06 May 2013

Internet Filtering Series -- Part VII (Conclusions)

Now that all of the labs and testing regarding filtering are done, it's time to put everything together with not only what one can pull out of this series, but also what I think regarding filtering. That said, I'll split this into a couple of sections.


  • There are different methods of filtering available
  • The method employed depends on several variables such as: costs, intents/purposes/aims of filtering, technical skill/expertise needed to deploy and maintain, and network topology (e.g. size, complexity, essential services that need to be unfettered)
  • When there is a will, there is a way. With every filtering method, somebody with sufficient technical skill will invariably engineer a way around it if given sufficient time, energy, and resources. 
    • However, some methods are much harder for casual users to bypass 
    • Arguably, one could say that web filtering is meant to deter casual users from breaking policies or going where they shouldn't be
  • Different filtering methods have unique benefits and drawbacks 
  • Security is NOT about eliminating risk, but rather it is about mitigating risks to an acceptable level
  • Trade-offs are likely going to need to be made
  • Filtering itself is often not just a "set it and go" proposition:
    • Often, it's about also educating end-users about acceptable-usage policies and safe browsing behaviours
    • Times and people change, and ensuring that policies remain current and relevant is a crucial factor


  • The first question I ask is: "is filtering Internet access even necessary?" 
    • Sometimes, it is (e.g. if it is mandated by statute or court-order, or due to serious issues in the workplace). 
    • Other times, it is not--if in a network of 500 users you have, say, 20 who aren't following the rules and are causing 80% of the issues, then perhaps it might be more constructive to remove or otherwise limit Internet access to those users
  • So, an entity decides that for whatever reason they want to filter. A temptation is to filter out everything that might be offensive or "time-wasting." 
    • However, such broad blocks are often counter-productive in the long run, as blocking material that more and more people would argue is "harmless" will just encourage more average users to try to work around the filtering
  • Filtering policies set must be reasonable. And, while "reasonable" is open to debate, here's what I think for three scenarios: 
    • At home, filtering policies should be set in a way that they will prevent illegal and malicious material coming in, but also allow kids to gain access to materials that they will need for school. 
      • As the kids grow up, I also think that the categories and sites that are blocked could be reduced as trust is earned. 
      • It would also be constructive in my opinion to have solid reasons for blocking certain classes, and by solid reasons I mean something more than "I'm the parent and it's blocked because I said so." 
      • Of course, this should go hand-in-hand with safe online habits. 
    • In enterprise environments, most companies/organisations/agencies have acceptable-use policies included in the employee handbooks that delineate what users can and cannot access from the network. 
      • Many also have reminders of these policies displayed on login, indicating that these systems are both monitored and subject to interception. 
      • Filtering should be the least-restrictive while still enforcing the existing policies in their entirety without dilution.
      • If the overarching access and acceptable-use policies are changed, the filtering should then be promptly changed to reflect those changes 
      • In addition, it may be very constructive to have some sort of "relaxed" or "special-hours" policy that can apply during common lunch/meal periods, and outside of the company's "normal business hours," particularly if the employees aren't performing work and getting paid.  
    • K-12 schools and public libraries are an entirely different "ballgame," as there are various laws that strongly encourage (if not place an outright statutory mandate for) filtering.
      • Filtering policies for this category must be effective to protect children and the public as well as ensure quality network service, but it also cannot be "overzealous," as the infamous Effin and Scunthorpe problems illustrate. 
      • There must necessarily be a balance struck between keeping inappropriate materials out of the hands of minors and free access of information and knowledge
      • Nor should legitimate research on topics that might end up straddling policies (e.g. sites about breast cancer) be blocked. 
      • There is also the issue of how to handle sensitive topics like political and religious content--a policy must be effective, but also should be composed such that legitimate public speech is not unfairly censored (e.g. it would be wrong to block all religious and political websites except those that paint, say, Catholicism or the Republican Party in a positive light). 
  • Filtering is a form of censorship by its very nature; however, there are legitimate reasons for private entities (and within public institutions, only within that institution) to filter their Internet connections.  
    • It is incumbent on the company/organisation/government/school-board/family to clearly delineate their rules and expectations regarding acceptable Internet usage, and on the system administrator(s) to deploy and maintain the appropriate filtering solutions that will meet this policy in the least-restrictive manner possible
  • Is there one "best" solution? I would say "it depends on the network, fiscal considerations, and user needs."
    • For businesses, I'd seriously look into dedicated filtering, especially if the IT budget allows it. 
    • For small-office and home (SOHO) usage, I'd consider these: 
      • Client-side solutions would work best for home networks where there are very young children who hardly know how to use the computer and computer usage is very light. 
      • For most purposes, DNS filtering is rather inexpensive and does the job. 
        • If you have an ISP that requires its own DNS for some services (e.g. AT&T U-Verse), you will need to use a secondary router behind your ISP gateway in order to use DNS filtering. This may be tricky, but it's doable. 
      • The Home edition UTM provides the best coverage, but may be overkill in some situations and in my opinion would require someone who's knowledgeable to really harness its full potential and ensure it works properly. 
      • If the network infrastructure and resources permit, I'd recommend deploying a UTM appliance and ensuring that all Internet connections run through it. Otherwise, I would recommend sticking with OpenDNS. 
  • Finally, I believe that it is necessary to allow user feedback, and to allow users to request that sites be unblocked. 
    • When filtering is in place, the user knows that at least they can make a case to either management or the sysadmin to reverse their viewpoint on that particular site, and very likely receive feedback as to why their case is valid or not. 