Confronting the Modern Complexities of Web Filtering

Web filtering is an Internet security feature used to screen incoming web pages before the pages are displayed in an Internet user’s browser.   In the past, Web filtering was seemingly more straightforward with the use of tools such as invisible bridge settings, and the purposes built appliances like the Lightspeed Rocket Platform provided by Lightspeed Systems ( Presently, web filtering technology has evolved further, and users of the Internet must prove secure content by utilizing secure page encryption. This practice is being fueled by projects such as Let’s Encrypt.

Due to most websites using encryption, the analysis of content on a particular page is challenging.

Let’s Encrypt provides free SSL certificates, which encrypt personal and sensitive information such as usernames and passwords, to websites. These certificates are becoming easier than ever to obtain, and the task of filtering out inappropriate content has become increasingly difficult. Due to most websites using encryption, the analysis of content on a particular page is challenging.  Encryption only allows the filtering system to view only the client’s IP address, and the destination’s IP address, but not the actual content being loaded. This is especially problematic for schools because some education websites are hosted on shared servers that also host inappropriate content. Since the filtering system only sees the IP address of the webserver, the site with inappropriate content will be blocked, as will all sites hosted on that same IP address, whether inappropriate or acceptable. Another issue that encryption presents is the inability to view search queries on popular search engines. For example, if a student searches for  “guns” on Google, the filtering system might only capture that the student visited Google, rather than the inappropriate search for “guns” that the student had requested via the search query. These encryption barriers on the Internet are leading to ineffective filtering and reporting.


Lightspeed, like most other content filters, has developed ways to combat ineffective filtering. By employing Lightspeed, an intermediary server called a proxy, can be deployed to your enterprise network via GPO’s (Group Policy Objects). A PAC file controls the proxy settings, and the file has two modes. The first mode proxies only items that are on the specified list. The second one, however, proxies all sites except for the items that are on the specified list, and creates an exclusion list. Although proxying with a PAC file may seem like an easy solution, there are flaws within it. The main disadvantage is that only computers that are on your specified network are proxied. This exercise does not affect the BYOD devices. There have also been issues with specific browsers not trusting the man in the middle between certificates. Although proxying is a good first step, it is not the best solution in effective filtering. Lightspeed has deployed its WCCP (Web Cache Communication Protocol) support to the latest versions of their platform. This feature requires a firewall that also supports WCCP.  With this feature, the proxy will be done at the firewall level, rather than the device level. In return, this allows us to proxy all devices on the network, not just on locally owned equipment. Since we are proxying at the firewall level, there is no need to deploy PAC files, and man in the middle certificates. This feature is beneficial because it brings the content filtering back to the original bridge set up, which keeps it transparent to users.

As the Internet continues to evolve, IT support must adapt to new strategies. Employing PAC files and WCCP are just some of the latest ways that IT services and vendors are adapting to the evolution of the Internet. As technology progresses, there will be new and inventive ways that will break filtering platforms. IT services will be forced to overcome these platforms with new and innovative methods.