14.2    Content blocking

In the recent past, several approaches have been proposed to block content that some parties identify as illegal or offensive. According to a report published by the Australian government in 1998 [3], such content can be blocked either at the packet level or at the application level (as further explained in Chapter 3):

  • In short, blocking content at the packet level requires (screening) routers to examine the IP addresses in each packet, compare them with a black list, and either forward the packet (if the address is not itemized in the black list) or drop it (if the address is itemized). Note that the comparison has to be applied to both directions of a connection, i.e., to the destination address of an outbound request as well as to the source address of an inbound reply. A rule that checks only the source address of incoming packets lets the request leave the network and merely discards the answer.

  • Blocking content at the application level requires application-level gateways and proxy servers that examine resources or resource information in order to decide whether the corresponding application protocol request, such as an HTTP GET method invocation, should be served. For example, a common approach is to specify the URLs that should not be served, place them in a black list, and distribute and install that list on proxy servers. Before serving an HTTP request, a proxy server then makes sure that the requested URL is not itemized in the black list. The granularity of such blocking decisions can be made much finer than at the packet level: a single resource can be blocked without affecting the rest of the site that hosts it.

In line with this brief description, packet-level blocking is sometimes also referred to as IP address blocking, whereas application-level blocking is also called URL blocking. Both technologies, together with their advantages and disadvantages, are overviewed and briefly discussed next.

14.2.1    IP address blocking

The technologies used to implement IP address- or packet-level blocking are similar to the ones discussed in Chapter 3, when we elaborated on packet filtering and stateful inspection technologies. In short, some kind of access control list (ACL) must be specified in order to distinguish packets that should be forwarded from packets that should be dropped. This distinction is mainly based on the information found in IP packet headers, such as source and destination IP addresses.

In general, IP address- or packet-level blocking could be carried out by any ISP. In practice, however, it is more efficient to have it carried out by the relatively small number of Internet backbone service providers (BSPs). Since packet-level blocking involves comparing each IP packet's addresses with a supplied black list of IP addresses (the ones that are blocked), it can easily be implemented using the ACL features of the screening routers operated by the BSPs.

As of this writing, the effectiveness of IP address- or packet-level blocking is a hotly debated topic. The proponents of the technology claim that it is a possible way to effectively block illegal or offensive content on the Internet or WWW. Contrary to that, the opponents of the technology refer to the following four technical issues that collectively limit its effectiveness:

  1. IP address- or packet-level blocking is indiscriminate: the decision to block an IP address means that all (virtual) Web sites configured to use this address are blocked and made invisible to Internet users and ISP subscribers. With name-based virtual hosting, where many sites share one address and are told apart only by the HTTP Host header, a single entry can silence sites that have nothing to do with the offending one. This poses practical and legal problems for companies that host virtual Web sites. On the positive side, it is also an incentive for them to remove the offensive material.

  2. IP address- or packet-level blocking may also affect TCP/IP services other than HTTP. Note that a decision to block a particular Internet or Web site because of some illegal or offensive content generally means that all other services, such as FTP, SMTP, or NNTP, on the same address will also be blocked. The reason is that IP address- or packet-level blocking decisions are based on IP addresses. Although it is possible to include port numbers (which identify services) in the decision rules, this is seldom done, mainly because it degrades the performance of the screening routers. Also, if it were done, the port numbers could be changed even more easily than IP addresses.

  3. IP address- or packet-level blocking devices can often be bypassed and circumvented. For example, an Internet or Web site can regularly change its IP address, so that the access control enforced by a black list is bypassed entirely until the list is updated. Similarly, specific network technologies, such as IP tunneling through an address that is not listed, can be used to circumvent any IP address- or packet-level blocking device.

  4. IP address- or packet-level blocking requires some computational power on the routing (and filtering) devices. Consequently, routers may need to be upgraded to implement IP address- or packet-level blocking. Note that a top-of-the-line router from Cisco, appropriately configured, can carry out packet-level blocking at line speed, whereas some older style routers may need to be replaced or upgraded to meet the requirements of contemporary internetworking performance.
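The following is an added example, not code from the book and not any vendor's ACL syntax. It models the black-list lookup of a screening router as described above and makes points 1 and 2 visible: every virtual host that shares a blocked address disappears, and so do non-HTTP services on that address. The black list, the host table standing in for DNS, and the client address are all constructed for illustration (documentation prefixes only); the optional port-aware rule is the seldom-used refinement mentioned in point 2.

```python
"""Packet-level (IP address) blocking as an ACL on a screening router.

Constructed example: the black list, the name-to-address table and the
client address are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed black list: entries may be single hosts or whole prefixes.
BLACK_LIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]

# Constructed name-to-address table standing in for DNS. Two names are
# virtual hosts that share the blocked address 192.0.2.10.
HOSTS = {
    "offensive.example": "192.0.2.10",
    "innocent-vhost.example": "192.0.2.10",
    "other.example": "192.0.2.20",
}

CLIENT = "203.0.113.5"   # constructed subscriber address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


def matches_black_list(addr: str) -> bool:
    """Any hit in a deny list means drop; prefix length does not matter."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLACK_LIST)


def acl_decision(pkt: Packet, blocked_ports: Optional[Set[int]] = None) -> str:
    """Return 'drop' or 'forward' for one packet.

    The rule is applied to both directions: an outbound request carries the
    listed address as destination, an inbound reply carries it as source.
    Checking only inbound source addresses would let the request leave and
    merely lose the answer. `blocked_ports` turns the rule into the seldom
    used port-aware variant of point 2; None means every service is hit.
    """
    if matches_black_list(pkt.dst):
        server_port = pkt.dst_port          # request towards the listed host
    elif matches_black_list(pkt.src):
        server_port = pkt.src_port          # reply coming back from it
    else:
        return "forward"
    if blocked_ports is not None and server_port not in blocked_ports:
        return "forward"
    return "drop"


def round_trip(hostname: str, port: int = 80,
               blocked_ports: Optional[Set[int]] = None) -> Tuple[str, str]:
    """Decisions for the client's request to hostname:port and for the reply."""
    server = HOSTS[hostname]
    request = Packet(src=CLIENT, dst=server, src_port=51000, dst_port=port)
    reply = Packet(src=server, dst=CLIENT, src_port=port, dst_port=51000)
    return acl_decision(request, blocked_ports), acl_decision(reply, blocked_ports)


def collateral_hosts(hostname: str) -> List[str]:
    """Other names that become unreachable once hostname's address is listed
    (point 1: the block is per address, not per site)."""
    addr = HOSTS[hostname]
    return sorted(h for h, a in HOSTS.items() if a == addr and h != hostname)


if __name__ == "__main__":
    print(round_trip("offensive.example"))                 # ('drop', 'drop')
    print(round_trip("innocent-vhost.example"))            # ('drop', 'drop'), collateral
    print(round_trip("offensive.example", port=21))        # FTP blocked too: ('drop', 'drop')
    print(round_trip("offensive.example", 21, {80, 443}))  # port-aware: ('forward', 'forward')
    print(collateral_hosts("offensive.example"))           # ['innocent-vhost.example']
```

Running the module shows the two side effects directly: the innocent virtual host and the FTP service on the listed address are dropped along with the offending site, and only the port-aware variant of the rule, which the text notes is rarely deployed, lets FTP through.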

In either case, support for IP address- or packet-level blocking complicates the packet filtering rules that are implemented and enforced by a firewall. Finally, there are also some nontechnical issues to consider. For example, not all Internet traffic passes through a BSP. Many multinational organizations have TCP/IP networks (i.e., intranets) that use leased lines. The employees of these organizations would not be subject to IP address- or packet-level blocking as enforced by BSPs. Also, there are increased operational costs associated with the creation, maintenance, and distribution of black lists, as well as the configuration of the corresponding screening routers' ACLs. As of this writing, only a few statistics about these costs are available.

14.2.2    URL blocking

URL- or application-level blocking requires the existence of application-level gateways and HTTP proxy servers that examine resources or resource information to decide whether a specific request should be served. Consequently, ISPs prevent their clients from accessing the Internet directly for some application protocols, such as HTTP, by forcing them to access the Internet through a proxy server, which performs the blocking and may also store (or rather cache) frequently accessed material. This requires the user to configure his or her browser to use the ISP's proxy server (as discussed in Chapter 3); unless direct HTTP connections are blocked as well, a user who simply leaves the proxy unconfigured is not subject to the blocking at all. The proxy server can then compare requests from the browser with a supplied black list of Internet and Web sites.

As of this writing, URL- or application-level blocking is most commonly used in corporate intranets to control access to specific Web sites, such as www.playboy.com or www.penthouse.com. Only a few countries try to enforce URL- or application-level blocking technologies for their citizens.

Again, the discussion about the effectiveness of URL- or application-level blocking is controversial. Proponents of the technology claim that it is a possible way to effectively block illegal or offensive content on the WWW, whereas opponents refer to the following technical issues that collectively limit its effectiveness:

  • First, URL- or application-level blocking can be bypassed or circumvented in many ways.

    • For example, a user can access an Internet or Web site by specifying either its descriptive DNS name or its equivalent IP address. A black list that only checks DNS names can therefore be bypassed unless it also includes the equivalent IP address(es), which doubles (or multiplies) the size of the corresponding black list and has to be refreshed whenever the addresses change.

    • Similarly, it is possible to regularly change the IP address or DNS name of the computer system that hosts the Web server, or to run several Web servers on a specific computer system and change the port number periodically. All of these and similar changes cause a URL- or application-level blocking strategy to fail (since the URLs change). The changes can be made explicit and communicated to the users, or they can be made implicit by having corresponding URL translation services run on server machines. The latter approach is conceptually similar to the TAZ network introduced in Chapter 12 with regard to anonymous publishing on the WWW.

  • Second, push technologies bypass URL- or application-level blocking entirely, since content is delivered to users without specifically being requested. Note that a proxy server that implements URL- or application-level blocking generally filters requests for specific content. If the content is delivered without a corresponding request, it will not be blocked by the proxy server.

  • Third, the policy of forcing users to access the Internet through a single proxy server (that implements URL- or application-level blocking) reduces the reliability and performance of Internet connectivity, as it introduces a single point of failure and a bottleneck. There are also some application protocols that have problems working through a proxy server at all. For example, we saw in Chapter 3 that UDP-based application protocols are inherently difficult to handle with proxy servers (because they don't use connections in the first place).
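The following is an added example, not code from the book. It places a literal URL-prefix check, of the kind a black list distributed to proxies invites, beside a normalizing check, so that the bypasses listed under the first point (an address literal instead of the DNS name, a changed port, a second name for the same host) can be seen on concrete requests. Host names, addresses, the DNS table and the probe URLs are all constructed; the address list is derived from the name list when the module loads, which is the size doubling the text mentions.

```python
"""URL (application-level) blocking on a proxy server: naive and normalized.

Constructed example: the black list, the DNS table and the URLs are made
up for illustration.
"""
import ipaddress
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed black list as it might be distributed to proxies: URL prefixes.
BLACK_LIST_URLS = {"http://www.offensive.example/"}

# Constructed DNS table; a real proxy would resolve names at request time.
# mirror.* is a second name on the same host; moved.* is the site after it
# changed both name and address (the case no list can keep up with).
DNS: Dict[str, str] = {
    "www.offensive.example": "192.0.2.10",
    "mirror.offensive.example": "192.0.2.10",
    "other.example": "192.0.2.20",
    "moved.example": "192.0.2.30",
}


def naive_is_blocked(url: str) -> bool:
    """Literal prefix match: what a proxy does if it only compares strings."""
    return any(url.startswith(prefix) for prefix in BLACK_LIST_URLS)


def canonical_host(url: str) -> str:
    """Lower-cased host with the port and any trailing dot removed."""
    host = urlsplit(url).hostname or ""       # .hostname is already lower-case
    return host.rstrip(".")


def resolve(host: str) -> Optional[str]:
    """Address for a host: the literal itself, or a (constructed) DNS lookup."""
    try:
        return str(ipaddress.ip_address(host))  # accepts IPv4 and IPv6 literals
    except ValueError:
        return DNS.get(host)


def expand_to_addresses(prefixes: Set[str]) -> Set[str]:
    """Addresses the listed hosts currently resolve to (the list doubling)."""
    addrs = set()
    for prefix in prefixes:
        addr = resolve(canonical_host(prefix))
        if addr:
            addrs.add(addr)
    return addrs


BLOCKED_HOSTS = {canonical_host(p) for p in BLACK_LIST_URLS}
BLOCKED_ADDRS = expand_to_addresses(BLACK_LIST_URLS)


def normalized_is_blocked(url: str) -> bool:
    """Compare the host name and the address it maps to, ignoring port,
    case and trailing dot, so the listed bypasses no longer work."""
    host = canonical_host(url)
    return host in BLOCKED_HOSTS or resolve(host) in BLOCKED_ADDRS


if __name__ == "__main__":
    probes = [
        "http://www.offensive.example/index.html",
        "http://192.0.2.10/index.html",            # address literal
        "http://www.offensive.example:8080/",      # changed port
        "http://WWW.Offensive.Example./",          # case and trailing dot
        "http://mirror.offensive.example/",        # second name, same host
        "http://moved.example/",                   # new name and new address
    ]
    for url in probes:
        print(f"{url:45} naive={naive_is_blocked(url)!s:5} "
              f"normalized={normalized_is_blocked(url)}")
```

The naive check stops only the first probe; the normalized check stops the first five. The last probe, a site that has moved to a new name and a new address, gets past both, which is exactly the residual weakness the second sub-point describes: no amount of normalization helps once the list itself is stale.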

Similar to IP address- or packet-level blocking, URL- or application-level blocking generally complicates the configuration of firewalls and causes some additional costs. Many ISPs, Web site hosting organizations, and educational institutions (e.g., universities) do not employ proxy servers at all, and a requirement to do so may be a financial burden for some of them. In addition to the hardware costs, there are the ongoing costs of maintaining and administering the proxy servers, and supporting the clients that are forced to use them. Finally, there is the enormous and expensive task of creating, updating, and distributing the black lists. In addition, the following two nontechnical issues must also be considered with care:

  1. ISPs may be placed in a dilemma. Note that if an ISP is asked to adopt the role of a moral arbiter, it will be placed in a difficult position by its subscribers for either going too far or not going far enough.

  2. A black list is a valuable commodity in its own right, and black lists should be maintained in secure environments accordingly. Note that a black list is a valuable target for a hacker, and once uncovered it will be published on the Internet, thereby creating a "must see" list for curious users. This may have the negative side effect of publicizing the sites on black lists more widely than if the black lists did not exist at all.

An alternative to blocking content is deleting content. Blocking prevents an Internet or Web site from being accessed, whereas deletion refers to the physical removal of a resource after it has been published on the Web. The deletion of a resource (or a set of resources) can only be carried out by its (their) owner(s) or the corresponding Web site administrator(s) or law enforcement officers. Note, however, that after a resource has been deleted, it may still exist on the following locations:

  • Personal computers that have originally downloaded the resource and saved it;

  • Proxy servers that have served the download operation and have cached the corresponding resource;

  • Mirror sites that have downloaded the resource for further distribution.

In summary, both IP address- or packet-level blocking and URL- or application-level blocking are technically possible, but can easily be circumvented. Also, as mentioned above, mandating their use may turn black lists (either for IP addresses or URLs) into hot properties, with the net effect that the blacklisted Internet and Web sites may become more popular than if they had not been blacklisted at all. Note, however, that this is more a psychological problem than a technical one. Also note that the same argument can be used to argue against content rating and self-determination (and to promote law enforcement as the only practical solution).




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger