
RE: Internet filtering at the packet level?

Subject: RE: Internet filtering at the packet level?
Date: Fri, 20 Aug 2004 17:33:06 +0200
Hello,
I would have two comments on this:
1) Did you think about service filtering?
   If you only allow http(s) and ftp you'll get rid of the p2p things.
2) About checking the packets: this may be a CPU killer, no?
   Plus it won't help for SSL-enabled sites ... But does any
   p*rn site provide SSL access?

Cheers,
Jere.
 

-----Original Message-----
From: Will - Security Engine [mailto:security@the-engine.org] 
Sent: Tuesday, August 17, 2004 9:51 PM
To: security-basics@securityfocus.com
Subject: Internet filtering at the packet level?

Ok, I was wondering if it was feasible to filter internet access at the
packet level.  Here is the scenario.

Small college campus - let's say 500 live on campus.  About half that has
internet access.  Then you also have the computer lab, with 16
computers.  Each teacher has a computer in their office as well, and the
CIS dept has about 30 or so computers in use.

The filtering would be done on a Linux server using TCPDump.  I know how
to implement flags for content checking (If the phrase "hot monkey sex"
comes up in a packet, the user is flagged and traffic for that user
would be logged for a set period of time for reviewing later).  What I
don't know is how to actually stop the traffic - but we won't worry
about that for now.

Are there any problems with this?  Is it feasible?  How about just the
flagging portion of it, rather than the actual content blocking?

I'm a student at a private Baptist college that gets its internet
access through MOREnet.  They require that we filter the content in
order to use their services.  Currently we only use a URL keyword and
blacklist filtering system (from my own tests), but it's obvious that
anybody who is serious about getting around the filter will have no
problem (web proxies are stupid easy to set up yourself, and P2P isn't
filtered).  I'm worried that at some point it will come up that we
aren't doing a good enough job filtering, so we'd need a new solution.
I think the packet-based system would be more accurate.  I would be more
inclined to not actually block the content that gets flagged.  I would
rather know that the user is accessing content ruled against by the ToS
and confront them on the issue.

Let's not turn this into a censorship debate please ;)
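
The flag-and-log scheme discussed in this thread, as an added example that is not part of either message: it works on already-captured packet records rather than live tcpdump output, keeps a short per-flow tail so a phrase split across two packets still matches, and shows that an SSL/TLS record never matches. The campus range, phrase, window length, function names and sample packets are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.20.0.0/16")   # constructed campus address range
KEYWORDS = [b"forbidden phrase"]      # constructed stand-in for the flag phrases
LOG_WINDOW = 300                      # assumed: seconds to log a flagged user

def review(packets, keywords=KEYWORDS, window=LOG_WINDOW):
    """packets: time-ordered (ts, src, sport, dst, dport, payload) tuples.
    Returns (flags, logged): flags are (ts, user_ip, keyword); logged are
    the packet headers captured while a user's logging window is open."""
    keep = max(len(k) for k in keywords) - 1
    tails = defaultdict(bytes)        # last bytes seen per one-way flow
    log_until = {}                    # user_ip -> time logging stops
    flags, logged = [], []
    for ts, src, sport, dst, dport, payload in packets:
        # The "user" is whichever end of the packet is on campus.
        user = src if ip_address(src) in CAMPUS else dst
        flow = (src, sport, dst, dport)
        tail = tails[flow]
        data = tail + payload.lower()
        for kw in keywords:
            # Skip matches lying wholly inside the old tail (already seen).
            start = max(0, len(tail) - (len(kw) - 1))
            if kw in data[start:]:
                flags.append((ts, user, kw))
                log_until[user] = ts + window
        tails[flow] = data[-keep:] if keep else b""
        if ts <= log_until.get(user, -1):
            logged.append((ts, src, sport, dst, dport))
    return flags, logged

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    (0, "10.20.1.5", 40000, "203.0.113.10", 80, b"GET /page HTTP/1.1\r\n\r\n"),
    (1, "203.0.113.10", 80, "10.20.1.5", 40000, b"<p>some Forbidden ph"),
    (2, "203.0.113.10", 80, "10.20.1.5", 40000, b"rase here</p>"),
    (3, "10.20.1.5", 40001, "198.51.100.7", 6881, b"\x13BitTorrent protocol"),
    # Stands in for a TLS application-data record: the phrase is not visible.
    (4, "10.20.1.9", 40002, "203.0.113.10", 443,
     bytes.fromhex("1703030020") + bytes(range(32))),
    (400, "10.20.1.5", 40003, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

def demo():
    return review(SAMPLE)

if __name__ == "__main__":
    print(demo())
```

Matching each packet on its own would miss the phrase in this sample, since it straddles the packets at ts 1 and ts 2; the port 443 flow is never flagged whatever it carries.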



