M86 Web Filtering and Reporting Suite

Click here to view appliance models

Deployment Options

M86 Security offers various options for installing a single M86 Web Filtering and Reporting (WFR) appliance. The appliance can be deployed in pass-by/SPAN port mode (outside the flow of traffic) or pass-through mode (within the flow of traffic).

Pass-by/SPAN Port Mode (Typical M86 Deployment)

The M86 WFR is one of few Web filters that can be deployed outside the flow of network traffic. This type of deployment makes it transparent to the network and uninvolved in the routing of packets from client to the Internet. This allows for automatic redundancy and automatic fail-safe; if the M86 WFR should fail and filtering stops, network traffic is unaffected.

In the diagram below, the M86 WFR is connected to the managed switching hub. The M86 WFR port is configured with the "port monitoring" function enabled. This allows it to mirror the port that is connected to the router. The diagram below also illustrates how URL requests are handled when the WFR is deployed outside the path of network traffic.

1. Inappropriate request is sent by user
2. M86 Web Filter monitors request as it passes through the hub/switch
3. M86 Web Filter matches the request against its database
4. If the website requested finds a match in the database, a TCP reset is sent to the Web server to kill the session (request). A block page is sent to the client.

Pass-by/Router Mode

This mode allows the M86 WFR to act as an Ethernet router, passing packets from one card to the other. As the packets pass through the M86 WFR, they are scanned and categorized. In this model, only outgoing packets need to be routed, allowing the M86 Web Filter to appear only in the outgoing path of the network traffic which limits the latency. In router mode, the original packets from the client are allowed to pass in all cases (just as if the WFR were an Ethernet router), but if the request is inappropriate, a block page is returned to the client to replace the actual requested Web page. The diagram below illustrates the flow of traffic and what happens when an inappropriate request is identified.

Pass-through/Firewall Mode

Most other Web filters must be deployed in line with network traffic. Although the M86 WFR is capable of in-line placement, the nature of a pass-through deployment can create latency on outgoing requests; therefore, the WFR is rarely deployed this way. The benefit of pass-through deployment is that it forces all outgoing traffic to pass through the Web filter and thus be scanned and categorized. An additional downside is that if the Web filter goes down, the Internet traffic will be seriously impacted.

In the pass-through illustration below, Web traffic is unaffected by the caching proxy, regardless of whether the caching proxy is filtered or has cached pages that violate policy. This is because the M86 WFR will stop any inappropriate requests from progressing beyond the point of the filter, so the caching server only returns Web pages that have been approved by the M86 WFR.