If you want to control access to specific websites, you need a web filter – not a firewall. In this article I’ll compare web filtering software to firewalls so you can get the best internet filter for controlling employee internet access.
Why your firewall is NOT a replacement for a web filter
They’re Too Strict: The closest that traditional firewalls can get to a web filter is by blocking based on the IP address of the domain. They lack granularity and cannot exempt specific URLs from their firewall rules (eg. YouTube.com/user/CurrentWare), forcing you to block the whole website from being accessed by your entire network.
They Can be Easily Bypassed: Firewall policies only apply to your network. Without a web filtering agent installed on the device your employees or students can still access blocked websites by connecting their devices to their own network or a mobile hotspot.
Firewalls Are Finicky: A dedicated web filter makes blocking employees from accessing unproductive websites simple and efficient. Firewalls often require a high degree of technical proficiency and tedious IP lookups to block websites. With a web filter all you need to do is add the URL of the website to the blocked or allowed list.
That said, a web filter is not a direct replacement for a firewall. Each tool has its own unique use-cases. For the greatest security, a multi-layered approach that includes both solutions is ideal.
A web filter is best for…
A firewall is best for…
When you want to block internet access based on users, devices, or workgroups.
When you want to control inbound (ingress) and outbound (egress) traffic separately.
When you want to block websites based on their URL
When you want to prevent unauthorized traffic within your network
When you want to easily configure internet access permissions for several endpoints
When you want to block traffic that has been identified as being potentially malicious
What’s the difference between a firewall and a web filter?
Fundamentally web filters and firewalls serve different purposes. A web filter blocks access to specific types of web content and a firewall prevents your network from exposing internal services and computers to external threats.
Packet filtering firewalls operate at layer 3 (the network layer). They inspect data packets to filter traffic based on IP address or network port.
Firewalls can also operate at layer 4 (the transport layer). They will filter network traffic based on protocols such as Transmission Control Protocol (TCP)
Web filters and web application firewalls operate at layer 7 (the application layer). This is the layer where specific websites can be uniquely identified by their URL or domain name.
Free Sample Template: Employee Internet Usage Policy
Download this FREE acceptable use policy, customize it, and distribute it to your employees to set a precedent for the acceptable use of the internet in the workplace.
Web filters use URL filtering and domain filtering to block websites. BrowseControl restricts internet access by comparing the websites that employees are visiting to an established blacklist (blocked list) and whitelist (allowed list). Any URLs or domains (eg. Facebook.com) that are on the blacklist are blocked from being accessed.
A web filter gives you greater web access control than a firewall
Unless you are using a next generation firewall (NGFW) with an integrated web filter that allows you to block specific URLs, a dedicated web filter is going to give you far more granularity for controlling access to websites.
With a web filter you can:
Block an entire website while allowing exceptions for specific pages
Modify web access permissions for each user, device, and department
Schedule internet access permissions to give employees access to unproductive websites during their breaks
Firewalls with added DNS-based internet restriction capabilities can block websites as well, but they can only block the entire website – not specific URLs. When a user types in “YouTube.com”, their browser will make a DNS query to get the IP address of the website. Unfortunately, a firewall with a DNS filter cannot tell the difference between YouTube.com or https://www.youtube.com/user/Currentware/ as they both have the same IP address.
See how easy it is to block a website with BrowseControl
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.