Filtering The Malicious WebFiltering The Malicious Web

The internet can be a great productivity tool. It's also a prime source of trouble. From Web-based malware to inappropriate use of the Internet at the office, today's enterprises need to protect themselves from Internet misuse.

Mi5 Networks, named after Britain's domestic security service, offers a single-appliance approach to solving the problems the Internet creates. Providing URL filtering, antivirus scanning, malware protection and cleaning, and limited file leakage protection, the Webgate Web security appliance advertises zero latency while protecting systems and company data. We tested the Webgate 005 model.

Webgate is a competent URL and malware filter that does its job without adding latency to network traffic. It detects and blocks inbound threats. It's also useful for blocking outbound traffic, such as botnet or spam activity. And it includes a malware cleaning tool to remove infections.

On the downside, its file leakage prevention feature isn't very useful, and the malware cleaning tool only works with Internet Explorer. Its reporting interface also could use some polish.

The Webgate appliance scans all traffic and ports, not just HTTP, searching for malware and inappropriate URL access. Webgate blocks access to inappropriate or dangerous Web sites through URL filtering. Leveraging Web site category lists provided by IBM ISS, Web sites are grouped by categories based on the content of the site, such as pornography. Filters are updated hourly.

URL filtering policies can be applied to entire networks. More granular policies can be applied to groups or users through the product's integration with Active Directory. This requires a software agent to be installed on domain controllers. The agent monitors login events and maps user names to a system IP address. With this integration, IT staff can track Web site access via user name or system IP address.

Mi5 licenses its antivirus signatures from Sophos. HTTP and FTP downloads are scanned by the appliance before delivery to the user. Mi5 expects to incorporate instant message file transfer scanning in the first quarter of 2008.

If malware infiltrates the network by other vectors, Webgate can detect activities such as phone-home attempts and botnet traffic. Based on administrator-defined policy settings, the appliance can send alerts or block the communications outright.

We infected several test machines with more than 50 varieties of malware. We then enabled the Mi5 malware protection. Immediately, the appliance began reporting on and blocking inbound and outbound malware activity. If this had been a real infection, more than 2,000 spam messages would have been sent within the first hour.

The appliance also can be configured to scan PCs and laptops with SpyWash, an ActiveX control deployed directly from the appliance. SpyWash cleaned most malware detected, though a few items were quarantined and could not be removed because of running processes and system dependencies. Your IE security settings may need to change to enable the ActiveX control to run.

The file leakage prevention system can block downloads and uploads based on file types, which is too blunt to be very effective for preventing data leaks. If you're really worried about data leaks, more fine-grained solutions are available.

As tested, Webgate 005 supports throughput of 100 Mbps and is licensed for 500 users. List price is $24,775 plus annual support costs, which depend on the appliance model and support level.