RE: Internet filtering at the packet level?

[Bénoni MARTIN <Benoni.MARTIN () libertis ga>]

Hi !

Well...the well-known snort (www.snort.org) can block / log suspicious traffic. Tcpdump is a packet filter + logger 
(with the -w option or smth like that) but it cannot do smth more. Snort is very flexible, you can set what you want: 
block traffic, alert but pass, pass only, ... according to a content you just set up !


-----Message d'origine-----
De : Will - Security Engine [mailto:security () the-engine org] 
Envoyé : mardi 17 août 2004 20:51
À : security-basics () securityfocus com
Objet : Internet filtering at the packet level?

Ok, I was wondering if it was feasable to filter internet access at the packet level.  Here is the scenario.

Small college campus - lets say 500 live on campus.  About half that has internet access.  Then you also have the 
computer lab, with 16 computers.  Each teacher has a computer in their office as well, and the CIS dept has about 30 or 
so computers in use.

The filtering would be done on a Linux server using TCPDump.  I know how to implement flags for content checking (If 
the phrase "hot monkey sex" 
comes up in a packet, the user is flagged and traffic for that user would be logged for a set period of time for 
reviewing later).  What I don't know is how to actually stop the traffic - but we won't worry about that for now.

Is there any problems with this?  Is it feasable?  How about just the flagging portion of it, rather than the actual 
content blocking?

I'm a student at a private baptist college that gets it's internet access through MOREnet.  They require that we filter 
the content in order to use their services.  Currently we only use a URL keyword and blacklist filtering system (from 
my own tests), but it's obvious that anybody who is serious about getting around the filter will have no problem (web 
proxies are stupid easy to set up yourself, and P2P isn't filtered).  I'm worried that at some point it will come up 
that we aren't doing a good enough job filtering, so we'd need a new solution. 
I think the packet-based system would be more accurate.  I would be more inclined to not actually block the content 
that gets flagged.  I would rather know that the user is accessing content ruled against by the ToS and confront them 
on the issue.

Lets not turn this into a censorship debate please ;)

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less 
to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified 
computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the 
source of computer crime and abuse so that it never happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_040817
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_040817
----------------------------------------------------------------------------