RE: Internet filtering at the packet level?

[BANIER Jeremie <Jeremie.BANIER () swift com>]

Hello, 
I would have two comments on this:
1) did you think about service filtering ?
   If you only allow http(s) and ftp you'll get rid of the p2p things.
2) About checking the packets: this may be cpu killer no ?
   Plus it won't help for the ssl enable site ... But does any 
   p*rn site provide ssl access ?

Cheers,
Jere.
 

> -----Original Message-----
> From: Will - Security Engine [mailto:security () the-engine org] 
> Sent: Tuesday, August 17, 2004 9:51 PM
> To: security-basics () securityfocus com
> Subject: Internet filtering at the packet level?
>
> Ok, I was wondering if it was feasable to filter internet 
> access at the 
> packet level.  Here is the scenario.
>
> Small college campus - lets say 500 live on campus.  About 
> half that has 
> internet access.  Then you also have the computer lab, with 16 
> computers.  Each teacher has a computer in their office as 
> well, and the 
> CIS dept has about 30 or so computers in use.
>
> The filtering would be done on a Linux server using TCPDump.  
> I know how 
> to implement flags for content checking (If the phrase "hot 
> monkey sex" 
> comes up in a packet, the user is flagged and traffic for that user 
> would be logged for a set period of time for reviewing later).  What I 
> don't know is how to actually stop the traffic - but we won't worry 
> about that for now.
>
> Is there any problems with this?  Is it feasable?  How about just the 
> flagging portion of it, rather than the actual content blocking?
>
> I'm a student at a private baptist college that gets it's internet 
> access through MOREnet.  They require that we filter the content in 
> order to use their services.  Currently we only use a URL keyword and 
> blacklist filtering system (from my own tests), but it's obvious that 
> anybody who is serious about getting around the filter will have no 
> problem (web proxies are stupid easy to set up yourself, and P2P isn't 
> filtered).  I'm worried that at some point it will come up that we 
> aren't doing a good enough job filtering, so we'd need a new solution. 
> I think the packet-based system would be more accurate.  I 
> would be more 
> inclined to not actually block the content that gets flagged.  I would 
> rather know that the user is accessing content ruled against 
> by the ToS 
> and confront them on the issue.
>
> Lets not turn this into a censorship debate please ;)
>
> ---------------------------------------------------------------
> ------------
> Computer Forensics Training at the InfoSec Institute. All of 
> our class sizes
> are guaranteed to be 12 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Gain the 
> in-demand skills of
> a certified computer examiner, learn to recover trace data 
> left behind by
> fraud, theft, and cybercrime perpetrators. Discover the source 
> of computer
> crime and abuse so that it never happens again.
>
> http://www.securityfocus.com/sponsor/InfoSecInstitute_security-
> basics_040817
> ---------------------------------------------------------------
> -------------

Attachment: smime.p7s
Description: