Internet filters almost useless without strong policies

No matter how advanced the technology behind them is, Internet filters are no substitute for diligently followed security policies, according to IT insiders.

“There’s no substitute for policies and ethics. You need to be able to trust your employees,” says Jeff Knechtel, senior technology solutions architect for Exchange Solutions Inc. (ESI), a collaboration technology developer based in Toronto.

Without an appropriate strategic security policy, businesses will not be able to maximize the advantages offered by filtering or, worse, the technology can even backfire on the organization, said Knechtel, who is also Toronto section president for the Canadian Information Processing Society (CIPS).

“In some organizations, filters can actually hamper production,” he said.

Internet filters essentially limit access to the Web by inspecting outgoing or incoming traffic and enforcing rules on which sites or transmissions are permissible.

There are three main reasons why businesses use Internet filters, according to Andrew Lochart, vice-president of marketing for St. Bernard Software, a provider of appliance-based and hosted security products headquartered in San Diego, Calif.

Primarily, organizations want to set up acceptable use policies to prevent non-work-related use of the Internet, such as surfing gambling or porn sites. These activities can lead to harassment or so-called hostile environment lawsuits against the company, Lochart said. Organizations also want to limit the possibility of employees unwittingly downloading malicious code or viruses from “infected Web sites.”

Unfettered online access can also overburden a small company’s network with what is known as a tube storm.

“When a large number of workers suddenly access online material, for example a Britney Spears video on YouTube, they create a massive bandwidth demand on the company’s network that everything just screeches to a halt,” said Lochart.

There are three primary filtering methods.

The simplest method is keyword filtering, where a system scans for specific words within the text of a page as it is downloaded. A major drawback of this method is that it does not take context into account and as a result often blocks acceptable content. It also cannot block pages containing only images.

More sophisticated systems, such as Internet Protocol (IP) filters, employ a database of IP address information of sites that should be blocked or allowed. But in today’s environment, where several sites might be hosted at a shared IP address, this method can potentially block all of the virtually hosted sites or none of them.

Uniform Resource Locator (URL)-based filtering can enable blocking down to specific pages in a Web site. For instance, a photo archive containing mostly “acceptable content” with a few pages containing nudity could be made accessible with only the objectionable pages blocked.

An ideal system would employ a combination of these methods to provide more rounded protection.
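The trade-offs of the three methods described above, as an added illustration that is not part of the original article: each filter is run over the same constructed requests. The hostnames, addresses, word list and static DNS table are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# All data below is constructed for illustration (example hostnames, RFC 5737 addresses).
BLOCKED_KEYWORDS = {"casino", "poker"}
BLOCKED_IPS = {"192.0.2.10"}                      # address of casino.example
BLOCKED_URL_PREFIXES = ("photos.example/archive/adult/",)

# Static stand-in for DNS: two unrelated sites share one virtual-hosting address.
DNS = {
    "casino.example": "192.0.2.10",
    "recipes.example": "192.0.2.10",
    "news.example": "192.0.2.20",
    "photos.example": "192.0.2.30",
}

def keyword_filter(page_text):
    """Block when any listed word appears in the page text, regardless of context."""
    words = set(re.findall(r"[a-z]+", page_text.lower()))
    return bool(words & BLOCKED_KEYWORDS)

def ip_filter(url):
    """Block when the host resolves to a listed address."""
    return DNS.get(urlsplit(url).hostname) in BLOCKED_IPS

def url_filter(url):
    """Block when host + path starts with a listed prefix (page-level granularity)."""
    parts = urlsplit(url)
    return ((parts.hostname or "") + parts.path).startswith(BLOCKED_URL_PREFIXES)

def evaluate(url, page_text):
    """Return each method's verdict (True means blocked) for one request."""
    return {"keyword": keyword_filter(page_text), "ip": ip_filter(url), "url": url_filter(url)}

# Constructed requests: (url, text extracted from the page; empty for image-only pages)
SAMPLES = [
    ("http://casino.example/play", "Play poker at our casino tonight"),
    ("http://news.example/health", "Support groups for people with casino debts"),
    ("http://recipes.example/soup", "Tomato soup recipe"),
    ("http://photos.example/archive/landscapes/1.html", ""),
    ("http://photos.example/archive/adult/3.html", ""),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        print(url, evaluate(url, text))
```

The keyword filter blocks the news.example page on a word match alone, the IP filter blocks recipes.example because it shares an address with the listed site, and only the URL filter catches the image-only page while leaving the rest of the photo archive reachable.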

Businesses have several implementation options.

Organizations can: deploy client-side filtering software on each company PC; use server-based Web filtering; use filtering services that can be added onto firewalls and network devices; or attach dedicated filtering appliances to an existing network.

Client-side filtering is ideal for organizations with a small number of users. Among its drawbacks is that multiple desktop-resident databases present updating challenges. Decentralized administration also often results in users reconfiguring the filters themselves and opening the system to threats.

Server-based filtering provides the security and practicality of a single point of administration. Screening policies are uniform throughout the organization.

However, this method comes with a high support cost. The server presents a potential single point of failure. An intruder attack on the server or a server problem can compromise the whole network.

Firewall add-ons are not typically optimized for large Web site database lookups and can result in scalability issues and bottlenecks.

Filtering appliances are easy to attach to networks and offer the highest performance and scalability, said Lochart.

Businesses that want to deploy a filtering system should look for a vendor that has a large database of pre-categorized Web pages that are continually updated, said Lochart.

“This saves the company time in identifying what sites to block and ensures that their blacklist is always up to date.”

Companies must also pick a product that is easy to test, install and maintain.

Once an organization has considered the ideal system for its operation, Knechtel said, policies around the use of the filter must be developed.

“Ideally there should be a standardized practice of bypassing the filter,” he said.

Some individuals or teams in the office might need a different filter setting than the rest of the organization. “For example, researchers, engineers, developers, or marketers might actually be hampered if their online access were restricted.”

Equally important, he said, is staff training. “A culture of security must be cultivated within the company so that it’s not only the technology providing protection but the workers’ attitudes as well.”

