Filtering websites is important for any organization.
How does website filtering work, and what are its limitations?
It’s almost common knowledge these days that filtering websites is an important task for pretty much every business. But why? It’s not just to keep employees productive or off Facebook. It’s actually about liability, and not just the kind that crops up when one employee catches another on the wrong “hub” website. Yes, inappropriate browsing at work is a serious no-no, but the real danger here is from employees engaging in illegal conduct; if they do so using company property, the entire organization could be held responsible. This means that every organization needs at least some level of website filtering and employee monitoring.
There’s also no excuse not to filter websites in the office anymore. Years ago it was a technical indulgence. Nowadays filtering websites is fairly standard and usually handled by an organization’s firewall, which you should have anyways. But just because something is commonplace or automated doesn’t mean we should ignore how it works or what its limitations really are.
When a browser tries to open a website, your firewall connects to its website categorization service library, where it determines which category of website the requested URL belongs to. If it belongs to a barred category, the site is blocked. If the URL belongs to an allowed category of sites, the request is processed as normal. As for which categories are allowed or disallowed, those are configurable by you and your IT team/partners directly in the firewall, while the inspection and categorization of websites is provided by the device vendor.
Of course, the story doesn’t end there. Back before encrypting sites became commonplace and HTTP gave way to HTTPS, filtering was easy and accurate. These days that’s not necessarily the case. To understand why, let’s look at how website information is typically transferred, both with and without encryption. It’s a little more complicated in real life, but for now I’ve broken the process down into four basic steps.
1. Ask your browser to open a URL (www.youtube.com/watch?v=GSIDS_lvRv4).
2. Resolve the IP of the domain (www.youtube.com).
3. Establish a TCP connection to the domain’s IP.
4. Send an HTTP request to the server to then download the URL information.
Now, if the target website is unencrypted (HTTP), your firewall can not only read the site’s traffic, but also its complete URL. In other words, the firewall can send that URL off to the web filtering service by reading it from the data that gets sent back and forth in step four.
Encryption (HTTPS) changes things. Traffic and data from the site, including the URL, are encrypted between steps three and four. As a result, anyone in the middle can’t see it. That is of course the purpose, so that hackers can’t easily intercept the data, but the middle is also where your firewall sits in this particular process. The only thing that can be read in relation to the website is the CA (Certificate Authority) information in the certificate (which for YouTube is “*.google.com”), which is still useful for filtering websites but introduces slightly more complexity and possible minor inaccuracies into the process.
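The difference between the two cases, as an added example that is not from the original post: a Python sketch of a filter lookup keyed first on a plaintext HTTP request and then on the certificate name alone. The category table, category names and block policy are constructed assumptions; only the YouTube URL and the “*.google.com” name come from the text above.

```python
# Constructed category table (assumption): vendor databases are far larger.
CATEGORIES = {
    "www.youtube.com/watch": "streaming-video",
    "youtube.com": "streaming-video",
    "google.com": "search-engine",
}
BLOCKED = {"streaming-video"}  # hypothetical company policy

# Constructed plaintext request for the URL used in the steps above.
HTTP_REQUEST = (b"GET /watch?v=GSIDS_lvRv4 HTTP/1.1\r\n"
                b"Host: www.youtube.com\r\n\r\n")
CERT_NAME = "*.google.com"  # the name the post says is visible for YouTube

def key_from_http(raw: bytes) -> str:
    """Plain HTTP: recover host + path from the request sent in step four."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return host + target.split("?", 1)[0]  # query string dropped for lookup

def categorize(key: str) -> str:
    """Most specific match first: host/path prefixes, then parent domains."""
    key = key.lower()
    if key.startswith("*."):  # wildcard certificate name -> base domain
        key = key[2:]
    host, _, path = key.partition("/")
    segments = [s for s in path.split("/") if s]
    for i in range(len(segments), 0, -1):
        candidate = host + "/" + "/".join(segments[:i])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"

def decide(key: str) -> tuple:
    category = categorize(key)
    return ("block" if category in BLOCKED else "allow", category)

if __name__ == "__main__":
    print("HTTP :", decide(key_from_http(HTTP_REQUEST)))
    print("HTTPS:", decide(CERT_NAME))
```

With these constructed tables the same video request is blocked over HTTP but allowed over HTTPS, because the certificate name maps to a different category than the full URL does.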
Putting the problems with encryption aside, there still remains the question of which site categories you should or shouldn’t block. At minimum you should be blocking anything that could create liability (such as pornography, violence, gambling, and the like). Beyond that, the question becomes one of company policy. Arguments for and against filtering can be made for various categories based on productivity or the expected needs of those being filtered, but however you configure your filtering categories, make sure you have a system that allows people to dispute your firewall’s decisions and request access to sites they may need to do their job. While many organizations “over” filter (and frankly from a cybersecurity perspective that’s probably a good thing), an almost universal mistake I see when it comes to filtering websites is having no method for those impacted to request a change.
This week’s Shakespeare quote comes from Hamlet: “We are oft to blame in this, – ’tis too much proved, – that with devotion’s visage, and pious action we do sugar o’er the devil himself.”
If you’d like help configuring your firewall, feel free to contact one of our IT professionals, and get yourself some stress-free website filtering today.
Be kind, courtesy your friendly neighbourhood cyber-man.