What's the best deployment architecture for Internet content filtering?

Let's begin by defining terms...

  • On-Site based solutions include either specialized hardware appliances, or software loaded on servers, that are physically located on-site. They are usually deployed just inside the firewall.

  • Cloud based solutions perform all content filtering tasks out "in the Cloud". Common Web protocols such as HTTP and HTTPS are proxied to external servers, therefore requiring no on-site equipment.


Now let's take a look at some of the Positives and Negatives of each architecture...


On-Site: Positives

  • Ability to manage all Interent traffic, inclusive of all protocols.
  • Extremely difficult for users to bypass.
  • Instant reporting, real-time monitoring possible.
  • Maximum performance, lowest latency.
  • Ongoing operating costs are typically lower.
  • Less reliance on continuous quality performance of outside service.

On-Site: Negatives

  • Initial capital investment is typically higher.
  • Multiple Internet circuits may require multiple appliances or servers.


 Cloud: Positives

  • Initial capital investment is typically lower, often near zero.
  • Easy to set up trial accounts and perform testing.

Cloud: Negatives

  • Can only manage the fraction of Internet traffic that can be successfully proxied out to the Cloud service.
  • Potential for increased latency, with slower, less reliable performance.
  • Ongoing operating costs are typically higher.
  • Less difficult for users to bypass.


NOTE: the above analysis is highly simplified. There are a large number of additional (and non-obvious) technical issues that effect the decision on which architecture is actually the most cost-effective and appropriate. Please contact us for a more in-depth discussion of how these issues apply to your particular situation.