Why Your Web Filter Should Not Serve as a Second Firewall

Posted by Geraldine Hunt on Fri, Feb 19th, 2021

Every enterprise today should be implementing a layered security strategy that utilizes multiple defensive layers to keep threats at bay.  Two of these include a firewall appliance and web filter.  At its most basic level, a customary perimeter firewall allows a security admin to open and block port access to and from the enterprise.  More advanced firewalls today analyze incoming traffic using layer seven scanning or behavioural analysis.  The basic function of a web filter is to prevent users from accessing designated website categories to prevent users from browsing inappropriate content, unproductive games or known malware deployment hubs.  In order to accomplish this, web filters target must HTTP port 80, and for modern day filters, HTTPS port 443.  Some advanced web filtering solutions also serve as antivirus gateways, stripping incoming web packets of malware and malicious code. 

Security Simplified while reducing CapEx

Web filtering today includes three basic solution architectures. Traditionally, web filtering is implemented as an appliance, either as an in-line device or as a proxy.  Recently, cloud-based solutions have become popular, simplifying the deployment and management process while reducing CapEx.  This is especially indicative of inline web filtering appliances.  An inline web filter appliance is placed between the core switch of the enterprise and the perimeter firewall.  This means that all traffic moves through the appliance.  Sometimes an inline architecture may overlap the functions of a firewall.  Although on the surface this may seem more secure, it often leads to big problems that can be difficult to troubleshoot.  A couple actual examples include the following:

A data administrator lost the ability to transfer files to a cloud-hosted server using SFTP.  Instinctively, the network support team focused on troubleshooting port 22 on the perimeter firewall.  After consuming much of their time, it was discovered that the web filter had begun interfering with SFTP traffic after a patch update.

A help desk technician was deeply frustrated with the inconsistent performance when remoting into local desktops using a cloud-based support access site to support their users.  It would take four, five even ten attempts to connect to the desktops, this despite the URL of the site being categorized as a safe site.  After troubleshooting the issue for weeks, the instigator was found to be the web filter.

Most inline web filters have an easy solution to get around these types of issues by simply inputting the IP address of the involved computers.  There are two problems with these exemptions.  The first is that web filter exempt computers require a static IP address, which complicates IP management.  The other is that the filter is wide open for those designated computers.  This opens up users of these devices to proceed to malware deployment sites and other unsavoury locations of the Internet that could compromise the enterprise. 

Keeping Mobile Devices Secure

Web filtering on premise-based architecture has been greatly complicated by the plethora of mobile devices in so many enterprises today.  When users take their mobile devices beyond the safe confines of the network perimeter, their devices can surf the Internet at will.  This is a real challenge for K12 school systems that implement one-to-one device programs.  School administrators must be able to assure parents that their child has the same safe web experience on school-issued devices whether they are at school or at home. To accomplish this, off-premise web sessions must be redirected back to the enterprise web filter.  Many web-filtering solutions utilize some sort of dedicated client application to do this.  This is on top of the Active Directory client that the device is always running in order to apply user-based policies.

Recently, a public school system in the southeast United States found out firsthand the problems that an additional client application can bring about. The district had boasted a well-managed one-to-one laptop program involving 13,000 devices. Over the summer, the school district upgraded all of their 18,000 devices to the Creators edition of Windows 10.  Shortly after the upgrade, all mobile devices lost the ability to install Windows Updates although the stationary desktops continued to process updates normally. After weeks of troubleshooting the problem, the school system turned to Microsoft who invested over a week themselves pursuing the issue. In the end, Microsoft engineers found the culprit - the web filtering mobile application.  The district is now waiting on the filtering solution to come up with a patch. During the five-week period, laptops were not properly patched, possibly exposing them to known vulnerabilities.

Cloud-Based DNS Filtering

The fact is that the proliferation of mobile devices demands a new type of web filtering architecture which is why cloud-based solutions are quickly becoming so popular.  Cloud-based DNS filtering solutions provide the same experience and architecture no matter where your mobile users are.  What’s more, filtering occurs for web-based traffic only, allowing your application traffic to flow unimpeded.  This eliminates problems that require perpetual troubleshooting, consuming the precious time of your already over-committed IT staff.  The digital transformation of today’s mobile world now constitutes that so many of your assets and service need to be migrated to the cloud, your web filtering solution is no different. 

If you would like to experience the benefits of DNS based web filtering for free, contact us.  We are offering companies the opportunity to try WebTitan Cloud or WebTitan Cloud for WiFi for free, with no setup costs or credit cards required, no contracts to sign, and no commitment to continue using our service at the end of the trial period.

To find out more this opportunity, speak with one of our specialists today. They will be happy to answer any questions you have about DNS based web filtering and guide you through the process of creating your free account. If you subsequently require any help redirecting your DNS or navigating the management portal, we are always here to help.