Web Content Filtering—What’s the Best Way to Block Websites?
Web content filtering is critical for protecting networks and users against web-based threats, objectionable internet content, and distracting websites. With all of the options for controlling internet access you may be wondering: what are the best web filtering solutions?
In this article I will overview solutions for web content filtering, describe the different content filtering methods, and emphasize the importance of blocking certain websites.
What Is Web Content Filtering?
Web content filtering is the process of preventing employees, students, and other end-users from accessing content on the internet. The most common web content to block are websites that are offensive, inappropriate, or otherwise high-risk. Schools and businesses use tools such as internet filtering software to block these risky sites.
Web content filtering policies are typically combined with web usage monitoring programs. These programs produce web reports that provide an overview of user behavior on an organization’s devices including web browsing, bandwidth usage, attempts to visit adult content, and wasting time at work (such as spending time online shopping).
How Does Web Content Filtering Work?
Web content filtering works by establishing web content filtering policies that set rules for accessing websites. A web filter will block access to specific types of web content based on a variety of factors including pre-defined web content categories, keywords, IP addresses, and URLs/domains.
Web filters typically operate at layer 7 (the application layer) of the Open Systems Interconnection (OSI) model. This is the layer where specific websites can be uniquely identified by their URL or domain name.
With a web filter you can:
- Block an entire website while allowing exceptions for specific pages
- Modify web access permissions for each user, device, and department
- Schedule internet access permissions to give employees access to unproductive websites during their breaks
Why Is Web Content Filtering Important?
Hardware or software web content filtering solutions are essential for preventing users from accessing websites with malicious or inappropriate content such as pornography, malware-infected sites, and sites that may be distracting to employees or students.
- Employee Internet Management (EIM): A web content filtering solution enables businesses to block offensive and distracting sites on a corporate network such as those with violent content, pornography, and games. This is essential for managing compliance requirements, bandwidth usage, or other business concerns.
- CIPA Compliance: US-based schools and libraries that wish to receive valuable e-Rate discounts need to use web content filtering to prevent minors from being exposed to unwanted content. With these measures in place they will meet their compliance requirements.
- Enforce Corporate Policies: To prevent a demeaning work environment and sexual harassment claims, companies will combine their corporate policies with web content filtering policies that ensure no pornographic content is accessed on the organization’s devices.
- Bandwidth Management: Network performance can be dramatically reduced by the overuse of bandwidth hogs such as video streaming sites. These websites can be restricted with web content filtering tools to help reduce bandwidth usage.
- Enterprise Network Security: Web content filtering provides network protection by blocking websites that are high-risk or known to have unsafe web content such as spam sites and malicious websites. Data leakage can also be prevented by restricting cloud storage sites and P2P file sharing services.
- Productivity Management: Web content filtering blocks offensive and distracting content such as social networking sites, computer games platforms, and video streaming services.
- Legal Liability: Web content filtering is essential to block access to content that is inappropriate such as porn, grotesque imagery, violence, and profanity. These filters prevent underaged users from accessing adult content and reduce the potential for internet abuse to cause a hostile work environment. Proactively blocking malicious websites is also a critical component of many security compliance regulations.
4 Types of Web Content Filtering
Keyword Filtering
Keyword-based web content filtering blocks end-users from accessing websites that have specific keywords in text strings. These keywords are identified using regular expressions (regex) and/or a predefined list of blocked keywords.
The intention of using keywords for web content filtering is to prevent users from accessing inappropriate content. However, due to the Scunthorpe problem (keyword filters falsely flagging content), keyword filtering has a high potential to prevent access to legitimate websites. For this reason category-based content filtering programs that include adult-oriented web content categories are typically used instead.
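The false-positive behaviour described above can be measured directly. The following is an added example, not code from CurrentWare or any filtering product: it compares naive substring matching with whole-token matching over a constructed keyword list and constructed sample URLs, and reports what each approach wrongly blocks or misses.

```python
import re
from urllib.parse import urlsplit

# Constructed sample keyword list, not a vendor block list.
BLOCKED_KEYWORDS = ["sex", "porn"]

# Constructed sample URLs, labelled with whether they are adult content.
SAMPLES = [
    ("https://www.essex-libraries.example/opening-hours", False),
    ("https://middlesex-uni.example/admissions", False),
    ("https://health.example/sex-education/teachers", False),
    ("https://www.example.org/news", False),
    ("https://videos.example/porn/latest", True),
    ("https://bestpornclips.example/", True),
]


def substring_match(url, keywords=BLOCKED_KEYWORDS):
    """Naive filter: a keyword anywhere in the URL string is a hit."""
    text = url.lower()
    return [k for k in keywords if k in text]


def token_match(url, keywords=BLOCKED_KEYWORDS):
    """Stricter filter: a keyword must be a whole host, path or query token."""
    parts = urlsplit(url.lower())
    text = f"{parts.netloc} {parts.path} {parts.query}"
    tokens = set(re.split(r"[^a-z0-9]+", text))
    return [k for k in keywords if k in tokens]


def evaluate(matcher, samples=SAMPLES):
    """Return (false_positives, false_negatives) for a matcher."""
    false_pos, false_neg = [], []
    for url, is_adult in samples:
        blocked = bool(matcher(url))
        if blocked and not is_adult:
            false_pos.append(url)      # legitimate site wrongly blocked
        elif not blocked and is_adult:
            false_neg.append(url)      # adult site the filter missed
    return false_pos, false_neg


if __name__ == "__main__":
    for matcher in (substring_match, token_match):
        fp, fn = evaluate(matcher)
        print(f"{matcher.__name__}: {len(fp)} false positives, "
              f"{len(fn)} false negatives")
        for url in fp:
            print("  blocked but legitimate:", url)
        for url in fn:
            print("  missed:", url)
```

Token matching removes the place-name false positives but still blocks the health-education page and misses the concatenated domain, which is why a maintained category database is the more reliable control.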
Category Web Content Filtering
Category web content filtering (URL content filtering) is used to block websites based on content categories such as pornography, violence, hate, and social networking sites. To do this the web content filtering software references a centralized database that associates websites with common web content categories.
These databases need to be constantly updated to keep up with new websites as they are created. For this reason the database is most often provided by the vendor of the web content filtering solutions.
CurrentWare’s web content filtering software BrowseControl includes a category filtering database that provides you with a convenient way to block millions of websites across over 100 URL categories.
URL Filtering
When you seek access to a specific webpage, you will type in a Uniform Resource Locator (URL) into your address bar such as CurrentWare.com or CurrentWare.com/blog. URL filtering blocks or allows access to specific websites or web pages based on these URLs.
URL filtering provides more granular and detailed web content filtering than DNS filtering by allowing companies to block individual web pages instead of the whole website at once. To make blocking entire websites easier, URL-based web filters may also allow for wildcard filtering, which blocks the entire website unless exceptions are added to an allow list.
For example, a wildcard-supporting URL filter with “Facebook” on its block list and Facebook.com/CompanyPage on its allow list will allow access to Facebook.com/CompanyPage and stop users from accessing any other Facebook link.
How Does URL Filtering Work?
With reference to the Open Systems Interconnection model (OSI model), a URL filter blocks websites using the packet information sent during the TCP/UDP protocol (layer 4, the transport layer) or by examining the URL in the address bar of the web browser (layer 7, the application layer).
DNS Filtering
From an end-user perspective blocking websites using a Domain Name System (DNS) filter is similar to web content filtering using a URL filter. Both solutions allow you to enter a website into the block list of the web content filtering software in order to prevent access to the website.
The key differences are:
- DNS filters can’t prevent access to websites based on URL; instead, they block entire domains.
- A DNS filter requires all internet traffic to be forwarded to an external DNS server provided by a web content filtering service provider.
- The URL web filter acts directly on HTTP/HTTPS traffic, while DNS filters act on the initial DNS queries that precede the HTTP/HTTPS connection attempts.
To understand how DNS filters work, it’s important to understand how DNS is used when visiting a website. The human-readable URLs that we type into major web browsers are there mostly for our convenience; connecting to a website actually requires resolving the domain name to an IP address that is associated with a web server that hosts the desired domain.
When we seek access to a website, the DNS is used to locate the server where the domain’s website is located. A DNS filter blocks access to websites by intercepting the initial DNS query.
The filter will use its own DNS resolving service to determine whether or not the DNS query will be allowed to continue. If the domain of the desired website is not permitted on the network the website will not be served and the user will be redirected to an alternative page with a warning message.
As these IP addresses are mapped to an entire domain (website), DNS filters do not allow you to selectively block individual pages. For example, if you would like to block access to Facebook while still allowing access to your company’s Facebook page you will not be able to do that.
For a detailed description of the DNS lookup process, check out this explainer from VeriSign.
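The Facebook example from the URL filtering and DNS filtering sections, worked through as an added example (not BrowseControl's implementation). The rule syntax is an assumption: a rule is a domain, optionally followed by a path, and a domain rule acts as a wildcard for the whole site. Matching on host and path-segment boundaries keeps look-alike hosts and paths from slipping through the allow list.

```python
from urllib.parse import urlsplit


def _host_and_path(url):
    """Split a URL or rule into (host, path); a scheme is optional."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    # Assumption: paths are compared case-insensitively.
    return host, parts.path.rstrip("/").lower()


def _host_matches(host, rule_host):
    """True for the domain itself or a subdomain, not for look-alikes."""
    return host == rule_host or host.endswith("." + rule_host)


def rule_matches(rule, url):
    """A rule without a path covers the whole site (wildcard)."""
    rule_host, rule_path = _host_and_path(rule)
    host, path = _host_and_path(url)
    if not _host_matches(host, rule_host):
        return False
    # Path rules match only on a segment boundary, so an allow rule for
    # /companypage does not also allow /companypage-offers.
    return (rule_path == "" or path == rule_path
            or path.startswith(rule_path + "/"))


def url_filter(url, blocked, allowed):
    """Layer 7 decision: allow-list exceptions override block rules."""
    if any(rule_matches(rule, url) for rule in allowed):
        return "allow"
    if any(rule_matches(rule, url) for rule in blocked):
        return "block"
    return "allow"


def dns_filter(url, blocked_domains):
    """DNS decision: the resolver sees the hostname only, never the path."""
    host, _ = _host_and_path(url)
    if any(_host_matches(host, domain) for domain in blocked_domains):
        return "block"
    return "allow"


# Constructed policy mirroring the article's example.
BLOCKED = ["facebook.com"]
ALLOWED = ["Facebook.com/CompanyPage"]

if __name__ == "__main__":
    for url in ("https://www.facebook.com/CompanyPage",
                "https://www.facebook.com/CompanyPage/posts/1",
                "https://www.facebook.com/CompanyPage-offers",
                "https://m.facebook.com/groups/example",
                "https://intranet.example/wiki"):
        print(f"{url}\n  URL filter: {url_filter(url, BLOCKED, ALLOWED)}"
              f"   DNS filter: {dns_filter(url, BLOCKED)}")
```

With the DNS filter the only choices for the company page are to block the whole domain or to unblock it for everyone, which is the limitation described above.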
5 Web Content Filtering Technologies
Browser-Based Internet Content Filters
Browser-based site blockers are browser extensions, applications or add-ons that are specific to each individual browser. Browser extensions are most often used by individuals that would like to block distracting websites on most major web browsers. These internet content filters are rarely used in business settings as they are easy to bypass by using other major web browsers.
Search Engine Content Filters
Search engines typically include some method of filtering out explicit search results. These web filters allow for search engines to be used in environments where adult-oriented content would be considered inappropriate such as schools, public libraries, and most workplaces.
Only filtering content in this way is often not sufficient to stop inappropriate user behavior, though it does act as a first line of prevention.
Inline Web Filters
Inline web filters are hardware or software appliances (such as an internet gateway) that operate within the network that they are filtering. These solutions are configured as a gateway that directly intercepts all traffic that travels through the network.
As they do not require a software client to be installed on each endpoint they are often used in environments that have guest networks, mixed platform devices, or other circumstances where direct control over devices is not feasible.
While the lack of a software client is advantageous for some deployments, it comes with a few tradeoffs. If access to a specific website is restricted in an inline filter it must remain restricted for all users on the network. These solutions are also not ideal for managing the devices of remote workers as the web content filtering only applies when they are connected to the network.
Endpoint-Based Web Content Filtering Software
Endpoint-based web filtering software has a software client that supports computer filtering or user filtering, allowing the web content filtering solutions to be customized for each device or student/employee/patron.
The software clients receive web content filtering policy updates from a central server that is managed by the company and retain the policies even when the devices disconnect from the network.
Since a computer software client needs to be installed on each device that will be controlled, organizations with a large number of computers to filter will leverage automated software deployment tools that install the agent on all of their devices simultaneously.
The need for a dedicated computer software agent also means that endpoint-based web content filtering solutions are best used in environments that have in-office or remote workers using company-provided devices. Employees using personal devices for work-related tasks may object to having web content filtering software installed on their devices.
Firewalls
Firewalls are a type of inline web content filter. Firewalls can be hardware appliances or cloud-based/software-based virtual appliances. Rather than restricting specific URLs and domains, firewalls filter network traffic to authorized ports, protocols, and IP addresses.
Traditional packet-filtering firewalls operate at layer 3 (the network layer) of the OSI model to filter ports, protocols, and IP addresses. While these types of firewalls do block web traffic, they lack the ability to distinguish between specific sites as they cannot identify URLs or domain names.
Over time traditional firewalls have evolved into “Next Generation Firewalls” (NGFW) that combine the packet filtering of traditional firewalls with other network filtering functions such as web application firewalls (WAFs), web content filters, and intrusion prevention systems. These solutions are typically used to harden networks and block internet traffic that has been identified as malicious.
Unless you are using a next generation firewall (NGFW) with an integrated web filter that allows you to block specific URLs, a dedicated web filter is going to give you far more granularity for controlling access to websites.
What Web Content Filter Should You Use?
What is considered the best web content filter depends on the needs of your environment. In many environments it is not uncommon to see multiple forms of web content filtering in place that meet different requirements.
For example, a business with dedicated office space could use an inline firewall to control ingress and egress traffic as it goes through their network while also using an endpoint-based URL filter to control what specific sites their employees can access.
To simplify the comparison this section will focus on two common solutions for blocking access to internet content: Inline network-based DNS filtering vs endpoint-based URL filtering with a software agent.
Inline Web Content Filtering (Agentless) | Endpoint Web Content Filtering (Agent) | |
Allow/Block Domains | ||
Allow/Block URLs | ||
Custom filtering profiles for each user/device | ||
Block website categories | ||
Manage guest/unknown devices | ||
Web content filtering schedules | ||
Category filtering | ||
Block websites on any network |
DNS web filters and endpoint-based web filters are two different approaches to filtering internet content.
DNS web filters work by intercepting and analyzing Domain Name System (DNS) requests made by client devices. When a client device makes a request to access a website, the DNS web filter checks the request against a predetermined set of rules or a list of blocked websites.
If the request is allowed, the DNS web filter resolves the request and the client device can access the website. If the request is blocked, the DNS web filter prevents the request from being resolved, and the client device is unable to access the website.
Endpoint-based web filters, on the other hand, work by installing software on each client device that is used to access the internet. This software is responsible for enforcing the web filtering rules on the client device.
When a client device makes a request to access a website, the endpoint-based web filter checks the request against the list of blocked websites. If the request is allowed, the client device is able to access the website. If the request is blocked, the client device is unable to access the website.
Both approaches can be effective at blocking inappropriate or unwanted internet content, but they work in different ways.
Level of Control (Granularity)
The key difference between DNS filtering and URL filtering is that DNS filtering blocks entire sites based on DNS queries rather than specific URLs. DNS filtering will allow you to block undesirable domains for your entire network, however it lacks the ability to block a website while allowing individual web pages.
This can be problematic in an environment where users, computers, or departments require different levels of access. Examples include business environments where marketing staff need work-related access to social media or educational environments where students and staff need unique web content filtering policies.
In environments where user-level or device-level control is desired the best internet filter will be one that supports unique filtering profiles for each user or device.
Remote Workforce Management
Agent-based web content filtering software is the best web filter for remote workers as it will block websites even when they disconnect from the company network. This is ideal for other scenarios that have employees working offsite, such as laptops that need to be protected when a corporate device is used at a remote site.
Agent-based web content filtering software also provides the means to apply different allowed and blocked lists on a set schedule. This allows employees to access non-work websites after work hours in environments where employees are allowed to use company-provided equipment for personal use.
For BYOD environments, employees that use personal computers for work may not feel comfortable allowing their employers to install web content filtering software clients on their devices.
In this instance an inline DNS filter can be installed on the company network or a client-based computer filter can be installed on the device that they remotely connect to. However, added security controls must be in place to mitigate the risks of allowing non-managed devices to connect to the corporate network.
Block Web Categories
Category filtering is a must-have feature for restricting access to inappropriate content. Fortunately, both DNS-based and URL-based web content filtering software providers offer this feature. With web category filtering you can leverage a pre-populated database of websites that you can block rather than manually sourcing your own list of websites.
DNS-based solutions with category filtering will only be able to strictly block or allow the entire category for your network. If you would like to block the social media category for the majority of your employees while still allowing access for your marketing team you will need URL filtering.
Monitoring Web Activity
Web content filtering solutions only block what they are told to block. This leaves opportunities for end-users to visit undesirable websites that have not yet been added to the web content filtering solution.
Though many web content filtering solutions will include some form of logging or auditing to identify the websites that are being visited, using web content filtering in tandem with a dedicated internet and computer monitoring software is the ideal solution for enforcing acceptable use policies and ensuring that the internet is being used appropriately.
Want to start monitoring internet usage today? Get started with a free trial of BrowseReporter, CurrentWare’s internet activity monitoring software.
Guest Networks
If you would like to set up web content filtering on a network where you will not have direct control over the devices that connect to it (such as a guest WiFi hotspot), you need a network-level web content filtering solution. An agent-based solution is not ideal in this scenario as there is no feasible way to install the agent on non-managed devices.
How to Block Websites With BrowseControl
BrowseControl makes controlling internet access based on users, departments, and computers incredibly easy. Once you’ve installed the software all it takes is just a few clicks to set up user-based permissions. This tutorial will guide you through the general setup process and show you how to control internet access based on users with BrowseControl.
Setup File Contents:
- CurrentWare Server and Console Setup File (CurrentWare.exe)
- CurrentWare Client Setup File (cwClientSetup.exe)
Install the CurrentWare Console on the managing computer
- Launch the CurrentWare Console setup file (CurrentWare.exe)
- Read and accept the End-User License Agreement (EULA)
- Select “CurrentWareConsole” and click “Next”
- Select BrowseControl and Category Filtering solutions
- The Installer will proceed to install the CurrentWare Server, Console and BrowseControl onto the manager’s computer. This process will take 3-5 minutes to complete.
Install the CurrentWare Clients on the computers you would like to filter
- Take the CurrentWare Client setup file (cwClientSetup.exe) and launch it on the computers that you would like to filter websites on.
- The installer will ask you for the name of the computer that the CurrentWare console is installed on from step 1. You can also use the IP address of your CurrentWare Server.
- For instructions on how to find the name of the computer that you installed the CurrentWare Console on you can visit our tutorial or see the Microsoft support page.
- After the CurrentWare Client installation is complete, it will connect to your CurrentWare Console (the manager’s computer from step 1) automatically.
- Repeat this process on all the computers you would like to control with the BrowseControl software.
Launch the CurrentWare Console on the managing computer
Now you can start to control internet access based on users using BrowseControl. You can do this with one of three internet content filtering methods:
- Block a small number of specific sites based on their URL
- Block specific categories of websites
- Block all websites except for pre-approved websites
How to block websites by URL
- Select the user(s) that you would like to apply the web content filtering policy to
- Set “Internet” to “On” if it is not already on
- Go to “URL Filter”
- Add the URL (www.NameOfWebsiteToBlock.com) of the website you would like to block to the URL list
- Select “Blocked List”
- Click the checkbox next to the desired URL and then click “Add to Blocked List”
- Click “Apply to Clients” to deploy the web content filtering policy to the selected device groups or user groups
How to block websites by category
With BrowseControl’s category filtering feature you can easily block millions of websites across hundreds of predefined web categories. In just a few clicks you can prevent employees, students, and patrons from accessing social media, pornography, and other undesirable categories of websites.
- Select the user(s) that you would like to apply the policy to
- Set “Internet” to “On” if it is not already on
- Go to “Category Filtering”
- Add the web categories you would like to block (ex. “Social Media”) to the Blocked Category List
- Click “Apply to Clients” to deploy the web content filtering policy to the selected device groups or user groups
How to only allow access to specific sites
If you would like to limit internet access to a pre-authorized list of websites, you can easily do that in BrowseControl.
- Select the user(s) that you would like to apply the policy to
- Set “Internet” to “Off”
- Go to “URL Filter”
- Add the allowed websites to the Allowed List
Conclusion
Controlling access to the internet is a critical component of organizational security, productivity management, and acceptable use policy enforcement. The best internet filter will depend on the needs of your environment, the devices you would like to control, and the level of granularity desired.
With web content filtering you can meet compliance regulations, improve web protection, increase productivity, and prevent access to harmful websites, spam sites, and other undesirable content.
If you’d like advanced insights into information system usage you can combine web content filtering solutions with computer monitoring software such as CurrentWare’s BrowseReporter.
Ready to start with internet content filtering in your organization? Get started with a FREE 14-day trial of BrowseControl, CurrentWare’s web content filtering software.