User supervision

 


GCN Lab Review: Web-content-filtering appliances can keep your employees away from unwanted sites.

Web-content filters use two basic methods. The first, URL-based filtering, is a sure way of blocking specific sites because it categorizes the URL of the page. This type of filter has its drawbacks. It only works if the database of URLs is constantly updated as new domains and Web sites are created. It won't work on sites that aren't in the database yet. Also, because the database must be maintained, most providers charge a nominal subscription fee. On the positive side, this method is fast because it takes relatively little processing time to compare a URL string with those in the database.

The second method, content filtering or dynamic filtering, scans the Web page in question for words or word patterns and blocks pages that meet certain criteria. This is a powerful method that works on any Web site regardless of how new it might be, but it has two major drawbacks. First, to scan every page, the appliance must download it. If you have a lot of users, Web browsing can be slow unless you also have a very powerful filtering appliance. Also, if the filter is set to be too aggressive, it will create more false positives than you may consider acceptable.

An ideal filtering solution would use a combination of these methods, primarily relying on the database and only scanning for content when necessary.

We received a variety of security appliances with Web filtering capabilities from six companies: ContentWatch, eSoft, IronPort Systems, Mi5 Networks, St. Bernard and WatchGuard Technologies. The appliances ran the gamut of user capacity and offered a variety of additional features.

All of the appliances were rackmountable and, with one exception, took up 1U of space. Each had, as a bare minimum, two 10/100/1,000 megabits/sec data ports and a serial console port.

To test the Web filtering capabilities of each device, we connected them in turn to our test network.
Appliances could be set up in a variety of configurations within the network, but we set them up in-line between the router and the rest of the network. This is almost always the configuration recommended by the manufacturer because it is largely foolproof. Setting them up in sniffer mode, connected to the network alongside everything else, is usually not a good idea. In that mode, every client's browser has to be set to use the device as a Web proxy, a setting that can therefore be disabled locally. You can prevent this by setting the router/firewall to block all Web traffic from sources other than the Web filter appliance, but setting it up in-line is definitely the preferred method.

We set each appliance's policy to block some of the more common categories of verboten Web sites, such as those featuring adult content or nudity, gambling, games, and illegal drugs. Although each interface was slightly different, we were able to set each one to block the same categories.

We then listed Web sites we felt would be especially challenging, such as those that straddle typical category definitions and others that contain little-used domain extensions, such as .info, .biz and the relatively new .mobi.

We also put in several URLs that could easily result in false positives, such as government drug-use information and university-sponsored sexual-health sites. And we tried to play several online games, including popular ones such as 'Lord of the Rings' and more obscure ones such as a German site that offers casual board games.

Although some came close, none of the filters performed perfectly. Some were fooled by certain domain extensions, and all of them failed to block a page with prohibited material within an otherwise acceptable domain, for instance the Gambling tab on the official Las Vegas Web site.
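
An added example, not from the original review or from any vendor's product: a sketch of the combined approach described above, with a category database consulted first and a keyword scan run only on uncategorized URLs. The database entries, keyword weights, page bodies and all function names are constructed assumptions; the path-level entry shows how a section inside an otherwise acceptable domain can carry its own category.

```python
import re
from urllib.parse import urlsplit

# Constructed category database (illustrative, not any vendor's data).
# Keys are "host" or "host/path-prefix"; a path entry overrides its domain.
URL_DB = {
    "casino.example": "gambling",
    "city.example": "government",
    "city.example/gambling": "gambling",
}
BLOCKED = {"adult", "gambling", "games", "drugs"}

# Constructed keyword weights for the fallback content scan.
KEYWORDS = {"poker": 3, "jackpot": 3, "betting": 3, "casino": 2, "odds": 1}

# Constructed page bodies standing in for downloads.
PAGES = {
    "http://fresh-site.test/": "Online poker, jackpot slots and sports betting",
    "http://counseling.test/help": "Why the odds at a casino are against you",
}
fetched = []  # records which URLs actually had to be downloaded


def fetch_body(url):
    fetched.append(url)
    return PAGES.get(url, "")


def lookup_category(url, use_paths=True):
    """Longest-prefix match on host and path, then on parent domains."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    segs = [s for s in parts.path.lower().split("/") if s] if use_paths else []
    for i in range(len(labels) - 1):          # host first, then parents
        host = ".".join(labels[i:])
        for n in range(len(segs), -1, -1):    # most specific path first
            category = URL_DB.get("/".join([host] + segs[:n]))
            if category:
                return category
    return None


def content_score(text):
    """Sum the weights of listed keywords found in the page text."""
    return sum(KEYWORDS.get(w, 0) for w in re.findall(r"[a-z]+", text.lower()))


def decide(url, threshold=6, use_paths=True, fetch=fetch_body):
    """Database first; download and scan only when the URL is uncategorized."""
    category = lookup_category(url, use_paths)
    if category is not None:
        verdict = "block" if category in BLOCKED else "allow"
        return verdict, "url-db:" + category
    score = content_score(fetch(url))
    return ("block" if score >= threshold else "allow"), f"content-scan:{score}"


if __name__ == "__main__":
    for url in ("http://casino.example/", "http://www.city.example/visitors",
                "http://www.city.example/gambling/slots",
                "http://fresh-site.test/", "http://counseling.test/help"):
        print(url, decide(url))
    # Domain-only lookup misses the section inside an acceptable domain.
    print(decide("http://www.city.example/gambling/slots", use_paths=False))
    # An aggressive threshold turns the counseling page into a false positive.
    print(decide("http://counseling.test/help", threshold=3))
```

Only the two uncategorized URLs are downloaded; lowering `threshold` to 3 blocks the constructed counseling page, which is the false-positive trade-off the review describes.
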
Any appliance could be adjusted to near-perfect operation for an organization willing to devote enough time and effort, but we were interested in how the devices' out-of-the-box category definitions fared.

It should be noted that prices of the units in this review include the first year of an annual subscription and/or maintenance fee. This is standard for an appliance using data that is constantly updated.

ContentWatch CP 100

Pros: Near-perfect web blocking.
Cons: Setup wizard not helpful.
Performance: A+; Features: A; Usability: A; Value: B+

The ContentProtect (CP) 100 from ContentWatch is a combination security appliance that includes bandwidth management, antivirus and spyware applications, and peer-to-peer control in addition to Web filtering. All of this comes in one box that is easy to use and not too hard on the budget.

We found the setup process simple enough: just connect a computer to the management port and browse the default IP address. There is a wizard that tends to overcomplicate matters, but it can be bypassed, and we suggest doing so. After that, it's just a matter of setting the IP address of the data ports and hooking it up.

We were pleased with the precision with which it handled our tricky Web site list. It was not fooled by any of the potential false positives and managed to stop nearly everything else. It even blocked a Java-based program from connecting to play online board games, which no other appliance in the review managed to do. Other than the previously mentioned Las Vegas Web site issue, there was nothing we could do to stump it.

The CP 100 sells for $2,390 with an annual license subscription for 100 users. That's a good price considering the different kinds of information that are constantly updated. Subscriptions for more users are available at higher prices.

Contact: ContentWatch, (866) 765-7233, www.contentwatch.com

ThreatWall 450

Pros: Easy setup, good use of DHCP.
Cons: Created more false positives than other appliances in the review.
Performance: A; Features: B+; Usability: A; Value: B+

The ThreatWall 450 from eSoft is a breeze to set up and use.
In addition to Web filtering, the ThreatWall is equipped to handle spyware, application attacks and viruses. It can even help protect Web servers in your network from buffer overflows and other attacks.

Once connected to the network, the ThreatWall found our Dynamic Host Configuration Protocol server, negotiated an IP number and made that its static address. Then we just connected it to the router, and it was ready to go.

The Web-based interface is easy to learn with wizards and a logical layout. Like other eSoft products, this one includes ThreatMap, which is a world map that points out the sources of attacks.

The ThreatWall performed respectably with our list of URLs, but on its basic setting, it failed to block some sites that other filters stopped. It was also the only appliance in this review to produce a false positive when it rejected a university sociology department's sex information Web site. But we were especially pleased to see a setting that has the ThreatWall enforce Google and Yahoo Safe searches even if clients turn them off.

The price for eSoft's ThreatWall 450 is $4,798 with a government price of $4,318. We feel this is a good price for a midrange appliance with unlimited user licenses.

If you need more versatility, eSoft also offers separately priced SoftPaks and ThreatPaks that can upgrade your ThreatWall to perform additional functions including e-mail filtering or network intrusion prevention.

Contact: eSoft, (888) 903-7638, www.esoft.com

IronPort S350

Pros: Hot-swappable drives, redundant power supplies.
Cons: Special equipment required for transparent mode.
Performance: A; Features: A+; Usability: B; Value: B

IronPort Systems' S350 is clearly on the high end of this market. It is an extremely powerful, top-of-the-line appliance, with strong features that many of the other appliances in this review simply don't have, for an equally top-of-the-line price.

Its six hot-swappable 146G SAS drives are one of the reasons it takes up 2U of rack space. It also has two redundant, hot-swappable power supplies.
In addition to data ports for Web filtering, it has two traffic ports for Layer 4 network traffic monitoring.

As we expected, the setup of the S350 was the most complicated in the review. The setup wizard was reasonably helpful in getting all the IP numbers established. But to use both data ports for a pass-through type of setup, we had to activate the second port through the command-line interface, accessible only via Telnet or a terminal program.

Fortunately, the device does have a setting that will allow a remote technician from IronPort to access the S350 directly, which is useful if a setup process goes over your head.

The S350's Web filter did a good job in our tests. It managed to block the sites in our list with only a few exceptions.

It accomplished this not only with traditional methods but also by using what IronPort calls its Web Reputation Filters, which use factors such as how long the domain has existed and its host country along with administrator settings to determine whether to block a site.

This method may be more efficient, and based on our observations, it certainly didn't slow things down.

The S350 is so high-end that it can't be used to its full effectiveness unless the surrounding components are just as sophisticated. We were disappointed that the appliance cannot be put in transparent mode unless connected to a Layer 4 switch or a Web Cache Communication Protocol Version 2 router. We were able to make do for the test with the Web proxy forwarding mode, however.

The S350 has a price tag of $14,478 (more expensive than we would have expected, even for such a powerful appliance), mostly because of the specialized equipment required for optimal deployment. The government price of $11,582 is more reasonable. If you are looking for a powerful security appliance for as many as 5,000 users, and you already have appropriate networking equipment, this may be up your alley.
Contact: IronPort Systems, (650) 989-6530, www.ironport.com

iPrism M1200

Pros: Good administrative software.
Cons: Low number of user licenses.
Performance: B+; Features: B; Usability: A; Value: B+

The iPrism M1200 from St. Bernard is easy to set up and use, and it does its job pretty well. The purplish color of the case is unusual, but the appliance itself is all business.

We were impressed with the minimal amount of time the iPrism took to set up. With the Appliance Manager software installed on a client machine, we were able to detect the iPrism before it was assigned an IP number. Then the wizard helps you change the settings, and it's ready to go.

You can then access it through the Appliance Manager or a Web browser.

We found setting up Web usage policies to be intuitive and simple. You generate an access control list of what categories are allowed and blocked, then click on the timetable to choose when it's in force. The real-time monitor lets you see the traffic as it comes in.

The iPrism did a decent job in our performance tests. It managed to block most of the URLs but missed a few. It was the only one in the review to allow a blog Web site devoted entirely to adult and sexually explicit subject matter. There were settings to have it enforce safe searching on both Google and Yahoo, though, no matter what the user set them to.

In addition to the Web-filter function, the iPrism also has anti-spyware and peer-to-peer application control. This is all controlled through the same interface and using the same sort of steps as the Web filtering.

The iPrism costs $3,490, which is a little high considering that only covers the subscription licenses for 50 users. But all the functions are covered under the same license, and that convenience makes it an acceptable price.

Contact: St. Bernard, (800) 782-3762, www.stbernard.com

Firebox X550E

Pros: Good web filtering, programmable ports.
Cons: Highly convoluted setup procedure.
Performance: A; Features: A; Usability: B; Value: A

Like all WatchGuard appliances, the Firebox X550e is bright, fire-engine red.
Also like its brethren, it is built on top of WatchGuard's award-winning firewall technology.

That said, the X550e is more complicated to set up than nearly all of the other devices in this review. First, you have to register online to activate the Firebox. Then the management software and certain firmware (WatchGuard calls it Fireware) have to be downloaded and installed. We found this especially challenging because the computer doing the installing needs to be connected alternately to the Internet and directly to the Firebox.

At this point, the Firebox is ready to have its IP addresses set and hooked into the network.

We were pleased to find that the X550e has four programmable network ports, a unique feature among the appliances in this review.

However, the Firebox's primary function as a firewall means that the connection to the router has to be on a different subnet than the rest of the network. This is better security-wise, but it is certainly less convenient than a more transparent appliance.

Once set up, however, the administrator software let us establish a Web usage policy rather quickly. And the system manager software lets you manage all your Firebox products from one console.

In our Web filtering tests, the Firebox X550e performed well. It didn't fall for any of our potential false-positive URLs and only let one possible gambling site through that most of the others blocked. Other than that, it performed better than nearly all of the other devices in the roundup.

As mentioned before, in addition to Web filtering, the Firebox also functions as a firewall. And it performs intrusion-prevention, antivirus and anti-spyware functions and even works as a spam blocker.

Considering all it does, the Firebox X550e comes at a great price: $1,999 includes the first year subscription fee for all those functions.

If you need a Web filter that is also a firewall and you don't mind a little extra effort in the set-up process, then the Firebox X550e might be just for you.
Contact: WatchGuard Technologies, (651) 436-6604, www.watchguard.com

Webgate 005

Pros: Automatic pass-through mode when shut down.
Cons: Web filtering sub-par.
Performance: B; Features: A; Usability: A; Value: B

Mi5's Webgate 005 is a Web security appliance that performs a lot of necessary functions in addition to Web filtering. Although it is more than a jack at some of those trades, it has not mastered Web filtering.

Setup was fairly easy for a device of this type. Simply set up the IP address of the port, hook it up in-line, and it is ready to go.

When updating the software, we discovered that the Webgate has a pass-through mode that simply allows all traffic through when it's shut down. This solution definitely will help avoid riots among the staff when an upgrade requires a reboot.

In our URL filter test, the Webgate's performance was at the bottom. It did not seem to want to block any Web site with a .mobi extension, and some Web sites were only partially blocked, showing some of the text but not all the graphics.

It even fell for one of our false-positive tests, the site for the Las Vegas Hilton, which was completely blocked. The Hilton was blocked even though Mandalay Bay, just down the strip, was not.

And considering what hardcore adult sites it let through, especially those with .mobi extensions, we felt that it was an odd choice for the Webgate to beat up on the Hilton. Perhaps Paris has something to do with that?

Webgate does have its strong points. In addition to the Web-filtering function, it has antivirus, anti-spyware and a robust anti-botnet system. It also has SpyWash, which is a way to remediate and eliminate spyware on a client's machine remotely through the Webgate.

We found this unique feature to be a potential lifesaver.

Mi5 Networks has set the price of the Webgate 005 at $7,225. This is higher than we had hoped but not too far out of the park considering all the security features it provides.

Contact: Mi5 Networks, (408) 745-7443, www.mi5networks.com

A network administrator is sometimes faced with the onerous task of monitoring Web activity and blocking sites the organization deems inappropriate. This can be made even more difficult if the administrator is working with an already-strained budget.

Fortunately, Web-content-filtering systems are common, and they are often integrated with other network security functions, such as firewalls, antivirus programs and even intrusion-detection/prevention programs. This can save an administrator not only money but also precious rack space.



The GCN Lab tested six Web-content-filtering products. The results of the tests, and the Reviewer's Choice award winner, are available below.






























