Network World: Web filtering tools handling ever-larger jobs

Special Focus

INFRASTRUCTURE: Keeping resources secure.

From the time the World Wide Web took off in the mid-90s, corporations began looking for ways to filter out access to its more lurid displays, but IT managers who use filters today say they're good for much more than blocking access to porn.

Because keeping company resources safe from spyware, adware and phishing is of growing importance, Web filter technologies are keeping up by blocking sites known to be engaged in those types of threats. Filters have expanded to block peer-to-peer file sharing sites, which pose copyright concerns and often spread adware. Companies using Web filters expect them to play an ever-larger role in enterprise protection.

"Some sites are offensive to employees, such as pornography or gambling, others are time-wasters, such as sports," says Jeff Smestuen, network manager at ice-cream maker Blue Bell Creameries in Brenham,Texas, which has 750 employees at its manufacturing facilities and branch offices."And Internet radio and TV sites are bandwidth hogs."

But these days,Web sites also might be just plain dangerous, pushing key-loggers out to steal personal information or trying to trick people into entering sensitive data.

"The phishing fraud we've seen firsthand," Smestuen says."The Web sites are so professional looking and sometimes employees panic and ask IT for help."

Blue Bell uses Websense Enterprise as its filtering gateway to the Internet. Over the past year,Websense added a way to automatically block phishing and other fraud-connected Web sites as soon as they were identified.

"It does a pretty good job of blocking these sites," Smestuen says."Nothing is going to get it all, but this helps."

Web filters also are expected to be flexible so that network managers can cut employees some slack even while stopping them from whiling away the day on the Web. Blue Bell, for instance, can set a "limit by quota" on the number of times an employee is allowed to go to some sites, such as those for weather or news.

"It can get to be a morale issue if you crank it down too much," Smestuen says about using a Web filter to police an employee's Web use.

The Web-filtering market

According to research firm Frost & Sullivan, industry veteran Websense still holds almost half of the Web-filtering market along with rival SurfControl (see graphic).

But since the early days of the Web, competition has grown, with secure Computing, Symantec and McAfee also scoring gains in a growing field of contenders.

This month Websense pointed out how times have changed by detailing the sharp increase of entries in its master database of monitored sites.

When it first started in 1996, its filtering database consisted of 26 categories with roughly 25,000 Web sites. Today the Websense Master Database stands at 10 million Web sites and more than 90 categories as it tracks shopping, gambling, games, entertainment and MP3 sites. Several other Web-filtering vendors, including Lightspeed Systems, also claim to be well past the 10 million mark.

During the first quarter alone, Websense says it categorized more than 13,000 Web sites engaged in spyware, phishing and other frauds in order to reduce customer's exposure. According to Websense, spyware-related sites have grown from 37,800 sites to more than 89,000 over the last year.

Tom Trumble, network administrator for Merrimac County in Concord, N.H.,says spyware has become a major threat to desktop security and privacy"We've seen a serious increase in spyware drive-by installs," says Trumble, describing how unwanted code is dropped from the Web site onto the Web surfer's machines without his knowledge.

Merrimac County recently acquired the Blue Coat appliance Interceptor, which combines URL filtering with blocking spyware downloads. Because monitoring and blocking access to Web sites is a sensitive subject that affects an entire organization,Trumble says he's presenting his Web policy ideas before the board of commissioners to get the government equivalent of management buy-in before monitoring or blocking access for agency employees.

"We'd rather hear the objections in advance rather than later"Trumble notes."We don't want to be seen as Big Brother:'

When governments anywhere in the world set policies for Web filtering on a national scale, it naturally draws attention from free-speech advocates concerned it might involve political or religious suppression.

A research group called the OpenNet Initiative, a partnership between the University of Toronto, Harvard Law School and Cambridge University, has issued several reports over the past few years detailing how China, Iran and Saudi Arabia, among others, make use of Web filtering to achieve political ends.

A study published last month,titled "Internet filtering in China in 2004-2005: A Country Study says the Chinese governments ability to block access to political, religious and news information makes it "the most sophisticated effort of its kind in the world."

Acceptable use, American-style

When filtering access to the Web, corporations, government agencies and schools in the U.S. often require network users to agree to Internet acceptable-use policies by signing a form stipulating off-limits activities.

According to the U.S. Department of Education,83% of public schools have students sign such contracts now.

But that doesn't mean Web monitoring is easy for school IT administrators who manage the high-speed networks that are increasingly common in U.S. public schools. Some schools don't just have forbidden Web sites - they have a list of forbidden search words and if a Web filter catches one being used, IT administrators are compelled to bring that to the attention of school management.

This happens from time to time at Bullard Independent School District in Texas, which uses Lightspeed Systems' Trusted Traffic Control appliance to monitor Web access from its high-speed LAN to the Internet.

"High schools have procedures for all this," says Lee Sleeper, Bullard's technology manager. Discipline for student misbehavior might involve the school's deciding to temporarily revoke the student's network privileges.

There's the prevailing notion in some quarters that America, the land that gave rise to adult-porn Web sites, also is the country spending the most time and money in making sure employees and students aren't able to get to them.

According to Jose Lopez, senior industry analyst in network security for Frost & Sullivan, which is based in London, says two-thirds of Web-filtering product sales are made in the U.S.

In Europe, the U.K. and Germany are the only significant markets, Lopez notes, adding the Scandinavian countries seem to have little interest in blocking porn.

Danny McCampbell, senior network analyst at Mahle, the Morristown.Tenn.,subsidiary of German-based automotive part manufacturer Mahle GmbH, says it's easy to get the impression that Europe has a different attitude about risqué material.

Mahle uses SurfControl's Web Filter to block sites the filter deemed to be "adult content." But Mahle found employees sometimes couldn't get access to European business si tes, such as travel sites to make reservations, because these sites had risqué photos posted on them.

"The user would call and sayTm trying to get on this site but I can't,'" McCampbell says."So we created an exception rule for the filter that allows access but blocks the risqué advertising."

In Web filtering, exceptions can be the rule.

Although Mahle doesn't generally permit access to gaming and entertainment sites, the company makes an exception for the Nascar racetrack's Web site at Nascar.com.

"We're an automotive manufacturer and we allow it because we manufacture pistons for Nascar," McCampbell says.