What is content filtering, and what are its four primary purposes in an organization?
Content filtering controls traffic based on the data within the content, not just the port or protocol. Four purposes: 1. Corporate data control — governs outbound/inbound sensitive data. 2. Inappropriate content — blocks NSFW material; in homes called parental controls. 3. Malware protection — blocks sites hosting viruses, spyware, drive-by downloads. 4. Productivity policy — limits non-work browsing during business hours.
What is the difference between an allow list and a block list in URL filtering, and how does category-based management simplify administration?
Allow list — explicitly permitted domains; override block rules for that URL. Block list — explicitly denied domains; user receives a block page. Managing millions of individual URLs by hand is impractical, so URL filters group domains into categories (50+ types: Educational, Gambling, Malware, Social Networking, etc.). A single policy applies to the whole category rather than each domain individually.
What are the three dispositions that can be assigned to a URL category, and what does each one do?
Allow — traffic passes without logging; example: Educational category. Allow and Alert — traffic passes but an entry is written to the log and an alert is sent; example: Home and Garden. Block — connection refused; user receives a block page; example: Gambling. Dispositions allow different policies for different categories without the binary all-or-nothing of simple block lists.
What is agent-based content filtering, and what is its single most important advantage over firewall- or proxy-based URL filtering?
Agent-based filtering installs client software on the user’s device. The agent enforces policy locally, communicating with a central console for management and cloud updates. Its key advantage: location independence — filtering is always-on regardless of which network the user connects to (home, hotel, airport, public Wi-Fi). Firewall/proxy-based filtering only works when user traffic passes through the corporate perimeter. The agent follows the user everywhere.
What is a proxy server, and what four functions does it provide beyond simply forwarding web requests?
A proxy sits between users and the internet, making requests on behalf of users. Four functions: 1. Caching — stores retrieved content locally; subsequent requests are served from cache without hitting the internet. 2. Access control — restricts which users/devices can reach the internet (by username or IP). 3. URL filtering — blocks or allows sites by URL or category. 4. Content scanning — inspects responses for malware before delivery to users.
What is the difference between an explicit proxy and a transparent proxy?
Explicit proxy: the application or browser is manually configured with the proxy’s address and port. The user (or IT policy) explicitly tells the application to use the proxy. Apps not configured bypass it entirely. Transparent proxy: no client configuration is required. The network infrastructure silently redirects traffic through the proxy. Users and applications are unaware their traffic is being proxied — it is invisible to them.
What is a forward proxy (internal proxy), and what limitation does it share with NGFW-based URL filtering?
A forward proxy is a centralized proxy on the internal network that routes and controls all outbound employee internet traffic. Users request pages → proxy fetches on their behalf → proxy scans and filters → proxy delivers clean response. Shared limitation: like an NGFW URL filter, a forward proxy only protects users whose traffic passes through it. Employees working remotely off-network bypass the proxy unless a VPN or agent-based solution is also in place.
What is reputation-based filtering, and what are the five risk levels used to classify websites?
Reputation filtering evaluates websites by perceived risk rather than topic category. Five levels (lowest to highest risk): Trustworthy → Low Risk → Medium Risk → Suspicious → High Risk. Typical policy: Trustworthy = Allow; High Risk = Block; levels in between are configured per organizational policy. Reputation catches newly malicious sites even before they are added to a known-bad category, because risk is assessed independently of content type.
What is the difference between automated reputation scoring and manual reputation override?
Automated reputation: vendor crawlers continuously scan websites, analyze content, check hosting history, and assign risk scores algorithmically using real-time threat intelligence feeds. Covers hundreds of millions of sites. Manual override: an administrator assigns or changes a specific site’s reputation score by hand. Used when the automated score is incorrect (e.g., a legitimate security research blog rated High Risk). The manual assignment takes precedence over the automated score.
How does DNS filtering work, and why is it effective against malware command-and-control callbacks — not just browser-based threats?
Before any TCP connection to a website, the device performs a DNS lookup to get the site’s IP address. DNS filtering checks the requested domain against a real-time blocklist. If the domain is malicious: no IP is returned → no connection can be made. Effective against malware C2 because malware must also perform a DNS lookup to find its command-and-control server’s current IP. DNS filtering is protocol-agnostic — it blocks any application that resolves domain names, not only web browsers.