Web usage monitoring is big business. According to SurfControl, manufacturer of Web Filter, “the average annual corporate cost per 1,000 employees attributed to non-business browsing exceeds $35 MILLION each year.” It’s no wonder, with figures like this being thrown around, that an entire industry has grown up around protecting your company from its own employees. It’s also not a big surprise that many of the players in this industry use a combination of hype and scare tactics to sell their products.

Imagine the following scenario…
It’s 10 A.M. and you’ve just had a call from the CEO stating that she walked by a VP’s office and saw him bidding for a vintage jukebox on eBay instead of working on the presentation for that afternoon’s big board meeting. She’s fuming that you haven’t protected the company against this kind of abuse of Internet usage.

Not good, but neither is the following…
The same CEO has tasked your company’s HR manager with updating the company’s policies on sexual harassment in the workplace. But the HR manager can’t do any online research because “your” overzealous filtering software won’t grant access to any site containing the word “sex.”

Anyone who’s worked with filtering software knows that it’s far from perfect. Even a knowledgeable admin taking the time to craft well-defined policies will undoubtedly run into problems with sites that slip through under the radar and others that shouldn’t be blocked but are. Let’s examine what you should be looking for in your filtering and monitoring package, what you can reasonably expect it to deliver, and a few of the top products in the market.

SurfControl
SurfControl is probably the most recognized name in Internet filtering. It caters to enterprise customers with extensive filtering and monitoring needs, while still maintaining availability to smaller customers. SurfControl’s Web Filter product is available for virtually any platform, including Windows NT/2000, Linux, and several flavors of UNIX, and can be integrated with Microsoft’s Proxy and ISA servers, Check Point’s Firewall-1, and Novell’s BorderManager.

SurfControl has focused on a product that is powerful but particularly easy to use, with features such as automated discovery of users and groups under a variety of directory services (including Active Directory, NDS, and LDAP), user/group-based filtering policies, and a real-time usage monitor. Web Filter also offers a range of deeper features. These include over 50 customizable reports, which can be scheduled or run on demand and can output to a number of formats, and categorization by site, directory, and page for detailed control of content within a domain.
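The difference between the keyword blocking in the HR scenario above and category lookup at site, directory, and page level combined with per-group policy can be seen in a short sketch. This is an added example, not code from SurfControl or any other vendor named here; the hosts, categories, group names, and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed category database keyed by (host, path prefix).
# "" covers the whole site, a trailing "/" marks a directory, a full path a page.
CATEGORY_DB = {
    ("auctions.example", ""): "shopping",
    ("law.example", ""): "reference",
    ("law.example", "/forums/"): "chat",
    ("law.example", "/forums/hr/faq.html"): "reference",
    ("adult.example", ""): "adult",
}

# Constructed per-group policy: categories each directory group may not visit.
GROUP_POLICY = {
    "staff": {"adult", "shopping", "chat"},
    "hr": {"adult", "shopping"},
}

BLOCKED_KEYWORDS = ("sex",)


def keyword_blocks(url):
    """Naive filter: block any URL that contains a listed substring."""
    return any(word in url.lower() for word in BLOCKED_KEYWORDS)


def categorize(url):
    """Return the category of the most specific entry: page, then directory, then site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # exact host match only in this sketch
    path = parts.path or "/"
    best_len, best_cat = -1, "uncategorized"
    for (db_host, prefix), category in CATEGORY_DB.items():
        if db_host == host and path.startswith(prefix) and len(prefix) > best_len:
            best_len, best_cat = len(prefix), category
    return best_cat


def decide(group, url):
    """Apply the group's policy to the URL's category; unknown groups get the staff policy."""
    category = categorize(url)
    blocked = GROUP_POLICY.get(group, GROUP_POLICY["staff"])
    return ("block" if category in blocked else "allow", category)


if __name__ == "__main__":
    for group, url in [("hr", "http://law.example/sexual-harassment/policy.html"),
                       ("staff", "http://auctions.example/item?id=1"),
                       ("staff", "http://new-site.example/")]:
        print(group, url, "keyword:", keyword_blocks(url), "category:", decide(group, url))
```

The last sample URL returns `uncategorized` and is allowed, which is the "slips through under the radar" case: a site the database has not seen yet passes until it is categorized.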

Websense
Like SurfControl, Websense claims to have the largest and most accurate database of Web sites. In addition, Websense Enterprise is focused on providing filtering and monitoring capabilities with minimal impact on your network. Websense software can be installed on a stand-alone server or integrated with existing hardware, including proxy servers and firewalls from Microsoft, Sun, Cisco, 3Com, Check Point, and others. While the list of integrated options is long, a stand-alone server can run only under Windows NT/2000, Solaris 2.6 or later, and Red Hat Linux.

The Websense software is also somewhat more modularized than SurfControl’s Web Filter, with the core application available in four packages: the Enterprise Application, Master Database, Reporter, and WebCatcher. The WebCatcher module is interesting in that it’s used to send new or unrecognized sites to Websense nightly for inclusion in the master database. This is a different approach from SurfControl, whose Virtual Control Agent attempts to dynamically categorize new sites in real time.

N2H2
Not surprisingly, N2H2 claims to have the “most effective filtering list available” in its Sentian filtering product, though the company does offer several independent tests to attempt to back this claim up. Sentian is available for a somewhat smaller list of hardware devices and servers than either Web Filter or Websense Enterprise and runs under either Windows or Red Hat Linux.

Information on the Sentian software is somewhat harder to come by than either of the other two packages. It’s a filtering product that offers fewer features and a more simplistic approach to blocking and allowing a defined list of sites. This lack of depth is reflected in the product’s price tag, about $1,500, and it may be a good option for smaller organizations.

Beyond the technology
Of course, none of these products is a cure-all for the difficulties of offering useful Internet access to your employees while protecting your network and your company. The basic premise of a database of sites that will include all things offensive, nonproductive, or insecure is fundamentally flawed. There simply is no one piece of technology that can keep up with the growth and dynamic nature of the Internet.

However, if a filtering package is approached as a tool to help support a clearly defined (and often revisited) Internet Usage Policy (IUP), it can certainly go a long way toward offering a significant sense of security. The IT and HR teams need to find common ground regarding the IUP. All parties involved need to work to make sure that employees know what to expect, both from your company and from your filtering and monitoring software. This approach shifts focus away from the software package, meaning that you can consider the overall package, features, price, and your specific needs, rather than just trying to figure out which company to believe regarding the depth and breadth of its URL database.

Include the users
Internet filtering and monitoring software is necessary and can help protect your company from a myriad of woes. However, as generally happens when technology and people interact, the software itself isn’t enough. It must be used as part of a broad and well-thought-out usage policy. In addition, users must be given ample education about the Internet filtering products to know what to realistically expect, particularly while you get your policy in place and your software up and running.