Content filtering involves allowing or blocking information based on its content, rather than on the information source. Content filtering is most often used to control information flow from the Internet or other external sources, but it can also be used on internal communications or outgoing content. Any type of communication can be filtered, but e-mail and Web traffic are most commonly the focus. Content filtering may be implemented at the network perimeter on the firewall(s) or router(s), or with a dedicated appliance. Alternatively, proxy servers, application servers, or host-based (user workstation) solutions are possible. Combining host-based and perimeter solutions is a common implementation.
To understand why, we examine the threat and the vulnerability, and determine the risk. For some businesses one of these elements may be so low that the risk is negligible, but that’s unlikely in modern businesses. In general terms:
- Vulnerability: without filtering, inappropriate or damaging content can (and likely will) be accessed by employees.
- Threat: the content is always there, and some users will abuse and violate policy. Since the content could have a payload–a virus, trojan, worm, or other malware–the threat is in some cases “active”. Passive threats include pornography, inappropriate language, music, or video content.
- Risk: the content could be malware, such as a virus or worm, and cause damage costing time and money, or, if the inappropriate content is pornographic, lead to legal action by offended parties. There is also the potential liability for possession and use of pirated software.
The reality is that many adult sites are filled with viruses and malware. File sharing sites are also known to have many instances of corrupted applications with trojan horse code embedded in, or replacing, the intended application. If a user violates policy and common sense by surfing them, there’s the clear risk of downloading that malware, but also the software piracy crime to contend with.
Internet usage monitoring
Usually part of the solution will include monitoring and logging components for real-time and historical analysis of Internet use.
Most often, a solution will present both the employee user name and the computer used. These solutions either reference which user is logged in to the desktop or terminal instance for that session, or require users to log in within the browser application when launching it or on accessing external (Internet) resources. Systems that require login make it possible to provide different users or groups with different levels of access.
How is it done?
E-mail content filtering may look at the types and content of attachments, look for key words and phrases, and/or use Bayesian (statistical) methods for blocking content.
Web content filtering may use heuristics, language filtering (words, phrases, proximity, regular expressions), or filtering based on content type.
Any business-class solution will use a combination of these methods.
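As an added illustration (not code from any particular product), the sketch below combines three of the methods above in one e-mail check: an attachment-type rule, a proximity regular expression, and a naive Bayes score. The training messages, extension list, proximity rule and threshold are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed training samples (not real mail): label -> message bodies.
# Both classes have the same number of samples, so class priors cancel out.
TRAIN = {
    "block": ["free pills cheap pills order now", "win cash now click this link",
              "cheap software download crack keygen"],
    "allow": ["meeting agenda for monday attached", "invoice for your order is attached",
              "please review the project schedule"],
}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}  # assumed attachment policy
# Proximity rule (assumed): "verify" and "password" with at most three words between.
PROXIMITY = re.compile(r"\b(verify)\W+(?:\w+\W+){0,3}?(password)\b|"
                       r"\b(password)\W+(?:\w+\W+){0,3}?(verify)\b", re.I)

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

def train(samples):
    """Count tokens per label and build the shared vocabulary."""
    counts = {label: Counter(t for msg in msgs for t in tokens(msg))
              for label, msgs in samples.items()}
    vocab = set().union(*counts.values())
    return counts, vocab

def block_log_odds(text, counts, vocab):
    """Log-odds that text belongs to 'block' (naive Bayes, add-one smoothing)."""
    score = 0.0
    for label, sign in (("block", 1), ("allow", -1)):
        total = sum(counts[label].values()) + len(vocab)
        for t in tokens(text):
            if t in vocab:  # tokens never seen in training carry no evidence
                score += sign * math.log((counts[label][t] + 1) / total)
    return score

def filter_message(body, attachments, counts, vocab, threshold=1.0):
    """Return (verdict, reason); the cheap deterministic rules run first."""
    for name in attachments:
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            return "block", f"attachment type: {name}"
    if PROXIMITY.search(body):
        return "block", "proximity rule: verify/password"
    odds = block_log_odds(body, counts, vocab)
    verdict = "block" if odds > threshold else "allow"
    return verdict, f"bayesian score {odds:.2f}"

COUNTS, VOCAB = train(TRAIN)
```

Matching on the final extension catches double-extension names such as `invoice.PDF.exe`, and returning the reason with each verdict gives the monitoring and logging component something to record.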
Solutions that block or allow access based on the source of the information are called source filtering solutions. Filtering sites without considering content is often integrated into content filtering solutions. Site filtering can also be implemented separately from content filtering. Filtering by URL, DNS name, or IP address precludes any communication with the remote site or server and therefore does not require examination of content. Maintaining and updating lists or databases of sources is required, and is a consideration before using source filtering. Is a vendor’s automatic updating of sources useful, prompt, and reliable? Is customization required? Do you or your staff have time to spend on it?
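The following added example (not taken from any vendor's product) shows a source filtering decision made from the request target alone, by IP address, DNS name and URL prefix, with a per-group exception of the kind described under usage monitoring. The list entries, the example.* names, the RFC 5737 address range and the group names are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy data; in practice these lists come from a maintained feed.
BLOCKED_DOMAINS = {"social.example", "filesharing.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_URL_PREFIXES = ["intranet-mirror.example/downloads/"]
# Hypothetical group exception: marketing may reach social.example.
GROUP_EXCEPTIONS = {"marketing": {"social.example"}}

def matching_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # whole labels only, never a raw substring
        if candidate in domains:
            return candidate
    return None

def check_source(url, group):
    """Decide on the request target alone; no content is fetched or inspected."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "unparseable URL"  # fail closed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a DNS name, not an IP literal
    if addr is not None:
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return "block", f"IP in {net}"
        return "allow", "IP not listed"
    domain = matching_domain(host, BLOCKED_DOMAINS)
    if domain:
        if domain in GROUP_EXCEPTIONS.get(group, set()):
            return "allow", f"group exception for {domain}"
        return "block", f"domain {domain}"
    target = host.rstrip(".") + parts.path
    for prefix in BLOCKED_URL_PREFIXES:
        if target.startswith(prefix):
            return "block", f"URL prefix {prefix}"
    return "allow", "not listed"
```

Comparing whole DNS labels keeps `notsocial.example` from matching the `social.example` entry, which a plain substring or `endswith` test would get wrong.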
If employees are spending time on social networking sites such as Myspace, Facebook or Twitter, my question is: “Why? Aren’t they supposed to be working?”
I’ve seen multiple instances of virus infection from even brief user interactions with Myspace. In one instance I encountered an SMB with a clear Internet use policy but no content filtering solution. One employee began using Myspace during her free time. The company had a free, but reputable AV software deployed. Within only one or two days spent on Myspace, a virus infection from content on that site occurred. The AV software in place on the desktop PC didn’t stop the infection, and there was significant time lost repairing the damage. The user knew the company policy, knew that management was engaged in some monitoring of Internet use, and still broke the rules.
Yes, there may be business cases where some users need access to social networking sites, but I can’t think of many.
Cons of Content Filtering
Some content filtering solutions may be very “aggressive” with the content restricted from use. Often the gradations of restriction possible are coarse, and the most restricted level may even block news sites and free e-mail sites by default. The next, less restrictive option might not block enough of the problem content to be very protective. Fortunately, most worthwhile solutions allow customization of the categories of content and of the sites allowed or prohibited, and allow for manual exceptions or additions by administrators.
Grouping of employees by department or job type with various levels of access to content, when available as a feature, can be a significant factor in acceptance and utility of the solution.
For some small businesses, the cost and effort of implementing and maintaining a content filtering solution may not be worth it. It may make sense to rely on detailed training and case-by-case enforcement of company policy. Furthermore, it is important to consider: is there a company policy, is it clear on appropriate use, and have the employees been informed of the policy?
I hope you can see the importance of content filtering for the SMB. As the Internet becomes an ever more vital component of business, the risks increase as well. Filtering company text messaging, remote and home user issues, and an ever expanding list of applications and means of content distribution make content filtering a moving target for anyone, whether in a small business, medium business, or corporate enterprise. Fortunately the core concepts are the same, and lessons learned in one environment help in all.