
How well do content filtering tools limit network traffic?

Newer content filtering products are available, but are they worth the investment? In this SearchSecurity.com Q&A, network security expert Mike Chapple explains the technology behind content monitoring/filtering tools and whether you should wait for these products to mature.

How do content monitoring and filtering tools work? How well do they monitor outbound traffic?
Content filters are an evolving area of security technology. Essentially, they monitor all traffic on a network and compare it to a set of rules that define unacceptable activity. Content monitors alert administrators to the unwanted activity, while content filters block the objectionable traffic from entering the network.

The technology behind content filtering is fairly simple. If the device is set up to be a monitor, technicians can attach it to the network by using a network tap, SPAN port or similar replication technology, ensuring that the device receives a copy of all traffic. If it is designed to serve as a filter, it can be placed at a choke point in the network.

The important criterion to evaluate when deciding whether a content filter meets your business requirements is how the filter decides which traffic is allowed and which is denied. Most of the current generation of content filters use whitelist/blacklist technology to build lists of acceptable and unacceptable content. Depending upon the organization's security requirements, either a default "allow" or "deny" rule is applied. This approach is often seen in Web content filtering, where users are blocked from accessing inappropriate Web sites. While maintaining these lists can be quite a chore, filter manufacturers often provide a subscription service that offers access to a centrally maintained site categorization scheme.

Some companies are experimenting with newer content-filtering technologies. Using document signatures, traffic profiles and other techniques, these approaches seek to identify leaks of confidential information and other inappropriate content. While they hold promise, they're probably only useful if you have extremely high security requirements or a desire to be on the cutting edge of security technology. Otherwise, I'd recommend waiting a couple of years until these technologies mature.
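The whitelist/blacklist evaluation with a default "allow" or "deny" rule, and the monitor-versus-filter distinction, sketched as an added example that is not part of the original article or any vendor's product. The hostnames, the category feed and the precedence order (whitelist, then blacklist, then category, then default) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a vendor's subscription categorization feed.
CATEGORY_FEED = {"games.example": "gaming", "mail.example": "webmail"}

@dataclass
class Policy:
    default: str                                   # "allow" or "deny"
    mode: str                                      # "monitor" alerts, "filter" blocks
    whitelist: set = field(default_factory=set)    # domains always allowed
    blacklist: set = field(default_factory=set)    # domains always denied
    blocked_categories: set = field(default_factory=set)

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def lookup_category(host):
    """Return the feed category covering host, or None if uncategorized."""
    for domain, category in CATEGORY_FEED.items():
        if in_domain(host, domain):
            return category
    return None

def evaluate(policy, url):
    """Return (verdict, action, reason) for one requested URL."""
    # Normalize case and a trailing dot so "GAMES.example." still matches.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    category = lookup_category(host)
    if not host:
        verdict, reason = "deny", "unparseable URL"   # fail closed
    elif any(in_domain(host, d) for d in policy.whitelist):
        verdict, reason = "allow", "whitelist"
    elif any(in_domain(host, d) for d in policy.blacklist):
        verdict, reason = "deny", "blacklist"
    elif category in policy.blocked_categories:
        verdict, reason = "deny", "category:" + category
    else:
        verdict, reason = policy.default, "default rule"
    if verdict == "allow":
        action = "pass"
    else:
        # A monitor sees only a copy of the traffic, so it can alert but not block.
        action = "block" if policy.mode == "filter" else "alert"
    return verdict, action, reason
```

With `default="deny"` every uncategorized site is denied until someone whitelists it, which is where the list-maintenance burden mentioned above comes from; with `default="allow"` the same site passes unnoticed.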

More information:

  • Use IPsec rules to filter network traffic.
  • A content filtering tool is only one of the important intrusion defense technologies. Learn about the others in SearchSecurity.com's Intrusion Defense School.
  • This was last published in February 2007
