Network analysis is like turning over rocks

J.F. Rice | June 22, 2015
Among the things that crawled out were a number of websites that supposedly were being blocked.

I just found out my company's employees have been finding ways to get around my Web filtering. And that came as a surprise, because I use a best-in-class product that employs a database to categorize and block website URLs, which I thought I could rely on. But as I found out, that product is not perfect.

It all started when I downloaded a trial version of software that analyzes network traffic to the Internet. It's a pretty cool product. Not unlike the Web filtering technology, it uses a database to compare the traffic on my network to known risks, like file-sharing sites and unapproved cloud services. The way it works is simple: I export my firewall logs to a (rather large) file, import them into the software, and it combs through all the traffic to websites and compares it against the risk database. I thought it would be good validation of my website blocking capability -- and I was right. But I expected my website filtering to be a lot more effective than it turned out to be.

When I got my first report from the software, I thought it must be wrong. Google Drive, Dropbox and other file-sharing services were prominent on the list. But I block those sites! And webmail -- another category that I block -- was being accessed a lot more than I had thought. I also found some usage of remote access services and collaboration sites that can allow remote control of my company's end-user computers. Those also should be blocked. There were quite a few other surprises as well, including a website that aggregates communications from email, instant messaging, social media and mobile devices -- along with a huge potential for data leakage.

Unfortunately, the report was not wrong. Since it was based on my own firewall logs, there wasn't much question of the integrity of the data itself. I was able to verify that people have indeed been going to the websites in question.

I did some investigation and discovered that my Web filtering product is not 100% effective at categorizing all websites. For example, Google Drive has many URLs that are not in the file-sharing category. And it's also not completely effective at blocking access to websites over SSL-encrypted browser sessions. So if my end users know a particular URL, and especially if that URL is https rather than http, they can get past my filter. And as it turns out, many of my users are especially adept at finding ways around the system.

So while it's a good thing I went through this exercise to check the effectiveness of my Web filtering, I was a lot happier before I knew the truth.
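The validation described above (export firewall logs, compare destinations against a risk database, look for allowed traffic in categories that should be blocked) can be sketched in a few lines. This is an added example, not code from the column or from either product; the log format, the `RISK_DB` entries and all host names are constructed, and real firewall exports differ per vendor.

```python
import re
from collections import Counter

# Hypothetical risk database: parent domain -> category (constructed entries).
RISK_DB = {
    "fileshare.example": "file-sharing",
    "webmail.example": "webmail",
    "remotedesk.example": "remote-access",
}
# Categories the web filter is supposed to block.
BLOCKED_CATEGORIES = {"file-sharing", "webmail", "remote-access"}

# Constructed firewall log lines (assumed key=value export format).
SAMPLE_LOG = """\
2015-06-01T09:14:02 src=10.0.4.17 dst_host=www.fileshare.example dport=80 action=deny
2015-06-01T09:14:09 src=10.0.4.17 dst_host=dl-7.cdn.fileshare.example dport=443 action=allow
2015-06-01T09:20:41 src=10.0.4.23 dst_host=mail.webmail.example dport=443 action=allow
2015-06-01T09:21:10 src=10.0.4.23 dst_host=intranet.corp.example dport=443 action=allow
2015-06-01T09:30:00 src=10.0.4.31 dst_host=notfileshare.example dport=443 action=allow
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def categorize(host):
    """Match the host or any parent domain against RISK_DB, on label boundaries."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = RISK_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None

def filter_gaps(log_text):
    """Count allowed connections to blocked categories per (src, host, category, port)."""
    gaps = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("action") != "allow" or "dst_host" not in fields:
            continue  # denied traffic and unparseable lines are not filter gaps
        category = categorize(fields["dst_host"])
        if category in BLOCKED_CATEGORIES:
            key = (fields.get("src", "?"), fields["dst_host"], category, fields.get("dport", "?"))
            gaps[key] += 1
    return gaps

if __name__ == "__main__":
    for (src, host, cat, port), n in sorted(filter_gaps(SAMPLE_LOG).items()):
        print(f"{src} -> {host}:{port} [{cat}] allowed {n}x")
```

Matching on parent domains rather than exact URLs is what surfaces the subdomain that was allowed over port 443 while the main site on port 80 was denied.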

 
