Lesson 13—Web Filter

Hello! In this lesson, we will look at web filtering and the development of this technology.

During the early days of the Internet there were little to no restrictions on what websites you could visit.
Unfortunately, some of those sites had malware that could infect the browsing computer. Or,
sometimes a website contained content that others objected to. What constitutes objectionable
content can be controversial, but these two reasons—security and objectionable content—formed the
impetus for the development of web filtering technology.

So, what is a web filter? It’s an application that examines incoming webpages to determine if some or
all of the content should be blocked. The web filter makes these decisions based on rules set in place by
the organization, or individual, who installed the application. There is a corresponding interface that
allows you to configure the rules, and determine what gets blocked and what gets through. A web filter
can also establish different rules for different types of users. For example, at home a parent may want
to enforce stricter rules for children, than for adolescents and adults.

In the United States, libraries were the first to install web filters on their publicly accessible computers
in response to community pressure. The federal government passed the Children’s Internet Protection
Act (CIPA) in 2004 requiring all computers in a public library to have web filters, if that library accepted
federal funds for computers that access the Internet. These measures were met with a mixed reception.
As web filtering spread from libraries to schools, some argued that censoring information, no matter
how offensive, countered the mission of libraries and education. What’s more, sometimes the filters
were not sophisticated enough to distinguish between art and a lewd photograph, or the filters blocked
literature because of an expletive. These legitimate complaints about the limitations of the technology
prompted the developers of these applications to design more sophisticated filtering techniques, and
to make filter configuration more granular.

While the initial motivation was to protect children, after the technology was developed, its utility for
other purposes became apparent. Information could be censored for religious, political, or ideological
purposes. In addition, previous misdeeds of a government could be erased from the digital record. Still,
on the other side of the ledger, browsing was made safer by developing filters that could block adware,
spam, viruses, and spyware. Today, web filtering forms the first line of defense against web-based
attacks. In addition to client workstations, web servers, and ISPs, web filters were added to other
network devices, such as firewalls, proxy servers, sandbox technology, and wireless access points.

How does a web filter work? A web filter can consult a URL database that lists websites and domains
that are known to host malware, phishing, and other harmful tools. With over a billion active websites
on the Internet, this can be an onerous task. The URLs found on this naughty list are also known as a
deny list. There can also be a allow list, which is a sanctioned list of URLs. Another method that can be
used is a filter that looks for a keyword or predefined content. As noted earlier, the problem with this
method is the number of false positives; that is, it can inadvertently block legitimate content, such as
art. Machine learning may, in time, overcome this deficiency. Other types of web filters, such as the
Google search engine, use machine learning to help you find what you are looking for. Like other
network security devices, machine learning is the next step in building more effective web filters.

28
Fortinet has integrated web filters into a number of its products: for example, FortiClient®, FortiGate®,
and for wireless access points, FortiAP™.

Thank you for your time, and please remember to take the quiz that follows this lesson.

29
Lesson 14—SASE
Hello! In this lesson, we will introduce you to Secure Access Service Edge SASE, and explain how it has
evolved.

SASE is a technology that combines Network as a Service with Security-as-a-Service capabilities. SASE
is delivered through the cloud as an, as-a-service consumption model, to support secure access for
today’s distributed and hybrid enterprise networks.

Network security is a top priority for most organizations, however new challenges have emerged. Rapid
and disruptive digital innovation has brought on:
 an Expanding thin edge defined by small branch locations that are attached to the core network
 a Growing amount of off-network users accessing the central data center
 a Challenging user experience for off-network users
 an Expanding attack surface
 Multi-level compliance requirements, and
 Increasingly sophisticated cyber threats

As work environments have evolved, so too have user behavior and endpoint protection requirements.
Users no longer access information from a dedicated station within a pre-defined network perimeter
confined to a corporate office. Instead, users access information from a variety of locations, such as in
the home, in the air, and from hotels. They also access that information from different devices, such as
desktop workstations, laptops, tablets, and mobile devices. Adding to this network complexity is the
rise of Bring-Your-Own-Device, where users access enterprise systems through personal devices that
are not part of the enterprise infrastructure.

Organizations today require that their users have immediate, continuous secure access to network and
cloud-based resources and data, including business-critical applications, regardless of location, on any
device, and at any time. Organizations must provide this access in a scalable and elastic way that
integrates thin edge network sites and remote users into the central infrastructure, and that favors a
lean operational, as-a-service model.

Finding solutions that meet these requirements is challenging,

The reasons for this are clear.

While networks have evolved to support the workflows for remote endpoints and users, many outdated
network security solutions remain inflexible and do not extend beyond the data center to cover the
ever-expanding network perimeter and, therefore, the attack surface. With the advent of new thin edge
networks, this challenge is exacerbated.

Secondly, these solutions to converged networking and security oversight require that all traffic,
whether coming from thin edge locations or off-network users, runs through the core data center for
inspection. This results in:
 High cost

30
  Complexity
 Elevated risk exposure
 Latency and a poor user experience when accessing multi-cloud-based applications and data

Finally, the multi-edge network environment of today has exposed the limitations of VPN-only
solutions, which are unable to support the security, threat detection, and zero-trust network access
policy enforcement present at the corporate on premise network. VPN-only solutions cannot scale to
support the growing number of users and devices, resulting in inconsistent security across all edges.

A new scalable, elastic, and converged solution is required to achieve secure, reliable network access for
users and endpoints. One which addresses the security of many hybrid organizations, defined by
systems and users spread across the corporate, and remote network. That solution is SASE.

A SASE solution provides integrated networking and security capabilities, including:

 Peering, which allows network connection and traffic exchange directly across the internet
without having to pay a third party.
 A Next-Generation Firewall NGFW or cloud-based Firewall-as-a-Service FWaaS , with security
capabilities including Intrusion Prevention System IPS, Anti-Malware, SSL Inspection, and
Sandbox,.
 A Secure Web Gateway to protect users and devices from online security threats by filtering
malware and enforcing internet security and compliance policies.
 Zero Trust Network Access ZTNA, which ensures that no user or device is automatically
trusted. Every attempt to access a system, from either inside or outside, is challenged and
verified before granting access. It consists of multiple technologies, including multi-factor
authentication MFA, secure Network Access Control NAC, and access policy enforcement.
 Data Loss Prevention DLP prevents end-users from moving key information outside the
network. These systems inform content inspection of messaging and email applications
operating over the network.
 Domain Name System DNS, which serves as the phone book of the internet and provides SASE
with threat detection capabilities to analyze and assess risky domains.

These services deliver:

 Optimized paths for all users to all clouds to improve performance and agility
 Enterprise-grade certified security for mobile workforces,
 Consistent security for all edges, and
 Consolidated management of security and network operations

Although classified as cloud-based, there are common SASE use cases, which may require a
combination of physical and cloud-based solutions. For SASE to be effectively deployed in this
scenario, secure connectivity with network access controls must be extended from the physical WAN
infrastructure to the cloud edge. For example, to roll out access to SASE at branch offices, you may see
SASE reliant on physical networking appliances, such as wireless (LTE and 5G), and wired (Ethernet)
extenders or Wi-Fi access points.

31
The goal of SASE is to support the dynamic, secure access needs of today’s organizations. Proper SASE
service allows organizations to extend enterprise-grade security and networking to the:
 Cloud edge, where remote, off-network users are accessing the network, and
 the Thin edge, such as small branch offices

Fortinet’s cloud-based SASE solution is called FortiSASETM.

Thank you for your time, and please remember to take the quiz that follows this lesson.

32