Security Basics mailing list archives

Re: Internet filtering at the packet level?

From: Andreas <andreas () inferno nadir org>
Date: Fri, 20 Aug 2004 18:18:15 +0200

Hello,

On Tuesday 17 August 2004 21:51, Will - Security Engine wrote:

Ok, I was wondering if it was feasable to filter internet access at the
packet level.  Here is the scenario.


[small campus network]

The filtering would be done on a Linux server using TCPDump.  I know how
to implement flags for content checking (If the phrase "hot monkey sex"
comes up in a packet, the user is flagged and traffic for that user
would be logged for a set period of time for reviewing later).  What I
don't know is how to actually stop the traffic - but we won't worry
about that for now.


I wouldn't use tcpdump for that. With tcpdump you actually just watch traffic.
What about using an IDS like snort for tasks like this? You can even enable
flexrep to take countermeasures, eg. blocking traffic.
You can write your own rules, which is not as hard. Snort can deal 
with fragmentation etc.

I'm a student at a private baptist college that gets it's internet
access through MOREnet.  They require that we filter the content in
order to use their services.  Currently we only use a URL keyword and
blacklist filtering system (from my own tests), but it's obvious that
anybody who is serious about getting around the filter will have no
problem (web proxies are stupid easy to set up yourself, and P2P isn't
filtered).  I'm worried that at some point it will come up that we
aren't doing a good enough job filtering, so we'd need a new solution.


Possibly i misunderstood you, but you can only allow internet access
through your proxy. This will make it much harder to circumvent 
your filtering attempts.

Lets not turn this into a censorship debate please ;)


Did i already mentioned, that censorship is bad ?! ;)

http://snort.org
http://squid-cache.org

regards,

andreas

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_040817
----------------------------------------------------------------------------

Current thread:

Internet filtering at the packet level? Will - Security Engine (Aug 20)
- Re: Internet filtering at the packet level? Andreas (Aug 23)
- Re: Internet filtering at the packet level? Rob Creely (Aug 23)
  - Re: Internet filtering at the packet level? Brian Kim (Aug 24)
- Re: Internet filtering at the packet level? Gabriel Orozco (Aug 23)
- <Possible follow-ups>
- Re: Internet filtering at the packet level? Will - Security Engine (Aug 23)
- RE: Internet filtering at the packet level? BANIER Jeremie (Aug 23)
  - Re: Internet filtering at the packet level? Brian Kim (Aug 25)
- RE: Internet filtering at the packet level? Bénoni MARTIN (Aug 23)
- Re: Internet filtering at the packet level? Will - Security Engine (Aug 24)
- RE: Internet filtering at the packet level? Billy Dodson (Aug 24)