Web Filtering (part 2)

Put simply, web filtering restricts what web content a reader can access with a browser from their computer or mobile device.  However, there is no “one-size-fits-all” approach to web filtering, and a web filtering strategy for a large design and manufacturing company is not necessarily suitable for use at an elementary school or small medical office.

The “How”

The primary content control mechanisms on modern firewalls are Web Filtering and Application Control.  Web Filtering allows or blocks web traffic based on the content category of the requested site, or based on explicitly defined exceptions (typically a static list of URLs) that override the category action.

Application Control allows or prevents traffic to a number of common Internet application services and platforms based on identifying characteristics in that traffic, and can be used to implement granular controls on some services.  For example, it is possible to permit a user to log in to Facebook and browse their feed, but prevent posting, uploading pictures/videos or using the chat feature.

While Application Control is a powerful feature, it is not as widely used, nor as simple to implement and administer as Web Filtering, so the focus for the moment will be on Web Filtering.

Under the hood, a Web Filtering policy is built from a number of components that define:

  • Source – Where the request for a web resource originated.  In its basic form, a source definition can be a single IP address, a range of addresses, a subnet, a DNS name or “Any” source address.  In more advanced environments, it is possible to leverage a local user database, an Active Directory domain or a RADIUS server to identify individual users or the groups a user is a member of.  This adds a great deal of flexibility, not only to web filtering policies, but also to policies designed to protect sensitive internal resources.
  • Destination – The remote server that the request will be forwarded to.  Destination can be defined using the same basic IP criteria as Source, but not user/group criteria.
  • Web Filter Profile – The filtering rules to be applied to traffic that meets the Source/Destination criteria.  The profile can be considered an extension of the Destination parameter and is typically built from vendor-provided category lists and/or administrator-defined lists of allowed and blocked domains and IP addresses.  Within a Web Filter Profile are a number of methods for defining category-based actions, and exemptions to those rules:
    • Categories – As stated, these are defined and regularly updated by the firewall vendor.  The exact nature of the category definitions varies between vendors, but typically consists of several broad categories that may be further refined with more granular sub-categories.  For example, there may be top-level categories for Adult/Mature Content, Bandwidth Consuming, General Interest, Security Risk, and so forth.  The General Interest category might have a number of sub-categories such as General Interest\Social Networking and General Interest\Finance & Banking.
    • Actions – Defines how traffic meeting the selection criteria is to be handled.  For category-based criteria, each category can be treated as a single entity, in which case all sub-categories inherit the parent category action, or individual sub-categories can be given different actions.  Some possible Actions are:
      • Allow – Traffic is permitted.
      • Block – Traffic is blocked and the user is redirected to a block message.
      • Monitor – Traffic is permitted, and a log entry is created with information about the session.
      • Warning – Traffic is blocked, and the user is redirected to a warning message indicating the requested content may violate company policy.  Users have the option to proceed to the web site after the warning is presented.
      • Authenticate – Traffic is blocked, and the user is redirected to a login prompt.  Users who enter credentials for a permitted account are allowed to proceed.
      • Override – In some cases, it may be desirable to allow a user to temporarily override a blocked page.  The user must enter credentials for a permitted account to continue browsing, and the details of the page and the user are logged.
      • Quota – Applies a daily limit on access to certain categories.  The limit can be defined in terms of time spent browsing or total traffic volume.  Once the limit is reached, traffic to the affected categories is blocked until the quota period expires (typically defined as a 24-hour period from the first matching packet).  Different quotas can be defined for different categories, sub-categories, or combinations.
    • Static URL Filters – These define exceptions to category-based rules.  A URL that matches a static filter entry gets the action defined for that entry, even when it differs from the action defined for the category/sub-category the URL belongs to; in practice this is the mechanism for unblocking a single business-critical site inside an otherwise blocked category, or for blocking a single site inside an allowed one.
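To make the relationships between these components concrete, the following is an added example (not code from the original article, and not any firewall vendor's implementation) that models a Web Filtering policy as a small Python evaluator.  Every network, user group, host name, category name and quota value in it is constructed for illustration.  The model assumes policies are evaluated top-down with the first matching Source winning, that a static URL filter entry takes precedence over the category action, and that a sub-category without its own action inherits the parent category's action; the quota is tracked per source address and category in seconds of browsing.

```python
"""Toy model of the web-filter policy components described above.
Every host, category, user group, network and quota here is constructed for
illustration; none of it comes from a real vendor category database."""
import ipaddress
from dataclasses import dataclass, field

# Stand-in for a vendor category database (constructed).  Keys are
# "Parent/Sub-category" strings; a sub-category inherits the parent's action
# unless the profile sets an action for the sub-category explicitly.
CATEGORY_OF_HOST = {
    "social.example":  "General Interest/Social Networking",
    "bank.example":    "General Interest/Finance & Banking",
    "video.example":   "Bandwidth Consuming/Streaming Media",
    "malware.example": "Security Risk/Malicious Websites",
}


@dataclass
class Profile:
    """Web Filter Profile: category actions, static URL exceptions, quotas."""
    category_actions: dict                            # category -> action
    static_urls: dict = field(default_factory=dict)   # host -> action; beats the category
    quotas: dict = field(default_factory=dict)        # category -> seconds allowed per day
    default: str = "allow"                            # action for unrated / unlisted categories

    def category_action(self, category):
        if category in self.category_actions:         # explicit sub-category action wins
            return self.category_actions[category]
        parent = category.split("/")[0]
        return self.category_actions.get(parent, self.default)


@dataclass
class Policy:
    """Source criteria (networks and optional user groups) plus the profile to apply."""
    sources: list                                     # ipaddress network objects
    groups: frozenset = frozenset()                   # empty = any user
    profile: Profile = None

    def matches(self, ip, user_groups):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self.sources):
            return False
        return not self.groups or bool(self.groups & user_groups)


class WebFilter:
    def __init__(self, policies):
        self.policies = policies                      # assumption: evaluated top-down, first match wins
        self.usage = {}                               # (ip, category) -> seconds browsed today

    def evaluate(self, ip, user_groups, host, seconds=0):
        """Return the action for one request: allow, block, warning, monitor, ..."""
        policy = next((p for p in self.policies if p.matches(ip, user_groups)), None)
        if policy is None:
            return "block"                            # implicit deny: no policy matched the source
        prof = policy.profile
        if host in prof.static_urls:                  # static URL filter overrides the category
            return prof.static_urls[host]
        category = CATEGORY_OF_HOST.get(host, "Unrated")
        action = prof.category_action(category)
        if action != "quota":
            return action
        # Quota: look for a sub-category limit first, then the parent's limit.
        limit = prof.quotas.get(category, prof.quotas.get(category.split("/")[0], 0))
        key = (ip, category)
        if self.usage.get(key, 0) >= limit:
            return "block"                            # daily quota exhausted
        self.usage[key] = self.usage.get(key, 0) + seconds
        return "allow"


def build_filter():
    """Two constructed policies for one LAN: a group-specific rule, then a catch-all."""
    lan = ipaddress.ip_network("10.0.0.0/24")
    marketing = Profile(
        category_actions={"General Interest": "allow", "Security Risk": "block",
                          "Bandwidth Consuming": "quota"},
        quotas={"Bandwidth Consuming": 3600},         # one hour of streaming per day
    )
    staff = Profile(
        category_actions={"General Interest": "allow",
                          "General Interest/Social Networking": "warning",  # sub-category override
                          "Security Risk": "block", "Bandwidth Consuming": "block"},
        static_urls={"video.example": "allow"},       # exception inside a blocked category
    )
    return WebFilter([
        Policy([lan], frozenset({"marketing"}), marketing),  # group rule must come first
        Policy([lan], frozenset(), staff),                   # everyone else on the LAN
    ])


if __name__ == "__main__":
    wf = build_filter()
    for ip, groups, host in [("10.0.0.5", {"marketing"}, "social.example"),
                             ("10.0.0.7", {"sales"}, "social.example"),
                             ("10.0.0.7", {"sales"}, "video.example"),
                             ("192.168.1.9", set(), "bank.example")]:
        print(ip, sorted(groups), host, "->", wf.evaluate(ip, frozenset(groups), host))
```

The ordering in `build_filter` matters: if the catch-all policy were listed first, marketing users would never reach their own profile, which is the same mistake that is easy to make in a real firewall policy table.  The static URL entry for `video.example` shows why exceptions should be reviewed alongside the category table; the category says "block", but the request is allowed.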

What Should I Do About It?

When it comes to protecting your business, you need to be covered on all fronts. Our managed IT services are designed to help you develop and implement the best web filtering practices for your business.