2006-03-01
Abstract
Steen Pedersen explains how the perimeter defence layer can be enhanced with the use of a web filter.
Copyright © 2006 Virus Bulletin
It is often recommended that administrators deploy several layers of security across their systems. This is in order to maximise the chances of being able to prevent a threat from entering and executing in the environment.
In this article I will explain how the outermost layer of defence, the perimeter defence, can be enhanced.
The layers of protection can be separated into five levels within the IT environment, starting from the outside and moving inwards:
Perimeter
Network
Host
Application
Data
In simple terms, client anti-virus solutions work with signatures and generic detection techniques to stop new and unknown threats.
New threats are becoming increasingly difficult to detect – and these days the threats we see are not only viruses and worms, but also Trojans, backdoors, spyware and other malware that is seeded through email, instant messenger and websites. Every sample can be unique, making detection harder for conventional anti-virus solutions.
Personal firewalls combined with host intrusion prevention systems provide additional proactive protection. However, the client protection is the third layer of defence and it is preferable to block threats as early as possible – ideally before they reach the workstation.
Email gateway solutions have become quite effective in blocking new and unknown threats. This is achieved by spam filtering, the use of blacklists and by blocking potentially harmful email attachments. The same protection can be applied to web communication by using a gateway scanner to scan HTTP and FTP traffic for malware.
The perimeter is the first point of defence. Solutions deployed at this level include firewalls, VPN connectors and gateway scanners for FTP, HTTP and SMTP.
URL filters and web filtering applications are often overlooked as perimeter defence solutions because they tend to be thought of as solutions for enhancing productivity, rather than security. However, the use of these applications can be a powerful defence against malware since they enable administrators to understand, monitor and control outbound web access. This level of control allows administrators to keep their users away from the 'bad neighbourhoods' on the Internet and prevent them from visiting sites that are known to contain threats.
The majority of threats on the Internet are located at websites that would not generally be classed as business-related. Sites that contain pornography, illegal music, movies, games and software, gambling, P2P/file sharing, hacking and other inappropriate content are notorious for playing host to spyware and other malware.
A web filter can be used to prevent access to such sites, which in a business environment will increase both productivity and available bandwidth. In addition to this, there are security benefits to blocking access to these sites, as both known threats and – more importantly – new, unknown threats (that would not be detected by anti-virus software) are prevented from entering the computing environment.
As well as blocking both known and new malware, the web filter can also be used to identify systems that are already infected. This can be achieved by monitoring web activity – infected systems will display unusual levels of activity.
When implementing web filter solutions one must consider the trade-off between improving security and restricting access to the Internet. It is important that, while preventing the damage that can result from visiting unauthorized websites, the web access policy does not cause too many problems for the users.
The web filter should be configured in monitoring mode to begin with. After a period of time, and regular reviews of the filter reports, the configuration can be changed to 'advisory mode', where the user must confirm access to non-business-related sites.
The technical solution must be supported by a prudent web access policy that is defined and supported by upper management. As well as a policy for web access, procedures for handling blacklisting and whitelisting need to be implemented and communicated to the end users.
A web filter can enforce a very strict policy which allows access only to whitelisted sites. However, this might not be very practical in the real world.
Another solution would be to create a list of non-categorized sites that are visited. This list can be reviewed regularly and approved sites added to the whitelist. All non-categorized sites remain blocked until the sites are whitelisted in the web filter or categorized by the vendor of the web filter database.
An important point to bear in mind is that a web filter is not an 'install and forget' solution. Even with the best filtering database a web filter alone cannot provide full protection. The administration and handling of the web filter are very important parts of the solution and resources must be allocated for this. New sites pop up, sites can change content and sites can be categorized wrongly.
A web filter will certainly reduce security problems and provide information about where some of the breaches originate. In combination with the web filter, the firewall configuration and monitoring of the firewall log is also a key to solid perimeter defence.
It can be useful to review what has happened in the past and use the experience to make changes that will improve security. By monitoring and logging web activity we can collect information that will be useful for enhancing perimeter security.
For example, we can use the logs to determine which Internet sites are visited most frequently by users, and the category to which those sites belong.
We can also find out more specific information, such as which internal user/system generates the most web communication to non-categorized sites, which non-business-related sites are the most visited and which non-categorized sites are the most visited. This information may highlight new and unknown sites which could be the cause of security problems either now or in the future. It can also pinpoint particular users whose Internet activity might raise security concerns. Detective work like this should be included in an ongoing procedure to improve the web filter and the level of security it can provide.
A report combining local anti-virus alerts and web filter log information can also reveal important details. For example, if virus alerts are generated on a particular user's machine and the location of the infected file is always in the browser cache directory, this is an indication that the user is visiting insecure websites. Information about the websites visited at the time of the virus alert can be found in the web filter log file.
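As an added illustration of the log review described above (example code, not from the article or any web filter product), the following Python reads constructed web filter and anti-virus log lines, reports the most visited non-categorized sites and the users generating the most traffic to them, and pairs virus alerts on files in the browser cache with the sites the same user visited in the minutes before the alert. The log formats, field names, category labels and cache directory name are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample web filter log (assumed format): date time user host category action
WEB_LOG = """\
2006-02-27 09:01:12 jsmith www.example-news.test news allowed
2006-02-27 09:03:40 jsmith cdn.unknown-host.test uncategorized allowed
2006-02-27 09:03:41 jsmith cdn.unknown-host.test uncategorized allowed
2006-02-27 09:10:05 akhan games.example.test games blocked
2006-02-27 09:15:22 akhan files.other-unknown.test uncategorized allowed
2006-02-27 09:15:30 jsmith cdn.unknown-host.test uncategorized allowed
"""
# Constructed sample anti-virus alert log (assumed format): date time user path-of-infected-file
AV_LOG = """\
2006-02-27 09:04:10 jsmith C:\\Documents and Settings\\jsmith\\Local Settings\\Temporary Internet Files\\setup.exe
2006-02-27 11:30:00 akhan C:\\Documents and Settings\\akhan\\My Documents\\report.doc
"""
BUSINESS_CATEGORIES = {"news", "business"}   # assumed taxonomy; vendors ship their own

def parse(log, fields):
    """Split fixed-position fields; the last field may contain spaces (file paths)."""
    rows = []
    for line in log.splitlines():
        parts = line.split(maxsplit=len(fields) + 1)   # date and time are two tokens
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        rows.append(dict(zip(["ts"] + fields, [ts] + parts[2:])))
    return rows

def web_report(rows, top=3):
    """Who talks most to uncategorized sites, and which such sites are most visited."""
    uncat = [r for r in rows if r["category"] == "uncategorized"]
    non_biz = [r for r in rows if r["category"] not in BUSINESS_CATEGORIES]
    return {
        "top_uncategorized_sites": Counter(r["host"] for r in uncat).most_common(top),
        "top_users_to_uncategorized": Counter(r["user"] for r in uncat).most_common(top),
        "top_non_business_sites": Counter(r["host"] for r in non_biz).most_common(top),
    }

def browser_cache_alerts(av_rows, web_rows, window=timedelta(minutes=5)):
    """AV alerts on files in the browser cache, paired with the sites the same
    user visited in the minutes before the alert (taken from the web filter log)."""
    hits = []
    for a in av_rows:
        if "Temporary Internet Files" not in a["path"]:   # assumed cache directory name
            continue
        visited = sorted({w["host"] for w in web_rows
                          if w["user"] == a["user"] and a["ts"] - window <= w["ts"] <= a["ts"]})
        hits.append({"user": a["user"], "alert_time": a["ts"], "sites_before_alert": visited})
    return hits
```

Sites that appear repeatedly in `sites_before_alert` across several users are candidates for review and blacklisting in the filter.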
Web filters can also control when (and if) a user can access or download specific file types on the Internet (such as .pif, .com, .lnk, .vbs or .exe). This feature is very similar to the email attachment blocking rules which are often implemented on SMTP gateways and mail servers.
The risk of downloading and activating malware can be reduced significantly by blocking access to these specific file types. However, the number of companies using web filters to block the downloading of unwanted file types is still very small compared with the number of companies using email attachment file-blocking rules.
With threats evolving, increasing in volume and becoming more sophisticated, traditional firewall and anti-virus solutions alone are no longer sufficient to protect our systems. We must consider what other solutions can be used to enhance the level of security.
Web filters are often overlooked as security solutions, but by implementing a layered approach and adding proactive solutions at the different levels (perimeter, network, host, application and data) we can create a formidable defence. In addition to increasing security, this can also enhance productivity and bandwidth, and reduce the amount of time spent on handling security incidents.
We can make a change. Instead of spending time on security incidents, administrators should invest time in handling and maintaining the proactive security layers.