Sophos applies itself to Web filtering

 

Gallery

Posted on 10 Jan 2007 at 11:33

Security company Sophos has launched a Web filtering appliance offering content security, application control and URL filtering to small and medium-sized businesses.

The WS1000 is aimed at SMEs of between 100 and 1,000 users, and the appliances can be clustered to support greater numbers. The company also plans to launch a corporate version in the future.

It sits at the network edge, checking both the pages requested by users, and the pages returned to them for malicious threats, unsavoury content or simply blocking access to sites that are unnecessary for staff to view, such as gambling or sports sites.

The appliance replaces the more common approach of employing discrete security solutions that check URL requests and incoming pages with a single box and assesses the risk of each page to determine the level of scrutiny each page is put under.

While some page requests might be blocked, other URLs can be set at different levels of risk, and the data sent back from them scanned at either a basic level for HTML, executable and generic phish threats or analysing everything include images and other elements. This helps prevent any latency issues arising from every page being fully scanned.

The Internet has become the medium of choice for online attacks in recent times. A year ago, malicious email accounted for 1 in 12 of all email, according to Sophos. Currently it accounts for just one in 300. 'We've seen a drop in email-borne attacks,' said Graham Cluley, senior technology consultant at Sophos. 'Attackers don't use email to attach malicious executables so much these days.'

IDC claims some 30 per cent of companies with 500 or more employees have become infected because of Internet surfing.

Even so, Sophos' selling point for this appliance is its anti-malware pedigree. 'One of the huge advantages of our solution is that we are adding 7,000 new pieces of malware to our database every month,' said Cluley. 'Most of these are Trojan downloaders, which download malicious code onto infected PCs. Each time we see a new piece of malware with a new URL in it we chuck it into our [web appliance] filter ... Here we can block access to sites without needing to see it.'

Of the 7,000 new malware elements discovered by Sophos each month, many feature a URL in some form. Much of the malicious code hosted at these addresses is changed regularly - the code downloaded by the Tbspk Trojan was changed seven times a day, for example - meaning that antivirus companies have to keep their software up to date to handle this.

But, even if an attacker hasn't uploaded malicious code to a URL, once Sophos has recognised a 'bad' URL it can block access without having to analyse the data made available there.

The URL filtering of the WS1000 is also augmented with technologies from Sophos' industry partners, including a deal with SurfControl to feed in data from its web categorisation database that classifies more than 21 million web pages.

This data, coupled with Sophos' own scans of the Internet, adds in excess of 5,000 new 'bad' URLs to the filter each day.

So confident is Sophos of the new appliance, it is hoping to use its success in identifying and blocking threats as a means to show up the deficiencies of desktop security solutions. Cluley told us that if the WS1000 picks up outgoing packets that are destined to 'bad' URL - perhaps as the result of a keylogging Trojan sending out passwords to an online criminal - the sysadmin will be notified that a desktop PC within the network is infected. 'The eventual aim is to chuck out those guys there (on the desktop) and replace them with Sophos,' he said.