|
|||||||||||||
|
|||||||||||||
More Articles...
|
|||||||||||||
<< Start < Prev 1 2 Next > End >> |
|||||||||||||
Page 1 of 2 |
Technology
Watchdog International specializes in the implementation and integration of filtering technologies into networks to suit different applications. The choice of the correct technology for the task is critical to ensure that performance, effectiveness and budgetary criteria can be met.
Compare Filtering Technologies
DNS Poisoning
DNS Poisoning is a filtering method commonly used by ISPs to block access to a small list of blacklisted sites (in the thousands) such as ones containing images of child sexual abuse across their whole network.
It works by ISPs changing the DNS records of the blocked web sites to point to a dummy web server hosting a block page. It is relatively easy to set up and reasonably easy to maintain but has the limitation that it can only block a whole URL, not a page on a domain as more sophisticated filtering methods can. It is also very easy to bypass, as all a user needs to do is change his settings to use a DNS server outside of his ISP connection, and this can be done very easily by many children today.
It is currently in use by countries in Scandinavia for the blocking of Web sites containing child sexual abuse images (CSAI) which are illegal to access in most countries. The list of blocked sites is supplied by police authorities in the respective countries.
read moreIP Address Blocking
What is IP Address Blocking
This is a crude method of Web filtering that is sometimes used by ISPs wanting a quick solution using existing infrastructure such as routers.
Set Up
It is simple to set up for small lists of sites but is very problematical. It causes overblocking because innocent sites hosted at the same IP address as illegal sites will be blocked. It also causes additional loading on routers, and does not allow for web sites changing their IP address, as an unwanted site will no longer be blocked if its IP address changes.
Challenges
Commercial child pornography sites frequently change their IP addresses. It also means that sites all have to have their addresses looked up before being added to block lists, and sites that use additional mirrored servers such as those provided by Akamai would not be able to be blocked without blocking a large number of innocent sites.
read morePC-Based Software
A simple solution to blocking web sites at PC level is using software that is installed on each individual PC.
This has the advantage that each user can configure their own profile but this does require a level of knowledge that not all users posses. This software solution has disadvantages over server-based filtering in that updates need to be managed by the users, it can be bypassed by smart kids, and it can affect the performance of the computer. It also has a relatively high cost per user compared with server-based filtering that offers economies of scale. read moreClient-Server PC-Based Software
This is an advancement on PC software where a small program on a PC links through to a server hosted at an ISP that does most of the filtering. This offers the advantage of a more secure system. It is much simpler to install, all the updates are done at the server but it has less flexibility than just PC-Based software.
A typical installation of this type of filtering solution would be for school laptops where the school wishes the laptops to be filtered with the same policies that are in place for their in-house computers. An example of this is the 8e6 Client.
read moreProxy-Based Filtering Software
Who Uses Proxy Based Filtering?
This is commonly used by large organisations to introduce filtering policies for users and offers a high level of flexibility and granularity. It does require that the organisation has a server with enough capacity to run effectively as this software can add additional loading on the system.
How Do Proxy Servers Work?
Because a proxy server has to terminate web site requests and then regenerate them there is an amount of latency introduced in the data stream and thus performance is limited by available capacity. The servers also change the source IP address of the web request from the user to their own IP which can cause problems with some traffic types.
Should ISPs Use Proxy Based Filtering?
For these reasons this sort of solution is not suitable for ISPs and carriers.
An example of this type of filtering software is Websense.
Bluecoat is an example of a company that offer an appliance with proxy filtering. Using an appliance removes the requirement for a server but it still has the limitations of proxying in regards to performance, scalability and the changing of IP addresses on the web requests.
read morePass-By Filtering Appliance
This is a system used by large organisations and ISPs who wish to introduce filtering policies for users and offers a high level of flexibility and granularity.
It has the advantage of having no affect on the performance of the network due to the way it inspects traffic without breaking the data stream - unlike proxy servers. A typical installation would connect the filtering server to a mirrored port of a switch in the target network so that it can see the traffic through the switch. The filter is then able to monitor requests for web sites and block those that are required by the chosen profile.
A number of servers can normally be connected to the mirrored port via a hub or a load balancer to scale the filters for large networks where they exceed the capacity of a single filtering appliance.
An example of this technology is the Marshal8e6 R3000.
read moreAnalysis-based (Dynamic) Filtering Systems
Organisational Requirements
This form of filtering usually requires organisations to have a server with enough capacity to run effectively in the case of a software solution as it can add a considerable amount of additional loading on the system.
Advantages
The advantage of this system over other types of filters that use a blacklist or whitelist of web sites is that it can classify new sites on-the-fly should they not be present in the blacklist.
Challenges
However, this requires a considerable amount of processing power and introduces latency while this is taking place. Some filters employing this technology will allow unfiltered access for the first access to the uncategorised site while it is classifying it and subsequent accesses will be blocked should it meet the blocking criteria.
Should ISPs Use Analysis-based (Dynamic) Filtering Systems?
Because of the processing power required and subsequent latency introduced this sort of solution is not suitable for ISPs and carriers.
read moreHybrid BGP and URL Filtering System
The Hybrid BGP and URL Filtering System is designed for the installation in large networks where a traditional single step URL filtering system would be impractical.
Purpose of Hybrid BGP and URL Filtering Systems
Hybrid BGP and URL Filtering Systems are limited to a relatively small URL list (10,000 or so) so is more suitable for the blocking of illegal sites such as those containing child sexual abuse images.
How are Hybrid BGP and URL Filtering Systems Set Up?
The system is set up as a BGP neighbour to a router that connects to the external Internet connection on the target network. It looks up the IP addresses of the URLs on the blacklist and advertises host routes for these to the target network with the filter as the next hop. Thus any web requests on the target network that try to access a site on the blocklist will be routed to the filter which will then inspect the URL. If a match is made to the blacklist then a blocking page is sent back to the browser, terminating the web session. If a match is not made then the request is forwarded unaltered to the destination site.
Advantages of Hybrid BGP and URL Filtering Systems
The main advantage of this system is that the amount of filtering capacity required is relatively small due to the fact that only the traffic that is going to the IP addresses relating to the blacklist is being inspected. This means that the system can be installed in large networks such as those used by large national ISPs and international carriers. An early example of this technology was a system created by British Telecom called CleanFeed. This is used by them to block access to web sites containing child sexual abuse images on their network in the UK.
Since BT implementing CleanFeed, this technology has been developed by NetClean into a commercial system called the NetClean Whitebox. This has significant advantages over the Cleanfeed system in that it uses external BGP so can be hosted externally to the target ISP network and one filtering node can support multiple ISPs.
NetClean WhiteBox - The Latest Solution for Filtering at ISP and Carrier Level
The WhiteBox does not use proxying and therefore does not have the transparency and scalability issues that accompany BT's CleanFeed technology.Netclean Whitebox
read more