GCN Lab Test: Web-content-filtering appliances can keep your employees away from unwanted sites
- By Greg Crowe
- Nov 15, 2007
A network administrator is sometimes faced with the onerous task of monitoring Web activity and blocking sites the organization deems inappropriate. This can be made even more difficult if the administrator is working with an already-strained budget.
Fortunately, Web-content-filtering systems are common, and they are often integrated with other network security functions, such as firewalls, antivirus programs and even intrusion-detection/prevention systems. This can save an administrator not only money but also precious rack space.
The GCN Lab tested six Web-content-filtering products. The results of the tests, and the Reviewer's Choice award winner, are available below.
Web-content filters use two basic methods. The first, URL-based filtering, compares the requested URL (or its domain) against a vendor-maintained database in which sites have already been assigned categories. It is a reliable way of blocking specific sites, but it has drawbacks. It only works if the database is updated continuously as new domains and Web sites appear; a site that is not yet in the database is simply not recognized, so a user only needs a site the vendor has not categorized yet. Because the database must be maintained, most providers charge an annual subscription fee. On the positive side, the method is fast: comparing a URL string against the database takes very little processing time.
The second method, content filtering (also called dynamic filtering), scans the requested page itself for words or word patterns and blocks pages that meet certain criteria. This works on any Web site regardless of how new it is, but it has two major drawbacks. First, to scan a page the appliance must download it before the client sees it; with many users, Web browsing becomes slow unless the filtering appliance is very powerful. Second, if the filter is tuned too aggressively it produces more false positives than you may consider acceptable.
An ideal filtering solution combines the two methods: it relies primarily on the database and scans page content only when a URL is not already categorized.
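The hybrid lookup just described, as an added example that is not part of the original review or any vendor's code. The category database, keyword weights, block threshold and page texts are all constructed for illustration and stand in for a vendor's subscription feed. It exercises the three situations the review tested: a blocked section inside an otherwise acceptable site (matched by the longest host-plus-path prefix), a site on a little-used domain extension that the database has never seen (falls through to the content scan), and an educational sexual-health page (categorized as trusted in the database, so it is never scanned; or, when unknown, scored below the threshold because scoring counts distinct explicit terms rather than any single ambiguous word).

```python
"""Hybrid Web-content filter: URL database first, content scan only as a fallback.

Constructed example; the database, keyword weights, threshold and sample pages
are hypothetical and stand in for a vendor's subscription feed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

BLOCKED_CATEGORIES = {"adult", "gambling", "games", "drugs"}

# Constructed category database. A key is a hostname, optionally followed by a
# path prefix, so one section of an otherwise acceptable site (the gambling
# pages of a city tourism site) can carry its own category.
URL_DB = {
    "casino.example": "gambling",
    "citytourism.example": "travel",
    "citytourism.example/gambling": "gambling",
    "sociology.university.example/sexinfo": "health",
    "drugs.gov.example": "government",
}

# Constructed keyword weights for the content scan. Only explicit terms carry
# weight, and a page is scored on distinct terms, so one ambiguous word such
# as "sexual" on an education page cannot trip the filter on its own.
KEYWORDS = {
    "gambling": {"slots": 2, "poker": 2, "blackjack": 2, "wager": 1, "jackpot": 1},
    "adult": {"xxx": 3, "hardcore": 2, "porn": 3},
    "games": {"multiplayer": 2, "mmorpg": 3, "games": 1},
    "drugs": {"cocaine": 2, "heroin": 2, "dealer": 1},
}
SCAN_THRESHOLD = 4  # distinct-term score needed to block an uncategorized page


@dataclass
class Verdict:
    blocked: bool
    category: Optional[str]
    method: str  # "database" (fast path) or "content" (page was downloaded)


def _normalize(url: str) -> Tuple[str, list]:
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""  # already lowercased, port stripped
    if host.startswith("www."):
        host = host[4:]
    return host, [s for s in parts.path.split("/") if s]


def _host_candidates(host: str) -> list:
    """The host itself, then each parent domain, never the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def db_lookup(url: str) -> Optional[str]:
    """Most specific match wins: exact host before parent domains, and the
    longest path prefix before the site-wide default."""
    host, segments = _normalize(url)
    for candidate in _host_candidates(host):
        for n in range(len(segments), -1, -1):
            key = candidate + "".join("/" + s for s in segments[:n])
            if key in URL_DB:
                return URL_DB[key]
    return None


def content_scan(text: str) -> Tuple[Optional[str], int]:
    """Score the page per category on distinct keyword hits; return the best."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    best: Tuple[Optional[str], int] = (None, 0)
    for category, weights in KEYWORDS.items():
        score = sum(w for term, w in weights.items() if term in words)
        if score > best[1]:
            best = (category, score)
    return best


def classify(url: str, fetch: Callable[[str], str]) -> Verdict:
    category = db_lookup(url)
    if category is not None:
        return Verdict(category in BLOCKED_CATEGORIES, category, "database")
    # Unknown site: the slow path. The page must be downloaded before the
    # client sees it, which is where the review's performance concern lies.
    category, score = content_scan(fetch(url))
    if category is not None and score >= SCAN_THRESHOLD:
        return Verdict(True, category, "content")
    return Verdict(False, None, "content")


# Constructed page bodies standing in for a real download.
PAGES = {
    "casino.example.mobi": "Play slots, poker and blackjack for a jackpot wager!",
    "boardgames.example.info": "Free online board games: chess, go and checkers with friends.",
    "sexed.college.example": "Sexual health information for students: contraception, testing, consent.",
}


def fetch(url: str) -> str:
    host, _ = _normalize(url)
    return PAGES.get(host, "")


if __name__ == "__main__":
    for u in ("http://www.casino.example/lobby",
              "http://citytourism.example/gambling/casinos",
              "http://www.sociology.university.example/sexinfo/faq",
              "http://casino.example.mobi/",
              "http://boardgames.example.info/",
              "http://sexed.college.example/"):
        print(u, classify(u, fetch))
```

Note what the board-game page shows: the content scan only knows the terms it has been taught, and a casual-games site with no explicit vocabulary scores below the threshold and is allowed, which is exactly how most of the appliances in this review treated the German board-game site.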
We received a variety of security appliances with Web filtering capabilities from six companies: ContentWatch, eSoft, IronPort Systems, Mi5 Networks, St. Bernard and WatchGuard Technologies. The appliances ran the gamut of user capacity and offered a variety of additional features.
All of the appliances were rackmountable and, with one exception, took up 1U of space. Each had, at a bare minimum, two 10/100/1,000-Mbps Ethernet data ports and a serial console port.
To test the Web filtering capabilities of each device, we connected them in turn to our test network. The appliances could be set up in a variety of configurations, but we placed them in-line between the router and the rest of the network. This is almost always the configuration the manufacturer recommends, because it is largely foolproof: every packet leaving the network passes through the filter whether or not the client cooperates. Setting an appliance up alongside the network as an explicit Web proxy, rather than in the traffic path, is usually not a good idea. Every client's browser has to be configured to send its traffic to the device, and a user with access to those settings can simply switch the proxy off. You can close that hole by having the router/firewall drop all outbound Web traffic except what comes from the filter appliance, but the in-line setup is definitely the preferred method.
We set each appliance's policy to block some of the more common categories of verboten Web sites, such as those featuring adult content or nudity, gambling, games, and illegal drugs. Although each interface was slightly different, we were able to set each one to block the same categories.
We then listed Web sites we felt would be especially challenging, such as those that straddle typical category definitions and others that contain little-used domain extensions, such as .info, .biz and the relatively new .mobi.
We also put in several URLs that could easily result in false positives, such as government drug-use information and university-sponsored sexual-health sites. And we tried to play several online games, including popular ones such as "Lord of the Rings" and more obscure ones such as a German site that offers casual board games.
Although some came close, none of the filters performed perfectly. Some were fooled by certain domain extensions, and all of them failed to block a page with prohibited material within an otherwise acceptable domain, for instance the Gambling tab on the official Las Vegas Web site. Any appliance could be adjusted to near-perfect operation by an organization willing to devote enough time and effort, but we were interested in how the devices' out-of-the-box category definitions fared.
It should be noted that prices of the units in this review include the first year of an annual subscription and/or maintenance fee. This is standard for an appliance using data that is constantly updated.
ContentWatch CP 100
Pros: Near-perfect Web blocking.
Cons: Setup wizard not helpful.
Performance:
The ContentProtect (CP) 100 from ContentWatch is a combination security appliance that includes bandwidth management, antivirus and spyware applications, and peer-to-peer control in addition to Web filtering. All of this comes in one box that is easy to use and not too hard on the budget.
We found the setup process simple enough: just connect a computer to the management port and browse to the default IP address. There is a wizard that tends to overcomplicate matters, but it can be bypassed, and we suggest doing so. After that, it's just a matter of setting the IP addresses of the data ports and hooking it up.
We were pleased with the precision with which it handled our tricky Web site list. It was not fooled by any of the potential false positives and managed to stop nearly everything else. It even blocked a Java-based program from connecting to play online board games, which no other appliance in the review managed to do. Other than the previously mentioned Las Vegas Web site issue, there was nothing we could do to stump it.
The CP 100 sells for $2,390 with an annual license subscription for 100 users. That's a good price considering the different kinds of information that are constantly updated. Subscriptions for more users are available at higher prices.
eSoft ThreatWall 450
Pros: Easy setup, good use of DHCP
Cons: Created more false positives than other appliances in the review
Performance:
The ThreatWall 450 from eSoft is a breeze to set up and use. In addition to Web filtering, the ThreatWall is equipped to handle spyware, application attacks and viruses. It can even help protect Web servers in your network from buffer overflows and other attacks.
Once connected to the network, the ThreatWall found our Dynamic Host Configuration Protocol server, negotiated an IP address and made that its static address. Then we just connected it to the router, and it was ready to go.
The Web-based interface is easy to learn with wizards and a logical layout. Like other eSoft products, this one includes ThreatMap, which is a world map that points out the sources of attacks.
The ThreatWall performed respectably with our list of URLs, but on its basic setting it failed to block some sites that other filters stopped. It was also one of only two appliances in this review to produce a false positive: it rejected a university sociology department's sex-information Web site. But we were especially pleased to see a setting that has the ThreatWall enforce Google and Yahoo safe searches even if clients turn them off.
The price for eSoft's ThreatWall 450 is $4,798, with a government price of $4,318. We feel this is a good price for a midrange appliance with unlimited user licenses. If you need more versatility, eSoft also offers separately priced SoftPaks and ThreatPaks that can upgrade your ThreatWall to perform additional functions, including e-mail filtering or network intrusion prevention.
IronPort Systems S350
Pros: Hot-swappable drives, redundant power supplies
Cons: Special equipment required for transparent mode.
Performance:
IronPort Systems' S350 is clearly on the high end of this market. It is an extremely powerful, top-of-the-line appliance, with strong features that many of the other appliances in this review simply don't have, for an equally top-of-the-line price.
Its six hot-swappable 146GB SAS drives are one of the reasons it takes up 2U of rack space. It also has two redundant, hot-swappable power supplies. In addition to the data ports for Web filtering, it has two traffic ports for Layer 4 network traffic monitoring.
As we expected, the setup of the S350 was the most complicated in the review. The setup wizard was reasonably helpful in getting all the IP addresses established. But to use both data ports for a pass-through type of setup, we had to activate the second port through the command-line interface, accessible only via Telnet or a terminal program on the serial console. Telnet sends the whole session, credentials included, in the clear, so the serial console is the safer choice for that step.
Fortunately, the device does have a setting that will allow a remote technician from IronPort to access the S350 directly, which is useful if a setup process goes over your head.
The S350's Web filter did a good job in our tests. It managed to block the sites in our list with only a few exceptions.
It accomplished this not only with traditional methods but also by using what IronPort calls its Web Reputation Filters, which use factors such as how long the domain has existed and its host country along with administrator settings to determine whether to block a site.
This method may be more efficient, and based on our observations, it certainly didn't slow things down.
The S350 is so high-end that it can't be used to its full effectiveness unless the surrounding components are just as sophisticated. We were disappointed that the appliance cannot be put in transparent mode unless it is connected to a Layer 4 switch or a router that supports Web Cache Communication Protocol Version 2 (WCCPv2). We were able to make do for the test with the Web proxy forwarding mode, however.
The S350 has a price tag of $14,478, more expensive than we would have expected even for such a powerful appliance, mostly because of the specialized equipment required for optimal deployment. The government price of $11,582 is more reasonable. If you are looking for a powerful security appliance for as many as 5,000 users, and you already have the appropriate networking equipment, this may be up your alley.
St. Bernard iPrism M1200
Pros: Good administrative software
Cons: Low number of user licenses
Performance:
The iPrism M1200 from St. Bernard is easy to set up and use, and it does its job pretty well. The purplish color of the case is unusual, but the appliance itself is all business.
We were impressed with the minimal amount of time the iPrism took to set up. With the Appliance Manager software installed on a client machine, we were able to detect the iPrism before it had been assigned an IP address. Then the wizard helps you change the settings, and it's ready to go.
You can then access it through the Appliance Manager or a Web browser.
We found setting up Web usage policies to be intuitive and simple. You generate an access control list of what categories are allowed and blocked then click on the timetable to choose when it's in force. The real-time monitor lets you see the traffic as it comes in.
The iPrism did a decent job in our performance tests. It managed to block most of the URLs but missed a few. It was the only one in the review to allow a blog Web site devoted entirely to adult and sexually explicit subject matter. There were settings to have it enforce safe searching on both Google and Yahoo, though, no matter what the user set them to.
In addition to the Web-filter function, the iPrism also has anti-spyware and peer-to-peer application control. This is all controlled through the same interface and using the same sort of steps as the Web filtering.
The iPrism costs $3,490, which is a little high considering that only covers the subscription licenses for 50 users. But all the functions are covered under the same license, and that convenience makes it an acceptable price.
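The safe-search enforcement that both the ThreatWall and the iPrism offer, as an added example that is neither product's code. It assumes the filter sits in the request path as a proxy and can rewrite the URL before it leaves the network, which means it must see the request in clear text. `safe=active` is Google's documented strict SafeSearch parameter; the table is where any other engine's parameter goes once the operator has verified it. The host matching and sample URLs are constructed.

```python
"""Force safe search on outbound search requests by rewriting the query string.

Added example, not vendor code. Assumes the filter sees the request in clear
text (plain HTTP, or TLS it terminates itself); an encrypted URL cannot be
rewritten in transit.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# engine -> (query parameter, value that forces safe results)
# Google's safe=active is documented; other engines are left for the operator
# to add with their own verified parameter (assumption: this table is complete
# for the engines the organization cares about).
SAFE_SEARCH = {
    "google": ("safe", "active"),
}
# Only these paths are search requests; maps, mail and so on are left alone.
SEARCH_PATHS = {"google": ("/search",)}


def _engine_for(host: str):
    # Match by DNS label (google.com, www.google.co.uk, google.de), not by
    # substring, so "notgoogle.example" is not treated as a search engine.
    labels = host.lower().split(".")
    return "google" if "google" in labels else None


def enforce_safe_search(url: str) -> str:
    """Return the URL with the engine's safe-search parameter forced on.

    Any client-supplied value (for example safe=off) is dropped before the
    enforced value is appended; non-search URLs and unknown hosts are
    returned unchanged.
    """
    parts = urlsplit(url)
    engine = _engine_for(parts.hostname or "")
    if engine is None or not parts.path.startswith(SEARCH_PATHS[engine]):
        return url
    param, value = SAFE_SEARCH[engine]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    for u in ("http://www.google.com/search?q=cats&safe=off",
              "http://www.google.co.uk/search?q=cats",
              "http://www.google.com/maps?q=cats",
              "http://notgoogle.example/search?q=cats"):
        print(u, "->", enforce_safe_search(u))
```

The rewrite has to happen on the appliance rather than in the browser for the same reason the review prefers in-line deployment: a setting the user can reach, the user can undo. Dropping the client's own `safe` value rather than merely appending a second one matters, because which duplicate a server honors is not something the filter should depend on.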
WatchGuard Firebox X550e
Pros: Good Web filtering, programmable ports
Cons: Highly convoluted setup procedure
Performance:
Like all WatchGuard appliances, the Firebox X550e is bright, fire-engine red. Also like its brethren, it is built on top of WatchGuard's award-winning firewall technology.
That said, the X550e is more complicated to set up than nearly all of the other devices in this review. First, you have to register online to activate the Firebox. Then the management software and certain firmware (WatchGuard calls it Fireware) have to be downloaded and installed. We found this especially challenging because the computer doing the installing needs to be connected alternately to the Internet and directly to the Firebox.
At this point, the Firebox is ready to have its IP addresses set and hooked into the network.
We were pleased to find that the X550e has four programmable network ports, a unique feature among the appliances in this review.
However, the Firebox's primary function as a firewall means that the connection to the router has to be on a different subnet than the rest of the network. This is better security-wise, but it is certainly less convenient than a more transparent appliance.
Once set up, however, the administrator software let us establish a Web usage policy rather quickly. And the system manager software lets you manage all your Firebox products from one console.
In our Web filtering tests, the Firebox X550e performed well.
It didn't fall for any of our potential false-positive URLs and only let one possible gambling site through that most of the others blocked. Other than that, it performed better than nearly all of the other devices in the roundup.
As mentioned before, in addition to Web filtering, the Firebox also functions as a firewall.
And it performs intrusion-prevention, antivirus and anti-spyware functions and even works as a spam blocker.
Considering all it does, the Firebox X550e comes at a great price: $1,999 includes the first year subscription fee for all those functions.
If you need a Web filter that is also a firewall and you don't mind a little extra effort in the set-up process, then the Firebox X550e might be just for you.
Mi5 Networks Webgate 005
Pros: Automatic pass-through mode when shut down
Cons: Web filtering sub-par
Performance:
Mi5's Webgate 005 is a Web security appliance that performs a lot of necessary functions in addition to Web filtering. Although it is more than competent at several of those trades, it has not mastered Web filtering.
Setup was fairly easy for a device of this type.
Simply set up the IP address of the port, hook it up in-line, and it is ready to go.
When updating the software, we discovered that the Webgate has a pass-through mode that simply allows all traffic through when it's shut down. This will certainly help avoid riots among the staff when an upgrade requires a reboot, though it is worth knowing that the device fails open: while it is down, the filtering policy is not being enforced at all.
In our URL filter test, the Webgate's performance was at the bottom. It did not seem to want to block any Web site with a .mobi extension, and some Web sites were only partially blocked, showing some of the text but not all the graphics.
It even fell for one of our false-positive tests: the site for the Las Vegas Hilton was completely blocked, even though Mandalay Bay, just down the Strip, was not. Considering what hardcore adult sites it let through, especially those with .mobi extensions, we felt it was an odd choice for the Webgate to beat up on the Hilton. Perhaps Paris has something to do with that?
The Webgate does have its strong points. In addition to the Web-filtering function, it has antivirus, anti-spyware and a robust anti-botnet system. It also has SpyWash, which is a way to remediate and eliminate spyware on a client's machine remotely through the Webgate. We found this unique feature to be a potential lifesaver.
Mi5 Networks has set the price of the Webgate 005 at $7,225. This is higher than we had hoped but not too far out of the park considering all the security features it provides.