ContentWatch Security Appliance Offers Filtering, Anti-malware

ContentWatch’s CP 300 security appliance offers very good content filtering, traffic shaping and anti-malware capabilities, as well as excellent reporting. It also integrates with directory services such as LDAP to let businesses enforce Internet usage policy per person.

Many businesses need to keep employees safe on the Internet and require solutions to monitor and, in some cases, block activity. The reasons vary: regulatory compliance, data loss prevention, information security policy and even HR policy.

A powerful driver for these solutions is the ability to limit or restrict bandwidth usage based on content categories or media type so that Jane in research can browse the Web looking for information on competitors’ products, but Bob in accounting can’t stream live video of the Victoria’s Secret fashion show.

In this space, ContentWatch is offering a 1U (1.75-inch) appliance, the ContentProtect 300, that provides solid filtering and anti-malware protection. The CP 300 also integrates with various directory services.

There are a lot of options available in this market, ranging from simple URL filtering solutions to solutions bundled with other perimeter protection services such as anti-malware all the way up to UTM (unified threat management) offerings with full perimeter security. Which architecture appeals most to you will be dictated by your existing security solutions and whether you want to increase or replace them.

Historically, Web content filtering solutions relied on static lists of URLs that were pushed out by the provider much the way anti-virus signatures are. There are a number of drawbacks to this method – it only works with a frequently updated database (and no database of all the content on the Web can ever be completely up-to-date). There are also some easy ways around filters like this, such as using a “safe” domain (such as blogspot) to host “non-safe” content (such as pornography).

Therefore, good solutions not only filter on the text string of the URL but also conduct some sort of page-based content analysis on the fly. This analysis can be conducted on the actual device or somewhere out in the cloud. Administrators need to balance settings to provide enough protection while not scanning so deeply that the Web browsing experience is compromised.

Along with the filtering and anti-malware features, the ContentWatch CP 300 includes bandwidth management and application control. The integration with directory services such as LDAP allows businesses to set and enforce Internet usage policy per person rather than the usual way, which is per MAC or IP address. Rules governing content, application and bandwidth usage can be set for individuals and groups. Administration can be done via browser or SSH (Secure Shell), and larger organisations have the option of managing multiple ContentProtect boxes through a single interface.

I installed the CP 300 following the clearly written Quick Start guide, configuring it first from a workstation directly attached via cross-over cable and then moving it onto my Secure Web Gateway testbed to sit between the external firewall and the testbed’s Ethernet switch. Ports are clearly labelled and located on the front of the unit. The device includes a hardware bypass so that network traffic continues to pass through it even if it fails. A helpful and informative wizard walked me through initial configuration, although I was disappointed that there was no way to configure SMTP authentication when configuring e-mail alerts.

The main Web GUI is separated into three main categories: Report, Manage and Admin. Another drawback to the product is that there is no context-sensitive help – clicking the Help button downloads and opens a PDF of the manual. The streamlined GUI is easy to use, yet at times it felt poorly organised. For example, configuring bandwidth utilisation for the WAN link is, for some baffling reason, under Admin, Configuration, Miscellaneous. Other than a few quirks, everything is where you’d expect it to be, the GUI is responsive, and reporting is excellent.

I synchronised the CP 300’s user directory with my LDAP server and started to build policies under the Manage tab. I put users in groups, created rules for time of day, content category and traffic shaping, and then assigned those rules under the Policy Manager. It seemed a bit cumbersome at first, but this modular approach makes it very easy to tweak policy later.

To make it easier to get started, ContentWatch provides several ready-made policies, ranging from denying all access to monitor-only. In most businesses, a good place to start is with Moderate settings, which block certain Web content categories, allow IM and prevent users from bypassing the device through proxying.

Those default rules did a great job when I ran through my usual content filtering tests. Google, Dogpile and Yahoo Safe Search was enforced automatically using my Moderate policy, all of the usual porn sites I test with were stopped, and all of the external proxying sites were blocked. I was impressed that many of my efforts to get around filtering using foreign languages were blocked as well, although I did eventually get to native-language Japanese pornography.

A major disappointment hit when I subverted the filter entirely by accessing well-known pornography sites through Internet archive sites like archive.org. Administrators who want to completely lock down Web use can always block everything and only allow whitelisted sites. In addition, the page that appears when content is blocked informs the user why – for example “filter avoidance real-time filter” – and provides a link to a spyware removal tool. This page can be customised easily.

The CP 300 excels at reporting. Reports can be sorted by user, IP address, site, application (other than browser) and bandwidth used. I could find specific threats such as spyware or viruses that were blocked, the sites that attempted to serve them, and the workstation or user who browsed that page. Any report can be displayed as a table, pie or bar chart; searched and filtered; and exported to Excel.

The CP 300 retails for approx £2060 for the hardware; the software subscription depends on the number of nodes supported and whether it’s one, two or three years.