Book Reviews: Information Security Books and Product Reviews – GFI WebMonitor

Today we are going to take GFI WebMonitor for a test. GFI WebMonitor is a web security product that can be run on its own server, or as a plug-in to Microsoft’s ISA or TMG server, and markets itself not as a proxy, but as a proactive web security solution. It’s an important distinction that too often is lost on technologists. A proxy fetches content for you. It can parse rules and scan content, but its primary job is to retrieve and cache web content to improve response times and reduce bandwidth utilization, and that’s not what WebMonitor is about. GFI WebMonitor is a security product designed to:

* protect users from malware hosted on compromised websites or infecting downloads
* filter Internet access to enforce company policy
* control bandwidth usage

Install and configuration-8 out of 10

GFI WebMonitor is fairly easy to install on either standalone hardware, or as a plug-in for ISA or TMG. There are three versions available. WebFilter Edition controls Internet access, WebSecurity Edition handles file blocking, multiple antivirus engines, an anti-phishing engine and the GFI ThreatTrack engine for malicious website blocking, whilst the Unified Protection Edition combines both. If you are not interested in any kind of blocking, only malware protection, the WebSecurity Edition is for you. I really cannot see buying anything but the full Unified Protection package myself as this offers the most security and protection, but it is good to have options.

It’s pretty much a next-next-enter install, and simple enough that anyone can handle it. Decide whether or not you want to perform HTTPS inspection before you begin, and if you do, make sure you are a Domain Admin with permission to modify the Group Policy.

Default security posture-10 out of 10

The product really impressed me with its out-of-the-box configuration. While it applies no blocking by default, it runs the full gamut of antimalware scanning with multiple engines. This way you get maximum protection, but no risk of blocking something until you are ready to start enforcing policy. Too many security products start up as brick walls… this is a refreshing change.

Administration-8 out of 10

Local administration is through a browser-based console. You can use a browser for remote admin too, but you need to be sure your admin station is configured to use the WebMonitor server as its proxy so you can connect. It uses a tab-based approach that is fairly easy to use, and you can find your way around it pretty quickly.

My only complaint is that the default fonts are on the small side, so be prepared to have to zoom your browser in (or buy a bigger monitor.)

Effectiveness-10 out of 10

WebMonitor uses a massive database of 280+ million categorized sites, its reputation service to keep ahead of zero day and newly compromised sites, and multiple scanning engines to scan downloads and web pages for malware. It also has an anti-phishing and known malicious website engine (ThreatTrack). We set up a policy based on categories of content (gambling, porn, drugs, sports) and try as we might, we couldn’t get anything past it, even when using HTTPS, since we installed the HTTPS inspection component. Performance was very quick and when we accessed a permitted site, we couldn’t tell any difference in load time. Accessing a blocked site quickly brought up the banner page.

HTTPS inspection-9 out of 10

GFI WebMonitor offers an optional HTTPS inspection capability which works very well for domain-joined machines. The WebMonitor server will generate its own certificate, which you can push out to all domain-joined machines using a GPO. It will then generate SSL sessions on the fly between each client and the WebMonitor server, and proxy those connections to the Internet so it can perform inspection and content scanning. It’s a great way to ensure that nothing gets past just because it’s wrapped in SSL.

Logging and reporting-8 out of 10

Logging and reporting are both fairly straightforward. All activity the WebMonitor server handles can be logged to its own database, or to an external SQL server. If you want to keep logs for anything longer than a month, and you consider yourself a medium or larger size business, you probably want to use the SQL option. WebMonitor will want to keep all logs for a year by default, and even with a 500GB RAID 5 array on our test server, it looked like we would fill that using the local database and running for a full year.

You can search for activity based on user, site, category and more, and a really nice feature is that you can query for activity while keeping the specific user anonymous. This lets you check on actions of the company as a whole, without singling out an individual. Of course, if need arises, you can search on a specific user.

What we liked

* Multiple A/V engines
* Easy to install, easy to administer
* Broad category database with custom whitelists and blacklists
* SafeSearch enforcement keeps all search results SFW
* Bandwidth policies can limit, without completely blocking, streaming media to conserve bandwidth

What needs work

* Fonts are a little small
* Instant messaging filtering needs to support more protocols, particularly AIM

Total rating-88%

GFI WebMonitor scores high across the board. If you are looking for a strong web security solution for your network, you can download a free trial of GFI WebMonitor here.