Security Basics mailing list archives

RE: Internet filtering at the packet level?

From: "Billy Dodson" <billy () pmm-i com>
Date: Mon, 23 Aug 2004 14:06:28 -0500

If your running linux anyway, you should look into Squid Proxy for
linux.  It is a Proxy server/Caching engine that runs on linux.
http://www.squid-cache.org  It has the logging and reporting that I
think you might be looking for.




-----Original Message-----
From: Rob Creely [mailto:programmingart () gmail com] 
Sent: Saturday, August 21, 2004 5:51 PM
To: Will - Security Engine
Cc: security-basics () securityfocus com
Subject: Re: Internet filtering at the packet level?

Any reason you can't just block all outgoing traffic except traffic to
your proxy server which is doing the filtering?

I think you looking at a lot of overhead and network slowdown by
scanning every single packet.  How about the people that connect to a
secure web proxy via SSL?  How about people that use SSH forwarding to a
web proxy?  You can't examine those packets, they are encypted.

Just my 2 cents.....

Cheers.

--Rob 

On Tue, 17 Aug 2004 14:51:25 -0500, Will - Security Engine
<security () the-engine org> wrote:

Ok, I was wondering if it was feasable to filter internet access at 
the packet level.  Here is the scenario.

Small college campus - lets say 500 live on campus.  About half that 
has internet access.  Then you also have the computer lab, with 16 
computers.  Each teacher has a computer in their office as well, and 
the CIS dept has about 30 or so computers in use.

The filtering would be done on a Linux server using TCPDump.  I know 
how to implement flags for content checking (If the phrase "hot monkey

sex"

comes up in a packet, the user is flagged and traffic for that user 
would be logged for a set period of time for reviewing later).  What I

don't know is how to actually stop the traffic - but we won't worry 
about that for now.

Is there any problems with this?  Is it feasable?  How about just the 
flagging portion of it, rather than the actual content blocking?

I'm a student at a private baptist college that gets it's internet 
access through MOREnet.  They require that we filter the content in 
order to use their services.  Currently we only use a URL keyword and 
blacklist filtering system (from my own tests), but it's obvious that 
anybody who is serious about getting around the filter will have no 
problem (web proxies are stupid easy to set up yourself, and P2P isn't

filtered).  I'm worried that at some point it will come up that we 
aren't doing a good enough job filtering, so we'd need a new solution.
I think the packet-based system would be more accurate.  I would be 
more inclined to not actually block the content that gets flagged.  I 
would rather know that the user is accessing content ruled against by 
the ToS and confront them on the issue.

Lets not turn this into a censorship debate please ;)

----------------------------------------------------------------------
----- Computer Forensics Training at the InfoSec Institute. All of our

class sizes are guaranteed to be 12 students or less to facilitate 
one-on-one interaction with one of our expert instructors. Gain the 
in-demand skills of a certified computer examiner, learn to recover 
trace data left behind by fraud, theft, and cybercrime perpetrators. 
Discover the source of computer crime and abuse so that it never 
happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_
040817
----------------------------------------------------------------------
------


------------------------------------------------------------------------
---
Computer Forensics Training at the InfoSec Institute. All of our class
sizes are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of a certified computer examiner, learn to recover trace data
left behind by fraud, theft, and cybercrime perpetrators. Discover the
source of computer crime and abuse so that it never happens again.

http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_04
0817
------------------------------------------------------------------------
----




---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------

Current thread:

Internet filtering at the packet level? Will - Security Engine (Aug 20)
- Re: Internet filtering at the packet level? Andreas (Aug 23)
- Re: Internet filtering at the packet level? Rob Creely (Aug 23)
  - Re: Internet filtering at the packet level? Brian Kim (Aug 24)
- Re: Internet filtering at the packet level? Gabriel Orozco (Aug 23)
- <Possible follow-ups>
- Re: Internet filtering at the packet level? Will - Security Engine (Aug 23)
- RE: Internet filtering at the packet level? BANIER Jeremie (Aug 23)
  - Re: Internet filtering at the packet level? Brian Kim (Aug 25)
- RE: Internet filtering at the packet level? Bénoni MARTIN (Aug 23)
- Re: Internet filtering at the packet level? Will - Security Engine (Aug 24)
- RE: Internet filtering at the packet level? Billy Dodson (Aug 24)