  1. #1
    Master Untangler
    Join Date
    Dec 2010
    Location
    Southfield, MI
    Posts
    179

    The future of Web Filtering

    This month is my 10-year anniversary since discovering Untangle, and it has given me some time to reflect on what the internet looked like 10 years ago, what it looks like today, and what it will look like 10 years from now. Thinking about this has inspired me to re-evaluate whether Untangle still meets my needs, and what things I would like to see in future offerings from all NGFW vendors.

    I'd first like to give a shout-out to this page, which opened my eyes to the very obvious truth that the NGFW is dead:
    https://www.anitian.com/the-ngfw-is-dead/

    10 years ago, we transitioned our security posture off of the endpoints and became increasingly reliant on NGFWs. Today, as network boundaries are becoming fuzzier, the ability for the NGFW to be useful is becoming increasingly blurred. As an example, 10 years ago, most of my clients were running internal email servers. Today no one is. While the spam filtering on cloud email hosts is far, far better than SpamAssassin was (remember tuning Bayes scores, anyone?), it's a great example of the phenomenon of the "Death of the NGFW." I no longer control my perimeter as far as email is concerned. The perimeter of security is now at the endpoint.

    Secondly, as Let's Encrypt has made it so effective and easy to obtain trusted certs, most of the web is now encrypted. While we can set up MITM using SSL Inspector, employing that for every site on the web is very heavy-handed and has potential unwanted consequences. Again, the perimeter of security is now at the endpoint.

    Thirdly, 10 years ago, most websites targeted a specific topic, and the content stayed within a specific range of acceptability. Today, one domain or site can contain such a wide array of different content (think YouTube, eBay, Amazon, Reddit, etc.). URL-based filtering is so far off the mark today and doesn't solve the problems we are facing today.

    There's not much an NGFW can do for the first 2 points. But to my third point, I think that for Untangle to stay relevant for the next 10 years, there needs to be a fundamental transition to Web Filtering. Besides URL-based filtering, content needs to be filtered dynamically based on keyword and page content, as well as skin tone content. This means that pages that exceed a certain percentage of words, or have a certain percentage of skin tone, should be blocked based on the current content on the page. Furthermore, the option to color in skin tone with another color (e.g. gray) in all images would be a welcome feature (as there's no need to see the woman in a bikini when I go to a banking site). I know this is difficult due to SSL (my second point earlier), but maybe together as a community, others of you out there will join me in putting our heads together to find ways to keep our kids, schools, and ourselves sane in an increasingly insane world.

  2. #2
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    To add a thought, 10 years ago we didn't have access to various protections offered through DNS services. Those of us that opt to enable Web Filter's "Block pages from IP only hosts" can especially benefit from this additional layer of protection.

    That said, I don't disagree with the idea that there are benefits to content filtering. For a number of years I used a product based on DansGuardian (now called e2guardian, I think). That was strictly content filtering, no URL filtering, no skin tone features. I felt comfortable with it, but I would emphasize "besides URL based filtering," because I wouldn't want content filtering alone (Web Filter protects us from more than pictures of women in bikinis), and I would want to be able to decide where the filtering weight rests for my situation--content or URL.
    f1assistance likes this.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,294

    For me the content control aspect was less of a driver than throwing up barricades to malware. Much of this functionality will be more effectively displayed by the new Threat Prevention module.

    I also disagree rather firmly with the idea that the next generation firewall is dead. The walled garden still exists, but its form has changed. Now we have cloud systems functioning as private spaces, and that's where the walls lie. This isn't a bad thing, because it means we can finally, easily consider internal users and external users the same. With an equal risk assessment and appropriate isolation, we're free to fully secure critical infrastructure.

    This means, the NGFW is in the cloud, protecting cloud assets as well as providing a termination point for VPNs or other technologies we need to securely access those protected resources, while defining the appropriate trust values via our security policies.

    If anything, the next step for Untangle is not an improvement of Web Filter, it's an improvement in the VPN modules. We need Untangle to be able to do what Meraki does, set up and tear down connections for us as needed among any number of enrolled devices. SD-WAN Router is critical to this reality, but without this capability the value prop is a loss leader.

    Administrations are continuing the trend of going with technology that's easy over what's secure. Untangle does both, and yet I'm still losing subs to Meraki, and I have almost no hope of replacing what's left with new clients. The only business owners recently that I've had success with are the tiny ones that actually care, but when they're bought out by the larger fish, those larger fish are almost always Meraki.

    And sadly, I don't think all of us here combined can compete with Cisco. Even the weak, pathetic, and broken Cisco we have now, that's bleeding talent hand over fist, and producing utter garbage. They lie about vulnerabilities, and silence anyone with evidence of them. And the market doesn't care... if it does my sales aren't reflecting it.

    And this hurts me, because an Azure hosted Untangle, with SD-WAN Router devices in the field, backed up by Unifi switches and WAPs, controlled by an Azure hosted Unifi Controller is the ultimate in security, capacity, transparency, trust, AND ease. It's also BUCKETS CHEAPER!

    You'd think people would be tripping over themselves to buy into that... but nope... Meraki. Heaven save us from the propaganda that drives our market.

    But back to the article, just to underscore all this
    1.) The network perimeter is gone
    2.) NGFW’s are not designed for cloud architectures
    3.) Cloud providers are (or will) offer the same capabilities at a fraction of the cost
    4.) The NGFW is not effective
    1.) It's not gone, it's simply been redefined.
    2.) True, if your UTM isn't software based... Untangle is, which means it's in a VM wherever you need it.
    3.) This is a possibility, but hasn't happened yet.
    4.) Patently false, and only true if you're an IT admin that hasn't done your job.

    And in the end, in the everything-is-encrypted world... SNI is the only thing the network can filter on, and all of this Content Control stuff is going to have to move into security endpoints on the devices I guess. But... oh wait... that won't work because all the "new" endpoints are tablets / mobile devices, and most of those are controlled by a company that thinks censorship is never ok, while it steals every idea and fact it possibly can without any form of compensation.

    But now I'm ranting...
    Last edited by sky-knight; 01-15-2020 at 02:40 PM.
    f1assistance likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Quote Originally Posted by sky-knight View Post
    But now I'm ranting...
    Venom.

    Don't get me started. Let's go back in time, back to the beginning, and talk about who stole what.

    I see small business operations differently from y'all. I see less cloud than talked about here. I see huge amounts of activity at resources like Pinterest and YouTube. I see more business communication through Facebook than through email. I'm grateful for NGFWs.

  5. #5
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

    I'll bite my tongue...hard! :-J
    sperman likes this.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  6. #6
    Untangler
    Join Date
    Dec 2017
    Posts
    91

    Quote Originally Posted by Sam Graf View Post

    I see small business operations differently from y'all. I see less cloud than talked about here. I see huge amounts of activity at resources like Pinterest and YouTube. I see more business communication through Facebook than through email. I'm grateful for NGFWs.
    I tend to agree in this respect. I see more SB using Facebook and Instagram for their baseline communications. Gone are the days of sending emails from customers to businesses. A lot of this has to do with response time. It seems that the majority of businesses are more serious about responding faster over Facebook than they are with email. I think this has to do in large part with the metrics that Facebook gives those businesses, such as response time.

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,207

    Posted over two years ago on our blog by Untangle's founder.

    https://www.untangle.com/inside-unta...o-content-era/
    Jim.Alles likes this.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  8. #8
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

    Who's your daddy now?
    Wake up, Neo...
    The Smart Grid has you...

    Microsoft is testing ads in WordPad in Windows 10
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  9. #9
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Quote Originally Posted by jcoffin View Post
    Posted over two years ago on our blog by Untangle's founder.

    https://www.untangle.com/inside-unta...o-content-era/
    I agree with that assessment, but using SSL Inspector isn't off the table yet for small businesses, in my opinion. I think it's far easier to deploy SSL Inspector in a small business environment than it is in a home environment. In my experience, anyway.

    Quote Originally Posted by f1assistance View Post
    I'll bite my tongue...hard! :-J
    A failed strategy.
    f1assistance likes this.

  10. #10
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    This may be slightly tangential, but SDN should remain relevant.
    Presidential Advisers Expected to Push Software-Defined Networking for Secure Comms
    https://www.nextgov.com/cybersecurit...-comms/162588/
