network filtering

© British Telecommunications plc Network Filtering

Upload: neron

Post on 23-Feb-2016


Page 1: Network Filtering

Network Filtering

Page 2: Network Filtering

Network Filtering Overview

• Controls deployment outside of the home in the ISP
• Effectiveness depends on desired goal
  – Protection of users wanting to avoid access
  – Prevention of users wanting to gain access
• Number of network techniques
  – DNS filtering
  – IP blocking
  – Network deployed web filtering software
  – Deep Packet Inspection
  – Hybrid options
• Not just about technology…

Page 3: Network Filtering

Web browsing overview

[Diagram: request for http://www.bbc.co.uk/news; DNS lookup www.bbc.co.uk = 212.58.244.67; connection to 212.58.244.67]

Page 4: Network Filtering

DNS (Domain Name Service) filtering

What
– DNS translates an easily typed address (domain) into the IP address of the end site
– DNS Filtering involves changing the IP address the domain resolves to, or removing the entry altogether.

http://www.bbc.co.uk = 212.58.244.67

Page 5: Network Filtering

DNS Filtering overview

[Diagram: request for http://www.bbc.co.uk/news; DNS lookup returns www.bbc.co.uk = Non existent; the route to 212.58.244.67 is marked "?"]

Page 6: Network Filtering

[Screenshot: www.bbc.co.uk, http://www.bbc.co.uk/news]

Page 7: Network Filtering

DNS (Domain Name Service) filtering

Issues
– Blocks a whole site (eg, www.bbc.co.uk) and not specific elements
– Users can easily change the DNS service to a different server from that provided by the ISP
– Many facilities to manually translate the domain to IP address on the web. (eg: http://www.network-tools.com)
  • User then enters IP address rather than domain name (eg: http://212.58.244.67/news)

http://www.bbc.co.uk = 212.58.244.67

Page 8: Network Filtering

IP Blocking

What
– Requires an ISP to block user traffic to the IP address of the site in their network

Page 9: Network Filtering

IP Blocking overview

[Diagram: request for http://www.bbc.co.uk/news; DNS lookup www.bbc.co.uk = 212.58.244.67; router on the path to 212.58.244.67]

Page 10: Network Filtering

IP Blocking

Issues
– Like DNS, blocks a whole site (eg, 212.58.244.67) and not specific elements
– Users can still gain access via “proxy” sites on different networks to bypass the filtering
– Easy for sites to move between IP addresses by altering DNS entries

Page 11: Network Filtering

Page 12: Network Filtering

Proxy overview

[Diagram: request for http://freeproxyserver.net/; DNS lookup freeproxyserver.net = 67.159.44.96; router; hosts 212.58.244.67 and 67.159.44.96; second DNS]

Page 13: Network Filtering

[Screenshot: http://www.bbc.co.uk/news]

Page 14: Network Filtering

Proxy overview

[Diagram: request for http://freeproxyserver.net/; DNS; router; hosts 212.58.244.67 and 67.159.44.96; second DNS lookup www.bbc.co.uk = 212.58.244.67]

Page 15: Network Filtering

Page 16: Network Filtering

Network deployed web filtering software

What
– Requires deployment of equipment that understands the user communication (eg, web proxies)
– Able to block very specifically

Page 17: Network Filtering

Filtering software overview

[Diagram: request for http://www.bbc.co.uk/news; DNS lookup www.bbc.co.uk = 212.58.244.67; connection to 212.58.244.67]

URLs shown in the diagram:
– http://www.bbc.co.uk/news
– http://news.bbcimg.co.uk/images/header.jpg
– http://news.bbcimg.co.uk/images/image1.jpg
– http://news.bbcimg.co.uk/images/image2.jpg
– http://news.bbcimg.co.uk/images/image3.jpg
– http://news.bbcimg.co.uk/icons/sm_icon.ico

Page 18: Network Filtering

Page 19: Network Filtering

Network deployed web filtering software

Issues
– Must sit in the route of the user's traffic
– Cost of deploying new dedicated hardware
– Users can still gain access via “proxy” sites on different networks to bypass the block

Page 20: Network Filtering

Deep Packet Inspection

What
– Can cover more protocols than application specific technology
– Able to block very specifically
– Can look deeper into packets to stop proxying

Issues
– Must sit in the route of the user's traffic
– Generally more costly than application specific technology as it requires greater processing power.
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
– Greater user privacy concerns

Page 21: Network Filtering

Packet inspection

• http:// Text is readable
• https:// Text is secure

Page 22: Network Filtering

Hybrid Options

What
– Combination of network routing and deployment of hardware to minimise costs
  • Stage 1 – manipulate routing to direct traffic between user and site to dedicated filtering hardware
  • Stage 2 – filter using application layer or DPI technology
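
The two-stage decision sketched in Python, as an added example that is not part of the original slides. Host names, the documentation-range IP addresses and all function names are constructed for illustration; the flow numbers in the comments refer to the legend on the traffic overview slides.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample data: hypothetical hosts on documentation address ranges.
BLOCKED_URLS = {"http://filtered.example/blocked/page"}
DNS = {"filtered.example": "192.0.2.10", "ok.example": "198.51.100.20"}


def build_divert_routes(blocked_urls, dns):
    """Stage 1 input: one host route per server that hosts a blocked URL."""
    return {ip_address(dns[urlsplit(u).hostname]) for u in blocked_urls}


def stage1_route(dst_ip, divert_routes):
    """Routing decision: looks only at the destination IP address."""
    return "filter" if ip_address(dst_ip) in divert_routes else "direct"


def stage2_filter(url, blocked_urls):
    """Application-layer decision made on the filtering equipment."""
    if url is None:  # encrypted request: the URL is not visible to the filter
        return "uninspectable"
    parts = urlsplit(url)  # scheme and hostname are lower-cased by urlsplit
    normalised = f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"
    return "blocked" if normalised in blocked_urls else "allowed"


def handle_request(dst_ip, url, divert_routes, blocked_urls):
    """Return (path taken, verdict) for one request."""
    if stage1_route(dst_ip, divert_routes) == "direct":
        return ("direct", "allowed")  # never reaches the filtering hardware
    return ("filter", stage2_filter(url, blocked_urls))


ROUTES = build_divert_routes(BLOCKED_URLS, DNS)

if __name__ == "__main__":
    samples = [
        ("198.51.100.20", "http://ok.example/news"),             # flows 1,6
        ("192.0.2.10", "http://filtered.example/other"),         # flows 2,5
        ("192.0.2.10", "http://FILTERED.example/blocked/page"),  # flows 3,4
        ("192.0.2.10", None),                                    # https, same IP
    ]
    for ip, url in samples:
        print(ip, url, handle_request(ip, url, ROUTES, BLOCKED_URLS))
```

Only traffic to the listed server addresses pays the cost of inspection, which is the saving the slide refers to; everything else follows its normal route.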

Page 23: Network Filtering

Network Traffic Overview

[Diagram: BT UK Network sites (Ealing, Ilford, T/house, Kingston, Bletch., Birm, Manc, Edin, Glas, Sheff, Redbus, St.Alb) connected to UK/EU Linx Peers and the BT Global Network, with WWW hosts labelled "Filtered Server" and "OK Server" and traffic flows numbered 1 to 6]

Legend:
– Request to good URL on filtered server (2,5)
– Request to filtered URL on filtered server (3,4)
– Request to good URL on OK server (1,6)

Page 24: Network Filtering

Revised Traffic Overview

[Diagram: the same BT UK Network sites (Ealing, Ilford, T/house, Kingston, Bletch., Birm, Manc, Edin, Glas, Sheff, Redbus, St.Alb), UK/EU Linx Peers and BT Global Network, with WWW hosts labelled "Filtered Server" and "OK Server", traffic flows numbered 1 to 6, and "Filtering equipment" added]

Legend:
– Request to good URL on filtered server (2,5)
– Request to filtered URL on filtered server (3,4)
– Request to good URL on OK server (1,6)

Page 25: Network Filtering

Hybrid Options

Issues
– Users can still gain access via “proxy” sites on different networks to bypass the filtering as these sites won’t be directed to dedicated technology
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)

Page 26: Network Filtering

Not just about technology…

• Who decides what to filter?
• Operational cost of managing filtering

Page 27: Network Filtering

Summary

• Shown BT’s current offerings
• Highlighted options available to customers in the home
• Shown network controls and associated issues
• Effectiveness depends on desired goal
  – Protection of users wanting to avoid access
  – Prevention of users wanting to gain access

Page 28: Network Filtering

Questions & Answers