Filtering the content of email messages coming into and out of your organization, Web sites being accessed by your company computers, IM conversations and other data that travels on your network makes business sense because it can save money that might be lost to lawsuits or reduced employee productivity.
Regardless of the size and nature of your business, keeping inappropriate material out of your network and keeping sensitive business information from going out of your network have to be top priorities in today's business climate. Lawsuits can happen at the drop of a hat, and good intentions aren’t enough to protect you. Let an employee glimpse a sexually provocative photo on a co-worker’s computer and you could find yourself sued for creating a "hostile workplace." Have an employee who inadvertently lets slip personal information about one of your customers and you could find yourself in violation of privacy laws. And even if you escape litigation, having the wrong content come in or go out can result in reduced productivity or loss of your competitive edge. That’s why it makes sense to get a content filtering strategy in place as early as possible -- and it makes even more sense to choose solutions that can grow with your company.
Beyond packet filtering
You may think you have all the protection you need because your network is behind a firewall. After all, that’s what a firewall does: it sits between the Internet and your internal network and filters inbound and outbound traffic. Unfortunately, traditional firewalls filter at the packet level; that is, they filter data packets based on IP addresses and port numbers, the information that’s added in headers at the network and transport levels of the OSI model.
The good news is that most modern firewalls go beyond packet filtering and add some degree of application layer filtering. With ALF, a firewall can analyze higher layer information and recognize the protocols used by specific services, and validate that the data inside the packet is valid. Content filtering is a form of application layer filtering, in which the actual data itself is examined and can be compared against a database of text strings, for example, that is prohibited.
Some ALF firewalls, such as ISA Server 2004, can perform this rudimentary form of content filtering "out of the box." However, an effective content filtering strategy generally requires more sophisticated filtering than can be done with an ALF firewall alone. Better content filtering programs go beyond lists of keywords to block, and can use heuristics and other methods to analyze the context in which words are used to determine whether the content should be blocked.
Content filtering solutions for small to large businesses
The smallest businesses may not even have business-class firewalls in place, since such firewalls tend to be costly. For example, ISA Server 2004 Standard Edition costs $1499 (per processor). Firewalls from Cisco, CheckPoint and other vendors that have ALF functionality often cost even more. Many small businesses rely on inexpensive firewall appliances designed for telecommuters or SOHO (Small Office Home Office) models such as those made by SonicWall and Watchguard for under $500. Others can’t afford to spend extra on a firewall at all; they may use open source firewalls on Linux boxes at the network edge, or rely on the Windows firewall built into XP/Server 2003.
Those without ALF firewalls will need to use a third party solution for content filtering. If you’re on a tight budget and you only have a few computers to protect, you might be tempted to use a consumer level content filtering program. The most basic content filtering packages are those intended primarily for parental control of children’s Internet activities, such as NetNanny or CyberPatrol. Many of these programs are available for under $50.
Drawbacks to consumer-level solutions
Although the low price looks attractive, there are some drawbacks to going this route. These are client-side programs. Since you’ll need to install the software on every computer, as you add more systems, you’ll have to buy more copies of the content filtering program, creating a hidden cost as your company grows. At the same time, you have no centralized control or centralized reporting--which become more important as your network gets bigger and more complex. Finally, these consumer-level packages don’t offer the same degree of sophistication as content filtering packages that are designed for businesses, and may either allow harmful content to get through or, more likely, block more than you intend to and thus hamper workers’ ability to use the Internet to get their jobs done.
Small business solutions
Some of the companies that make consumer level solutions also offer business versions. However, the most popular small business solutions are those that also offer enterprise level solutions. For example:
- Websense offers a Web Security Suite for small to medium businesses that runs on Windows 2000 Server, Server 2003, Red Hat Linux or Sun Solaris. For more info, see http://www.websense.com/global/en/ProductsServices/WSSecuritySuite/
- SurfControl offers Web and email filtering software for Microsoft Windows that can be deployed in configurations to protect networks of all sizes. For more info, see http://www.surfcontrol.com/
If you have a bit more money to spend, another option is one of many "security appliances" that include firewall functionality with content filtering (some also include anti-virus and other security applications). There are relatively low cost devices that are targeted toward small businesses, such as:
- The Network Engines NS series security appliances that run Microsoft ISA Server 2004 and the Websense Web Security Suite that performs content filtering
- The CelestixSafe@Office model that runs the CheckPoint firewall software and offers a subscription to anti-virus and content filtering services
Other appliances operate separately from your firewall. Some examples include:
- McAfee Secure Internet Gateway, which provides anti-spyware, anti-virus, anti-spam, anti-phishing, along with email and web content filtering for small and medium businesses)
· ContentKeeper SB is designed for sites with up to 50 users, while ContentKeeper SME is more scalable; it can support from 25 to 2500 users
Appliances are attractive because they can be deployed quickly, with no need to install and configure operating systems and application software. However, generally appliances are not as scalable as software solutions because you're locked into the hardware configuration that you purchase. It may be difficult or impossible to upgrade the processor, memory and other hardware components without buying a whole new appliance.
The most scalable solutions are those that can be deployed on a single, low powered computer while your needs are modest, but can be upgraded to support more users as the network grows.