The Pros and Cons Of Content Filtering For The SMB

Article by Lee Clemmer, published Mar 25, 2009

Every large enterprise I've encountered has a clear security policy on appropriate use of Web and Internet resources. Almost all enterprises also have some sort of web content filtering and Internet traffic monitoring and management in place. For the small business, content filtering can be a challenge.

Introduction

Content filtering involves allowing or blocking information based on content, rather than the information source. Content filtering is most often used to control information flow from Internet or external sources, but can also be used on internal communications or outgoing content. E-mail, Web, or other types of communication can be filtered, but the first two are most commonly the focus. Content filtering may be implemented at the network perimeter at the firewall(s), router(s), or with a dedicated appliance. Alternatively, proxy servers, application servers, or host-based (user workstation) solutions are possible. Combining host-based and perimeter solutions is a common implementation.

Why Filter?

To understand why, we examine the threat and the vulnerability, and determine the risk. For some businesses one of these elements may be so low that the risk is negligible, but that's unlikely in modern businesses. In general terms:

  • Vulnerability: without filtering, inappropriate or damaging content can (and likely will) be accessed by employees.
  • Threat: the content is always there, and some users will abuse and violate policy. Since the content could have a payload--a virus, trojan, worm, or other malware--the threat is in some cases "active". Passive threats include pornography, inappropriate language, music, or video content.
  • Risk: the content could be malware, such as a virus or worm, and cause damage, costing time and money, or it could lead to legal action by offended parties if the inappropriate content is pornographic. There is also the potential liability for possession and use of pirated software.

What?

The reality is that many adult sites are filled with viruses and malware. A user may also violate policy and common sense by surfing file sharing sites, which are known to host many corrupted applications with trojan horse code embedded in, or replacing, the intended application. There's the clear risk of downloading that malware, but also the software piracy crime to contend with.

Internet usage monitoring

Usually part of the solution will include monitoring and logging components for real-time and historical analysis of Internet use.

Most often, a solution will present both the employee user name and the computer used. These solutions either reference which user is logged in to the desktop or terminal instance for that session, or require users to log in within the browser application when launching it or when accessing external (Internet) resources. Systems that require login make it possible to give different users or groups different levels of access.

How is it done?

E-mail content filtering may look at the types and content of attachments, look for key words and phrases, and/or use Bayesian (statistical) methods for blocking content.

Web content filtering may use heuristics, language filtering (words, phrases, proximity, regular expressions), or filtering based on content type.

Any business-class solution will use a combination of these methods.

Other Options

Solutions that block or allow access based on the source of the information are called source filtering solutions. Filtering sites without considering content is often integrated into content filtering solutions, but site filtering can also be implemented separately from content filtering. Filtering by URL, DNS name, or IP address precludes any communication with the remote site or server and therefore does not require examination of content. Source filtering requires maintaining and updating lists or databases of sources, which is a consideration before using it. Is a vendor's automatic updating of sources useful, prompt, and reliable? Is customization required? Do you or your staff have time to spend on it?
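
The combination described under "How is it done?" and "Other Options" can be sketched as follows. This is an added example, not code from the article or from any product: the policy lists, function names and the fetch callback are all assumptions made up for illustration. The source check runs first, so a blocked site is never contacted; only allowed sources have their content type and text examined.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample policy; every name and value here is illustrative.
BLOCKED_DOMAINS = {"filesharing.example"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_TYPES = {"application/x-msdownload"}
BLOCKED_PHRASES = ["keygen download"]
BLOCKED_PATTERNS = [re.compile(r"\bcrack(ed|s)?\b", re.I)]
PROXIMITY_RULES = [("free", "serial", 3)]  # both words within 3 words of each other

def source_verdict(url):
    """Source filtering: decide from the host alone, before any content is fetched."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(host)
        return "block:ip" if any(addr in net for net in BLOCKED_NETS) else None
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    # Match the domain itself and any subdomain, but not look-alike names.
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "block:domain"
    return None

def words_near(words, a, b, distance):
    """True if words a and b occur within `distance` positions of each other."""
    pos_a = [i for i, w in enumerate(words) if w == a]
    pos_b = [i for i, w in enumerate(words) if w == b]
    return any(abs(i - j) <= distance for i in pos_a for j in pos_b)

def content_verdict(content_type, text):
    """Content filtering: content type, then phrases, regexes and proximity."""
    if content_type.split(";")[0].strip().lower() in BLOCKED_TYPES:
        return "block:type"
    lowered = text.lower()
    if any(p in lowered for p in BLOCKED_PHRASES):
        return "block:phrase"
    if any(p.search(text) for p in BLOCKED_PATTERNS):
        return "block:regex"
    words = re.findall(r"[a-z0-9']+", lowered)
    if any(words_near(words, a, b, d) for a, b, d in PROXIMITY_RULES):
        return "block:proximity"
    return None

def filter_request(url, fetch):
    """fetch(url) -> (content_type, text); only called if the source is allowed."""
    return source_verdict(url) or content_verdict(*fetch(url)) or "allow"
```

The returned verdict names the rule that fired, which is the kind of detail a monitoring and logging component would record alongside the user and computer.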
