft TechNet "To fix this problem download and install ISA 2004 SP1" stuff on the TechNet Web site. This did nothing to fix the problem. The SmartFilter software itself installed just fine, making itself an add-in to ISA. The trouble was with ISA.

I was very impressed with the product's download and installation, though I would have preferred a stand-alone version instead of having to fight ISA. Why can't someone invent a practical Web-filtering program that doesn't require the extra time and brain-cycles of a production-class firewall? I don't get it. Let me make my DHCP configuration option adjustments to point them to the box, let it use NAT, whatever.

Figure 5. Secure Computing's SmartFilter runs as a plug-in to Microsoft's Internet Security and Acceleration Server 2004, but not as a stand-alone filter.

We use the SmartFilter BESS edition -- a Children's Internet Protection Act (CIPA)-compliant version of SmartFilter specifically developed for schools -- in my school district. The kids were quick to tell me that they could easily get past BESS, but it turned out that they were using a password which had been given to them by someone who must have gotten tired of them complaining about not being able to hit their Gmail and MySpace sites.

Figure 6. Make sure you have ISA Server running and properly configured before you try to install SmartFilter to run alongside.

From a cost standpoint, SmartFilter is much more reasonable than Websense or SurfControl. Also, the customer support from Secure Computing was excellent. One of the cooler features SmartFilter provides lets you grant temporary access so people can bypass filtering while they quickly view a site.

Parting Notes
These days, creating and updating new URL filter lists on a regular basis is no longer an effective model. There are just too many Web sites out there and too many variables to lend serious credibility to that methodology.

What if I forget to download the file? What if my server can't connect to the Internet at file-retrieval time? What if there are all sorts of different ways to get at the content without the filter server knowing about it? Where there's a will -- there's a way. If someone wants to hack the filter badly enough and has the right technological skills, they're going to get it done.

If you're seriously considering Web-filtering software, recognize that you'll have to make a big investment in the architecture and be extremely proactive about testing and reporting workarounds. Ultimately, you'll need to be prepared to block everyone from the casual Web surfers in marketing to the hard-core propeller-heads in programming.
