Embedded Filtering Tips for Unified Threat Management (UTM) Solutions

By: Ouri Azoulay, General Manager

Unified Threat Management (UTM) suites and appliances are increasingly popular with users and with good reason. They enable security through a single administrative interface, making management and upgrades easier and lowering the cost of ownership. They can also offer more comprehensive protection, integrating anti-spam, anti-virus and anti-spyware as well as comprehensive content security and firewalling.

With the recent rise of new and emerging threats ranging from phishing scams to identity theft and instant messaging viruses, it makes sense to have a UTM solution that includes Web content filtering in place to protect business and home users from the potential dangers of accessing the web, in order to maintain safety, productivity and continuity.

So, as end-users demand solutions that include filtering, how should UTM vendors select the right content filtering toolkit and filtering approach to embed into their solution, to add the most value?

Let's look at the two main methods for identifying and filtering web content that are available to UTM vendors: a URL database approach and dynamic content analysis. We will assess the pros and cons of each in terms of effectiveness, ease of deployment and responsiveness to new and emerging threats.

URL Databases: what's the deal?

With this method, the requested URL is compared against a URL database of around 10 million registered sites - the filter can then block or allow access to the site in accordance with the Internet usage policy set up.

However, URL databases are compromised by slow recognition and categorization of new content and by limits on capacity, because databases are invariably loaded into RAM to ensure the most rapid look-up speeds. All databases are by their very nature always out of date and cannot keep pace with the millions of new sites that appear on the web on a daily basis. Typically, around 30-40,000 sites per week are added to URL databases, compared with the millions of new URLs added monthly to the web.

The Rules of Dynamism

An alternative solution for vendors is to opt for a dynamic filtering approach, which performs on-the-fly content analysis of the web traffic as it enters the internal network. Web data is analyzed and categorized according to the content found in the page and the system determines whether to block the transmission or simply log the activity under a particular category.

So how exactly does this work? Approaches such as PureSight's Active Content Recognition (ACR) categorize websites on-the-fly in real time, breaking down HTML code in order to categorize each individual website that is accessed. Each page is broken down into hundreds of parameters, including individual words, background color, the color of text, links, banner ads, images and HTML tags embedded on the site.

By feeding these parameters into a series of algorithms, the site's category can be assessed. If it corresponds to objectionable content according to the user's Internet policy, the webpage is not displayed.

It has been contended that dynamic filtering has inherent latency that degrades browsing response time, but the latest content analysis engines add negligible latency and have even less effect upon network performance than URL database solutions. What's more, they can distinguish between individual pages on a website that are appropriate and others that are inappropriate, instead of blocking the entire site as a database filter would do.

Delivering real value to your UTM solution

The most effective content filtering solution, one which will deliver the most value to your UTM solution, should ideally combine the best of both worlds. A multi-layered approach combines static filtering and dynamic inspection to provide real accuracy as well as valuable scalability, as the web grows ever more expansive and complex.

A multi-layered approach delivers measurable benefits: by using artificial intelligence and ACR technology, vendors can offer real-time filtering and the reassurance that 100% of URLs are being filtered, without blocking legitimate sites and with the advantage of a small footprint and hence no impact on surfing speed.

Known URLs from major commercial websites, relating for example to gambling and adult content, can be automatically blocked via the database look-up, with all other URLs dynamically filtered and analyzed as they are being accessed, for maximum security and protection from both known and emerging threats.

Unrecognized URL: Carte Blanche or Cut Out?

With the static database approach, the issue of unclassified URLs - those not recognized in the system's database - also needs to be addressed. The individual organisation needs to decide whether to give universal access to uncategorized sites or block them entirely. Whilst uncontrolled access poses a major security risk, over-blocking can be just as damaging, denying users, especially in business, access to valuable sources of information and research material.

A method which combines dynamic analysis supported by a database fits the requirement for responsiveness and control across the widest possible range of content. UTM vendors are increasingly favouring this multi-layered approach, which enables every site to be analyzed individually as it is accessed.
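The layered decision flow described above, as an added example that is not PureSight's or F-Secure's code: a static database look-up first, then content analysis of the fetched page for everything the database does not block, compared with a database-only filter that must pick one default for unclassified URLs. The database entries, keyword weights, threshold and function names are constructed for illustration; the engines the article describes use hundreds of page parameters rather than a keyword score.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: a tiny static database (host -> category).
URL_DB = {"casino.example": "gambling", "news.example": "news"}
BLOCKED = {"gambling", "adult"}          # categories the usage policy denies

# Constructed keyword weights standing in for a real content-analysis engine.
SIGNALS = {"gambling": {"poker": 2, "jackpot": 2, "casino": 2, "bet": 1}}
THRESHOLD = 3                            # minimum score to assign a category

def db_lookup(url):
    """Static layer: category of the host, or None if unclassified."""
    return URL_DB.get((urlsplit(url).hostname or "").lower())

def classify_page(html):
    """Dynamic layer: score visible words and link targets of one page."""
    text = re.sub(r"<[^>]+>", " ", html)
    links = " ".join(re.findall(r'href="([^"]*)"', html, flags=re.I))
    tokens = re.findall(r"[a-z]+", (text + " " + links).lower())
    scores = {c: sum(w.get(t, 0) for t in tokens) for c, w in SIGNALS.items()}
    cat = max(scores, key=scores.get)
    return cat if scores[cat] >= THRESHOLD else None

def static_only(url, unknown_default):
    """Database-only filter: unknown hosts all get the same default action."""
    cat = db_lookup(url)
    if cat is None:
        return unknown_default, "unclassified"
    return ("block" if cat in BLOCKED else "allow"), cat

def layered(url, html):
    """Database first; every page not blocked there is analyzed on access."""
    cat = db_lookup(url)
    if cat in BLOCKED:
        return "block", cat, "database"
    page_cat = classify_page(html)
    if page_cat in BLOCKED:
        return "block", page_cat, "content"
    return "allow", page_cat or cat or "uncategorized", "content"

# Constructed sample pages.
PAGE_GAMBLING = '<h1>Jackpot night</h1><a href="/poker">Play poker</a>'
PAGE_BENIGN = "<h1>Quarterly results</h1><p>We bet on cloud growth.</p>"

if __name__ == "__main__":
    print(static_only("http://new-site.example/play", "allow"))
    print(layered("http://new-site.example/play", PAGE_GAMBLING))
    print(layered("http://news.example/promo", PAGE_GAMBLING))
    print(layered("http://new-site.example/about", PAGE_BENIGN))
```

The third call shows the page-level granularity the article mentions: the host is categorized as news in the database, yet the individual page is blocked on its content.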

A key example is leading anti-virus company F-Secure, which found that using dynamic filtering and active content recognition gave its Internet Security package the right balance between upholding security and giving users flexible and productive access to material on the web.

Putting Family First: Cutting Adult Content with Internet Security 2005

As one of the leading software vendors in the Internet security arena, protecting individuals and businesses against computer viruses and other threats, F-Secure wanted to integrate value-added services including web content filtering and parental controls into its Internet Security suite 2005, for home and family users.

"Our goal was to provide the best parental control solution in our peer group," said Santeri Kangas, Director of Architecture and Technology at F-Secure.

F-Secure built a test bench of URLs to evaluate a number of filtering solutions. Accuracy, Internet filtering speed, size of footprint, and size and cost of product updates were the primary pre-set criteria for success.

Test results revealed that the multi-layered approach and dynamic filtering provided by PureSight's Active Content Recognition technology were highly accurate when filtering adult content whilst maintaining fast Internet access speed, striking the right balance between functionality and flexibility.
