The Web Content Filtering and Security products are already a maturing market. The need for monitoring and controlling user access to the Web is identified as critical for today's businesses
GFI Software is entering this market arena with a solution named GFI WebMonitor. This product is available either as a standalone proxy version that works in most network environments or as a dedicated plug-in for organizations that have deployed Microsoft ISA Server.
The installation is very easy, and the only really critical step that the admin needs to make a decesion in which mode the software will run. GFI WebMonitor can run in the following modes:
- Simple Proxy mode - In this mode, GFI WebMonitor operates on a server with a single NIC and functions as a proxy. In order to use it, block direct access to the Internet from the clients and set their browsers to use the GFI WebMonitor system as a proxy.
- Traffic forwarding mode - In this mode, GFI WebMonitor works 'inline', and acts as a router/proxy. To operate in this mode, you need to install GFI WebMonitor on a server with two NICs and routing ability (like Windows RRAS)
A typical corporate organization will have the following Internet users:
- Standard Internet Users - The generic corporate grunts, people who are not expected to use the Internet during most of their work day. Their Internet access is limited to most basic Internet access, and download of PDF, Word and PPT files of maximum 2 MB size.
- Power Internet users - Power Internet users, requiring access to a lot of Internet locations, and who regularly download documentation (PDF, Office) and media (audio, video, flash) from the Internet. These files can be of a larger size, up to 50 MB.
- Management - The top brass, which although would use the Internet very rarely, they should not feel as if they are much limited
- Exceptions - For research or testing purposes, exceptions of all rules must exist
The typical corporate organization has a Internet access corporate policy. Here is a sample one:
- No access to gaming sites, porn sites, narcotics or alcohol abuse sites, gambling sites, spamming and hate mail, racism and hate sites, job search sites, social media and instant messaging sites, web based e-mail services, virus and malware sites, hacking or exploitation sites, personal financial gain sites.
- No workaround bypass of this policy is permitted
- Rules for Standard Internet Users
- No access to news sites, media sites, file sharing sites
- Download limit set to 5 MB per file
- Permitted files - HTML, Images, XML, PDF, PPT, DOC(X), XLS(X)
- No malware should be downloaded
- Limit bandwidth to a maximum of 10kbps per user
- No access to file sharing sites
- Download limit set to 50 MB per file
- Permitted files - HTML, Images, XML, PDF, PPT, DOC(X), XLS(X), AVI, MP3, MP4, FLV, VSD, Archives containing these types of files
- No malware should be downloaded
- Limit bandwidth to a maximum of 150kbps per user
- Rules for Managers
Internet usage reports must be submitted to Information Security Officer per request and in a Monthly automatic report
- Download limit to 500 MB per file
- Permitted files - PDF, PPT, DOC(X), XLS(X), AVI, MP3, MP4, FLV, VSD, Archives containing these types of files
- No malware should be downloaded
- Limit bandwidth to a maximum of 250kbps per user
GFI WebMonitor Performance against scenario
We have used all functions of WebMonitor to simulate the corporate scenario as close as possible. We have set up groups for web filtering and download access, and tested for normal functionality.
GFI WebMonitor has a simple but useful tactical dashboard for overview
Web Filtering Control
- All restricted areas can be set-up in the web filtering control, and were properly blocked with a restriction message. If default policies are not sufficient, you can include or exclude manually, or you can also suggest categorizing a site GFI's database, so it gets into policy automatically.
- The minor administration issue that we found is that the categories are not explained, and it took us some time to discover that Instant Messaging is defined as Internet Communications. A dynamic description should appear as a category is selected - this will make the admin's life much easier.
- The functional issue that found is that there is no bandwidth control for anyone. GFI might discuss that this is not a function of a content filter, but there are products which provide these functions.
- The download controls can define the file types that can be downloaded
- The integrated proxy can save the already downloaded files, thus reducing internet link load
- There is no file size limit to apply to groups. So corporations cannot limit users to downloading only certain size of files and thus preventing of hogging the Internet link.
- Download restrictions can be bypassed by hiding files within other files (Zipped executable, embedded as an object within a word file)
- Selection of items in download control is a bit difficult, since you need to open each item specifically. This is mostly a cosmetic issue, but it can nag the administrator
Spyware and virus protection
The antivirus protection worked as expected, and it identified the test EICAR virus simulation file
- The antivirus protection worked on the second attempt. The first time EICAR was downloaded and wasn't detected as a virus. We checked the antivirus engines and found that they have remained in Downloading and updating status for the entire 5 days of testing. After we forced the update to finish (required a reboot of the GFI WebMonitor computer and about 1 hour of patience) , the EICAR file was detected as a virus threat. We can't identify the reason for this behavior
- The phishning control is very effective. We tested against a fresh phishing site (at time of test only live for 5 hours) It was properly blocked both by GFI WebMonitor as well as Firefox Phishing protection. The site for testing was selected from PhishTrack
- We tested with Windows Live messanger, and notifications are properly delivered to the administrator.
- This function looks more like a nice idea then a real functionality. It only functions for Microsoft IM Protocols, and is not useful for Skype, XMPP - (Jabber), YMSG (Yahoo), Gadu-Gadu. These protocols will either pass undetected or will not work at all.
- GFI WebMonitor has a brief set of reports integrated within it's engine, and it has a free ReportPack add-on especially for reporting.
GFI WebMonitor is a nice step in the right direction. The product is very easy to install, and the company that starts using it can see it's benefits by the end of the first day of use.
It matched all the basic requirements of our sample scenario, and only failed at the most advanced expectations. We have some reserve about the antivirus, but this is probably due to error in our installation or a bug that will befixed.
In order to evaluate whether GFI WebMonitor meets your requirements, simply note down your corporate scenario, and install the evaluatoion version. You'll be able to evaluate the match to your requirements very fast.
Talkback and comments are most welcome