Web content filtering is critical for protecting networks and users against web-based threats, objectionable internet content, and distracting websites. With all of the options for controlling internet access you may be wondering: what are the best web filtering solutions?
In this article I will overview solutions for web content filtering, describe the different content filtering methods, and emphasize the importance of blocking certain websites.
Web content filtering is the process of preventing employees, students, and other end-users from accessing certain content on the internet. The websites most commonly blocked are those that are offensive, inappropriate, or otherwise high-risk. Schools and businesses use tools such as internet filtering software to block these risky sites.
Web content filtering policies are typically combined with web usage monitoring programs. These programs produce web reports that provide an overview of user behavior on an organization’s devices including web browsing, bandwidth usage, attempts to visit adult content, and wasting time at work (such as spending time online shopping).
Web content filtering works by establishing web content filtering policies that set rules for accessing websites. A web filter will block access to specific types of web content based on a variety of factors including pre-defined web content categories, keywords, IP addresses, and URLs/domains.
Web filters typically operate at layer 7 (the application layer) of the Open Systems Interconnection (OSI) model. This is the layer where specific websites can be uniquely identified by their URL or domain name.
With a web filter you can:
Hardware or software web content filtering solutions are essential for preventing users from accessing websites with malicious web content or inappropriate content such as pornography, malware infected sites, and sites that may be distracting to employees or students.
The Tennessee College of Applied Technology (TCAT) is one of the best technological educational institutions in the Tennessee area. To keep delivering a cutting-edge learning experience, TCAT Crump knew that they needed to integrate online resources into their curriculums and teaching methods.
But allowing internet access into a network is not without its risks. As an information technology instructor, Gabriel Alvarado is adamant that educational institutions need to defend against unauthorized access to personal information belonging to pupils, parents, or staff.
Gabriel knew that restricting internet access with the best internet filtering tools they could find was essential for protecting their students and network against web-based threats. In addition to improving internet security, BrowseControl provided TCAT students with an optimal educational experience by blocking distracting websites during class hours and preventing bandwidth hogs from impacting the performance of the network.
BrowseControl’s convenient remote installation options and central management console made it the best internet filtering software for TCAT as they could deploy the software during the school term rather than having to wait until the holidays. Staff and user accounts could be readily distinguished, allowing web filtering policies to be customized to the needs of each group.
Keyword-based web content filtering blocks end-users from accessing websites that have specific keywords in text strings. These keywords are identified using regular expressions (regex) and/or a predefined list of blocked keywords.
The intention of using keywords for web content filtering is to prevent users from accessing inappropriate content. However, due to the Scunthorpe problem (keyword filters falsely flagging content), keyword filtering has a high potential to prevent access to legitimate websites. For this reason, category-based content filtering programs that include adult-oriented web content categories are typically used instead.
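The Scunthorpe problem described above can be reproduced in a few lines. This is an added example, not code from BrowseControl or any other product; the keyword list, the sample URLs and the function names are constructed for illustration.

```python
import re

# Constructed block list and sample URLs (assumptions, not a vendor list).
BLOCKED_KEYWORDS = ["sex", "cialis"]

SAMPLES = [
    "https://www.essex-council.example/libraries",  # legitimate
    "https://clinic.example/find-a-specialist",     # legitimate
    "https://shop.example/buy-cialis-online",       # unwanted
    "https://sexvideos.example/",                   # unwanted, keyword fused to another word
]


def substring_hits(url, keywords=BLOCKED_KEYWORDS):
    """Naive filter: a keyword anywhere in the URL counts as a hit."""
    lowered = url.lower()
    return [k for k in keywords if k in lowered]


_TOKEN = re.compile(r"[a-z0-9]+")


def token_hits(url, keywords=BLOCKED_KEYWORDS):
    """Stricter filter: a keyword must be a whole token between separators."""
    tokens = set(_TOKEN.findall(url.lower()))
    return [k for k in keywords if k in tokens]


def compare(samples=SAMPLES):
    """Return (url, blocked_by_substring, blocked_by_token) for each sample."""
    return [(u, bool(substring_hits(u)), bool(token_hits(u))) for u in samples]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"{url:48} substring={naive!s:5} token={strict}")
```

Substring matching blocks both legitimate sites, while whole-token matching clears them but misses the last URL, so tightening the pattern trades false positives for false negatives rather than removing the problem.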
Category web content filtering is used to block websites based on content categories such as pornography, violence, hate, and social networking sites. To do this the web content filtering software references a centralized database that associates websites with common web content categories.
These databases need to be constantly updated to keep up with new websites as they are created. For this reason the database is most often provided by the vendor of the web content filtering solutions.
CurrentWare’s web content filtering software BrowseControl includes a category filtering database that provides you with a convenient way to block millions of websites across over 100 URL categories.
When you seek access to a specific webpage, you type a Uniform Resource Locator (URL) into your address bar, such as CurrentWare.com or CurrentWare.com/blog. URL filtering blocks or allows access to specific websites or web pages based on these URLs.
URL filtering provides more granular and detailed web content filtering than DNS filtering by allowing companies to block individual web pages instead of the whole website at once. To make blocking entire websites easier URL-based web filters may also allow for wildcard filtering, which blocks the entire website unless exceptions are added to an allow list.
For example, a wildcard-supporting URL filter with “Facebook” on its block list and Facebook.com/CompanyPage on its allow list will allow access to Facebook.com/CompanyPage and stop users from accessing any other Facebook link.
With reference to the Open Systems Interconnection model (OSI model), a URL filter blocks websites using the packet information sent during the TCP/UDP protocol (layer 4, the transport layer) or by examining the URL in the address bar of the web browser (layer 7, the application layer).
From an end-user perspective blocking websites using a Domain Name System (DNS) filter is similar to web content filtering using a URL filter. Both solutions allow you to enter a website into the block list of the web content filtering software in order to prevent access to the website.
The key differences are:
To understand how DNS filters work, it’s important to understand how DNS is used when visiting a website. The human-readable URLs that we type into major web browsers are there mostly for our convenience; to connect to a website, the domain name is actually resolved to an IP address that is associated with a web server that hosts the desired domain.
When we seek access to a website, the DNS is used to locate the server where the domain’s website is located. A DNS filter blocks access to websites by intercepting the initial DNS query.
The filter will use its own DNS resolving service to determine whether or not the DNS query will be allowed to continue. If the domain of the desired website is not permitted on the network the website will not be served and the user will be redirected to an alternative page with a warning message.
As these IP addresses are mapped to an entire domain (website), DNS filters do not allow you to selectively block individual pages. For example, if you would like to block access to Facebook while still allowing access to your company’s Facebook page you will not be able to do that.
For a detailed description of the DNS lookup process, check out this explainer from VeriSign.
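The difference between the two filter types, using the Facebook example above, as an added sketch that is not BrowseControl's code. The policy lists, the function names and the case-insensitive path comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy mirroring the article's Facebook example.
BLOCK_WILDCARDS = ["facebook"]              # wildcard: any host containing this string
ALLOW_URLS = ["facebook.com/companypage"]   # exception: host + path prefix
DNS_BLOCK_DOMAINS = {"facebook.com"}        # a DNS filter can only list domains


def _normalise(url):
    """Return (host, host+path), lower-cased, without scheme or leading 'www.'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, host + parts.path.rstrip("/").lower()


def url_filter(url):
    """URL filter: allow-list entries take precedence over wildcard blocks."""
    host, full = _normalise(url)
    for allowed in ALLOW_URLS:
        # Match the exact page or anything beneath it, but not look-alike
        # paths such as /companypage-giveaway.
        if full == allowed or full.startswith(allowed + "/"):
            return "allow"
    if any(w in host for w in BLOCK_WILDCARDS):
        return "block"
    return "allow"


def dns_filter(url):
    """DNS filter: sees only the queried host name, never the path."""
    host, _ = _normalise(url)
    labels = host.split(".")
    # Block the listed domain and every subdomain of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DNS_BLOCK_DOMAINS:
            return "block"
    return "allow"


if __name__ == "__main__":
    for u in ("https://www.facebook.com/CompanyPage",
              "https://www.facebook.com/SomeoneElse",
              "https://example.org/"):
        print(f"{u:42} url_filter={url_filter(u):5} dns_filter={dns_filter(u)}")
```

The path of an HTTPS request is encrypted in transit, so a filter can only apply a page-level exception like this where it can see the full URL, such as on the endpoint or behind TLS inspection.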
Browser-based site blockers are browser extensions, applications or add-ons that are specific to each individual browser. Browser extensions are most often used by individuals that would like to block distracting websites on most major web browsers. These internet content filters are rarely used in business settings as they are easy to bypass by using other major web browsers.
Search engines typically include some method of filtering out explicit search results. These web filters allow for search engines to be used in environments where adult-oriented content would be considered inappropriate such as schools, public libraries, and most workplaces.
Only filtering content in this way is often not sufficient to stop inappropriate user behavior, though it does act as a first line of prevention.
Inline web filters are hardware or software appliances (such as an internet gateway) that operate within the network that they are filtering. These solutions are configured as a gateway that directly intercepts all traffic that travels through the network.
As they do not require a software client to be installed on each endpoint they are often used in environments that have guest networks, mixed platform devices, or other circumstances where direct control over devices is not feasible.
While the lack of a software client is advantageous for some deployments, it comes with a few tradeoffs. If access to a specific website is restricted in an inline filter it must remain restricted for all users on the network. These solutions are also not ideal for managing the devices of remote workers as the web content filtering only applies when they are connected to the network.
Endpoint-based web filtering software has a software client that supports computer filtering or user filtering, allowing the web content filtering solutions to be customized for each device or student/employee/patron.
The software clients receive web content filtering policy updates from a central server that is managed by the company and retain the policies even when the devices disconnect from the network.
Since a computer software client needs to be installed on each device that will be controlled, organizations with a large number of computers to filter will leverage automated software deployment tools that install the agent on all of their devices simultaneously.
The need for a dedicated computer software agent also means that endpoint-based web content filtering solutions are best used in environments that have in-office or remote workers using company-provided devices. Employees using personal devices for work-related tasks may object to having web content filtering software installed on their devices.
Firewalls are a type of inline web content filter. Firewalls can be hardware appliances or cloud-based/software-based virtual appliances. Rather than restricting specific URLs and domains, firewalls filter network traffic to authorized ports, protocols, and IP addresses.
Traditional packet-filtering firewalls operate at layer 3 (the network layer) of the OSI model to filter ports, protocols, and IP addresses. While these types of firewalls do block web traffic, they lack the ability to distinguish between specific sites as they cannot identify URLs or domain names.
Over time traditional firewalls have evolved into “Next Generation Firewalls” (NGFW) that combine the packet filtering of traditional firewalls with other network filtering functions such as web application firewalls (WAFs), web content filters, and intrusion prevention systems. These solutions are typically used to harden networks and block internet traffic that has been identified as malicious.
Unless you are using a next generation firewall (NGFW) with an integrated web filter that allows you to block specific URLs, a dedicated web filter is going to give you far more granularity for controlling access to websites.
What is considered the best web content filter depends on the needs of your environment. In many environments it is not uncommon to see multiple forms of web content filtering in place that meet different requirements.
For example, a business with dedicated office space could use an inline firewall to control ingress and egress traffic as it goes through their network while also using an endpoint-based URL filter to control what specific sites their employees can access.
To simplify the comparison this section will focus on two common solutions for blocking access to internet content: Inline network-based DNS filtering vs endpoint-based URL filtering with a software agent.
|Inline Web Content Filtering (Agentless)||Web Content Filtering (Agent)|
|Custom filtering profiles for each user/device|
|Block website categories|
|Manage guest/unknown devices|
|Web content filtering schedules|
|Block websites on any network|
The key difference between DNS filtering and URL filtering is that DNS filtering blocks entire sites based on DNS queries rather than specific URLs. DNS filtering will allow you to block undesirable domains for your entire network, however it lacks the ability to block a website while allowing individual web pages.
This can be problematic in an environment where users, computers, or departments require different levels of access. Examples include business environments where marketing staff need work-related access to social media or educational environments where students and staff need unique web content filtering policies.
In environments where user-level or device-level control is desired the best internet filter will be one that supports unique filtering profiles for each user or device.
Agent-based web content filtering software is the best web filter for remote workers as it will block websites even when they disconnect from the company network. This is also ideal for other scenarios where employees work offsite, such as corporate laptops that need to be protected when used at a remote site.
Agent-based web content filtering software also provides the means to apply different allowed and blocked lists on a set schedule. This allows employees to access non-work websites after work hours in environments where employees are allowed to use company-provided equipment for personal use.
For BYOD environments, employees that use personal computers for work may not feel comfortable allowing their employers to install web content filtering software clients on their devices.
In this instance an inline DNS filter can be installed on the company network or a client-based computer filter can be installed on the device that they remotely connect to. However, added security controls must be in place to mitigate the risks of allowing non-managed devices to connect to the corporate network.
Category filtering is a must-have feature for restricting access to inappropriate content. Fortunately, both DNS-based and URL-based web content filtering software providers offer this feature. With web category filtering you can leverage a pre-populated database of websites that you can block rather than manually sourcing your own list of websites.
DNS-based solutions with category filtering will only be able to strictly block or allow the entire category for your network. If you would like to block the social media category for the majority of your employees while still allowing access for your marketing team you will need URL filtering.
Web content filtering solutions only block what they are told to block. This leaves opportunities for end-users to visit undesirable websites that have not yet been added to the web content filtering solution.
Though many web content filtering solutions will include some form of logging or auditing to identify the websites that are being visited, using web content filtering in tandem with a dedicated internet and computer monitoring software is the ideal solution for enforcing acceptable use policies and ensuring that the internet is being used appropriately.
Want to start monitoring internet usage today? Get started with a free trial of BrowseReporter, CurrentWare’s internet activity monitoring software.
If you would like to set up web content filtering on a network where you will not have direct control over the devices that connect to it (such as a guest WiFi hotspot), you need a network-level web content filtering solution. An agent-based solution is not ideal in this scenario as there is no feasible way to install the agent on non-managed devices.
BrowseControl makes controlling internet access based on users, departments, and computers incredibly easy. Once you’ve installed the software all it takes is just a few clicks to set up user-based permissions. This tutorial will guide you through the general setup process and show you how to control internet access based on users with BrowseControl.
Setup File Contents:
Now you can start to control internet access based on users using BrowseControl. You can do this with one of three internet content filtering methods:
With BrowseControl’s category filtering feature you can easily block millions of websites across hundreds of predefined web categories. In just a few clicks you can prevent employees, students, and patrons from accessing social media, pornography, and other undesirable categories of websites.
If you would like to limit internet access to a pre-authorized list of websites, you can easily do that in BrowseControl.
Controlling access to the internet is a critical component of organizational security, productivity management, and acceptable use policy enforcement. The best internet filter will depend on the needs of your environment, the devices you would like to control, and the level of granularity desired.
With web content filtering you can meet compliance regulations, improve web protection, increase productivity, and prevent access to harmful websites, spam sites, and other undesirable content.
If you’d like advanced insights into information system usage you can combine web content filtering solutions with computer monitoring software such as CurrentWare’s BrowseReporter.
Ready to start with internet content filtering in your organization? Get started with a FREE 14-day trial of BrowseControl, CurrentWare’s web content filtering software.