Web Filtering
Web filtering controls which websites and web content users can access from the organisation's network and devices. It protects against malware distribution, phishing attacks and unauthorised data sharing via web-based channels.
What is web filtering?
Web filtering is a security measure that controls which websites users can visit. It is primarily about security: blocking access to sites that distribute malware, harvest credentials via phishing or serve as command-and-control servers.
Web filtering complements DNS security and firewalls as part of the network's defence. While firewalls filter at the network level and DNS security blocks at the domain level, web filters can inspect URLs, page content and file types.
Modern Secure Web Gateways (SWG) combine web filtering with DLP, malware scanning and TLS inspection in a single platform. This provides a unified defence against web-based threats and data leaks.
Filtering methods
Web filtering uses several methods:
- URL filtering: Matches URLs against databases of categorised websites. Millions of sites are categorised, and new ones are added continuously. Categories such as malware, phishing and botnets are blocked automatically.
- Category filtering: Blocks entire categories of websites based on the organisation's policy. Security-relevant categories (malware, phishing, exploit kits) should always be blocked.
- Content inspection: Analyses page content in real time to identify threats that have not yet been categorised. Uses heuristics and machine learning.
- TLS/SSL inspection: Decrypts HTTPS traffic to inspect the content. Necessary because the majority of web traffic is encrypted. Without TLS inspection, the filter is blind to the content.
- File type blocking: Prevents download of risky file types such as .exe, .scr and .js from the web.
Integrate with threat intelligence feeds to ensure the filter knows about the latest threats. Real-time updates are important, as new phishing sites often exist for only hours.
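The sketch below is an added example, not code from any product: it shows how category filtering and file type blocking combine in one decision, and how missing TLS inspection limits the filter to the host name. The category database, host names and the functions `categorise` and `decide` are constructed for illustration, and any request path ending in a blocked extension is treated as a download.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed category database; real products ship millions of entries.
CATEGORY_DB = {
    "login-update.example": "phishing",
    "cdn.downloads.example": "file-sharing",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "botnets", "exploit kits"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js"}


def categorise(host):
    """Look up the host, then each parent domain, in the category database."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def decide(url, tls_inspection):
    """Return (action, reason) for one request as the filter would see it."""
    parts = urlsplit(url)
    category = categorise(parts.hostname or "")
    # Category rules only need the host name, so they work on any traffic.
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"
    # For HTTPS without TLS inspection only the host name is visible,
    # so path-based rules such as file type blocking cannot be evaluated.
    if parts.scheme == "https" and not tls_inspection:
        return "allow", "host-only visibility"
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"file-type:{ext}"
    return "allow", "no rule matched"


if __name__ == "__main__":
    url = "https://cdn.downloads.example/tool/setup.exe"
    for inspected in (False, True):
        print(inspected, decide(url, tls_inspection=inspected))
```

The same download URL is allowed when the filter sees only the host and blocked once the path is visible, which is the blind spot the TLS/SSL inspection item describes.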
Implementation
Web filtering can be implemented in several ways:
- On-premise proxy: All web traffic is routed through a local proxy server that filters the traffic. Provides full control but only covers users in the office or via VPN.
- Cloud-based SWG: Web traffic is routed through a cloud service regardless of where the user is located. Ideal for organisations with remote workers and mobile devices.
- Agent-based: An agent on endpoints enforces filtering rules locally. Works without VPN and covers all web traffic from the device.
- DNS-based filtering: Simple and easy to implement. Blocks access to entire domains based on DNS lookups. Less granular than proxy-based filtering but effective as a first line of defence.
Regardless of method, logging is important. Log all blocked and permitted requests and send data to the SIEM system. Review logs regularly to identify suspicious patterns and fine-tune policies.
Establish an exception process so that users can request access to incorrectly blocked sites. Combine with security awareness that explains why web filtering is necessary.
Regulations and standards
ISO 27001 Annex A includes control A.8.23 on web filtering, which requires that access to external websites is managed to reduce exposure to malicious sites. An ISMS should define web filtering policies.
CIS 18 Control 9 addresses protection of web browsers and email, including web filtering as a key component.
NIS2 requires organisations to implement measures against cyber threats, and web filtering is a fundamental part of this. DORA imposes similar requirements on financial institutions. Under GDPR, web filtering is a technical measure that reduces the risk of personal data being compromised via web-based attacks.
Frequently Asked Questions about Web Filtering
What is the difference between web filtering and DNS filtering?
DNS filtering blocks access to domains by preventing DNS lookups. Web filtering is broader and can inspect URLs, page content and file types. DNS filtering is easier to implement, while web filtering provides finer control.
Can web filtering block HTTPS traffic?
Yes, with TLS/SSL inspection, web filters can decrypt, inspect and re-encrypt HTTPS traffic. This requires installing a root certificate on endpoints. Without TLS inspection, the web filter can only see the domain name, not the specific URL or content.
How do you avoid over-blocking?
Start by blocking only clearly malicious categories and use warnings instead of blocking for grey areas. Establish a process where users can request access to blocked sites. Review blocking logs regularly for false positives.
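The log review described in the Implementation section and in the answer above can be sketched as follows. This is an added example, not part of any product: the log format, the sample lines, the thresholds and the function `review` are all constructed assumptions. It separates repeated blocks in security categories (a client worth investigating) from non-security domains blocked for several distinct users (a candidate false positive for the exception process).

```python
from collections import defaultdict

SECURITY_CATEGORIES = {"malware", "phishing", "botnets"}

# Constructed sample in a hypothetical format:
# timestamp client user action category host
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.21 alice block botnets c2.bad.example
2024-05-01T09:05:01Z 10.0.0.21 alice block botnets c2.bad.example
2024-05-01T09:10:01Z 10.0.0.21 alice block botnets c2.bad.example
2024-05-01T09:11:40Z 10.0.0.34 bob block file-sharing docs.partner.example
2024-05-01T09:12:02Z 10.0.0.35 carol block file-sharing docs.partner.example
2024-05-01T09:14:30Z 10.0.0.36 dave block file-sharing docs.partner.example
2024-05-01T09:15:00Z 10.0.0.34 bob allow news news.example
2024-05-01T09:16:00Z 10.0.0.35 carol block phishing login-update.example
"""


def review(log_text, min_hits=3, min_users=3):
    """Return (suspicious client/host pairs, over-blocking candidates)."""
    hits = defaultdict(int)    # (client, host) -> blocked security hits
    users = defaultdict(set)   # host -> distinct users blocked
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of failing the review
        _ts, client, user, action, category, host = fields
        if action != "block":
            continue
        if category in SECURITY_CATEGORIES:
            hits[(client, host)] += 1
        else:
            users[host].add(user)
    suspicious = sorted(k for k, n in hits.items() if n >= min_hits)
    overblocked = sorted(h for h, u in users.items() if len(u) >= min_users)
    return suspicious, overblocked


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```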
Does web filtering work for remote workers?
Yes, with cloud-based web filtering solutions or Secure Web Gateways (SWG). Traffic from remote workers' devices is routed through the cloud service regardless of their location. Agent-based solutions also work without VPN.
Related Terms
DNS Security
DNS security protects the Domain Name System against manipulation, poisoning and abuse through technologies such as DNSSEC and DNS filtering.
Firewall
A firewall is a network security system that monitors and filters inbound and outbound network traffic based on defined security rules.
Malware Protection
Malware protection covers the technologies and processes that defend systems against viruses, ransomware, trojans and other malicious software.