R3000 Enterprise Filter
Price: Starts at $10,995/1,000 users
Running a software-based Web filter on a firewall or proxy server requires constant administration to prevent traffic bottlenecks. 8e6 Technologies' R3000 Enterprise Filter
The appliance needs to be configured for port monitoring and connected to a switch port for pass-by filtering. It uses a mirror port on the outbound distribution switch to watch all HTTP traffic. It monitors IP packets as they flow through the network, matching Web site requests against its database of 75 filter categories and, when necessary, sending "blocked page" messages to the offending client machines. Requests are blocked through TCP session interception: A reset is sent to the Web server, and traffic is stopped before it loads in the browser.
Its content filtering is URL-based but doesn't employ blacklisting. While URL listings could be more inclusive (we found various porn and hacking sites that weren't identified), the filter performs admirably. R3000's filter database can be updated nightly from 8e6 servers via its proprietary X2 Search Array database, also known as MudCrawler, which continuously scrapes the Web to populate the database. New categories, including cults, humor and travel, enable enterprises to block nonbusiness Web traffic.
R3000's Java-based Web management console relies solely on Internet Explorer, which is somewhat limiting. While the console eases installation and administration, it's difficult to navigate the array of top- and side-mounted menus. However, it provides transparent authentication through LDAP or NT domains and enables you to customize user profiles based on content category filters.
Reporting in R3000 is nonexistent. 8e6 says this is necessary to maximize the appliance's speed. At a minimum, access to raw log files would provide a simple way to know if the filtering software is working.
During a scan of R3000, the appliance locked down fairly well, but the Java server crashed. While the filter continued to operate correctly, we were prevented from calling the admin console. The only recovery was a direct power cycling of the appliance. Another vulnerability surfaced with 8e6's use of an older version of OpenSSH 3.7.1, which is susceptible to a number of attacks. 8e6 says that both issues are being addressed.
8e6's tech support was eager to please and fairly knowledgeable, but it was only available during weekday business hours. The technicians did share various methods for performing manual filter updates, such as using a direct connection from 8e6 into the local R3000 and using the manual update feature contained in the Java Console.
Not to completely abandon the old-school approach, R3000 has modes for traditional pass-through and router-based filtering. The main advantage of pass-by filtering is that, if it fails, Web traffic continues to flow, but there would be lag time before anyone notices or complains. In router mode, however, users would complain immediately because traffic wouldn't reach the Internet.
Despite its lack of reporting and clunky admin console, 8e6's R3000 is an easily configurable, scalable and manageable enterprise offering that does a solid job of content filtering.
About the Author
Tom Bowers is a contributor to Information Security magazine.
This review orginally appeared in Information Security magazine.
This was first published in September 2005