Wavecrest’s RealTimePlus Filtering

Thursday, January 28th, 2010

RealTimePlus is our customer-configurable three-layer filtering process. It uses three layers of screening based on: (1) custom categories, (2) the Wavecrest categorization (control) list and (3) a real-time deep packet analysis process.

1. Custom Categories (the “First Layer”). ‘Custom categories’ supplement the standard categories. This enables you to better identify and control your users’ Web activity.   For example, you can create a custom category to:

  • Serve as a “white list” that contains all sites to which visits are allowed (while blocking all others).
  • Track and possibly block access to ‘standard’ sites that are not in the Wavecrest URL List but are of special local interest or concern.
  • Serve as a “black list” that contains all sites to be blocked (while allowing access to all others).
  • Track (but not block) visits to internal servers (intranet sites) and/or partner sites.

You can add custom categories at the Advanced Settings – Category Setup – Custom Categories screen. Then use the Advanced Settings – Category Setup – Edit URLs screen to add sites into your custom categories.

2. The Wavecrest URL List (the “Second Layer”). To accurately identify and categorize the vast majority of visits, Wavecrest products use a large, mature categorization control list.  This ‘control’ list consists of 69 ‘standard’ content-identification categories that is updated daily with URLs from around the world.  We recommend that you download the list daily to get the best filtering and monitoring coverage.   You can setup an automatic daily download of the list at the Administration – URL List – Schedule screen.

Another great customization feature with the control list is that you can add and move URLs in the standard categories.  For example, if you use Twitter as a Marketing tool but want to continue to block all other social networking sites, you can simply add www.twitter.com to the Marketing category.  You can make this change at the Advanced Settings – Category Setup – Edit URLs screen.

Finally, set your block/allow policies for your custom categories and standard categories at the Advanced Settings – Filtering Settings – Block Web Categories screen.

3. Deep Packet Analysis (the “Third Layer”). Using real-time ‘deep packet analysis,’ CyBlock can determine if the content of a URL is Flash, video streaming, audio streaming, images, Active X and more.  Any or all of these could be considered “inappropriate” and can be blocked.  You can also add your own extensions to be blocked.  You can block these types of content or add your own at the Advanced Settings – Filter Settings – Block Web Content screen.

Other Features

1. Hourly Blocking. You can block or allow categories at specific hours during the day.  For example, you may want to allow access to some categories during the lunch hour. You can set these hourly policies by clicking on the clock icon at the Block Web Categories screen.

2. Customizable Blocking Message. CyBlock comes with a standard blocking message, but you can configure the product to point to your own Web policy or personalized blocking message.  You can set this custom message at the Advanced Settings – Filter Settings – Web Blocking Message screen.

What Is the Purpose of the ‘IP Address’ Category?

Tuesday, November 17th, 2009

From time to time we are asked, “What is the purpose of the ‘IP Address’ category used by Wavecrest products?” The short answer is — it’s used to capture and segregate the IP addresses of Web sites that the product was unable to associate with ‘regular’ categories. Customers can then analyze them to identify network security threats, traffic to intranet sites, or other patterns of interest.

Here’s a bit more detail.

First note that our products identify many IP addresses and place them in content categories. The Wavecrest URL (control) list contains many such addresses.

Unfortunately though, initially unidentifiable IP addresses still appear from time to time. Generally speaking, we see three types, i.e., addresses associated with:

  1. Internal (and partner) Web pages
  2. Innocent links on Web sites
  3. Possible malware or virus servers

When the product encounters any of these three types, it places them in a special ‘IP Address’ category. Customers can then run reports on that category the same way they do on any other category. In addition, if the customer runs a Top Non-Categorized report, the uncategorized IP addresses will be listed along with uncategorized domain names.

Because the traffic associated with unidentified IP addresses can be important or even dangerous, it’s obviously desirable to pursue the matter further. So what can be done? Well, with a bit of work—and in some cases with some help from Wavecrest—it is possible to:

  • determine the source and purpose of most of the addresses
  • categorize the legitimate ones
  • isolate/neutralize the malicious ones

Let’s see how this is done. We’ll take it one ‘type’ at a time.

  1. Internal and Partner Web Pages. Some unidentified IP addresses may have resulted from users going to internal (intranet) or partner sites. (These normally would not be in the Wavecrest URL list.) To address this issue, start by running a Top Non-Categorized Sites Report or IP Address Category Report. Using your local knowledge, try to determine the IP addresses of those sites and then enter the information in one or more custom categories. (Instructions on how to create custom categories can be found in our manual.)
  2. Innocent links on Web Sites. These addresses could be associated with image or ad servers. If you want to address this issue, send a copy of a Top Non-Categorized Sites (“OtherWise”) Report to Wavecrest (sites@wavecrest.net). Our categorization team will then research and categorize the unidentified IPs for you the same way they categorize domains. If you would like to identify the IPs yourself, you can use IP address lookup tools such as the one available from https://www.networksolutions.com. This tool will provide you with information about the owner of the IP address(es) of interest. For example, the owner of the IP address could be a marketing company that serves ads, or it could be an image server. Once identified, if you desire, you can add the addresses to one or more custom categories.
  3. Possible Malware or Virus Servers. Some of the unidentified IP addresses could be associated with malware, spyware or virus servers. The clue here is very high around-the-clock traffic. This is an indication that the user’s computer has been infected or attacked. The solution in these cases is to isolate the internal computer(s) and remove the malware/spyware or virus. Here’s an approach you can use to help solve this problem.
  • Using the Dashboard, run a Trend report on the IP Address category and look for any unusual spikes. If you see anything suspicious then …
  • Run a category audit on the IP Address category and look for large amounts of activity coming from a particular PC(s). Make a note of the IP address(es) and then scan for infected files.

Summary. The IP address category was created to be a ‘red flag.’ Its purpose is to alert you that further action may be needed to resolve problems or to simply give you a more complete and comprehensive picture of all Web activity.