19 November 2009
Reference Code: TA001774SEC
Publication Date: October 2009
Author: Richard Edwards, Karthik Balakrishnan, and Somak Roy
ABSTRACT
Guardian Web Filter from SmoothWall is an intelligent Web content filtering solution with anti-spyware, anti-virus, and browser-exploit prevention capabilities, among many others. Aimed at controlling access to inappropriate Web content, Guardian blocks potentially dangerous and productivity-depleting Web sites and resources via a set of granular and flexible policies that can be quickly and easily maintained and deployed. It is offered as a pre-built, hardened appliance; as a self-install software solution; or as a VMware virtual appliance. Guardian dynamically blocks access to inappropriate content based on patterns and inference rather than a list of pre-defined URLs, although these can be used too. As well as filtering and blocking inappropriate Web pages, the product provides anti-malware protection through built-in anti-virus and anti-spyware capabilities, a useful addition to any multi-layered security architecture. Guardian protects browser sessions by detecting malicious ‘in-page’ exploits and potentially dangerous applications. It can also reduce bandwidth utilisation by acting as a Web proxy cache, and offers a temporary bypass feature for authorised users. Government agencies and educational establishments account for a significant percentage of Guardian’s installed base, but it is applicable to all small and mid-sized businesses and institutions up to 10,000 users. Guardian Web Filter is a very powerful Web content filtering solution that will be of interest to any organisation that requires a flexible, structured way of controlling Web access with the objective of reducing security and regulatory risks and enhancing productivity.
KEY FINDINGS
LOOK AHEAD
Future developments include content-based Flash filtering, data loss prevention for outbound Web traffic, and support for 64-bit operating systems.
FUNCTIONALITY
A tool as universal and ubiquitous as the Web inevitably poses a number of challenges, including Web-borne malware and content that reduces productivity and could be offensive. The traditional approach to controlling Web access has been to install a solution that monitors outbound requests for Web resources and compares these requests against an enormous and rapidly growing list of URLs that are known to be carriers of offensive, dangerous, or simply inappropriate content. This approach has worked well for many years, but the Web has moved on from static HTML pages to dynamically generated pages with embedded code and uncontrolled user-generated content. Herein lies the potential for offensive content to reside, even in URLs that are hosted on perfectly legitimate Web sites.
Phishing sites have also become common, stealing user credentials and personal information. With the Web growing at an exponential rate, there is no way that a single database of inappropriate URLs can ever hope to address the issue of Web filtering. Therefore organisations require a solution that is able to dynamically analyse content and context, both from an HTML perspective and also from a page-logic perspective. Understanding the meaning of a term within the context of a broad and varied Web site is not an easy thing to achieve, and the opportunities for false negatives abound. In addition, the Web poses a number of risks apart from the malware threat. P2P sites, unauthorised downloads, and instant messaging protocols all pose risks to a business or institution. Lost productivity, inadvertent and/or malicious data loss, and malware insertions are the new threats to corporate security. It is therefore essential that Web access and monitoring solutions address these issues, and that businesses, institutions, and IT management monitor and restrict sites and Web content that are deemed inappropriate.
PRODUCT ANALYSIS
Guardian is an intelligent Web filtering solution that enables organisations to prevent Internet misuse and protect users from undesirable Web sites, viruses, and spyware. Guardian utilises Dynamic Content Analysis™, a filtering technique pioneered by SmoothWall, to accurately block all undesirable content, protect against Web-borne viruses, spyware, and other dangerous hidden content, and prevent the use of anonymous proxies. It also allows organisations to monitor Web activity in real time, track network traffic, and generate detailed usage reports so that management can interpret Web usage.
In addition to regular HTTP traffic, Guardian allows monitoring and content-based filtering of HTTPS/SSL encrypted traffic. Moreover, the product can accurately detect the use of anonymous Web proxies, a facility that would otherwise allow users to bypass the organisation’s Web filters and secretly browse banned online content. In addition to Dynamic Content Analysis, Guardian incorporates strong URL blocklists, which include content from the Internet Watch Foundation database. The filtering system checks for updates several times a day and can detect phishing sites and Web sites that carry spyware and other malware. This ability to perform ‘deep-page inspection’ prevents in-page executable code from being downloaded to the end user’s browser.
Guardian also incorporates anti-virus capabilities using either the inbuilt ClamAV engine or any Internet Content Adaptation Protocol (ICAP)-compliant anti-virus engine (visit http://www.icap-forum.org). In addition, it helps detect in-page executable code present in a Web page. Guardian provides an administrator-maintained list of trusted sites on which users are allowed to run such executable code. The solution, utilising a Web-based GUI, also enables security managers to define and control the filtering policies and all aspects of system administration.
Particularly useful for educational establishments, Guardian supports the configuration of multiple time and ‘room-based’ controls and rules where policies and rule sets can be applied to specific classrooms/departments based on IP addresses or computer names. Using Guardian, administrators can assign access rights and restrictions to specific users or groups of users. The product integrates with common user-authentication systems such as those from Microsoft and Novell. All users are provided with access based on an authenticated identity. Guardian is capable of integrating with existing authentication systems such as Active Directory, LDAP, and RADIUS. The solution facilitates the allocation of different filter policies for different groups while also being capable of configuring temporary bans for specific users that automatically expire after a pre-defined period.
Filtering policies can also be set based on file types and Platform for Internet Content Selection (PICS) codes. It uses 16 different PICS code categories to determine the severity of content within a given Web page, and from this a decision is made to either ‘allow’ or ‘block’ content. Guardian checks every file against its MIME type property rather than just its extension, an approach that helps ensure that audio/video downloads and other executable files from the Web are blocked/allowed in a logical and efficient way.
Guardian can be used to customise “site-blocked” page information. This can include options to unblock the page, either permanently or temporarily depending on the user environment and access rights. By using the product’s ‘Softblock’ option, the page can provide users with a warning message and an option to either load the page or cancel it. This is a useful feature in environments where it is more appropriate to warn users about inappropriate content than to block or filter such material in the first instance.
Other notable capabilities include: non-English ASCII character support; a rate-limiter capability that can limit bandwidth usage for specific URLs; Direct Server Return (DSR) load-balancing integration; automatic proxy settings configuration through the Web Proxy Auto-Discovery (WPAD) protocol that detects, downloads, and executes the configuration file of a specific URL to determine its proxy; Proxy Automatic Configuration (PAC) file support; and notifications relating to system health such as checks for patches and system updates, and system resource issues such as low disk space, high memory usage, and high CPU loads. Guardian can also generate network-intrusion alerts.
Overall, Butler Group considers SmoothWall’s Guardian Web Filter to be an effective and reliable solution. The product can be deployed in a variety of ways: as a hardware appliance, software appliance, virtual appliance, firewall, or add-on firewall module. Furthermore, SmoothWall also offers Mobile Guardian for remote laptop filtering where policies are downloaded and updated via a centrally controlled service.
While the strengths of this product are many and varied, it scores less well in the area of change-management capabilities related to policy management. It does not yet support policy version control and is not aided by capabilities such as branching, visual representation, or templates with inheritance. Such capabilities would be useful in environments where there are many administrators and localised requirements exist, and where the frequency of exceptions is high. It is appreciated that the target market for Guardian is small and medium-sized organisations, but Butler Group maintains that such facilities are important and necessary from a compliance and governance perspective.
PRODUCT OPERATION
Guardian utilises integrated Web filtering and some malware detection capabilities to monitor Web traffic and prevent inappropriate Web content from being accessed by employees. Guardian can be configured in a traditional proxy mode or in a bridge mode (the hardware version). It scans the HTTP traffic flow directly, or decrypts and then scans the HTTPS/SSL-encrypted traffic flow, to find patterns that correlate with one of the known areas of objectionable content.
Guardian scans Web pages for words/phrases that form a part of a wide range of objectionable content categories such as pornography, drugs, and gambling. A Web page that is rated unacceptable because of the presence of this type of content gets instantly blocked, irrespective of its source. It takes into account that words/phrases present under these categories could be part of legitimate request items, so it also incorporates a technique that recognises the context in which the particular word/phrase is being used. In addition, Guardian allows organisations to enable domain-specific filtering, which while allowing access to certain sites, ensures that all inappropriate content within the site gets blocked. Dynamic search-term or search-string monitoring and blocking provides an extra layer of context-based filtering, as well as helping organisations to identify Web trends and analyse the browsing patterns of individual users.
Guardian’s filtering technology is strongly backed by its ability to block Web pages based on a pre-defined list of undesirable URLs. Guardian’s proprietary block list contains: regularly revised and updated dynamic content rules on which the Web content gets scanned; regularly updated malicious code signatures, which enable the detection of malicious in-page executable codes that are often undetected by anti-virus software; and detection and blocking of files based on a file’s MIME type property. These block lists incorporate content from the Internet Watch Foundation database and are updated on a daily basis. The URL block list contains lists of known objectionable sites categorised based on URLs, domain, as well as IP address through which users can access the restricted sites.
Guardian is capable of performing deep URL analysis, which can be applied to block images selectively on a Google or any other image search page. Moreover, Guardian can be configured to ensure that the ‘safe mode’ of popular search engines is used. In addition to scanning for objectionable Web content and malware in Web pages, Guardian can also scan for Web proxy avoidance signatures on Web sites to check if they are restricted under a pre-defined category of the regularly updated block lists.
Guardian has a built-in AV scanning option that automatically scans content and downloads for viruses from Web pages using its ClamAV engine or any ICAP-compliant AV solution. It can control and monitor instant messaging applications such as MSN, Yahoo, AOL, and ICQ. It is capable of monitoring, logging, and blocking normal/encrypted IM conversations using phrase-based analysis and can also block IM file transfers according to MIME type and extension with user notifications.
Guardian’s reporting and logging capability enables the recording of all Web browsing activity to an SQL database that can be accessed directly via reports or exported to other formats for further analysis. Reports can be produced in a range of formats including PDF, HTML, Excel, and Crystal Reports. Organisations can create their own report templates as well as utilise a range of pre-defined report templates. These include templates for options such as ‘most visited domains’, user bandwidth utilisation, and a list of users who frequently request pages that fall under Guardian’s URL blocklists category. Guardian also provides options that allow organisations to view reports that are site-specific (for sites like Wikipedia, YouTube, Facebook, etc), and its IM reporting capability provides details including the time spent by every user on IM applications.
Reports can include user names together with IP address, and individual browsing patterns can also be recorded. Organisations must ensure that any monitoring they perform does not contravene local privacy laws and regulations. Guardian can be used to impose restrictions on specific users or groups for a given period of time based on reports and log analysis. It supports real-time activity monitoring through AJAX logs and traffic graphs, based on user name or user group, IP address, and Web site categories. These user-specific reports can also be automatically scheduled and archived, mailed to specific users, and exported to a range of formats. For instances that require immediate attention, Guardian is able to generate an alert that can be sent via e-mail or SMS text message.
PRODUCT EMPHASIS
SmoothWall continues to develop Guardian as a dynamic Web content filtering solution with superior content and context-based technology enabled by flexible policy-management capabilities. Guardian provides small and medium-sized organisations with a comprehensive, one-stop solution for Web security. To round out its secure Web usage capabilities, SmoothWall is also developing Data Loss Prevention (DLP) capabilities for the product.
Guardian’s dynamic content analysis-based approach is a clear differentiator within the Web filtering market, and the product’s range of add-ons and impressive installed base leads Butler Group to believe that the solution is clearly capable of meeting broad requirements outside of its established position in the education market.
DEPLOYMENT
According to SmoothWall, a typical pilot deployment in ‘transparent proxy mode’ can take less than half a day to complete, while departmental deployments can take a full day. Enterprise-wide deployments take longer, but three days is sufficient in most scenarios. Each Guardian appliance is shipped with a pre-configured set of policies that can be adjusted by an administrator to meet specific organisational requirements. The solution can also be installed in a default ‘safe mode’ that ensures filtering of a standard range of non-permissible content. The implementation skills needed to complete the exercise include basic networking and load-balancing abilities.
Four primary deployment options exist for SmoothWall Guardian:
Guardian can be installed in a ‘stealth mode’, which filters and logs all Web pages based on pre-defined policies, but does not block them, allowing administrators to monitor all user activity in the background. This is particularly useful when organisations are testing new installations and filtering policies because it enables them to assess the performance of policies and fine-tune them if needed before implementing them in the actual environment.
SmoothWall initially provides free 30-day phone and e-mail support along with access to its online knowledgebase. Following the 30-day period customers can either select the bronze support contract (10% of the licensing cost) or the silver support contract (15% of the licensing cost).
PRODUCT STRATEGY
Although SmoothWall has developed a specialism in the education and government sectors, the function and features of Guardian are equally applicable to commercial organisations. In terms of scale of operations, SmoothWall targets small and medium-sized organisations whose user population is in the range of 100 to 10,000. Guardian’s success in the education sector, which contributes nearly 30% of annual turnover, led the company to establish a wholly owned US subsidiary, SmoothWall Inc, to focus solely on the US education market.
Guardian appliances are licensed on a per-year, per-PC basis, and not, as is often the case with competing products, on a per-user basis. This approach is particularly suited to organisations such as education and healthcare institutions where multiple users access the Web via the same PC. The renewal prices from the second year are approximately 65% of the first year price. According to SmoothWall, a typical entry-level deployment (10 client PCs) will cost around UK£400 (100% license cost). A typical deployment protecting 350 PCs will cost around UK£3,300 (85% license cost, and 15% service cost). An enterprise deployment (25,000 user PCs) is likely to cost in the region of UK£50,000 (75% license cost, and 25% service cost).
SmoothWall’s major releases are generally every two years, with regular updates called feature packs released in the interim. SmoothWall’s next feature pack will include Flash filtering, which will allow access to legitimate flash files while blocking undesirable games/videos, and Egress filtering, which will support data loss prevention by being able to monitor and log outbound Web traffic while ensuring that sensitive/inappropriate contents get censored/blocked.
COMPANY PROFILE
SmoothWall was founded in 2001 to produce commercially supported firewalls and Web filters based on its SmoothWall Express and DansGuardian open source offerings. SmoothWall’s product suite now encompasses: Web content filters (Guardian), firewalls, UTM appliances, e-mail security, and bandwidth management solutions. SmoothWall is privately owned by its founders and directors. The company is headquartered in the United Kingdom, with offices in Leeds and Southampton. It also has a US office in Charlotte, North Carolina that delivers security solutions through a worldwide support network spanning more than 60 countries across the Americas, EMEA, and APAC. The company employs 51 people across all three offices where staff levels have increased by over 70% in the past 18 months. SmoothWall is operating in profit and has maintained a record of strong growth throughout the last five years.
SUMMARY
SmoothWall’s Guardian Web filtering appliance competes in an IT security market dominated by a small number of gateway security vendors and Web content filtering specialists, yet this relatively small company continues to win business in its chosen markets and geographies. This is due in no small part to the dynamic content analysis and filtering capabilities of its Web filtering product combined with multiple deployment options and reporting features. SmoothWall has established a strong position in the niche, mid-sized educational market. It also has a presence in the government sector, and is now expanding the scope of its business to include new and upcoming areas with potentially large markets. Overall, Guardian is an impressive solution that merits closer inspection by small and mid-sized organisations that have specific requirements relating to intelligent Web filtering.