The purpose of this white paper is to provide a general overview
of IP filtering. The discussion focuses on the use of IP filters to block access
to inappropriate sites.
Scope
The audience is presumed to have a general understanding of
filtering software such as Cyber Patrol and Net Nanny and to be familiar with
the term Internet blocking. This paper offers different options for implementing
Internet blocking or IP filtering. The scope of this paper is driven by the need
for educational institutions to protect minors from inappropriate material on
the Internet. Filtering is used to provide content filtering, network security,
and improved network performance. A variety of solutions will be discussed.
Research Objectives
Discuss filtering needs.
Discuss scalable options.
Provide a list of software vendors.
Probable Outcome
Adoption of local solutions that may be scaled on a statewide
basis.
Addition to MOREnet's Product Support Matrix.
Training and seminar presentations for the adopted solution.
Informational documentation to assist customers with solving content filtering
objectives.
Introduction
Although Internet access is an important mainstay in the education
of our youth, much unregulated content can be found on the World Wide Web. Parents
want to be assured that their children are safe from "bad influences."
Because the Web is worldwide, it is impossible to create a global agreement on
what material is inappropriate and how that material should be regulated. The
problem we face is how to protect minors from inappropriate material on the Internet.
What filtering solutions are available? How do we choose one that will work?
Filtering allows you to control what sites your children can
and cannot visit. There are a variety of ways to filter access to the Internet,
but none of these methods claims to block 100% of the inappropriate sites. However,
third-party services claim to cover the vast majority. For this reason it is necessary
to develop a local acceptable use policy (AUP) to complement your filtering solution.
Your AUP and filtering together are effective tools to protect your children. Several good
AUP links are provided at the end of this paper for further reference. The following
pages will describe a variety of filtering options, their uses and limitations.
Filtering is a tool that helps control access to the Internet.
With the Internet bringing the world to you, it is easy to stumble across sites
with questionable content. Parents expect the public library and school system
to protect their children from such controversial material, and they assume these
institutions enforce minimum standards for the types of material a child might
encounter. Some organizations do not
have the space or staff to monitor the student every minute. Therefore it is necessary
to implement an AUP in schools and libraries where minors have Internet access
without the direct supervision of a parent or faculty/staff member.
Filtering also matters to network administrators responsible for large numbers
of networked PCs, such as labs, libraries, and corporate offices. They need
a tool that will protect their network data from outsiders and control which sites
are accessible to persons using their system. Filtering provides firewall-style
protection for data and control of Internet access, limiting users to the
information they need and determining which sites can and cannot be
accessed.
Filtering network access to certain sites is accomplished using
a variety of methods:
IP Filter Lists. IP filter lists in a router can
block IP packets bound for a denied site and keep them from passing through the
router.
IP Forwarding. IP forwarding, or NAT (Network
Address Translation), between your router and your network prevents outsiders'
access to your network. It increases the security of your network but does not
by itself secure it.
Web Proxy Server. A Web proxy server can be used
to block access to certain sites, allowing access only to chosen sites. It also
caches the webpages you download so the next time you visit that site you get
the page from your Web cache and not from the Internet.
Firewall. A firewall contains a variety of tools
to secure your network from the outside Internet: NAT, IP filtering, encryption,
and authentication, to name a few.
Content Filtering Services. Content filtering
or third-party filtering services are for sale as server-based, stand-alone, or
packaged online services. They are continually updated but do not promise to block
100%.
Filtering IP addresses can be managed using a Cisco router.
You can create a filter list that will deny access to a site and then apply that
list to one of the router's interfaces. This is fine for static lists and for blocking
IP packets from reaching certain ports on your network; for example, to block
certain machines from reaching port 21 (the port FTP uses). If you need to maintain the
list on a daily or weekly basis, this is not a good solution. Use this for static
access lists that are not likely to change much, or to block unwanted services,
such as FTP, from reaching your network.
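The router filter list described above can be pictured as an ordered list of rules checked top to bottom. The following is an added example, not from the original paper or any vendor: a small evaluator for Cisco-style extended access-list lines that shows first-match semantics and the implicit deny at the end of every list. It assumes contiguous wildcard masks and destination-port qualifiers only, and all addresses in it are constructed test ranges.

```python
# Added example, not from the original paper: a minimal evaluator for
# Cisco-style extended IP access lists. Rules match in order, the first
# match wins, and a packet matching no rule is dropped (IOS's implicit
# "deny any"). Assumes contiguous wildcard masks and destination-port
# qualifiers only; all addresses below are constructed test ranges.
import ipaddress

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 covers a /24.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network((tokens[0], 32 - wildcard.bit_length()), strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Turn 'access-list N permit|deny proto SRC DST [eq PORT]' lines into rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                       # blank line or non-rule text
        action, proto = tokens[2], tokens[3]
        src, rest = _addr(tokens[4:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one packet; the first matching rule decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and src in rsrc and dst in rdst
                and rport in (None, dst_port)):
            return action
    return "deny"                          # implicit deny at the end of the list

# Constructed list: no FTP from the 10.0.0.0/24 lab, one site blocked for all.
LAB_ACL = """
access-list 101 deny   tcp 10.0.0.0 0.0.0.255 any eq 21
access-list 101 deny   ip  any host 203.0.113.10
access-list 101 permit ip  any any
"""
RULES = parse_acl(LAB_ACL)
```

Note that the FTP rule is TCP-only and the site block is a single host address, which is exactly why such a list goes stale as soon as a blocked site changes addresses.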
Firewall
This is an excellent solution for adding security to your network
and preventing outsiders from accessing your internal devices. Firewalls come
in a variety of packages, from server-based software applications to a stand-alone
appliance with a turnkey installation. Early firewalls supported IP filtering
and NAT. Currently most firewall providers offer tiered pricing for additional
features like encryption, user authentication, web-proxy and dynamic packet filtering,
to name a few.
Web Proxy Cache
A Web proxy cache allows your users to pool their Web browser
cache on one server. With this tool, when a second user downloads the same file
you just spent 20 minutes downloading, the file is retrieved from the Web-caching
server and not the Internet. This method, integrated with third-party software
that provides ongoing updates, is a complete and scalable solution. It allows
a single point of management and provides a selection of filter categories to
meet your needs.
IP Forwarding (NAT)
IP forwarding (the Unix term) or NAT (Network Address Translation, the term used
by other vendors) allows one server to present a single IP address on behalf of all
the devices on your network. The device provides a gateway service for all devices on the
network at the IP layer and hides your network from the outside world. Some NAT
devices may include other services like static filtering or web proxy caching.
Third-party Filtering Software
This software solution involves a third-party developer who
maintains and updates a site-content database, and continually provides the updated
information to its customers for use in denying sites based on the content found
on the site. Filtering software supports a wide range of platforms. You can run
this filtering software on a stand-alone workstation or as a server-based solution.
A server-based solution gives you a central point of control and offers the best
solution for reducing expenses for support staff. Since third-party software provides
ongoing updates, expect a yearly subscription fee.
Contrary to the misconceptions of some critics, few (if any)
of these products filter based on keywords alone. Keyword-only blocking is crude:
blocking on the term "sex" would block any site that mentions Middlesex, England
as well as erotic websites.
Several companies now provide keyword searching by parsing
documents on the fly, based on options selected by the customer. One approach
lets users filter a site based on a list of forbidden words, then categorize the
site based on criteria they have developed for acceptable use. This is not 100%
reliable but has improved greatly since the early drafts of this paper.
Another approach permits users to create their own Web search
engine by restricting access to a strict list of acceptable sites. This guarantees
quality searches but limits user searches to a finite set of sites. The administrator
does have the ability to override the rule set to allow more exhaustive unprotected
searches.
Scalable Options
There are two popular content-filtering options. The most popular
is the integration of a third-party filtering list and a Web proxy caching service.
A second option is a turnkey, stand-alone box that sits on
the local area network (LAN) and listens to the IP traffic. If the destination
of the IP packet is in a list of denied sites, the filter box will deny access
to the site and notify the client that the request has been denied.
Hierarchical Web Caching
Some web caching devices support the cascading of several caching
servers in a hierarchical fashion. This allows a site to pool its Web caching
and make better use of its Internet connection.
Summary
The tools we have discussed here are all very powerful. Managing
a static IP access list may be an inexpensive approach, but this approach does
not provide up-to-date lists for your network. It is also time consuming and prone
to human error.
Filtering solutions that integrate with third-party filtering
software work the best and scale well on a large network. They do not promise
100% protection, but they have made significant progress on filtering constantly
changing Internet websites.
The AUP is a tool that should be included in any filtering
strategy. It communicates a reasonable expectation to the user and sets boundaries
for use of the Web. It should not be the only tool used, since enforcement requires
constant supervision that may not be practical in all situations.
Managing your filtering solution from a single point should
be considered. This solution should be server-based for larger networks and may
be workstation-based for smaller businesses and libraries. Integrating IP filtering
with third-party filtering software provides the ability to filter Web access
to certain sites with a variety of options. Your AUP will complement these filtering
tools to provide a scalable solution for your system.