Our approach to web filtering is hybrid
Not many people realise it, but we have been providing web filtering solutions since 2002 - that is over ten years. During that time we have learnt a lot about the pitfalls and limitations of traditional web proxying, not just from a technical point of view but also from a customer and end-user perspective. This enormous amount of information has played a big part in the development of our new solution, which we are calling a hybrid web filtering service.
Why hybrid? We believe that both a traditional on-site proxy and a purely cloud based proxy have their own advantages but choosing either one or the other comes with numerous disadvantages depending on the type of business you are operating. Our approach is to bring together both styles of solution, improve on them and then give you the best of both worlds.

First of all let's look at the traditional systems and their disadvantages.
On-premise solution
This involves having a physical server or virtual server running on your network acting as an HTTP proxy. This was the de facto approach for many years before the cloud revolution started. Some organisations still favour this model because control remains with them, it provides for better integration with the network and browsing data stays on their own network. Having said that, there are still some key problems with this approach, as I have outlined below:
- You have to maintain the hardware that is running the proxy software. Whether this is a dedicated physical server or a virtual server, the underlying hardware is using up resources and requires a warranty in case of failure. In some cases, you need double the equipment to have a high availability solution. Depending on your budget, this can also become a single point of failure for web access.
- You have decentralised management in most cases. If you have multiple branch offices then you generally need to use VPNs to route traffic back to the central server. This is costly both in bandwidth and infrastructure. The alternative is to deploy a server at each branch office but this may mean managing each one independently, extra cost for hardware, more single points of failure and it simply may not be viable if there are only one or two workers at that location.
- If your workforce consists of mobile workers (staff members with laptops, netbooks or mobile devices), then ensuring they are also filtered whilst on the move can be problematic (the Bring Your Own Device - BYOD - problem). It may be possible to VPN them back in to the head office but again that is costly in terms of bandwidth and, depending on where they are connecting, they may not be able to establish a link via VPN. This can lead to frustration for them as much as it does for you as the IT manager.
- On-premise solutions are difficult to scale because generally they were only designed to manage a single network. With the advent of VLAN, VPN and remote working, there are far more potential users of the system and there is of course a hard limit on the number of transactions, concurrent users, bandwidth, etc. that a physical server can handle.
Pure cloud based proxy service
The cloud computing revolution has paved the way for numerous web filtering services to be offered "in the cloud". This generally involves pointing your web browsers at a proxy address or redirecting traffic at the router or firewall directly to the proxy in the cloud. The main advantage is that you no longer have to worry about maintaining pieces of hardware on your network, you can more easily cater for mobile users and everything is managed from a central dashboard. Sounds ideal, but of course there are trade-offs when you move a proxy from the local network to a remote network and I have outlined some of the main ones below:
- The most obvious issue relates to the speed of browsing. You will need to ensure that your cloud service provider has its servers in well-connected and geographically close data centres, otherwise there is the potential for a below-par browsing experience for your users. Now that the proxy server is in the cloud, the request from the browser has to go all the way there, wait for a decision, and then receive the response before anything appears in the web browser. A slow connection can mean unhappy users.
- Hot on the back of the above point is the additional use of bandwidth to proxy all the data outside your own network and receive it back again. If you have precious little bandwidth or you are working from VPN links or 3G connections then this is going to add substantial overhead and possibly incur additional bandwidth costs from your ISP.
- If you are relying on the web browser being configured to point to a proxy server then you need to ensure that you can lock down the operating system such that the user can't simply turn off the proxy settings. Enforcing use can be a problem, depending on how your network is managed.
- Once the proxy server is in the cloud it becomes harder to provide seamless authentication with Active Directory. Often users are required to log in first before they can browse the web. This means managing separate lists of usernames and passwords, which can lead to extra IT administration and confusion for users.
- Depending on the type of organisation, it may not be feasible to send your web browsing data (either plain or secure) to a remote proxy server. There may be compliance reasons which prevent the content leaving your network, for example Sarbanes-Oxley.
- An often overlooked problem with proxying is that you will appear to be browsing the web from that proxy server's IP address. A lot of web sites now use IP addresses to look up your location to provide location-specific content. Consider that when you go to http://www.google.com it automatically detects you are in the UK and redirects you to google.co.uk, or if you're in Paris it will take you to http://www.google.fr. If you are in England, but the proxy server is in a data centre in Ireland, chances are you're going to be sent to google.ie. It may seem trivial but when credit card payment systems are using the same technique and you're having problems ordering because they think you are overseas, it can cause a headache.
Back to Hybrid
Okay so I touched on some of the key issues with both approaches above and I'm sure you can relate to one or two of them. The thought process behind our hybrid service is that there should be a way to get the advantages of both services whilst at the same time alleviating as many of the disadvantages as possible.
In a nutshell, here's how we have done it.
- Reduced bandwidth wastage by removing the need to proxy web requests between your network and the cloud service. We do this by using a special protocol which only sends a snapshot of each request to our cloud using whatever Internet connection is available. It's perfect for roaming users.
- Your web browsing data remains on your network. Unlike proxy based solutions, we do not require the entire content to be sent to our servers. If you are concerned about sensitive data leaving the network then don't be.
- Deploy intelligent client software or a gateway device which handles Active Directory authentication and web traffic interception. No need to rely on the web browser being configured correctly or the risk of the user tampering with the settings.
- Handle Bring Your Own Device (BYOD) scenarios with a captive portal that can easily be deployed from the gateway device. Ensure that guest devices are filtered with zero configuration required.
- Central management of your entire network (users, policies, reports, etc.) from a simple to use web dashboard.
- We do not mask your real IP address. You will always connect from your own Internet connection, whether it's wired, wireless, 3G, etc.
- Support for smartphones and tablets is on the way with native apps for Android, Windows Phone and iOS.
- For developers there is a full RESTful API that allows for complete integration of the system with an existing service.
- For channel partners we offer a multi-tenanted service so they can log in and manage their own resellers and customers. We also provide full white labelling of the service.
If you are interested please view the product information and feel free to request a trial to try it out yourself.