This was another of those interesting months in the SC Labs. For almost three years we have been watching the web content management landscape. We have seen a steady evolution from a group of products that were largely URL filters. The first time we tested these products all we had to do was develop a suite of black lists for various websites and types of content and tell the device being tested to try to go to those sites. Then we read the success rates. That was then and this is now.
Today, web content managers go way beyond filtering on bad sites and dirty word lists. Now they cover peer-to-peer, instant messaging and social networking sites, and they even look at various types of malware.
As mentioned in my opening column, these are critically important functions in the currently emerging cyberthreat environment. While identifying bad sites and bad content is still important, the definition of what that means has changed markedly in the past two years. Even a cursory web search on the term "web content management" provides a wide variety of definitions, discussions and products. These range from the types of products and the context we are discussing here to products that help web developers manage the content of their websites.
Buying a product
What is important as we look forward is that the types of products we review this month stay current with all of the types of web-borne threats that are emerging on the internet. When you are evaluating web content management products, be sure that you are clear on how your users are using the web.
While we see this class of product converging with other types of perimeter defenses, that really has not happened yet. It is true that some aspects of web content management are showing up on other perimeter appliances, just as it is true that some aspects of anti-malware are showing up on web content management tools. However, a real convergence has yet to happen.
That said, you probably will need to fit web content management into your perimeter architecture. Because the products we looked at are in-line products, you can expect them to add some level of latency. With that in mind, you should be careful about how you build policies. It is possible to create real latency issues if you have a perimeter heavy with in-line devices of various kinds.
We also saw two distinct types of products with regard to scalability. One type was intended for very large enterprises, while the other type was not. The good news is that the products that are intended for smaller networks are scalable by virtue of their ability to use multiple devices on different internet-facing segments. The bad news is that they are not easily managed as a group from a central location and they cannot scale well to a single very large pipe. There were exceptions, of course.
How we tested
Testing web content management tools this year took a twist toward the more complicated. No longer is it enough to test for URLs and word lists. This year we also had to include some malware capability, peer-to-peer sites and instant messaging sites in our test suite.
Because we found that there is a tendency to connect into the enterprise infrastructure, this year our test bed had to include domains, Active Directory, etc.
What we saw was a high level of competency in general, a few warts and a few standouts on some products. One important point that we observed was the ease with which these products deploy and are managed subsequently. We took these boxes through the lab in near record time, but we didn’t miss anything for all of that.
The bottom line for this group is that you probably need it, you absolutely will benefit from it, and there are some precautions to take as you evaluate and purchase. Beyond a product’s feature set, you should consider the latency it adds into the network. Usually this is not great unless your policies are very complicated or badly written.
Once you decide on a product – after a thorough requirements analysis, of course, to make sure the product that you settle on is the right one for your organization – plan your deployment carefully. That means plan your policies and address everything you need to, but don’t set up a needlessly complicated set of policies. You probably don’t need to deal with every type of threat that might exist, so be sure that you identify what you do need to protect against.