Filtering Technology Looks Beyond Content
Companies are increasingly deploying filtering technology to address a number of information security threats, ranging from in-bound spyware to unapproved use of VoIP.
- By Mathew Schwartz
- August 1, 2006
Are your employees’ Internet-browsing habits creating a security risk?
According to one study of over 10,000 employees’ Internet-usage habits, almost 80 percent of users access the Internet at work for their personal use or entertainment. Such activity accounts for 20 percent of all corporate pages viewed.
While these results are hardly shocking, the study, conducted by Burstek, an Internet filtering and monitoring software vendor, also found that 20 percent of employees’ personal Internet use creates security problems, including visits to types of sites known to harbor malware or to facilitate file sharing. Eight percent of personal use also creates potential legal-liability problems, since users are accessing pornography, gambling, hate speech, or other undesirable types of sites.
Such results help explain a new trend: using filtering technology not just to block inappropriate sites, but also for explicit information-security purposes, including stopping unauthorized use of voice over IP (VoIP) technology and Web proxies, and blocking in-bound malware.
“The trend over the last 18 months is [that] companies are increasingly concerned about the security of their networks,” notes Paul Myer, president and chief operating officer of 8e6 Technologies, which sells URL filtering and monitoring software. Special enterprise fears, he says, include spyware, keyloggers, and other Trojan software.
It turns out blocking employee access to inappropriate content also screens the sites most likely to harbor bad code. Recent research backs this up: University of Washington computer science and engineering researchers found spyware and drive-by downloads exist disproportionately at online adult, celebrity, games, pirate software, and wallpaper sites. With this in mind, more organizations now filter URLs “as a first line of defense, by blocking access to Web sites that spread spyware and other forms of malware,” notes Lawrence Orans, a Gartner Group research director.
Beyond blocking access to sites known to be “bad,” filtering tools can also watch for inappropriate software that relies on URLs. For example, many companies want to block the use of voice over IP (VoIP) telephony services on PCs. Here, the problem isn’t people making low-priced phone calls, but the resulting security implications. VoIP services “essentially open up holes in your network which are user-initiated,” says Myer.
Various instant messaging (IM) programs now offer VoIP capabilities, plus there’s Google Talk. Perhaps the best-known VoIP client today is eBay-owned Skype, which is free. As Myer notes, “it’s like IM or peer-to-peer, except that it’s a little more complicated, since once you’re logged in, and up and running, the traffic gets encrypted, which makes it more difficult to find and stop.” Before that happens, however, when users try to establish a VoIP session, URL filtering and monitoring software can intercept the related URL request and drop the packets, effectively blocking VoIP.
The same goes for open source Web proxies such as the PHP Web Proxy project. Users can utilize such proxies to disguise which sites they’re actually visiting, to evade URL filtering controls. Here, the solution also involves not letting employees onto the proxy in the first place, and “we’ve built those signatures into our database, so we can block them before the IP gets enabled,” says Myer. Otherwise, once they’re on the proxy, “no filtering solution out there, that we’re aware of, can block it.”
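The filtering decision described in the last two paragraphs can be sketched as follows. This is an added example, not code from the article or from any vendor named in it. The hostnames, categories, the "review" action and the heuristic of looking for a URL carried inside a query parameter are all assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Constructed category database; a real product ships a vendor-maintained one.
BLOCKED_HOSTS = {
    "proxy.example.net": "web-proxy",
    "login.voip.example.com": "voip",
    "games.example.org": "games",
}
MAX_DEPTH = 2  # how many nested URLs to unwrap before giving up

def embedded_url(value):
    """Return the URL carried in a query value (plain or base64), else None."""
    if value.lower().startswith(("http://", "https://")):
        return value
    candidate = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("ascii")
    except ValueError:  # covers malformed base64 and non-ASCII results
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None

def decide(url, depth=0):
    """Return (action, reason) for one outbound request URL."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Category lookup on the host and each parent domain (never the bare TLD).
    for i in range(len(labels) - 1):
        category = BLOCKED_HOSTS.get(".".join(labels[i:]))
        if category:
            return ("block", f"category:{category}")
    flagged = None
    if depth < MAX_DEPTH:
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            target = embedded_url(value)
            if target is None:
                continue
            action, reason = decide(target, depth + 1)
            if action == "block":
                return ("block", f"param:{name}->{reason}")
            flagged = flagged or name
    if flagged:  # sign-in redirects also carry URLs, so flag rather than block
        return ("review", f"param:{flagged} carries a URL")
    return ("allow", "no-match")

if __name__ == "__main__":
    for u in ("http://www.proxy.example.net/", "http://intranet.example.org/wiki?page=home"):
        print(decide(u), u)
```

An unlisted host that wraps a blocked destination is still caught because the wrapped URL is classified on its own, while a wrapped URL to an allowed destination is only flagged for review.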
While security concerns are increasingly driving companies to use filtering technology, according to David Smith, chief technology officer of Burstek, content is still king. Companies’ second-highest concern is productivity: all the non-work sites employees access during working hours. “They’re things the average employee might consider harmless, but it’s just hours and hours of time lost.”
Companies also worry about the financial repercussions of inappropriate network use, especially as the cost of connectivity has soared. “A couple of years ago, bandwidth was looked upon as free, because the carriers had so over-provisioned in this country,” notes Eric Lundbohm, vice president of marketing for 8e6 Technologies. In effect, companies could play one off against the other and obtain excellent discounts—“one of my customers told me he doubled or tripled his bandwidth by moving carriers” almost two years ago, without paying anything extra. No longer.
Balancing Security and Access
Yet while organizations may leap to lock down their employees’ Internet use—whether for security, productivity, or liability reasons—a light touch often helps. For example, most large companies, at least, aren’t setting bandwidth quotas. “They don’t want their phones ringing off the hook with people who can’t get access to the Internet,” says Matt Green, director of technical services for Burstek.
What should companies do? “You can over-think this and try to make it so precise that you can really meet yourself coming back around,” says Smith.
For an example of a more realistic approach, witness how some companies dealt with streaming media during such events as the recent soccer World Cup or the March Madness college basketball tournament. For the latter, “CBS made available for the first time three games, during the workday, for free downloading and streaming, and actually targeted the workplace,” says Myer. “It even had a built-in ‘boss button’ that you could hit and it would pop up a spreadsheet, so it would look like you were working. It was really a direct shot at corporate America.”
How should companies respond? Here’s one possibility: “One of our largest telecommunications customers doesn’t actually block all streaming video, but during March Madness informed users it would be shut off all week, and why it was shut off,” says Myer. Beyond productivity questions, there was also the issue of bandwidth costs relating to streaming so much media. “It really forces a company to take some kind of stand.”
Regardless of what stand your company takes on streaming, companies can sometimes deploy “low-tech” alternatives to keep employees happy. At 8e6 Technologies, for example, “we brought in some plasma screens and put them in break areas,” says Myer. Employees could pop in and check on a game, but thanks to peer pressure, “rarely would they stay for more than five minutes.”
Many of Burstek’s customers take a similar approach, he notes. “If they want to be the employer of choice, and keep employees happy and productive,” then they need “to be reasonable.”