Third-Party Utilities for Your Proxy Server

Throughout this series about Microsoft Proxy Server, I've covered many how-to topics, such as installation and setup, security, caching, and troubleshooting. In this issue, I discuss third-party plugins that can make your life easier—the kind of utilities that add functionality or security to your proxy server and how they interact with Proxy Server. Specifically, I talk about proxy server content filters, virus scanners, and log analysis.

Proxy Server Content Filters
One popular Proxy Server add-in is the content filter. I promise that you'll never install anything more controversial in a proxy server environment than a content filter snap-in. These filters can monitor employee surfing and compare any requested URLs against a list of URLs that the filter generates. If an employee requests content that you've restricted, that user sees a warning page instead of the problem content.

Common filter categories include violence, profanity, alternate lifestyles, nudity, sexual or tasteless content, religion, games, hacking, chat, intolerance, dating, shopping, weapons, job search, cults, sports, drugs, criminal skills, activism, politics, questionable content, racism and hate, alcohol, and tobacco. As the Proxy Server administrator, you can allow or disallow employee access to any of these categories. Some filter products let you assign categories to your existing group structure so that some users have more access than others. Because you might want to make exceptions to your rules, the flexibility of user groups is handy. Many filter products also let you define sites to block, exclude certain sites, and grant particular groups or individuals additional access so that they can reach sites that you've otherwise blocked.

Proxy Server content filters can also scan URLs and content against a list of keywords. If the URL or any of the content matches one of the key words, a warning page appears. The keyword search is an alternative to list comparison: It's a fail-safe method in case the list is outdated or inaccurate. The drawback to the keyword comparison is that it can often be too restrictive. For example, if you block sites because they contain the word sex, you may inadvertently block sites dealing with safe sex. If your company offers a chemical dependency program, your content filter might block the program's Web site merely because the site contains drug information.

Installing Proxy Server content filters can also affect employee morale. Employees might mistake the filters for company efforts to survey or censor their surfing habits. When restrictive content filters interfere with regular business usage, employees often take a negative attitude toward the filters and the use of a proxy server in general. In addition, proxy server content filters aren't necessary in every proxy server environment.

Two alternatives to using Proxy Server content filters exist. The first alternative is to use Proxy Server's domain filtering, which I covered in "Proxy Server Security," March 2000. The second alternative is to trust your employees. If you already trust your employees, you can probably rely on a strong and enforceable acceptable use policy. Acceptable use policies spell out for employees the company's expectations for using their computers to access the Internet. Failure to establish these limits almost certainly leads to trouble. For example, with today's large computer monitors, employees can see, even across the room, an offensive page that another employee accessed, prompting a complaint to the human resources (HR) department. Now, HR has to get involved in the company Internet surfing habits, and you suddenly have a lot more work to do.

Many content filters have one minor annoyance: Because the filter must examine incoming content in realtime, the time needed to return a client request will increase, and the number of users you can reasonably expect to serve from one proxy server will decrease. Adding additional hardware to the proxy server offsets some of the losses, but you generally can't escape the performance hit.

Another added cost is regularly updating proxy-based content filters. The content filter maker is responsible for keeping up with and classifying every new Web site on the Internet—a daunting task. Many vendors have an easy way to submit a site for classification (e.g., letting you submit a suspect Web site to their site to expedite the classification), thereby bringing new sites to the attention of the content filter maker. The vendors then offer a subscription service. Here's a list of some of the more popular proxy content filter software makers:

Proxy Server Virus Scanners
Over the past few years, the press has featured stories about powerful viruses that can destroy users' computers. However, the strength of the viruses and worms hasn't changed, but the number of affected users has grown. The same destructive viruses that can wipe out a computer today were around 15 years ago: Users are just better connected to receive those viruses now. Thanks to the Internet, the time that viruses need to circumnavigate the globe has dropped significantly, too.

Many systems administrators already have protection for their fleet of company workstations. Similarly, many email administrators have installed protection on their corporate mail servers to guard against infected file attachments. Some companies have installed directly into their firewalls protection that looks for infected file attachments. Best practice is to use more than one antivirus solution in strategic places within the company to bolster protection. For example, you might use one solution at the firewall level, another solution at the local workstation level, and another solution on the company mail servers.

Because Proxy Server is an application-layer gateway or application-layer firewall, it makes sense to try to block viruses at their point of entry into the company. A few of the larger antivirus software companies make plugins that integrate nicely with Proxy Server. Anytime you scan for something in realtime, you can expect a resultant hit in proxy server performance. However, realtime virus scanners for proxy servers usually need to scan only attached files; you can often select which file types to scan to avoid needless scanning. Here are two popular proxy server antivirus software makers:

Log Analysis
A log analysis program can produce several reports. The most popular report shows the Web sites' users passing through a given proxy server most frequently access. Other reports include the most frequently downloaded file types, the most popular search engines, the most popular browser versions, and cache efficiency.

Microsoft also distributes a proxy server log analyzer. The Microsoft Site Server Analysis Tool, which is included with Site Server 3.0, provides a simple report about what sites users visit through a given proxy server. Microsoft also distributes Site Server Express 3.0, a free, scaled-back version of Site Server, on its Web site (http://www.microsoft.com/ntserver/all/downloads.asp—scroll down to Management and Deployment Tools). This product lets a Web site administrator run simple reports on a Web site's logs. Unlike the full version of Site Server, Site Server Express doesn't include the proxy server report.

A pitfall of log analysis. Reports from Proxy Server logs give you a lot of useful information, but they have a disadvantage, too.

Proxy Server logs each piece of content that passes through the Web Proxy, Winsock Proxy, Server Proxy, and Socks Proxy services (for information about these services, see "Planning for and Installing Proxy Server," February 2000). Proxy Server also provides a detailed chronology of a user's Web sessions. You can import these logs into many popular analysis programs and generate reports based on usage. The problem is whether the requestor of the information has permission to receive that information, which can be a sticky legal issue. Users often have a false impression or expectation of privacy when they sit down at a PC. You can address this expectation through your acceptable use policy and a reminder during the logon process. Notifying users that their actions are subject to monitoring beforehand is crucial before you attempt any user log interpretation or report analysis.

Occasionally, someone—a coworker, a manager, or another authority figure, such as a security manager—asks me to snoop on a particular user's Web-browsing activities. These requests can be dangerous, because if you disclose that information, you might put someone's job in jeopardy. Usually, by the time such a request comes to me, the employee's job is already in peril. Management is looking for incontrovertible evidence, and a detailed record of an employee's surfing habits seems like an easy and irresistible means.

I always respond to these requests by asking for representation from HR personnel, who usually have a good grasp on company policies and the extent to which the company can observe an employee. Involving the HR department can limit your liability if the employee retaliates for your disclosing the records.

Also, be careful about drawing conclusions from the data. The safest thing to do is to hand HR personnel the reporting data and let them draw the conclusion. I also recommend that you document the request well, including the name of the person who asks you to perform any such tasks.

Many companies produce Proxy Server log analysis software. Here are a few:

Next Month
In the last installment in the Proxy Server series next month, I'll close the series by showing you how to monitor your proxy server to maximize uptime and efficiency. I'll also run through the Windows NT Performance Monitor counters that are important to Proxy Server.Body copy.