Regardless of the size and nature of your business, keeping
inappropriate material out of your network and keeping sensitive business
information from going out of your network have to be top priorities in today’s
business climate. Lawsuits can happen at the drop of a hat, and good intentions
aren’t enough to protect you. Let an employee glimpse a sexually provocative
photo on a co-worker’s computer and you could find yourself sued for creating a
“hostile workplace.” Have an employee who inadvertently lets slip personal
information about one of your customers and you could find yourself in
violation of privacy laws. And even if you escape litigation, having the wrong
content come in or go out can result in reduced productivity or loss of your
competitive edge. That’s why it makes sense to get a content filtering strategy
in place as early as possible — and it makes even more sense to choose
solutions that can grow with your company.

Beyond packet filtering

You may think you have all the protection you need because
your network is behind a firewall. After all, that’s what a firewall does: it
sits between the Internet and your internal network and filters inbound and
outbound traffic. Unfortunately, traditional firewalls filter at the packet
level; that is, they filter data packets based on IP addresses and port
numbers, the information that’s added in headers at the network and transport
levels of the OSI model.

The good news is that most modern firewalls go beyond packet
filtering and add some degree of application layer filtering (ALF). With ALF, a
firewall can analyze higher-layer information, recognize the protocols used
by specific services, and check that the data inside the packet is valid.
Content filtering is a form of application layer filtering in which the actual
data itself is examined and can be compared against, for example, a database of
prohibited text strings.

Some ALF firewalls, such as ISA Server 2004, can perform
this rudimentary form of content filtering “out of the box.” However, an
effective content filtering strategy generally requires more sophisticated
filtering than can be done with an ALF firewall alone. Better content filtering
programs go beyond lists of keywords to block, and can use heuristics and other
methods to analyze the context in which words are used to determine whether the
content should be blocked.
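
The sketch below is an added example, not code from the article or from any product it names. It runs the three levels of inspection described above over constructed sample pages: a header-only packet rule, plain keyword matching, and a simple context heuristic. The term lists, the window size and the scoring rule are assumptions chosen for illustration.

```python
import re

ALLOWED_PORTS = {80, 443}                           # packet-level rule: web traffic only
BLOCK_TERMS = {"sex", "xxx", "explicit", "breast"}  # assumed keyword list
BENIGN_CONTEXT = {"chicken", "recipe", "cancer", "screening", "clinic"}  # assumed
WINDOW = 3                                          # tokens of context on each side

# Constructed sample responses: (destination port, page text).
SAMPLES = [
    (80, "Grilled chicken breast recipe with lemon and herbs"),
    (80, "Breast cancer screening guidelines for clinic staff"),
    (80, "Essex county council meeting minutes"),
    (80, "Explicit xxx photos, adults only"),
]

def packet_filter(dst_port):
    """Header-only decision: the payload is never inspected."""
    return "allow" if dst_port in ALLOWED_PORTS else "block"

def keyword_filter(text):
    """Plain string matching against the list, as a basic filter does."""
    lowered = text.lower()
    return "block" if any(term in lowered for term in BLOCK_TERMS) else "allow"

def context_filter(text):
    """Match whole words only, and discount a hit that sits near benign context."""
    tokens = re.findall(r"[a-z]+", text.lower())
    score = 0
    for i, tok in enumerate(tokens):
        if tok not in BLOCK_TERMS:
            continue
        nearby = tokens[max(0, i - WINDOW): i + WINDOW + 1]
        if not BENIGN_CONTEXT.intersection(nearby):
            score += 1
    return "block" if score >= 1 else "allow"

def compare(samples=SAMPLES):
    """Return (packet, keyword, context) decisions for each sample."""
    return [(packet_filter(p), keyword_filter(t), context_filter(t)) for p, t in samples]

if __name__ == "__main__":
    for (port, text), row in zip(SAMPLES, compare()):
        print(f"{text[:45]:45} packet={row[0]:5} keyword={row[1]:5} context={row[2]}")
```

The packet rule allows all four pages because they share a port, the keyword list blocks all four (including the recipe, the clinic page and "Essex"), and only the context heuristic separates the one page that should be blocked.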

Content filtering solutions for small to large businesses

The smallest businesses may not even have business-class
firewalls in place, since such firewalls tend to be costly. For example, ISA
Server 2004 Standard Edition costs $1499 (per processor). Firewalls from Cisco,
CheckPoint and other vendors that have ALF
functionality often cost even more. Many small businesses rely on inexpensive
firewall appliances designed for telecommuters or SOHO (Small Office Home
Office) models such as those made by SonicWall and Watchguard for under $500. Others can’t afford to spend
extra on a firewall at all; they may use open source firewalls on Linux boxes
at the network edge, or rely on the Windows firewall built into XP/Server 2003.

Those without ALF firewalls will need to use a third party
solution for content filtering. If you’re on a tight budget and you only have a
few computers to protect, you might be tempted to use a consumer level content
filtering program. The most basic content filtering packages are those intended
primarily for parental control of children’s Internet activities, such as NetNanny or CyberPatrol. Many of
these programs are available for under $50.

Drawbacks to consumer-level solutions

Although the low price looks attractive, there are some
drawbacks to going this route. These are client-side programs. Since you’ll
need to install the software on every computer, as you add more systems, you’ll
have to buy more copies of the content filtering program, creating a hidden
cost as your company grows. At the same time, you have no centralized control
or centralized reporting, both of which become more important as your network gets
bigger and more complex. Finally, these consumer-level packages don’t offer the
same degree of sophistication as content filtering packages that are designed
for businesses, and may either allow harmful content to get through or, more
likely, block more than you intend to and thus hamper workers’ ability to use
the Internet to get their jobs done.

Small business solutions

Some of the companies that make consumer level solutions
also offer business versions. However, the most popular small business
solutions are those that also offer enterprise level solutions. For example:

Turn-key appliances

If you have a bit more money to spend, another option is one
of many “security appliances” that include firewall functionality
with content filtering (some also include anti-virus and other security applications).
There are relatively low cost devices that are targeted toward small
businesses, such as:

Other appliances operate separately from your firewall. Some
examples include:

  • McAfee Secure Internet Gateway, which provides anti-spyware,
    anti-virus, anti-spam and anti-phishing protection, along with
    email and web content filtering for small and medium businesses

  • ContentKeeper SB is designed for sites with up to 50
    users, while ContentKeeper SME is more scalable; it
    can support from 25 to 2500 users.

Scalability considerations

Appliances are attractive because they can be deployed
quickly, with no need to install and configure operating systems and
application software. However, generally appliances are not as scalable as
software solutions because you’re locked into the hardware configuration that
you purchase. It may be difficult or impossible to upgrade the processor,
memory and other hardware components without buying a whole new appliance.

The most scalable solutions are those that can be deployed
on a single, low powered computer while your needs are modest, but can be
upgraded to support more users as the network grows.