Web Filtering: Choke-Point vs. Endpoint

There are generally two main enterprise architectures used to monitor and/or filter access to content available on the Internet: Choke-Point (web proxy, router, firewall, etc.) and Endpoint (client-server). Each has its advantages and disadvantages that we will explore.

Choke-Point Architecture

The Choke-Point architecture provides a central point of access to the Internet for all users. The Choke-Point is normally a server, firewall or router with embedded filtering software, or one or more “Internet appliances”: stand-alone devices built for targeted applications. Websense is an example of a caching Web proxy server that keeps a nearby store of Web pages and files originating on remote Web servers, allowing local network clients to access them more efficiently. When it receives a request for a Web page, a caching proxy first looks for the content in its local cache. If the content is not in the cache, the proxy server retrieves it from the appropriate Internet server to satisfy the request and saves a copy in its local cache for future requests. Sonicwall and Watchguard are examples of firewalls with embedded filtering software, usually backed by third-party URL filtering databases. Since every request to access an Internet site is sent from a workstation in the managed environment through the Choke-Point, the decision about whether the site may be accessed can be made centrally there. If a user requests a site that is determined to be off limits, the server or device returns a response to the user indicating that access is denied.
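The request flow just described, as an added illustration that is not code from the article or from any of the products it names: a minimal model of a caching Choke-Point proxy that evaluates the central access policy before consulting its cache, so that a page cached for one request is never served to a request the policy forbids. The blocked hosts, origin content and user names are constructed sample data.

```python
# Added example: a minimal Choke-Point (caching proxy) decision flow.
# Policy check -> cache lookup -> simulated origin fetch -> store in cache.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample policy: hostnames the organisation treats as off limits.
BLOCKED_HOSTS = {"gambling.example", "malware.example"}

# Constructed stand-in for the remote Web servers the proxy would contact.
ORIGIN_CONTENT = {
    "http://news.example/": "<html>headlines</html>",
    "http://gambling.example/": "<html>place your bets</html>",
}


@dataclass
class ChokePointProxy:
    cache: dict = field(default_factory=dict)
    origin_fetches: int = 0                    # cache misses that went upstream
    log: list = field(default_factory=list)    # central monitoring record

    def allowed(self, url: str) -> bool:
        return urlparse(url).hostname not in BLOCKED_HOSTS

    def handle(self, user: str, url: str) -> tuple[int, str]:
        """Return the (HTTP status, body) pair the client would receive."""
        # Policy is evaluated before the cache lookup: a blocked URL is denied
        # even if an earlier request happened to populate the cache for it.
        if not self.allowed(url):
            self.log.append((user, url, "DENIED"))
            return 403, "Access denied by organisational policy"
        if url in self.cache:
            self.log.append((user, url, "ALLOWED/cache"))
            return 200, self.cache[url]
        self.origin_fetches += 1
        body = ORIGIN_CONTENT.get(url)
        if body is None:
            self.log.append((user, url, "ALLOWED/origin-404"))
            return 404, "Not found"
        self.cache[url] = body
        self.log.append((user, url, "ALLOWED/origin"))
        return 200, body


if __name__ == "__main__":
    proxy = ChokePointProxy()
    for user, url in [("alice", "http://news.example/"),
                      ("bob", "http://news.example/"),
                      ("bob", "http://gambling.example/")]:
        print(user, url, proxy.handle(user, url)[0])
    print("origin fetches:", proxy.origin_fetches)  # 1: bob's first request hit the cache
```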

The greatest advantage of the Choke-Point architecture is its single point of installation, which simplifies deployment and reduces IT management overhead. In the case of a Web Proxy Server, access performance may also be enhanced by the caching nature of the proxy. There are, however, a number of disadvantages to this architecture. The single point of installation is also a potential single point of failure that must be addressed with redundancy. Since web filtering and reporting in a Choke-Point environment require all Web access to pass through a single point, the workstations in the managed environment must be configured to direct Web access to the Choke-Point. It is therefore possible for a user to change that configuration or use alternate means to access the Web, such as a readily available WiFi connection or a portable Internet access device. In addition, monitoring and filtering remote or mobile users that are not in the managed environment requires the remote workstations to be routed back into the Choke-Point, a highly inefficient way to manage traffic. Although somewhat offset by caching, Choke-Point installations create a bottleneck for Internet content which, depending on traffic dynamics, may actually cause performance to suffer. In general, with respect to filtering, Choke-Point architectures are used primarily for Web content and typically do not address other Internet communication protocols such as content exposed in email, chat, IM and dark web postings.

Endpoint Architecture

The Endpoint architecture places one or more servers in the managed environment and installs a client program, or Agent, on each workstation that is to be monitored and filtered. Pearl Echo is an example of an Endpoint monitoring and filtering solution. In an Endpoint architecture, the server is usually passive, waiting for requests from the Agent: for example, a request for the list of Internet access rules that apply to the current user, or a request to receive and store captured data describing the user’s Internet activity. Endpoint architectures are commonly referred to as distributed architectures because the processing load is distributed to the clients. For example, the workstation Agent may analyze a Web request at the client and decide whether or not to present the data to the user based on the Internet access rules it received from the server. The Endpoint architecture is a modular infrastructure intended to improve performance and scalability.

In Endpoint operation, user requests for Internet content are monitored and analyzed locally in real time by the Agent as the data is sent to or received from the Internet. The decision about whether the content may be accessed is made at the Endpoint. If the transaction (Web site access, email content, IM payload) is determined to be off-limits or to contain restricted data, the Agent on the workstation prevents transmission of the request. Activity monitored by the Agent is sent to a server for centralized analysis and reporting.

The disadvantages of this architecture relate to IT management. Agents must be deployed on all machines to be managed. This can be time consuming for implementations that don’t include Agent management tools, or in situations where users don’t authenticate to a network that administers the client computer’s policies. Another disadvantage of Endpoint implementations is the potential for conflict between the Endpoint Agent and other third-party applications that have not been developed according to common standards or best practices. Advantages of the Endpoint architecture include scalability and limited processing requirements for the server. In addition, the Endpoint architecture provides real-time monitoring and control of remote and mobile users without re-routing communications through the local network. Because the Endpoint Agent is resident on the client, it is not possible to subvert the Endpoint solution by accessing the Internet through off-network means such as WiFi hotspots or a secondary network card. Circumvention is possible, however, by removing the Agent from the client in non-secure implementations. Unlike the Choke-Point architecture, a single point of failure will not impede the continuity of communications, and by nature of its distributed design the Endpoint implementation does not suffer from the bottleneck performance issues found in the Choke-Point architecture.

Pearl Echo’s Design

As mentioned above, Pearl Echo is an Endpoint solution and thus provides all of the associated advantages. To address the IT management disadvantages of the Endpoint architecture, Pearl Echo integrates Agent management capabilities that allow centralized deployment and removal of the Pearl Echo Agent. Once installed, all program updates and upgrades are applied automatically. In addition, Pearl Echo is built to Windows Logo Standards as well as the standardized requirements detailed in the Microsoft Windows Driver Model in order to assure full third-party interoperability.

Because the Pearl Echo Agent is tied to the Endpoint, Pearl Echo’s Agent approach provides a greater level of insight into user, group and computer Internet usage patterns while simultaneously providing finer granularity when defining Internet access policies.

Comprehensive vs. 1-Dimensional Filtering

In addition to its in-depth monitoring capabilities, Pearl Echo’s filtering incorporates end-user defined:

  • automated and configurable URL category lists (Echo.Filters™)
  • custom white and black lists for all segments of the Internet
  • contextual keyword and phrase analysis
  • text pattern analysis
  • time controls
  • bandwidth controls
  • safe search controls, and
  • application controls

Using the Echo.Filters module, administrators can choose from over forty categories that they wish to block, and can run reports on users accessing web sites in these categories. Pearl Software’s URL database is built from a carefully tuned blend of Web bots, spidering, heuristic evaluation and human review to produce a comprehensive Web site blocking database. Using Echo.Filters in combination with some or all of the control methods listed above produces a blended and powerful approach to filtering all Internet content on and off the Enterprise’s network. Any approach taken to manage content should let administrators see how sites are categorized, customize filter modes, and immediately override and update blocked material.
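To make the layered control types listed above concrete, here is an added example (not code from the article or from Pearl Echo) of a decision function an Endpoint Agent might run locally against rules received from its server. The URL-category database, rule sets, work-hours window and the allow-list-wins ordering are all constructed assumptions for the illustration.

```python
# Added example: layered Endpoint filtering decision (category list, allow/block
# lists, time control, keyword and text-pattern analysis). First matching rule wins.
import re
from datetime import datetime, time
from urllib.parse import urlparse

# Constructed URL-category database; a production database has far more entries.
URL_CATEGORIES = {
    "casino.example": "gambling",
    "news.example": "news",
    "mail.example": "webmail",
}

# Constructed rule set, as it might be pushed from the server to the Agent.
RULES = {
    "allow_list": {"intranet.example"},        # always allowed; overrides other checks
    "block_list": {"pastebin.example"},        # always blocked
    "blocked_categories": {"gambling"},        # category-list control
    "work_hours_only": {"webmail"},            # time control: allowed only in the window
    "work_hours": (time(8, 0), time(18, 0)),
    "keyword_patterns": [re.compile(r"\bconfidential\b", re.I)],  # contextual keywords
    "text_patterns": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],      # SSN-like text pattern
}


def evaluate(url: str, payload: str, when: datetime, rules=RULES) -> tuple[str, str]:
    """Return (verdict, reason) for a transaction the Agent observes.

    url     -- destination of the Web request, email or IM transaction
    payload -- text leaving the endpoint (form data, message body)
    when    -- local time of the transaction, used by the time control
    """
    host = urlparse(url).hostname or ""
    category = URL_CATEGORIES.get(host, "uncategorised")
    if host in rules["allow_list"]:
        return "ALLOW", "allow list"
    if host in rules["block_list"]:
        return "BLOCK", "block list"
    if category in rules["blocked_categories"]:
        return "BLOCK", f"category:{category}"
    if category in rules["work_hours_only"]:
        start, end = rules["work_hours"]
        if not (start <= when.time() < end):
            return "BLOCK", f"time control:{category}"
    # Content checks apply to the outbound payload regardless of destination.
    for pat in rules["keyword_patterns"] + rules["text_patterns"]:
        if pat.search(payload):
            return "BLOCK", f"pattern:{pat.pattern}"
    return "ALLOW", "no rule matched"
```

The reason string is what the Agent would forward to the server for centralized reporting, so the log shows which layer produced each verdict.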

Pearl Echo’s monitoring and filtering work across all segments of the Internet and in all locations, providing a comprehensive solution not possible with Choke-Point solutions.
