network filtering
© British Telecommunications plc
Network Filtering
Network Filtering Overview
• Controls deployment outside of the home in the ISP
• Effectiveness depends on desired goal
  – Protection of users wanting to avoid access
  – Prevention of users wanting to gain access
• Number of network techniques
  – DNS filtering
  – IP blocking
  – Network deployed web filtering software
  – Deep Packet Inspection
  – Hybrid options
• Not just about technology…
Web browsing overview
[Diagram: http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67]
DNS (Domain Name Service) filtering
What
– DNS translates an easily typed address (domain) into the IP address of the end site
– DNS Filtering involves changing the IP address the domain resolves to, or removing the entry altogether.

http://www.bbc.co.uk = 212.58.244.67
DNS Filtering overview
[Diagram: http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = Non existent; 212.58.244.67 ?]
www.bbc.co.uk
http://www.bbc.co.uk/news
DNS (Domain Name Service) filtering
Issues
– Blocks a whole site (eg, www.bbc.co.uk) and not specific elements
– Users can easily change the DNS service to a different server from that provided by the ISP
– Many facilities to manually translate the domain to IP address on the web. (eg: http://www.network-tools.com)
  • User then enters IP address rather than domain name (eg: http://212.58.244.67/news)

http://www.bbc.co.uk = 212.58.244.67
IP Blocking
What
– Requires an ISP to block user traffic to the IP address of the site in their network
IP Blocking overview
[Diagram: http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67; Router]
IP Blocking
Issues
– Like DNS, blocks a whole site (eg, 212.58.244.67) and not specific elements
– Users can still gain access via “proxy” sites on different networks to bypass the filtering
– Easy for sites to move between IP addresses by altering DNS entries
Proxy overview
[Diagram: http://freeproxyserver.net/; DNS: freeproxyserver.net = 67.159.44.96; Router; 212.58.244.67; 67.159.44.96]
http://www.bbc.co.uk/news
Proxy overview
[Diagram: http://freeproxyserver.net/; DNS: www.bbc.co.uk = 212.58.244.67; Router; 212.58.244.67; 67.159.44.96]
Network deployed web filtering software
What
– Requires deployment of equipment that understands the user communication (eg, web proxies)
– Able to block very specifically
Filtering software overview
[Diagram: http://www.bbc.co.uk/news; DNS: www.bbc.co.uk = 212.58.244.67]

http://www.bbc.co.uk/news
http://news.bbcimg.co.uk/images/header.jpg
http://news.bbcimg.co.uk/images/image1.jpg
http://news.bbcimg.co.uk/images/image2.jpg
http://news.bbcimg.co.uk/images/image3.jpg
http://news.bbcimg.co.uk/icons/sm_icon.ico
Network deployed web filtering software
Issues
– Must sit in the route of the user's traffic
– Cost of deploying new dedicated hardware
– Users can still gain access via “proxy” sites on different networks to bypass the block
Deep Packet Inspection
What
– Can cover more protocols than application specific technology
– Able to block very specifically
– Can look deeper into packets to stop proxying

Issues
– Must sit in the route of the user's traffic
– Generally more costly than application specific technology as it requires greater processing power.
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
– Greater user privacy concerns
Packet inspection
• http:// Text is readable
• https:// Text is secure
Hybrid Options
What
– Combination of network routing and deployment of hardware to minimise costs
  • Stage 1 – manipulate routing to direct traffic between user and site to dedicated filtering hardware
  • Stage 2 – filter using application layer or DPI technology
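
The two stages above, as an added illustration (not part of the original slides and not BT's implementation). Hostnames, addresses and function names are constructed for the example; it also shows plain IP blocking for comparison, which drops the good URL on the same server.

```python
from urllib.parse import urlsplit

# Constructed sample data (documentation address ranges, example hostnames).
DNS = {
    "mixed.example": "192.0.2.10",     # hosts both good and filtered pages
    "clean.example": "198.51.100.20",  # hosts nothing on the filter list
}
FILTERED_URLS = {"http://mixed.example/blocked/page"}


def normalise(url):
    """Lower-case scheme and host; match on scheme://host/path only."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def diverted_ips(filtered_urls, dns):
    """Stage 1 input: addresses of servers hosting at least one filtered URL."""
    return {dns[urlsplit(u).hostname] for u in filtered_urls}


def hybrid_filter(url, dns=DNS, filtered_urls=FILTERED_URLS):
    """Return (path taken, verdict) for one request under the two-stage scheme."""
    url = normalise(url)
    dest_ip = dns[urlsplit(url).hostname]
    # Stage 1: routing decision on destination IP only, no content inspection.
    if dest_ip not in diverted_ips(filtered_urls, dns):
        return ("direct", "allow")
    # Stage 2: only diverted traffic reaches the URL-aware filtering equipment.
    blocked = url in {normalise(u) for u in filtered_urls}
    return ("filtering equipment", "block" if blocked else "allow")


def ip_block(url, dns=DNS, filtered_urls=FILTERED_URLS):
    """Plain IP blocking for comparison: the whole server is dropped."""
    dest_ip = dns[urlsplit(normalise(url)).hostname]
    return "block" if dest_ip in diverted_ips(filtered_urls, dns) else "allow"


if __name__ == "__main__":
    for u in ("http://mixed.example/news",          # good URL, filtered server
              "http://mixed.example/blocked/page",  # filtered URL, filtered server
              "http://clean.example/"):             # good URL, OK server
        print(u, hybrid_filter(u), "ip-block:", ip_block(u))
```

Only traffic to servers on the filter list pays the cost of inspection, which is the cost saving the slide refers to.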
Network Traffic Overview
[Diagram labels: BT UK Network; BT Global Network; Ealing, Ilford, T/house, Kingston, Bletch., Birm, Manc, Edin, Glas, Sheff, Redbus, St.Alb; UK/EU Linx Peers; WWW; Filtered Server; OK Server; request paths numbered 1 to 6]
• Request to good URL on filtered server (2,5)
• Request to filtered URL on filtered server (3,4)
• Request to good URL on OK server (1,6)
Revised Traffic Overview
[Diagram labels: BT UK Network; BT Global Network; Filtering equipment; Ealing, Ilford, T/house, Kingston, Bletch., Birm, Manc, Edin, Glas, Sheff, Redbus, St.Alb; UK/EU Linx Peers; WWW; Filtered Server; OK Server; request paths numbered 1 to 6]
• Request to good URL on filtered server (2,5)
• Request to filtered URL on filtered server (3,4)
• Request to good URL on OK server (1,6)
Hybrid Options
Issues
– Users can still gain access via “proxy” sites on different networks to bypass the filtering as these sites won’t be directed to dedicated technology
– Encryption disables the ability to inspect traffic
  • https web proxy sites
  • Tunnelling networks (eg TOR)
Not just about technology…
• Who decides what to filter?
• Operational cost of managing filtering
Summary
• Shown BT’s current offerings
• Highlighted options available to customers in the home
• Shown network controls and associated issues
• Effectiveness depends on desired goal
  – Protection of users wanting to avoid access
  – Prevention of users wanting to gain access
Questions & Answers