network filtering
© British Telecommunications plc
Network Filtering
Network Filtering Overview
• Controls deployment outside of the home in the ISP
• Effectiveness depends on desired goal
– Protection of users wanting to avoid access
– Prevention of users wanting to gain access
• Number of network techniques
– DNS filtering
– IP blocking
– Network deployed web filtering software
– Deep Packet Inspection
– Hybrid options
• Not just about technology…
Web browsing overview
[Diagram: the user requests http://www.bbc.co.uk/news; DNS returns www.bbc.co.uk = 212.58.244.67 and the request goes to 212.58.244.67]
DNS (Domain Name Service) filtering
What
– DNS translates an easily typed address (domain) into the IP address of the end site
– DNS Filtering involves changing the IP address the domain resolves to, or removing the entry altogether.
http://www.bbc.co.uk = 212.58.244.67
DNS Filtering overview
[Diagram: the user requests http://www.bbc.co.uk/news; DNS returns www.bbc.co.uk = Non existent, so the address 212.58.244.67 is not found]
DNS (Domain Name Service) filtering
Issues
– Blocks a whole site (eg, www.bbc.co.uk) and not specific elements
– Users can easily change the DNS service to a different server from that provided by the ISP
– Many facilities to manually translate the domain to IP address on the web. (eg: http://www.network-tools.com)
  • User then enters IP address rather than domain name (eg: http://212.58.244.67/news)
http://www.bbc.co.uk = 212.58.244.67
IP Blocking
What
– Requires an ISP to block user traffic to the IP address of the site in their network
IP Blocking overview
[Diagram: the user requests http://www.bbc.co.uk/news; DNS returns www.bbc.co.uk = 212.58.244.67; a Router sits on the path between the user and 212.58.244.67]
IP Blocking
Issues
– Like DNS, blocks a whole site (eg, 212.58.244.67) and not specific elements
– Users can still gain access via “proxy” sites on different networks to bypass the filtering
– Easy for sites to move between IP addresses by altering DNS entries
Proxy overview
[Diagram, two steps: the user requests http://freeproxyserver.net/ (DNS: freeproxyserver.net = 67.159.44.96) through the Router; the site at 67.159.44.96 uses its own DNS (www.bbc.co.uk = 212.58.244.67) to request http://www.bbc.co.uk/news from 212.58.244.67]
Network deployed web filtering software
What
– Requires deployment of equipment that understands the user communication (eg, web proxies)
– Able to block very specifically
Filtering software overview
[Diagram: the user requests http://www.bbc.co.uk/news; DNS returns www.bbc.co.uk = 212.58.244.67; the individual URLs shown in the request are:]
http://www.bbc.co.uk/news
http://news.bbcimg.co.uk/images/header.jpg
http://news.bbcimg.co.uk/images/image1.jpg
http://news.bbcimg.co.uk/images/image2.jpg
http://news.bbcimg.co.uk/images/image3.jpg
http://news.bbcimg.co.uk/icons/sm_icon.ico
Network deployed web filtering software
Issues
– Must sit in the route of the user's traffic
– Cost of deploying new dedicated hardware
– Users can still gain access via “proxy” sites on different networks to bypass the block
Deep Packet Inspection
What
– Can cover more protocols than application specific technology
– Able to block very specifically
– Can look deeper into packets to stop proxying
Issues
– Must sit in the route of the user's traffic
– Generally more costly than application specific technology as it requires greater processing power.
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
– Greater user privacy concerns
Packet inspection
• http:// Text is readable
• https:// Text is secure
Hybrid Options
What
– Combination of network routing and deployment of hardware to minimise costs
  • Stage 1 – manipulate routing to direct traffic between user and site to dedicated filtering hardware
  • Stage 2 – filter using application layer or DPI technology
Network Traffic Overview
[Diagram: BT UK Network (Ealing, Ilford, T/house, Kingston, Bletch., Birm, Manc, Edin, Glas, Sheff, Redbus, St.Alb) and BT Global Network with UK/EU and Linx peers, connecting users to WWW servers marked Filtered Server and OK Server; traffic flows numbered 1 to 6]
• Request to good URL on filtered server (2,5)
• Request to filtered URL on filtered server (3,4)
• Request to good URL on OK server (1,6)
Revised Traffic Overview
[Diagram: the same BT UK Network and BT Global Network layout, WWW servers marked Filtered Server and OK Server and flows numbered 1 to 6, with Filtering equipment added]
• Request to good URL on filtered server (2,5)
• Request to filtered URL on filtered server (3,4)
• Request to good URL on OK server (1,6)
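The two-stage hybrid decision and the three request classes in the legend above, as an added example that is not part of the original slides. The domains, addresses, blocklist and function names are constructed for illustration; the https branch reflects the slides' point that encryption disables inspection.

```python
from urllib.parse import urlsplit

# Constructed sample data: example domains on documentation address ranges.
DNS = {"filtered.example": "192.0.2.10", "ok.example": "198.51.100.20"}
BLOCKED_URLS = {"http://filtered.example/blocked/page"}


def stage1_redirect_ips(blocked_urls, dns):
    """Stage 1: server IPs whose traffic is routed to the filtering equipment."""
    return {dns[urlsplit(url).hostname] for url in blocked_urls}


def handle_request(url, blocked_urls=BLOCKED_URLS, dns=DNS):
    """Return (path, verdict) for one request, following the two stages."""
    parts = urlsplit(url)
    if dns[parts.hostname] not in stage1_redirect_ips(blocked_urls, dns):
        return ("direct", "allow")            # good URL on OK server (1,6)
    if parts.scheme == "https":
        # The filter sees the server IP but not the encrypted URL path.
        return ("filter", "uninspectable")
    # Stage 2: compare scheme, host and path; the query string is ignored here.
    seen = f"{parts.scheme}://{parts.hostname}{parts.path}"
    if seen in blocked_urls:
        return ("filter", "block")            # filtered URL on filtered server (3,4)
    return ("filter", "allow")                # good URL on filtered server (2,5)


if __name__ == "__main__":
    for url in ("http://ok.example/news",
                "http://filtered.example/news",
                "http://filtered.example/blocked/page",
                "https://filtered.example/blocked/page"):
        print(url, handle_request(url))
```

Only traffic to 192.0.2.10 reaches the filtering equipment, which is what keeps the dedicated hardware small compared with filtering every request.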
Hybrid Options
Issues
– Users can still gain access via “proxy” sites on different networks to bypass the filtering as these sites won’t be directed to dedicated technology
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
Not just about technology…
• Who decides what to filter?
• Operational cost of managing filtering
Summary
• Shown BT’s current offerings
• Highlighted options available to customers in the home
• Shown network controls and associated issues
• Effectiveness depends on desired goal
– Protection of users wanting to avoid access
– Prevention of users wanting to gain access
Questions & Answers