
How do Web Content Filters Work?

We sometimes get support requests from frustrated clients who are in some way prevented from accomplishing a task because of system security policies. Unfortunately, they sometimes think that we have done this deliberately to make their job difficult. One of my jobs as a security professional is to explain to my clients just what security measures we take to protect them, and why. Today, I’ll try to explain how web content filters do their job and why they are important.

How Content Filters Work

A common misconception among users is that we, the “IT guys,” sit in the server room, monitoring every web site visited and email sent, just waiting for an excuse to block the user. Thankfully, almost every information technology-based security mechanism is far more automated than this.

Web content filters generally work in a few different ways.

Blacklists

Content filters subscribe to blacklists of “known” “bad” categories. Here, “bad” can just mean “stuff we don’t want you looking at on our corporate system,” even though it won’t actually hurt your computer. Some examples are:

  • Playboy.com (We don’t want to pay you to look at pornography at work)
  • Miniclip.com (We don’t want to pay you to play games at work)
  • Facebook.com (We don’t want to pay you to chat with your friends at work)
  • Monster.com (We don’t want to pay you to job hunt at work)

A blacklist can be a service which your content filter subscribes to, or something manually configured by your administrator. Sometimes websites can be miscategorized, either by your system administrator or by a list that your organization subscribes to.

When this happens, your system administrator can usually adjust accordingly to grant access to allowed websites. For example, one of the content filters we use recently had rustoleum.com classified as Real Estate. Since the company did not want employees surfing for real estate purchases on company time, this site was blocked by the content filter. A quick report to the filtering service reclassified this site and the client was able to access it properly.

Content Inspection

Content filters examine the content of the site for banned or suspicious activities. For instance, there have been several instances where our clients’ security gateways identified a perfectly valid web site as hostile, because it had been compromised by hackers who installed malware on the site. Rather than allowing our clients’ systems to access the site and infect themselves with malware, they were blocked.

We had a client trying to access a GE website a few months ago, and they were blocked. Reviewing the error message informed us that the site was infected with malware, and it was trying to infect client browsers! In this case, I had to inform the client that there was nothing to be done other than inform GE that their site was infected, which we did. They eventually fixed this problem. My client was a little frustrated, but I likened this to them wanting permission to wander into a quarantine zone where a serious disease was rapidly spreading, and they had no protection against it.

Extension Blocking

Content filters can block downloading of files by extension. For instance, you may not be allowed to download executable files (EXE, COM, BAT, VBS) because these are actually programs which can do bad things on your machine, especially if you have administrative rights over it. Sometimes, web content filters will also stop you from downloading common Microsoft Office file formats (DOC, XLS, etc.). Why? Because Microsoft Office supports a powerful macro language, which essentially can turn any document into a program which, you guessed it, can do bad things to your system. Content filters can also block access to streaming media (videos and music) and other content that just isn’t required and only slows things (like employee productivity) down.
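As an added illustration (not code from any filtering product or from the original article), the sketch below combines the category blacklist, an administrator override for a miscategorized site, and extension blocking, and returns the descriptive reason a block page would show. The category names, the `vendor.example` host and the policy sets are constructed for the example.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample data: category names and policy are assumptions.
CATEGORY_FEED = {                      # what a subscribed list might report
    "facebook.com": "social-networking",
    "miniclip.com": "games",
    "monster.com": "job-search",
    "rustoleum.com": "real-estate",    # the miscategorization described above
}
ADMIN_OVERRIDES = {"rustoleum.com": "business"}  # local fix until the feed is corrected
BLOCKED_CATEGORIES = {"social-networking", "games", "job-search", "real-estate"}
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".vbs", ".doc", ".xls"}


def lookup_category(host, overrides=ADMIN_OVERRIDES):
    """Match the host or any parent domain; admin overrides win over the feed."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):   # never test the bare TLD on its own
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return overrides[candidate]
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "uncategorized"


def decide(url, overrides=ADMIN_OVERRIDES):
    """Return (allowed, reason); the reason is what the block page would display."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    category = lookup_category(host, overrides)
    if category in BLOCKED_CATEGORIES:
        return False, f"Blocked: {host} is categorized as '{category}'"
    # Use only the URL path, so a ".com" host name or a query string
    # is never mistaken for a file extension.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"Blocked: downloads of {ext} files are not permitted"
    return True, f"Allowed: category '{category}'"


if __name__ == "__main__":
    for u in ["https://www.facebook.com/", "http://www.rustoleum.com/products",
              "https://vendor.example/files/Setup.EXE?v=2"]:
        print(u, "->", decide(u))
```
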

Asking for Help or Clarification

Generally, you can find out why you were blocked from a specific website by reading the error message you receive. All good content filters we use and resell have descriptive error reports, telling the user why the site they were trying to access was blocked. Unfortunately, many users don’t use them, and just say “I was blocked! Fix it!” Reading the error message is the first step in understanding what happened. Also, this helps your system administrator understand what happened to more quickly resolve the issue.

Another important thing to do is think for a minute about why the site might have been blocked. Could there be something wrong with the content filter? Could the site you’re trying to access actually be infected with bad software which could hurt your computer? Could the site you’re trying to reach simply be offline?

Finally, remember that the people running your content filter are trying to keep the system safe, secure, and stable. They are not going out of their way to make your job difficult. However, we frequently get emails from clients who take that stance from the get-go. This is not a good way to start off a dialog, as it immediately puts your IT staff on the defensive. Remember why this filter was deployed in the first place, and understand that it’s just doing what it was told, and it can be fixed.
