Network filtering - SmartFilter
Performance, clean management.
Each component needs separate initial configuration.
As good as its predecessors, just faster and smarter. Could use a policy umbrella for managing big environments.
The SmartFilter product from Secure Computing was one of the earliest products to perform category-based URL filtering. Now in version 3.2, the basic principles of the product remain, with performance and management improvements aimed at making the task of controlling web access as simple as possible.
SmartFilter is intended to sit on a web proxy behind a firewall, or on the firewall itself. The product comprises agents that reside on the gateways, a management server that runs on Windows, Solaris and Linux servers, and a management console which can run on the same platforms. The server and console components are both Java based.
The agents support a number of platforms, including Cisco Content Engine, Check Point FireWall-1, Microsoft ISA, Microsoft Proxy Server, Netscape, Squid and iPlanet. Each can be individually added to the management server as agents, and individually configured.
One of the product's advantages is reducing the number of intermediate devices required in a network – it is quite feasible to run firewall, proxy and filter services on a single Windows server using SmartFilter. We tested the product on a Dell PowerEdge server running Windows 2000 Server and Microsoft ISA Server.
At the heart of the system is the management server, though you rarely come into direct contact with it. All the hard work is conducted through the management console, which can manage any remote SmartFilter server. Agents can be grouped for management by single servers, though each component must be separately configured. Migrating configuration between agents is easy enough: all the config data resides in text files which can be manipulated with ease, but an automated tool for this would be very useful, especially for large distributed environments.
Communication between the console and the server can be encrypted. You have to set the option to do so manually, which leaves the possibility for accidental clear-text transmission of admin usernames and passwords over the wire. It would be useful if the server could be set to reject attempts to communicate insecurely, and possibly reset exposed passwords while it's at it.
The console itself is fairly standard. A left-hand tree view of installed agents and servers, with specific configuration tasks on the right. A top bar gives quick access to basic functions such as adding filter patterns and sites to block. While the console is a little sluggish, the actual filtering engine performs extremely well. URLs are divided into the usual categories, including sport, sex, web-mail and so on. Most of this is preconfigured – Secure Computing provides a control list which is updated daily, and the server can be set to update its list as frequently as you like.
Policies are created which specify types of access with plenty of granularity. Specific sites or certain file types can be blocked during times of the day, right down to individual hours. Policies are then assigned to groups of users, which can be defined by usernames or IP address blocks. SmartFilter can sync against LDAP, Microsoft Active Directory and iPlanet servers.
Users viewing blocked sites can be presented with a message explaining why. SmartFilter offers a limited, but perfectly adequate, ability to configure the message. Filtered pages and files can also be set to be retrieved after a delay of up to 30 seconds, rather than being blocked outright. This is intended to discourage activity which is contrary to an AUP but not in outright violation.
Filtering rules can become complicated, especially if you are blocking down to specific pages and types of files. SmartFilter provides a useful mechanism for identifying redundant or contradictory filters, helping keep complexity down and performance up.
The main strength of the interface lies in its simplicity. Every component is configured in a consistent fashion, and it is difficult to put a foot wrong. In some cases it is possibly too simple.
Logging is good, and can be to text files, Access databases or SQL Servers. It might be nice to have the option to use all or none of these, instead of only one at a time, but that is not a serious shortfall.
Reporting should have been good – Secure Computing bundles the basic version of WaveCrest's web-based reporting tool Cyfin, which offers usage and trend reports. A 'professional' version expands its repertoire, however, the system sent for review did not include the reporting tool, so we have to take the company's word for it. Documentation is thorough, in a custom help browser (remarkably similar to Microsoft's pre-web help browser) and PDFs.
Blacklists tend to be criticised for a lack of transparency and accountability, and Secure Computing has not gone out of its way to allay these concerns. The administrator cannot actually see the list of URLs which are being blocked. There is a page at the product web site which allows individual URLs to be laboriously queried, but it lacks a clear reporting mechanism or contact details for site owners to get an incorrectly blacklisted site removed.
Overall, the product continues to provide a strong solution. It does not offer many exceptional features, but focuses on the core tasks consistently and well.