03 May 2013

Internet Filtering Series -- Part I


[Author's Note: About a year ago, I did some labs and a nice little writeup that I put on Facebook regarding the filtering of web traffic. It was something related to a project that I had to do for work, and I had access to a lot of resources. So in my spare time, I did some experimenting with various methods and tried to delineate what I found were positives and negatives. What follows is mostly the original writeup, though I've made a few minor changes based on what I've learned since and have also readjusted the formatting for Blogspot.]

Internet filtering. These two words start a major debate in American culture. Many, if not most, of us have been in a place or have had to work with controlled/restricted/filtered Internet connections. Often, it's regarded as an annoyance among users, and a necessity for various policy-makers, political groups, certain denominations and religions, and other entities.

In this series, I will attempt to evaluate filtering policies. I believe that I am an excellent person to do this for two reasons: first, my profession is in the information technology (IT) field with a forte in network security (although it is worth noting that I am a new grad and still adjusting to the field); and second, my personal and political convictions veer rather sharply towards the libertarian in nature. Therefore, I envision this series shaping up somewhat like this:

  • Part I: Introduction and Purpose, Filtering Defined
  • Part II: Common arguments made in support of and against filtering (e.g. "why filtering should be implemented" and "why it should NOT be implemented")
  • Part III: Client-Side Filtering Lab
  • Part IV: Small Network Filtering Lab
  • Part V: Medium Network Filtering Lab
  • Part VI: Enterprise-level Filtering Lab
  • Part VII: Epilogue and my own thoughts regarding filtering

My evaluations on Internet filtering will be from both sides. What I mean by this is that, to start, I will look at it through the eyes of the systems administrator (sysadmin) or security-team professional charged with filtering a specific PC or network. After it is set up and the filter is verified to be functional, I will then switch hats and act in the role of a user (without any administrator rights to either the filter or the test PC) who wants to access a blocked (but not adult/pornographic/violent) site such as Facebook.

As I outlined above, there are four labs, each focused on either a specific method of web filtering or a network setup where filtering is implemented: client-side, a "home and small office" network, a small-office networked setup (where all PCs are joined to a single small Windows domain), and finally a simulation of an enterprise network where filtering is in place.

Each lab will be a separate Note and will contain:

  • typical scenarios that the lab will cover;
  • technical information about the setup of one or more test machines (or, in the case of a network solution, a test network) within VMware Workstation;
  • details on a "typical", "common", or "average" filtering solution that would be appropriate for those scenarios;
  • the filtering settings used (which will vary between moderate and restrictive, but not overly restrictive);
  • an appropriate "Goal" for myself to achieve in the attempts to circumvent the filtering solution;
  • successful methods used to effectively achieve said goal; and
  • my ideas (as a network security guy) as to how these successful methods could be controlled, if not stopped altogether.

Filtering Defined

That said, Web filtering is what the name implies: it simply refers to the process of restricting access to certain Internet sites or groups of Internet sites. This can be done both by the vendor providing the solution and by an administrator who sets up and maintains the implemented solution. Sometimes it is legally mandated as a condition of receiving federal and/or state aid. Such methods can also be deployed for people suffering from Internet addiction, by companies setting an acceptable-use policy and wanting to keep employees from wasting network resources on things that have little or no purpose to the company, or to provide some sort of hedge against sexual-harassment and other hostile-workplace claims.

This can be done with several methods. The three broad categories that this series is concerned with are as follows:

  • Client-Side: Simply put, these are solutions that are most often programs designed to run on individual PCs and are often marketed for individual or small-scale deployments. The advantages are that they can be relatively easy and inexpensive to deploy, and relatively easy to tailor to the individuals who primarily use that computer. On the down side, they are a hassle to deploy on a larger scale and many times only support computers running a recent version of either Windows or Mac OS X; anyone who uses Linux, BSD, Solaris, OS/2, etc. won't be filtered by this method.

  • DNS Service: There are services that provide a baseline filtering solution upstream of the end-user, largely by leveraging existing Internet infrastructure. DNS is used to translate, or "resolve," between easier-to-remember names (e.g. facebook.com) and the numeric addresses used on the Internet (e.g. 69.171.224.11). This method essentially works by having the upstream DNS servers refuse to resolve a specific website's name to its IP address. A major benefit is that DNS is platform-agnostic, so other operating systems can still be filtered. The downside is that unless the DNS filtering is done as part of the Internet Service Provider's (ISP's) connection, it requires configuration on clients, and often on any servers and network equipment as well. On systems without a networked domain (e.g. Windows Active Directory), this configuration would have to be done manually and requires testing to ensure no disruptions to current service.

  • Dedicated filtering appliances: These solutions are usually only seen on larger enterprise networks, often mounted in server racks, and sold by companies such as Sophos, Palo Alto, and Barracuda. Like the DNS service, these are platform-agnostic and relatively easy for the IT department to configure. Unlike the DNS service, though, these can be configured to filter all incoming and outgoing traffic regardless of where on the network it originates, and can be virtually transparent to the end-user. The major downsides of this method are the cost compared to other solutions, and that most of these units aren't designed to be implemented and used outside of a dedicated wiring closet, server room/bay, data centre / Network Operations Centre (NOC), or, in a few cases, a dedicated VMware virtual-appliance server.
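Because a DNS-based filter shows up only in how the resolver answers, here is an added example (not from the original post) of the check a sysadmin could run when verifying that such a filter is functional: it builds a DNS A query, parses the reply, and reports whether the name was allowed or blocked by NXDOMAIN, by REFUSED, or by a sinkhole address. The sinkhole address and the replies are constructed assumptions; a live check would send the `build_query` bytes to the filtering resolver over UDP port 53 and pass the reply to `classify`.

```python
import socket
import struct

# Assumed sinkhole address a hypothetical filtering resolver returns (TEST-NET-1).
SINKHOLE_IPS = {"192.0.2.1"}

def build_query(name, txid=0x1234):
    """Minimal DNS A query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer is two bytes

def parse_a_records(msg):
    """Return (rcode, [IPv4 answers]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips

def classify(msg):
    """How a filtering resolver answered: allowed, or blocked and by which method."""
    rcode, ips = parse_a_records(msg)
    if rcode in (3, 5):
        return "blocked (%s)" % {3: "NXDOMAIN", 5: "REFUSED"}[rcode]
    if rcode == 0 and ips:
        return "blocked (sinkhole)" if set(ips) <= SINKHOLE_IPS else "allowed"
    return "unexpected (rcode %d, %d answers)" % (rcode, len(ips))

def make_response(query, rcode, ips=()):
    """Constructed reply to `query`, standing in for a live resolver."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + rrs
```

Comparing `classify` results for the same name against the filtering resolver and an unfiltered one shows whether the block is in effect and which technique the vendor uses.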

Go to Part II
