Product: GFI WebMonitor 3.0
Product Homepage: click here
One of the primary reasons for deploying an advanced stateful packet and application layer inspection firewall is to increase protection against exploits that take place over Web (HTTP) connections. Two major issues afflict companies of all sizes:
- Intended and unintended downloads of dangerous code in the forms of spyware, viruses and worms
- Intended and unintended visits to Web sites that are not appropriate in a work environment
Protection against dangerous downloads prevents not only the users’ computers from being compromised, but helps protect the entire network, and data moving over corporate network channels from being intercepted and forwarded to an intruder. Blocking access to non-business related sites helps protect the company from legitimate and spurious lawsuits regarding workplace friendliness and also helps to improve employee productivity.
The ISA firewall’s extensible architecture enables developers to extend its already impressive stateful packet and application layer inspection mechanisms. One of the more popular extensions of the ISA firewall’s core firewall engine is the ISA firewall’s Web Proxy filter.
The Web Proxy filter is an extension of the ISA firewall’s core firewall engine that enables the ISA firewall to act as a Web proxy device. A Web proxy device (or server) can intercept Web requests from client machines that are explicitly configured as Web Proxy clients, or as in the case of the ISA firewall’s advanced application layer inspection routine, forward non-Web proxy client connections to the ISA firewall’s Web proxy filter without requiring explicit configuration of client Web browsers.
There are a number of solutions on the market today that plug into the ISA firewall’s Web proxy filter that enable you to block dangerous downloads and non-work related Web sites. One of the slickest and easiest to configure and manage solutions I’ve found so far is the GFI WebMonitor 3.0.
WebMonitor 3.0 brings a number of useful Web access and monitoring features to the table of the ISA firewall administrator. Some of these include:
- Monitor user activity in real time on a per connection or per user basis and disconnect bandwidth abusers
- Quickly view a URL History the last 200 URLs accessed through the ISA firewall
- Block access to adult Web sites/domains
- Check all Web and Web proxy mediated FTP downloads for viruses and related exploits
Monitor User Activity in Real Time and Per Connection and Per User Basis and Disconnect Bandwidth Abusers
One of the biggest complaints coming from ISA firewall admins is the inability to get a good bead on what particular users are doing and what they’re doing in real time. While you can use the ISA firewall’s impressive real time log viewer and enhanced filtering capabilities to find out what a particular user is doing, it requires that you configure the log filter and then collate data manually afterward. While the built-in functionality is very nice, WebMonitor 3.0 ups the ante on tracking users.
Check out the figure 1 that shows the WebMonitor 3.0 Web-based management console. Here you see the number of hits, the amount of bandwidth used, and the URL domains this user has accessed. This gives you a nice birds-eye view of user Web activity. If you want to get more details, you can click on the user name.
In figure 2 you can see a detailed number of hits the user generated to each site and get an high level view of what time of day the user was most busy by looking at the Day-time web usage (hits over time) line.
Another big problem ISA firewall admins encounter is bandwidth abuse. Every firewall administrator has this problem. We need to quickly determine if there are one or more users downloading large files and then be able to disconnect those downloads. After identifying and disconnecting the users, we can take further action by configuring ISA firewall policy to circumvent those users’ abusive network behavior.
The GFI WebMonitor 3.0 Web-based monitoring console makes it easy to find those users. First, you can use the Users History information we saw in figures 1 and 2, which gives a good running count on users’ bandwidth history. When we need to find out what users are downloading right now, we can use WebMonitor’s Active Connections display, as seen in figure 3. Notice the size of download appears in the Bytes column. When you click the red “x” in the Status column, you can stop the download while in progress.
Quickly View a URL History the last 200 URLs Accessed through the ISA Firewall
The ISA firewall’s real time log viewer and log filtering features enable you to see the communications moving through the ISA firewall at any single point in time, or for any particular time interval you’re interested in. However, as I mentioned earlier, you need to figure out how the ISA firewall’s log filtering feature works, then construct the appropriate log query and then export the results if you want to look at things more closely. While this works great, GFI WebMonitor 3.0 makes life a lot easier and does most of the heavy lifting for you.
For example, suppose you want to see what’s been going on recently and want to eyeball up to the last 200 URLs that have been visited through the ISA firewall. Just click on the Last Web Access node in the WebMonitor 3.0 Web management interface and you’ll see all these URLs and see detailed information about the URL visited, the user who accessed the site, the number of Bytes transferred, and the MIME type of the data accessed.
Figure 4 shows the Last Web Access display.
Whether you’re on a fishing expedition or trying to figure out what users have been visiting a specific URL of interest, one thing all ISA firewall admins will appreciate is the WebMonitor’s URL history feature. Using the URL History feature, you can quickly view the fully qualified domain names of all the sites accessed through the ISA firewall. Sites that have been filtered by the WebMonitor Web filtering mechanism are called out with a pink highlight.
Figure 5 shows an example of the URL History feature’s monitor page. Each fully qualified domain name for URLs hit in that domain appears on the URL History page. You can see the number of hits to each domain during the monitoring period and number of Bytes transferred.
You can see the users who went to the domain of interest by clicking on the link for the domain. In figure 6 you’ll see a list of users who visited the domain and the number of hits the users registered at that domain. Access to the domain seen in the figure was automatically blocked by the WebMonitor Web filtering feature and the domain was automatically added to an ISA firewall URL Set that is used to block adult oriented domains.
If the domain were not automatically blocked, you can click the Add site to ISA destination set button to add the domain to an ISA firewall URL Set (there are no Destination Sets in ISA 2004 firewalls).
If you click the users name as seen in Figure 6, you’ll be able to access a complete list of domains the user visited during the monitoring period.
Block Access to Adult Web Sites/domains
The WebMonitor 3.0 Web filtering feature uses the Yahoo SafeSearch database to determine which sites are safe. If the Web site is determined to be an adult site based on a query to the Yahoo database, then the connection is automatically entered into the ISA firewall’s URL Set that is used to drop connections to adult, non-business related sites.
It’s very easy to enable this feature. All you need to do is click the Site Rating node in the left pane of the Web management console and select the Enable Site Rating option. You can also configure exceptions to site rating restrictions, so that some users are not exposed to the site rating restrictions and can access the Internet to sites that they may have otherwise been blocked.
Figure 8 shows how easy it is to get Web filtering working using the Site Rating feature.
Check all Web and Web Proxy Mediated FTP Downloads for Viruses and Related Exploits
WebMonitor’s key feature is its ability to perform antivirus checks on all HTTP and HTTP tunneled FTP downloads. WebMonitor can use up to two antivirus engines to check downloads: BitDefender and Kaspersky. You might think that inspecting downloads for viruses and other malware would significantly slow down the ISA firewall, but from my limited performance testing of WebMonitor 3.0, I found performance wasn’t nearly as bad as I had expected. However, you must be aware that any application layer inspection is going to have an impact on performance. You can mitigate the effect by scaling up your processor and memory.
Configuration of antivirus checking is very easy. AV checking is enabled by putting a check in a checkbox. You can then configure how often you want to check for AV signature updates. Figures 9 and 10 show how you enable AV scanning and how to configure the AV signature update interval.
Figure 11 shows what the end user experiences when downloads take place. The end user sees a progress bar while the file is downloaded, and then sees the results of the AV scanning after the download is complete. When the downloaded file is checked and found free of viruses, the user can click the Save to Disk option to save the file to his local hard drive.
WebMonitor 3.0 is an interesting product. In contrast to some of the more popular Web filtering products for ISA firewalls on the market today, I found WebMonitor 3.0 extremely easy to configure. I didn’t need to read the manual, I didn’t need to wade through confusing setup dialog boxes, and I only needed to refer to the Help file once to get a completely working solution. Needless to say, WebMonitor created a very positive first impression.
The content filtering approach is very different from those that I’m accustomed to using. Most vendors of popular Web filtering add-ons for the ISA firewall maintain their own databases of undesirable Web sites. This allows them to fine tune their categories and gives you granular control over the types of sites you want to block, allow, or check up on. In contrast, WebMonitor 3.0 uses a public database from Yahoo, and uses that database to populate a URL Set on the ISA firewall which you can use to create a Deny Rule.
This is extremely clever and allows you to get the most out of the ISA firewall’s built-in feature set without stepping all over the ISA firewall’s core firewall model. The drawback to this approach is that you don’t have fine-tuned control over what types of content you want to filter – it’s an all or nothing adult-site oriented filtering approach. If this meets you’re company’s requirements, then it’s a great solution, especially in light of the fact that using the Yahoo database allows GFI to keep the price significantly lower than what you would pay for other Web filtering solutions.
WebMonitor 3.0’s antivirus checking facility turned out to be very effective in my tests. When I tried to download infected test files through the ISA firewall with WebMonitor installed, none of the compromised files made it past the WebMonitor filters. I was also impressed by the performance of the virus scanner, in that it did not keep the processor pegged around the clock, which is something I’ve seen with other Web AV scanning products.
The one thing that really rocks about WebMonitor 3.0 is that it doesn’t break the ISA firewall’s core firewall model. Many of the existing Web filtering solutions for the ISA firewall require that you force authentication on the Web proxy listener and that all clients be explicitly configured as Web proxy clients. This approach to Web filtering is consistent with a low security Bluecoat or Proxy Server 2.0 approach, but is completely inappropriate for the ISA firewall.
Why? Because the ISA firewall’s Web proxy filter and Firewall service work together to enable you to forward authenticated connections from Firewall clients to the ISA firewall’s Web proxy filter. Because of this, Firewall clients can act as de facto Web proxy clients and have their connections exposed to the ISA firewall’s Web proxy filter.
This means that even if users disable the Web proxy configuration in the browser, the Firewall client continues to service authenticated connections through the ISA firewall, and those connections are exposed to the ISA firewall’s Web proxy filter and the WebMonitor’s content inspection rules. This is something that makes WebMonitor a very strong entry in the race for ISA firewall Web filtering add-ons.
WebMonitor is a great solution for cost-conscious businesses who require Web filtering and AV checking for Web and FTP downloads. This is especially true if your ISA firewall administrator is already overworked and doesn’t have time to get a Ph.D. in a complex Web filtering plug-in to the ISA firewall. The primary drawback of WebMonitor 3.0 is its lack of granular control over the types of content categories you can filter. Given the overall pro’s and con’s of WebMonitor and considering its price, I’ll award WebMonitor 4 stars out of 5.
Have questions or comments about this review? http://forums.isaserver.org/Discussion_about_review_on_GFI_WebMon_3%250/m_2002003383/tm.htm
ISAserver.org Rating: 4 / 5
Get more information about GFI WebMonitor 3.0