Web filtering tools handle ever-larger jobs

From the time the World Wide Web took off in the mid-90s, companies began looking for ways to filter out access to its more lurid displays, but IT managers who use filters today say they're good for much more than blocking access to porn.

Because keeping company resources safe from spyware, adware and phishing is of growing importance, Web filter technologies are keeping up by blocking sites known to be engaged in those types of threats. Filters have expanded to block peer-to-peer file sharing sites, which pose copyright concerns and often spread adware. Companies using Web filters expect them to play an ever-larger role in enterprise protection.

"Some sites are offensive to employees, such as pornography or gambling, others are time-wasters, such as sports," says Jeff Smestuen, network manager at ice-cream maker Blue Bell Creameries, which has 750 employees at its manufacturing facilities and branch offices. "And Internet radio and TV sites are bandwidth hogs."

But these days, Web sites also might be just plain dangerous, pushing key-loggers out to steal personal information or trying to trick people into entering sensitive data.

"The phishing fraud we've seen firsthand," Smestuen says. "The Web sites are so professional looking and sometimes employees panic and ask IT for help."

Blue Bell uses Websense Enterprise as its filtering gateway to the Internet. Over the past year, Websense added a way to automatically block phishing and other fraud-connected Web sites as soon as they were identified.

"It does a pretty good job of blocking these sites," Smestuen says. "Nothing is going to get it all, but this helps."

Web filters are also expected to be flexible so that network managers can cut employees some slack even while stopping them from whiling away the day on the Web. Blue Bell, for instance, can set a "limit by quota" on the number of times an employee is allowed to go to some sites, such as those for weather or news.

"It can get to be a morale issue if you crank it down too much," Smestuen says about using a Web filter to police an employee's Web use.

The Web-filtering market

According to research firm Frost & Sullivan, industry veteran Websense still holds almost half of the Web-filtering market along with rival SurfControl.

But since the early days of the Web, competition has grown, with Secure Computing, Symantec and McAfee also scoring gains in a growing field of contenders.

This month Websense pointed out how times have changed by detailing the sharp increase of entries in its master database of monitored sites. When it first started in 1996, its filtering database consisted of 26 categories with roughly 25,000 Web sites. Today, the Websense Master Database stands at 10 million Web sites and more than 90 categories as it tracks shopping, gambling, games, entertainment and MP3 sites.

Several other Web-filtering vendors, including Lightspeed Systems, also claim to be well past the 10 million mark.

During the first quarter alone, Websense says it categorized more than 13,000 Web sites engaged in spyware, phishing and other frauds in order to reduce customers' exposure. According to Websense, spyware-related sites have grown from 37,800 to more than 89,000 sites over the last year.

Tom Trumble, network administrator for a local government facility, says spyware has become a signigicant threat to desktop security and privacy. "We've seen a serious increase in spyware drive-by installs," says Trumble, describing how unwanted code is dropped from the Web site onto the Web surfer's machines without his knowledge.

Trumble's organization recently acquired the Blue Coat appliance Interceptor, which combines URL filtering with blocking spyware downloads. Because monitoring and blocking access to Web sites is a sensitive subject that affects an entire organization, Trumble says he's presenting his Web policy ideas to the board of commissioners to get the government equivalent of management buy-in before monitoring or blocking access for agency employees.

"We'd prefer to hear the objections in advance rather than later," Trumble says. "We don't want to be seen as Big Brother."

When governments anywhere in the world set policies for Web filtering on a national scale, it naturally draws attention from free-speech advocates concerned such policies might involve political or religious suppression.

A research group called the OpenNet Initiative, a partnership between the University of Toronto, Harvard Law School and Cambridge University, has issued several reports over the past few years detailing how China, Iran and Saudi Arabia, among others, make use of Web filtering to achieve political ends.

A study published last month, titled Internet filtering in China in 2004-2005: A Country Study, says the Chinese government's ability to block access to political, religious and news information makes it "the most sophisticated effort of its kind in the world".

Acceptable use, Western-style

When filtering access to the Web, corporations, government agencies and schools often require network users to agree to Internet acceptable-use policies by signing a form stipulating off-limits activities.

But that doesn't mean Web monitoring is easy for school IT administrators who manage the high-speed networks that are increasingly common in public schools. Some schools don't just have forbidden Web sites -- they have a list of forbidden search words and if a Web filter catches one being used, IT administrators are compelled to bring that to the attention of school management.

There's the prevailing notion in some quarters that America, the land that gave rise to adult-porn Web sites, is also the country spending the most time and money in making sure employees and students aren't able to get to them.

According to Jose Lopez, senior industry analyst in network security for Frost & Sullivan, which is based in London, says two-thirds of Web-filtering product sales are made in the US.

In Europe, the UK and Germany are the only significant markets, Lopez notes, adding the Scandinavian countries seem to have little interest in blocking porn.

Danny McCampbell, senior network analyst at spare parts manufacturer Mahle, says it's easy to get the impression that Europe has a different attitude about risque material.

Mahle uses SurfControl's Web Filter to block sites the filter deemed to be "adult content". But Mahle found employees sometimes couldn't get access to European business sites, such as travel sites to make reservations, because these sites had 'risque' photos posted on them. "The user would call and say, 'I'm trying to get on this site but I can't,'" McCampbell says. "So we created an exception rule for the filter that allows access but blocks the risque advertising."

In Web filtering, exceptions can be the rule.

Although Mahle doesn't generally permit access to gaming and entertainment sites, the company makes an exception for the Nascar racetrack's Web site at Nascar.com.

"We're an automotive manufacturer and we allow it because we manufacture pistons for Nascar," McCampbell says