To web filter or not to web filter?

Restricting Internet access is always a contentious issue.  During my working life I’ve sat on both sides of the fence, as a frustrated user and more recently as an administrator of multiple filtering solutions who has been on the receiving end of end user complaints because sites were blocked.

When I worked for a previous employer, they tried to restrict the amount of time staff could spend on the Internet for personal usage while still allowing unlimited Internet access for work related activities.  From a user’s point of view it was a disaster, with it being easy to use up your “personal” browsing time accessing work related websites.  Needless to say the policy didn’t last long.

I’ve also had to explain why some apparently legitimate sites which used to work suddenly stop or why sites which users believe to be legitimate are blocked.  I do though find that the majority of users are understanding once you’ve explained a site has been hacked or the reason the site is blocked.  You of course do get the odd exception.

Regardless of whether you do decide to put a filtering policy in place or not it is important to make sure that you implement an Acceptable Internet Use policy so that staff:

  • Understand why controls are in place (if imposed) and the benefits to the organisation
  • Are fully aware of what acceptable usage means and what is not allowed
  • Know what to do if they think they have downloaded or accessed something they shouldn’t have
  • Understand how you intend to monitor and record Internet usage and how the information will be used
  • Understand what the implications are if the policy is broken (these need to be clearly defined)
  • Acknowledge the policy by signing the agreement

Why filter?

The Internet is a fantastic resource for information, marketing, interacting with new and existing customers, making sales and keeping up with the sports news.  Unfortunately it is also full of content that can be deemed illegal in many countries, distasteful, offensive or obscene.

Most companies will not want to deprive staff of web browsing on lunch breaks or outside the normal working day, but excessive non-productive web surfing uses valuable bandwidth and inappropriate use could be potentially damaging to a company’s reputation.  There are also data leakage issues to consider such as the ability to access personal email, social networking sites etc. While these restrictions might annoy staff they could be required to maintain business confidentiality.

Add to the issue the increasing number of sites on the Internet (knowingly and unknowingly) hosting malicious code with the intention of exploiting or compromising the visiting machine.  One of the key features of web filtering solutions is to help protect against these kinds of threats.

Why not just allow unrestricted Internet access?

You trust your staff to abide by your acceptable usage policy and that they will not be tricked into downloading malicious content.  You are also confident that all your systems are fully patched as soon as patches are released and your systems are tightly locked down.  You also use the latest browser and do not run plug-ins such as Flash.

Possible solutions to control Internet access?

Internet access can typically be blocked in a number of ways.  Most commonly, websites are categorised into a number of categories.  There is no industry standard for this approach so the number of categories varies greatly.  Websites are categorised in a number of different ways depending on the solution chosen.  Another method is by looking for key words.  This solution is less popular these days as perfectly legitimate sites could be blocked because they contained words, such as Sussex, which were interpreted as being offensive.  Finally a common technique is to block downloads of certain file types such as executable files, music and video files etc.
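The three blocking methods above can be sketched as one small decision function. This is an added example, not code from the original post or from any filtering product; the hostnames, category table, deny lists and the `decide` function are constructed for illustration. It also shows the Sussex false positive and how whole-word matching avoids that particular case.

```python
import re
from urllib.parse import urlsplit

# Constructed sample policy data (assumptions, not a real vendor's category feed).
CATEGORY_DB = {"news.example": "news", "bets.example": "gambling"}
DENIED_CATEGORIES = {"gambling"}
DENIED_KEYWORDS = {"sex"}
DENIED_EXTENSIONS = {".exe", ".mp3", ".avi"}


def decide(url, page_text="", whole_words=False):
    """Return (action, reason) for a request, checking category, file type, then key words."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # 1. Category lookup: sites missing from the database fall into "uncategorised".
    category = CATEGORY_DB.get(host, "uncategorised")
    if category in DENIED_CATEGORIES:
        return ("block", f"category:{category}")

    # 2. File type: match the extension at the end of the URL path.
    path = parts.path.lower()
    for ext in sorted(DENIED_EXTENSIONS):
        if path.endswith(ext):
            return ("block", f"filetype:{ext}")

    # 3. Key words: plain substring matching is what blocks "Sussex";
    #    whole-word matching only fires when the key word stands alone.
    text = page_text.lower()
    for kw in sorted(DENIED_KEYWORDS):
        if whole_words:
            hit = re.search(rf"\b{re.escape(kw)}\b", text) is not None
        else:
            hit = kw in text
        if hit:
            return ("block", f"keyword:{kw}")

    return ("allow", f"category:{category}")


if __name__ == "__main__":
    sample = "Walking routes in West Sussex"  # constructed page text
    print(decide("http://news.example/travel", sample))
    print(decide("http://news.example/travel", sample, whole_words=True))
```

Whole-word matching removes this class of false positive only; a key word filter still has no notion of context, which is why category-based filtering is the more common approach.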

  • DNS.  There are some DNS based solutions available which block requests based on DNS lookups made by client machines.  The solution requires that either the users’ machines are configured to use the DNS servers of the solution provider rather than the ones provided by your ISP or, if you have an internal DNS server, that this is configured to forward DNS queries to the solution provider’s DNS servers.  All other DNS server access will need to be blocked on your firewall otherwise these restrictions could be bypassed by changing the DNS settings on the computer.  Sign up to your chosen solution, select the categories you want to allow and deny and you are ready to go.  This solution does rely on you having a static Internet IP address or address range otherwise the solution cannot apply your chosen settings.  This is ideal for small businesses but lacks granular control and offers only limited customisation; these solutions also cannot block on key words or file types.  Additional features and configuration are possible but this is usually a chargeable extra.  Reporting capability is limited and reports cannot be created based on individual users.  This type of solution doesn’t offer anti-virus protection on content which is allowed to be accessed.
  • UTM Firewall.  This adds an additional layer of protection to standard firewall rules.  In addition to opening the standard ports for Internet access, all requests are run through the filtering policy.  This can offer you more control over browsing policies than a DNS solution as rules can be created based on internal IP addressing.  Unless you have a product which can force user authentication, this solution still offers only limited reporting capabilities to identify people continually trying to access blocked sites.  This solution also provides the ability to perform anti-virus scanning on Internet content downloaded to the network.
  • Proxy Server.  This is a server or appliance based solution within your network which may be an all in one proxy and filtering solution or a proxy server with additional software installed for filtering.  Browsers on client machines are configured to point at the proxy server.  These devices are easy to integrate into existing directory services such as Active Directory.  This gives you the ability to build very granular access policies based on group membership.  When integrated with a directory service, they usually offer very comprehensive reporting capabilities.
  • Cloud Based Solution.  Similar to the proxy server solution above, except there is no solution within your own network.  Instead the users’ browsers are configured to use a proxy server hosted in the cloud.  Ideal if you prefer a scalable solution or you have a very mobile workforce where you want to be able to control Internet access when they are away from the office.

It’s a fine line between restricting non-business related activities and imposing counterproductive restrictions which impede a business.

Useful Resources

Sample acceptable Internet usage policy from Business Link – http://www.businesslink.gov.uk/Growth_and_Innovation_files/Sample__Internet_acceptable_use_policy4.doc
