St Bernard Software's iPrism Model 3000 is as large and rugged as its canine namesake. Its 2U-height chassis has plenty of power available from its 3.20GHz Pentium 4 processor and 2GB RAM, so its bite is worse than its bark. Filtering up to 30Mbps of HTTP traffic, this is the big brother of the smaller iPrism 1200, reviewed previously.
Installation is straightforward, although you need to load installation software on to the controlling workstation rather than simply point a web browser at its IP address. As a web page content filtering device, it is quite effective. Its filtering database is updated daily as part of St. Bernard's iGuard service.
The database contents are under constant review, and new sites are categorized and loaded as they appear. While this is an increasing trend in all kinds of devices, the use of off-site resources could be a problem if they are unavailable for some reason.
But provided the servers are available, the administrator is relieved of the responsibility of maintaining lists and can concentrate on determining which categories to block or monitor.
St. Bernard employs a team of web analysts who check the sites in the database. This is important to avoid misclassification, but is a double-edged sword: St. Bernard claims its database has hundreds of millions of URLs, which suggests that sudden changes (during domain hijacking, domain parking, or site redirection) might not be noticed immediately.
Categories can be refined to control or monitor access within time periods. A further level of fine-tuning is possible by assigning categories to groups of users or even individuals. If this level of control is needed, the users must be identified and authenticated by the system.
It can use a variety of authentication methods, including LDAP and Windows NTLM, or it can use its own user database. This flexibility allows the system to be deployed in networks that use Unix or Novell Netware systems as well as Windows, by integrating with NT user domains.
The integration with NT domains allows automatic login, too, using client-side NTLM authentication. Using this facility imposes certain restrictions on the environment (you can only use Windows clients and must use Internet Explorer, which may turn off some admins), but applying per-user filtering without authentication is handy for internal applications and terminal services.
The administrator can also generate specific block lists, which can then be included as needed. The only restriction here is that sites specified in custom block lists can only be blocked, whereas those in the standard lists can be monitored as well.
There are some interesting options available to users when their access to a site is blocked by the system. Instead of a message informing them that access has been refused and to contact the system admin, iPrism users have the option of overriding the block if they have rights, which requires a password to bypass the filter. The less privileged can generate an access request which allows them to explain why they need access. This is forwarded to the administrator who will make the final decision.
The system provides a comprehensive reporting system with a number of predefined reports covering most aspects of activity. As the iPrism can be configured with rules set only to log activity and not block anything, a thorough analysis of web activity in the organization can be conducted without hindering (or tipping off) users. There is also a facility for creating special reports. Interestingly, the log files can be uploaded automatically to an FTP server for archiving and further analysis.
As with all systems of this sort, determined users will be able to find their way through the filter. There are, for example, numerous public proxy services on the internet created specifically to defeat corporate or national filters (in regions like the Middle East and China), or to access illegal material. Also, the web caches at search engines such as Google, and archive services such as Archive.org can also defeat classification – just try to justify blocking Google!
However, activity of this sort can be spotted in reports and with suitable analysis, so while the filter may not be bulletproof, with regular auditing it can get close to the mark. The combination of effective filtering and the deterrent factor is usually enough to stop most casual abuse.
Of more concern to most enterprises is a higher degree of content awareness than a URL filter can offer.
You can't block every webmail service, but spotting webmail traffic and checking it for sensitive information is a high-value proposition. The iPrism offers a useful service, but it should be considered only a part of effective web filtering.