
SOLUTION CARD

WHITE PAPER

Next Generation Web Security Architecture: Layer 2 Ethernet Bridge


Providing High Performance Broad Spectrum Web Traffic Inspection

About This White Paper

This white paper examines the key advantages of an inline Web traffic inspection design approach commonly known as a Layer 2 Ethernet Bridge. It seeks to inform and educate the reader on the fundamental architectural advantages of an Internet bridge filtering design versus other competing methodologies. After reading this white paper, the reader should have an understanding of how ContentKeeper provides high performance, broad spectrum, real-time Web security.

Introduction

Web filtering is an established and mature security technology. URL blacklists and Web category databases have existed and been refined for over 15 years. However, traditional Web filtering methods were developed on less-than-ideal Web traffic inspection platforms, namely (1) proxy-based filtering or (2) parallel traffic packet sniffing. Both of these approaches have significant disadvantages.

ContentKeeper has pioneered and refined a next-generation Web filtering architecture that provides real-time, scalable and fast inline Web traffic inspection. This approach employs a network technology known as a "Layer 2 Ethernet Bridge". Put simply, ContentKeeper inspects Web traffic at the data packet level for all incoming and outgoing traffic. It physically sits in line with your network's Internet connection and inspects every data packet transmitted in or out of your connection.

The result is a Web filtering and Internet security solution which can outperform any proxy-based solution and provide real-time analysis of all Web traffic generated by your organization.

Old School: The Sniffing-Based Filter

In 1998, when ContentKeeper began to pioneer Layer 2 Bridge filtering technology, the main competing solutions were deploying either a sniffing or a proxy methodology. The sniffing methodology (as deployed by competitors like 8e6 Technologies, now Trustwave) relies on a SPAN (mirror) port to copy all traffic to the Web filter, which inspects the copy and generates block events by spoofing TCP reset packets as needed (essentially inserting a block page where appropriate).

The sniffing method requires minimal network configuration changes and is less resource intensive (and less performance degrading) than proxy-based approaches. However, it is problematic. It could often be evaded because it cannot address encrypted traffic, and because the block mechanism relies on very precise timing for the TCP reset operation: the forged reset must reach the client before the real server's response does, and it must carry a sequence number the client's TCP stack will accept. This timing dependency creates inconsistent and unreliable policy enforcement. The window in which an inappropriate Web request can still be blocked is a fraction of the server's round-trip time, typically milliseconds, and under heavy network load, when the URL category database lookup takes additional time, the chance to block the request may be missed. This in turn leads to random policy enforcement, where some users can access inappropriate material while others are blocked.
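The race described above, as an added worked model (not ContentKeeper's code and not measured data): a small Python simulation of a span-port filter whose forged TCP reset must beat the origin server's response to the client, compared with an inline bridge that holds the request until the category lookup has returned. The lookup-latency distribution, the server round-trip time and the reset path delay are constructed parameters chosen to illustrate the effect, not measurements of any product.

```python
"""Toy model of the race a span-port (sniffing) filter loses under load, versus inline blocking.

Timeline for one request, in milliseconds from the moment the client's GET leaves the client:
the sniffer sees the mirrored GET at ~0, spends `lookup_ms` categorising the URL, then forges
a TCP RST that needs `rst_path_ms` to reach the client.  The real server's first response byte
reaches the client after `server_rtt_ms`.  Whichever arrives first wins.  An inline bridge holds
the GET until the lookup finishes, so its verdict always applies; the price is that `lookup_ms`
is added to the latency of every request.  All parameters are constructed, not measured.
"""
import random


def sniffer_block_succeeds(lookup_ms, rst_path_ms, server_rtt_ms):
    """The forged RST wins only if it reaches the client before the server's response."""
    return lookup_ms + rst_path_ms < server_rtt_ms


def lookup_latency_ms(load, rng, base_ms=0.2):
    """Constructed model of category-database lookup time: a fixed cost plus an
    exponentially distributed queueing delay whose mean grows with load in [0, 1]."""
    mean_queue = base_ms * 20 * load
    return base_ms + (rng.expovariate(1.0 / mean_queue) if mean_queue > 0 else 0.0)


def simulate(load, n=10000, seed=1, server_rtt_ms=5.0, rst_path_ms=0.1):
    """Fraction of blockable requests each design actually blocks at a given load,
    plus the mean latency the inline design adds to every request."""
    rng = random.Random(seed)
    sniffer_blocked = 0
    inline_blocked = 0
    inline_added = 0.0
    for _ in range(n):
        lookup = lookup_latency_ms(load, rng)
        if sniffer_block_succeeds(lookup, rst_path_ms, server_rtt_ms):
            sniffer_blocked += 1
        inline_blocked += 1          # inline: the frame is not forwarded until the verdict is known
        inline_added += lookup
    return {
        "load": load,
        "sniffer_block_rate": sniffer_blocked / n,
        "inline_block_rate": inline_blocked / n,
        "inline_added_latency_ms": inline_added / n,
    }


if __name__ == "__main__":
    for load in (0.0, 0.5, 0.9, 1.0):
        r = simulate(load)
        print(f"load={r['load']:.1f}  sniffer blocks {r['sniffer_block_rate']:.1%}  "
              f"inline blocks {r['inline_block_rate']:.0%}  "
              f"inline adds {r['inline_added_latency_ms']:.2f} ms per request")
```

Running the file prints block rates for several load levels: at idle the sniffer blocks essentially everything, while as load pushes lookup time towards the server round-trip time its block rate falls, which is the "random policy enforcement" the text describes. The inline column blocks 100% at every load but pays the lookup time on every request, so for a bridge filter the lookup latency is also the forwarding latency. The model ignores the second requirement of reset injection, an in-window sequence number, which the sniffer must have tracked from the mirrored stream.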


Old School: The Proxy-Based Filter


The proxy-based approach (employed by BlueCoat, Websense and Barracuda, for example) is typically implemented as either an explicit proxy or a transparent proxy. Explicit proxies require the configuration of each client device (which is typically onerous), whereas transparent proxies rely on a network device (usually a switch or router, using a redirection mechanism such as WCCP or policy-based routing) to forward selected traffic to the proxy server(s). While proxies allow a greater degree of control compared to the sniffing method, the approach comes with a significant resource and performance penalty.

The resource (and therefore performance) penalty arises because a proxy terminates every filtered connection: it accepts the client's TCP connection, parses the request, opens its own connection to the origin server and relays the response, processing the full protocol stack in both directions. In effect each proxy server must perform much of the computational work of both the front-end Web servers sending content and the Web clients generating requests. This load is incurred irrespective of the Web filtering function itself, so it is an additional resource demand. If SSL Decoding is used, that adds a further computational burden.

In addition, transparent proxies create a computational load on the network devices, because the device must identify and then redirect selected types of traffic to the proxy. This load is modest at lower bandwidth thresholds but can put significant strain on higher-throughput networks, and the cost of this additional network infrastructure is not trivial at multi-gigabit speeds. Because only the traffic the redirection rules select (typically TCP ports 80 and 443) ever reaches the proxy, anything sent on other ports bypasses it entirely; this is an additional evasion vector and therefore a control gap.

Next Generation: The Layer 2 Ethernet Bridge


With these limitations in mind, ContentKeeper has created an alternative approach that offers
greater control and efficiency while minimizing the deployment complexity and network
resource burden.

The Layer 2 Ethernet Bridge model allows the ContentKeeper Web Filter Pro to observe and analyze all traffic flowing over the bridge. Traffic is reconstructed from the Ethernet frames (data link layer) with minimal computational overhead and then run through a content analysis engine. Traffic that is approved is forwarded from one bridging interface to the other with near-zero latency, because the bridge does not terminate and re-originate each connection the way a proxy does; it forwards the original frames and reassembles only as much of the stream as inspection requires. This efficiency allows ContentKeeper to allocate the majority of the filter's computational resources to higher-value functions such as traffic analysis, SSL Decoding, and granular policy enforcement.

Because this approach is transparent to the network infrastructure, the filtering process does
not generate any additional computational load on other network devices, thus eliminating
another scalability constraint. Throughput can be increased by increasing the computational
resources and network IO on each filter as well as aggregating filters with the use of a
transparent load balancer or leveraging other native link aggregation technologies. This
approach yields both scalability as well as resiliency advantages as evidenced by single
ContentKeeper implementations supporting over 500,000 concurrent users.

In addition to the scalability advantages, the Layer 2 Ethernet Bridging approach also offers a much more reliable blocking process, as it is not subject to a race condition or timing error: a blocked request is simply not forwarded across the bridge, and a custom response carrying a notification message is sent back to the client instead. Having visibility of all traffic also removes the WCCP redirection step as a possible bypass point and allows the filter to address traffic that is not proxy-capable. For example, P2P applications can also be controlled using ContentKeeper Web Filter Pro.

It is also worth noting that the Layer 2 Ethernet Bridging model is 100% proxy compatible. In
scenarios where a proxy model is desired, ContentKeeper can be deployed in conjunction
with either the ContentKeeper Cache High Performance Proxy or with any 3rd party proxy.

Security

The ContentKeeper bridge design provides significant next-generation security advantages. Traditional proxy-based anti-virus protections focused on executable malware downloaded over standard HTTP. Today's malware circumvents this approach: browser-based vulnerability exploits install a small first-stage component which "phones home" over obscure ports and downloads additional malware over whatever outbound connections the organization's firewall permits. In other words, malware authors deliberately go around proxy-based filters by directing traffic to other ports, much as VoIP traffic such as Skype does.

The ContentKeeper inline filtering approach scans all incoming and outgoing Web traffic regardless of the port it is directed to, because the bridge sees every frame rather than only the ports a redirection rule selects. This makes ContentKeeper well suited to detecting malicious Web traffic even when the malware uses deliberate proxy avoidance methods. Traffic that is encrypted still has to pass through SSL Decoding before its content can be inspected.
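To make the frame-level behaviour concrete, here is an added example (written for this page, not ContentKeeper's implementation) of the decision an inline bridge filter makes for one ingress frame. It parses Ethernet, an optional 802.1Q VLAN tag, IPv4 and TCP, looks for an HTTP/1.x request in the payload on whatever TCP port it arrived, and either forwards the frame untouched or withholds it and forges the server's reply with a notification page and correct sequence, acknowledgement and checksum values, as the "Next Generation" section describes; it also illustrates the port-agnostic inspection point made in this Security section. The blocked hostnames, MAC addresses and IP addresses are constructed for the example, and a real filter reassembles the TCP stream before inspecting rather than looking at a single segment.

```python
"""Inline bridge filter decision (added example, not ContentKeeper code): parse Ethernet /
802.1Q / IPv4 / TCP, recover an HTTP/1.x request on ANY destination port, and return
('forward', None) to copy the frame to the egress interface, or ('block', reply) to drop it
and send a forged server reply back out the ingress interface.  Single-segment requests
only; a real filter reassembles the TCP stream first."""
import struct

BLOCKED_HOSTS = {"blocked.example", "malware.example"}   # constructed policy, hypothetical names
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def parse_frame(frame):
    """Fields the filter needs from an Ethernet/IPv4/TCP frame, or None if not IPv4/TCP."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off, tci = 14, None
    if ethertype == 0x8100:                          # 802.1Q: 2-byte TCI, then inner ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        off += 4
    if ethertype != 0x0800 or frame[off + 9] != 6:    # IPv4 carrying TCP only
        return None
    ihl = (frame[off] & 0x0F) * 4
    ip_len = struct.unpack_from("!H", frame, off + 2)[0]
    toff = off + ihl
    sport, dport, seq, ack = struct.unpack_from("!HHII", frame, toff)
    doff = (frame[toff + 12] >> 4) * 4
    return {"dst_mac": dst, "src_mac": src, "tci": tci, "vid": None if tci is None else tci & 0x0FFF,
            "ip_off": off, "sip": frame[off + 12:off + 16], "dip": frame[off + 16:off + 20],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "payload": frame[toff + doff:off + ip_len]}   # bounded by IP length, not frame length

def http_host(payload):
    """Host header of an HTTP/1.x request start, whatever the TCP port; None otherwise."""
    if not payload.startswith(HTTP_METHODS):
        return None
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None

def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words; verifying a correct frame yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(f, from_server, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame in flow `f` with valid checksums; from_server=True swaps
    MACs, IPs and ports so the frame looks like the origin server's reply."""
    keys = ("dst_mac", "src_mac", "dip", "sip", "dport", "sport") if from_server else \
           ("src_mac", "dst_mac", "sip", "dip", "sport", "dport")
    smac, dmac, sip, dip, sport, dport = (f[k] for k in keys)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tag = b"" if f["tci"] is None else struct.pack("!HH", 0x8100, f["tci"])
    return dmac + smac + tag + struct.pack("!H", 0x0800) + ip + tcp

def block_reply(f, host):
    """Forged server reply for a blocked request: ACK the request bytes, carry a 403
    notification page, and close the connection with FIN (flags PSH|ACK|FIN)."""
    body = b"Blocked by policy: " + host.encode()
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return build_segment(f, True, f["ack"], (f["seq"] + len(f["payload"])) & 0xFFFFFFFF, 0x19, http)

def bridge_decision(frame):
    """Verdict for one ingress frame; non-HTTP and non-TCP frames are forwarded untouched."""
    f = parse_frame(frame)
    host = http_host(f["payload"]) if f else None
    if host in BLOCKED_HOSTS:
        return "block", block_reply(f, host)
    return "forward", None

def checksums_valid(frame):
    """True if the IPv4 header and TCP checksums of `frame` verify (sanity check for forged frames)."""
    f = parse_frame(frame)
    if f is None:
        return False
    o = f["ip_off"]
    ihl = (frame[o] & 0x0F) * 4
    seg = frame[o + ihl:o + struct.unpack_from("!H", frame, o + 2)[0]]
    pseudo = f["sip"] + f["dip"] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(frame[o:o + ihl]) == 0 and checksum(pseudo + seg) == 0

def make_request_frame(host, dport, vid=None):
    """Constructed client GET (example MACs and addresses) for exercising the filter."""
    flow = {"src_mac": bytes.fromhex("001122334455"), "dst_mac": bytes.fromhex("66778899aabb"),
            "sip": bytes([10, 0, 0, 5]), "dip": bytes([203, 0, 113, 10]),
            "sport": 50000, "dport": dport, "tci": vid}          # tci=vid means priority 0
    return build_segment(flow, False, 1000, 2000, 0x18, b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode())
```

make_request_frame builds a client GET on an arbitrary port; bridge_decision returns the verdict and, for a block, the forged reply, which checksums_valid confirms is well formed and parse_frame shows carries the client's VLAN tag back. Because the reply acknowledges exactly the bytes the client sent and carries FIN, the client's TCP stack accepts it as the server's answer and tears the connection down; no reset race is involved, since the original request never leaves the bridge.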

Key Features and Benefits of Layer 2 Ethernet Bridge Architecture:

EFFICIENT - Resource efficient for both the filter and other network infrastructure
DIRECT - Allows computational focus to be on content analysis, policy processing, and SSL Decoding
HIGH PERFORMANCE - Near-zero latency
BREADTH OF SECURITY - Comprehensive visibility and control for diverse traffic protocols
ROBUST - Ideally suited to malicious threat detection and next-generation malware prevention
MULTIFACETED PROTECTION - Reliable blocking of unwanted traffic
MEASURABLE - Easily quantified performance impact (measure latency from one bridge interface to the other)
EASY TO DEPLOY:
Scalability strategy built on open standards for Ethernet protocols (link aggregation and transparent load balancing)
Allows Layer 2 and Layer 3 information to be leveraged in filtering policies (VLAN tags, MAC addresses, etc.)
Implementation requires minimal changes to the network environment
Implementation requires no client configuration changes (proxy settings or other client-side software)
ContentKeeper is the only bridge-based implementation capable of inline SSL Decoding without requiring client software.

Disclaimer: The information herein is provided for informative purposes only and is offered "as is" without guarantee, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ContentKeeper Technologies is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Although reasonable effort has been made to ensure the accuracy of the data provided, ContentKeeper Technologies makes no claim, promise or guarantee about the completeness, accuracy, timeliness, or adequacy of the information and is not responsible for misprints, out-of-date information or errors. ContentKeeper Technologies has no warranty, express or implied, and assumes no legal responsibility for the accuracy or completeness of any information contained in this document.

In Conclusion

Layer 2 Ethernet Bridge architecture enables ContentKeeper to provide the fastest possible Web filtering solution. It also enables ContentKeeper to inspect a wide range of Web traffic protocols in real time with minimal added latency while providing more in-depth policy enforcement. These advantages are ideally suited to the next-generation demands of today's Web security environment. With ever-increasing demands for bandwidth and faster Web browsing performance, no other Web filtering solution can match the scalability, speed and depth of protection available with ContentKeeper.

www.contentkeeper.com   [email protected]   888.808.6848

Copyright © 2013 ContentKeeper Technologies. All rights reserved. ContentKeeper is protected by U.S. and international copyright and intellectual property laws. ContentKeeper is a registered trademark of ContentKeeper Technologies in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item # WP-L2B-2014-02-07-US
