The web is a dangerous place, so it’s extremely important to have web proxy / content filter technology protecting the users who access it. I had a roommate years ago who purchased a computer and within hours had every virus, piece of malware and whatnot clogging his new machine. I’m sure he didn’t have the best surfing habits; however, that doesn’t mean the average user is any less likely to be infected. What most people don’t realize about websites is that they are like a paint-by-numbers canvas, leveraging other websites to fill in the colors. For example, if you see a RealAudio video on a website, guess what … you have surfed both the host website and the website that embedded video came from. The same goes for hidden links that download malware from what you believe is a safe website.
The standard defense for Internet-based threats is a web proxy / content filter solution, or similar features embedded in a firewall, IDS/IPS or SaaS offering. The baseline solutions offer content filtering, meaning the ability to monitor or block web content that violates a specified policy. The major players (Blue Coat, Websense, McAfee, IronPort, etc.) do this well by grouping web content into categories. For example, an administrator can deny all adult websites by blocking the adult category, which is an up-to-date list of the known adult sites. Smaller players work like an access list, manually blacklisting websites, which is a nightmare to manage. In the end, this is a commodity feature for the real players and should come standard with web proxy / content filter solutions, with little management needed to maintain the content categories.
Besides denying by policy, web security / content filter solutions should have a method to check web traffic for threats. Many vendors offer anti-virus, anti-malware and content scanners that look for malicious traffic inline, either by redirecting network traffic through the web security / content filter or by using endpoint proxy settings that force endpoint web traffic to the security solution. Some verify content for hidden attack vectors in a closed environment prior to permitting access to the website (also known as sandboxing). The best web security / content filter solutions offer a mix of signature and behavior sources, since no single source can cover the entire gamut of web attacks properly. It’s also important that the web proxy / content filter solution is capable of inspecting HTTPS (i.e. secure, encrypted channels), or you will miss end-user traffic that is encrypted.
Reputation, or website “credit scores”, is becoming a popular factor used by web security / content filter solutions. My blog on this subject explains this HERE. Reputation is key to speeding up the security process, since many harmful websites can be denied based on reputation rather than by scanning for and identifying threat signatures or malicious behavior. I’ve used solutions such as the IronPort Web Security Appliance (WSA), and usually 90-95% of the websites denied are identified as malicious based on reputation rather than passing the reputation check and then being caught by other security defenses.
The final point about securing access to the Internet is to consider email and web as equal targets, since they are the most common cyber attack vectors. Web proxy / content filters need the same investment as email security and must be designed as a unified solution. I’ve had customers say “we get phishing attacks that send clean emails with links to malicious websites”; users clicking those links is a web security vulnerability … not an email one. Other investments should be made in post-compromise technology such as botnet / malware detection (NetWitness, Wireshark, the IronPort WSA botnet scanner, FireEye sandbox technology, etc.), Data Loss Prevention and host-based security. No solution is a silver bullet, so a layered defense will dramatically reduce risk if the overall design complements each solution rather than operating each one individually.