8e6 Technologies R3000

This filter blocks unwanted network traffic without compromising performance.

February 13, 2004

6 Min Read
NetworkComputing logo in a gray background | NetworkComputing

You can add URLs to existing lists or create custom categories. The R3000 also can block individual newsgroups, TCP ports such as FTP (21) and common instant messaging services. The R3000 can bar prohibited requests from Internet proxy servers and sites offering anonymous surfing and can block results pages for forbidden search terms as well.

The R3000 houses a Pentium 4 2-GHz processor, 1 GB of RAM and a 120-GB Maxtor IDE hard drive. I configured the appliance using its Java GUI interface. The R3000 supplies a Java 1.3.1_02 plug-in for Internet Explorer, but does not support Netscape/Mozilla. The GUI is well-designed and contains context-sensitive help files. Unfortunately, the R3000 lacks a CLI (command-line interface) and SSH (Secure Shell) access to detailed system logs and configuration.

Block Tests

To see how well the R3000 blocked traffic under load at our Syracuse University Real-World Labs, I configured it to block HTTP get requests sent from a Spirent WebAvalanche to Apache servers on a Dell PowerEdge 1650 (Pentium III, 1,133-MHz, 1,024 MB of RAM) and a Sun Microsystems Sunfire 280R (Dual UltraSparc, 750 MHz, 2048-MB RAM).

With both the WebAvalanche and the PowerEdge attached to a Hewlett-Packard ProCurve 2520 switch, I connected the R3000's two network interfaces to 100-TX ports on the switch. One interface is for management; the other sniffs traffic mirrored to it from the switch's ports. I placed the PowerEdge and Sunfire addresses on a prohibited URL list and used the WebAvalanche to request their index pages.My testing did not scale high enough to verify the vendor's claim that the R3000 can block more than 99 percent of unwanted Web traffic up to 80 Mbps. But I did attain a peak of 38 Mbps (well exceeding 1,000 transactions per second) in HTTP requests alone, with an overall block rate of 99.83 percent. It's surprising that the appliance performed so well on our network, considering that it had less than 1 ms to intervene.

Despite the R3000's filtering efficiency, I discovered that when the WebAvalanche sent HTTP requests to our forbidden test servers--simulating a load of more than 50 simultaneous users per second--the block pages loaded extremely slowly or timed out. When the rate was doubled, block pages ceased to load. 8e6 reps said the problem was the block page, which is sent by a light Apache Web server and contains a redirect link back to the R3000. When I configured the redirect to access another site, however, block pages were still delivered slowly and clients continued to time out.

I also set up 8e6's ER3 (Enterprise Reporter 3.0) appliance to report on the R3000's monitoring and blocking activities. The ER3--$6,995 for 1,000 users--is necessary for fine-tuning filtering rules based on observed traffic. That seems pricey, but together with the R3000, the cost is only about $17 per user annually.

Once the network configuration is set, you can contact 8e6 to receive a set of URL libraries, which is updated automatically each day. With the libraries loaded, the box is ready to filter HTTP, IM and NNTP by IP address ranges.

If creating custom profiles by IP is too cumbersome, you can configure the R3000 to block by users or groups in Active Directory, an LDAP directory or an NT Domain. The product lets you modify profiles to allow or block URLs by category. There are more than 75 categories, ranging from pornography and hate groups to drugs and weapons.Like an increasing number of offerings from its competitors, including software from Netspective and SurfControl, the R3000 doesn't force you to direct all traffic through the product as a router would. Instead, the R3000's pass-by mode lets it sit on a switch and monitor traffic that flows past. If the device spots an HTTP request that requires blocking, it will serve a block page to the client and a TCP reset to the target server. This way, even if the R3000 fails, traffic won't come to a screeching halt.

Brain and Brawn

8e6 claims to have gathered several million URLs using high-speed artificial intelligence, verified and categorized manually. The URL libraries are organized by topic--gambling, games, porn, shopping and so forth.

To check the comprehensiveness of the libraries, I targeted seven categories with a total of 100 test URLs distributed across the subjects. Most of the URLs I used were for sites listed on the first or second page of results from major search engines, found using common keywords relevant to each category.

I requested the sites with a cURL (curl.haxx.se) script. Out of 100 test URLs, 82 were blocked by their corresponding libraries. In this test, the R3000 got a perfect score for blocking pornography (15 out of 15 sites), but it missed two of 15 game sites, three of 15 shopping sites, six of 15 hate sites, two of 15 gambling sites, three of 10 sports sites and two of 15 travel sites. Next, I set the R3000 to block URLs listed in any of the libraries provided. Of the 100 URLs I chose, 86 were blocked.Some URLs appear in more than one library. For instance, many Internet search sites are listed in "Search Engines" and "General Business." A URL blocked in one library will remain so across the board.

IM and Newsgroups

Good

Bad

8E6 R3000 ENTERPRISE FILTER, $10,995 for up to 1,000 users; 8E6 ENTERPRISE REPORTER 3.0, $6,995, for 1,000 users. 8e6 Technologies, (888) 786-7999, (714) 282-6111. www.8e6.com

Instant-message filtering is controlled by an independent library that handles AOL Instant Messenger, ICQ, MSN Messenger and Yahoo Messenger. In my tests, the first three were blocked effectively and users could not connect to the service. However, Yahoo Messenger 5.6 was still functional despite the filter.

IM blocking is accomplished by server address, so if an IM server is not in the library, it doesn't get blocked. The next revision of the R3000 will sport intelligent footprints to identify and block IM.

Newsgroup filtering is enabled by default, but you can add or remove groups on the library-configuration page. As with all other libraries, existing entries are unlisted. NNTP blocking is enabled whenever filtering is turned on, so the administrator allows groups from the library as needed.

8e6 is one of the few vendors that provide hardware-based Web filtering. Major competitors like Websense, Vericept (formerly eSniff) and SurfControl offer only software and leave it to the customer to supply compatible hardware. Although some software solutions block or filter additional protocols, such as SMTP, it's hard to beat the ease of a network appliance, largely configured out of the box and ready to take on an enterprise load.

Michael Kuszczak-Bielecki is a network administrator and freelance technical writer in Hayward, Calif. Write to him at [email protected].Post a comment or question on this story.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights