Network Filtering

Network Filtering Overview
• Controls deployment outside of the home in the ISP
• Effectiveness depends on desired goal
  • Protection of users wanting to avoid access
  • Prevention of users wanting to gain access
• Number of network techniques
  • DNS filtering
  • IP blocking
  • Network deployed web filtering software
  • Deep Packet Inspection
  • Hybrid options
• Not just about technology…

Web browsing overview
[Diagram: request for http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67; traffic to 212.58.244.67]

DNS (Domain Name Service) filtering
What
• DNS translates an easily typed address (domain) into the IP address of the end site
• DNS filtering involves changing the IP address the domain resolves to, or removing the entry altogether
[Diagram label: http://www.bbc.co.uk = 212.58.244.67]

DNS Filtering overview
[Diagram: request for http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = non-existent; 212.58.244.67 marked "?"]
[Diagram: URL http://www.bbc.co.uk/news; domain www.bbc.co.uk]

DNS (Domain Name Service) filtering
Issues
• Blocks a whole site (eg, www.bbc.co.uk) and not specific elements
• Users can easily change the DNS service to a different server from that provided by the ISP
• Many facilities on the web to manually translate the domain to an IP address (eg: http://www.network-tools.com)
• User then enters IP address rather than domain name (eg: http://212.58.244.67/news)
[Diagram label: http://www.bbc.co.uk = 212.58.244.67]

IP Blocking
What
• Requires an ISP to block user traffic to the IP address of the site in their network

IP Blocking overview
[Diagram: request for http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67; router between the user and 212.58.244.67]

IP Blocking
Issues
• Like DNS, blocks a whole site (eg, 212.58.244.67) and not specific elements
• Users can still gain access via “proxy” sites on different networks to bypass the filtering
• Easy for sites to move between IP addresses by altering DNS entries

Proxy overview
[Diagram: request for http://freeproxyserver.net/; DNS: freeproxyserver.net = 67.159.44.96; router; hosts 212.58.244.67 and 67.159.44.96; a second DNS]
[Diagram (continued): same layout; the second DNS shows www.bbc.co.uk = 212.58.244.67]

Network deployed web filtering software
What
• Requires deployment of equipment that understands the user communication (eg, web proxies)
• Able to block very specifically

Filtering software overview
[Diagram: request for http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67; traffic to 212.58.244.67. URLs shown:]
• http://www.bbc.co.uk/news
• http://news.bbcimg.co.uk/images/header.jpg
• http://news.bbcimg.co.uk/images/image1.jpg
• http://news.bbcimg.co.uk/images/image2.jpg
• http://news.bbcimg.co.uk/images/image3.jpg
• http://news.bbcimg.co.uk/icons/sm_icon.ico

Network deployed web filtering software
Issues
• Must sit in the route of the user's traffic
• Cost of deploying new dedicated hardware
• Users can still gain access via “proxy” sites on different networks to bypass the block
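
An added example (not from the original slides) comparing what DNS filtering, IP blocking and a URL-aware web filter each match on, using the URLs from the filtering software diagram. The target URL, the address 192.0.2.10 for news.bbcimg.co.uk and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed resolver table. 212.58.244.67 is the address the slides give for
# www.bbc.co.uk; 192.0.2.10 is a documentation address standing in for the
# image host, whose real address is not on the slides.
DNS_TABLE = {"www.bbc.co.uk": "212.58.244.67", "news.bbcimg.co.uk": "192.0.2.10"}

# Constructed policy: the operator wants to stop exactly one image.
TARGET_URL = "http://news.bbcimg.co.uk/images/image2.jpg"

# URLs taken from the "Filtering software overview" slide.
REQUESTS = [
    "http://www.bbc.co.uk/news",
    "http://news.bbcimg.co.uk/images/header.jpg",
    "http://news.bbcimg.co.uk/images/image1.jpg",
    "http://news.bbcimg.co.uk/images/image2.jpg",
    "http://news.bbcimg.co.uk/images/image3.jpg",
    "http://news.bbcimg.co.uk/icons/sm_icon.ico",
]

def blocked_by_dns(url, target=TARGET_URL):
    """DNS filtering only sees the hostname being resolved."""
    return urlsplit(url).hostname == urlsplit(target).hostname

def blocked_by_ip(url, target=TARGET_URL):
    """IP blocking only sees the destination address of the traffic."""
    return DNS_TABLE[urlsplit(url).hostname] == DNS_TABLE[urlsplit(target).hostname]

def blocked_by_url_filter(url, target=TARGET_URL):
    """A web filter in the traffic path sees host and path of each request."""
    u, t = urlsplit(url), urlsplit(target)
    return (u.hostname, u.path) == (t.hostname, t.path)

def overblocked(technique):
    """Requests a technique stops even though they are not the target URL."""
    return [r for r in REQUESTS if technique(r) and r != TARGET_URL]

if __name__ == "__main__":
    for name, fn in [("DNS", blocked_by_dns), ("IP", blocked_by_ip),
                     ("URL filter", blocked_by_url_filter)]:
        print(f"{name:10} collateral blocks: {len(overblocked(fn))}")
```

DNS filtering and IP blocking both take down every object on the image host to stop one file, while the URL-aware filter stops only the target.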

Deep Packet Inspection
What
• Can cover more protocols than application specific technology
• Able to block very specifically
• Can look deeper into packets to stop proxying
Issues
• Must sit in the route of the user's traffic
• Generally more costly than application specific technology as it requires greater processing power
• Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
• Greater user privacy concerns

Packet inspection
• http:// Text is readable
• https:// Text is secure

Hybrid Options
What
• Combination of network routing and deployment of hardware to minimise costs
• Stage 1 – manipulate routing to direct traffic between user and site to dedicated filtering hardware
• Stage 2 – filter using application layer or DPI technology

Network Traffic Overview
[Diagram: BT UK Network and BT Global Network, with nodes Kingston, Redbus, T/house, Ealing, Bletch., Birm, Ilford, Manc, Edin, Glas, St.Alb and Sheff, UK/EU Linx peers, a Filtered Server and an OK Server. Flows shown: request to good URL on OK server (1,6); request to good URL on filtered server (2,5); request to filtered URL on filtered server (3,4)]

Revised Traffic Overview
[Diagram: the same network and the same three flows, with filtering equipment added]

Hybrid Options
Issues
• Users can still gain access via “proxy” sites on different networks to bypass the filtering as these sites won’t be directed to dedicated technology
• Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
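
An added sketch (not from the original slides) of the two-stage hybrid design, run over the three request types in the traffic diagrams plus one encrypted request. Hostnames, addresses, the blocked path and the choice to pass https traffic uninspected are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed data: example hostnames and documentation addresses.
DNS_TABLE = {"filtered.example": "192.0.2.80", "ok.example": "198.51.100.80"}
BLOCKED_URLS = {("filtered.example", "/banned/page.html")}
# Stage 1 list is derived from the stage 2 list: every IP hosting a blocked URL.
DIVERT_IPS = {DNS_TABLE[host] for host, _ in BLOCKED_URLS}

def stage1_route(dest_ip):
    """Routing decision: only traffic to listed IPs goes to the filter."""
    return "filter" if dest_ip in DIVERT_IPS else "direct"

def stage2_filter(url):
    """Application-layer decision made on the filtering equipment."""
    u = urlsplit(url)
    if u.scheme == "https":
        # The path is encrypted, so the URL list cannot be applied. This
        # sketch passes the request; dropping it instead would block the
        # whole host, as IP blocking does.
        return "pass-uninspected"
    return "block" if (u.hostname, u.path) in BLOCKED_URLS else "pass"

def handle(url):
    """Return (path taken, verdict) for one request."""
    ip = DNS_TABLE[urlsplit(url).hostname]
    if stage1_route(ip) == "direct":
        return ("direct", "pass")
    return ("filter", stage2_filter(url))

def filter_load(urls):
    """Fraction of requests that reach the dedicated filtering hardware."""
    return sum(1 for u in urls if handle(u)[0] == "filter") / len(urls)

SAMPLE = [
    "http://ok.example/index.html",               # good URL on OK server (1,6)
    "http://filtered.example/index.html",         # good URL on filtered server (2,5)
    "http://filtered.example/banned/page.html",   # filtered URL on filtered server (3,4)
    "https://filtered.example/banned/page.html",  # same URL, encrypted
]

if __name__ == "__main__":
    for url in SAMPLE:
        print(url, handle(url))
```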

Not just about technology…
• Who decides what to filter?
• Operational cost of managing filtering

Summary
• Shown BT’s current offerings
• Highlighted options available to customers in the home
• Shown network controls and associated issues
• Effectiveness depends on desired goal
  • Protection of users wanting to avoid access
  • Prevention of users wanting to gain access