Web Filtering and
Deep Packet Inspection
Artyom Churilin
Tallinn University of Technology 2011
Web filtering & DPI
• Web filtering (content control) is a way to control
what content is permitted to a user.
• Deep Packet Inspection (DPI) is a form of
computer network packet filtering that examines
the data part (and possibly also the header) of a
packet as it passes an inspection point, searching
for protocol non-compliance, viruses, spam,
intrusions or predefined criteria to decide if the
packet can pass or if it needs to be routed to a
different destination, or for the purpose of
collecting statistical information.
Web filtering types
• Client-side filters (Cyber-Nanny)
• Content-limited or filtered ISPs
• Server-side filters, proxies (Squid), traffic
shapers
• Specialized hardware/software (commercial
off the shelf solutions)
Specialized systems:
• Websense
• McAfee Smart Filter
• Netsweeper
Web filtering techniques
• IP
• URL
• Keyword
• File type
• Database (site categorization)
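The five techniques above, applied in order by a proxy-style filter, as an added example that is not part of the original slides. The policy values, the function name check_request and the sample hosts are constructed assumptions, and the filter is assumed to see the full URL (plain HTTP or an intercepting proxy).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy (illustrative assumptions, not from the slides).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_URL_PREFIXES = ["example.org/games/"]
BLOCKED_KEYWORDS = ["casino"]
BLOCKED_EXTENSIONS = {".exe", ".torrent"}
CATEGORY_DB = {"social.example": "social-networking", "news.example": "news"}
BLOCKED_CATEGORIES = {"social-networking"}


def check_request(dest_ip, url, body_text=""):
    """Return (verdict, technique) for one request seen by the filter."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # 1. IP: coarse, blocks every site hosted on a listed address.
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in BLOCKED_NETS):
        return ("block", "ip")
    # 2. URL: host plus path prefix, so one section of a site can be blocked.
    target = host + path
    if any(target.startswith(p) for p in BLOCKED_URL_PREFIXES):
        return ("block", "url")
    # 3. Keyword: substring match in the URL or the content.
    #    Prone to overblocking: a news story about casinos is caught too.
    haystack = (url + " " + body_text).lower()
    if any(k in haystack for k in BLOCKED_KEYWORDS):
        return ("block", "keyword")
    # 4. File type: judged here by the extension of the last path segment.
    last = path.rsplit("/", 1)[-1].lower()
    if "." in last and "." + last.rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS:
        return ("block", "file type")
    # 5. Database: look up the host, then its parent domains, for a category.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat in BLOCKED_CATEGORIES:
            return ("block", "category:" + cat)
    return ("allow", None)
```

The returned technique name shows which rule fired, which is what an administrator needs when reviewing false positives such as the keyword case.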
Websense categories
McAfee SmartFilter Categories
Web filtering use
• Parental control (block adult content from
minors)
• Content control (e.g. ISPs blocking child abuse content)
• Corporate environment, public libraries
• Commercial solutions
Deep Packet Inspection
DPI
• DPI has the functionality of an Intrusion Detection
System (IDS), an Intrusion Prevention System
(IPS) and a stateful firewall
• Advanced defense from threats
• More effective than IDS, IPS and FW
• Policies on many OSI layers (3-7)
Symantec describes DPI
• Deep Packet Inspection promises to enhance
firewall capabilities by adding the ability to
analyze and filter SOAP and other XML messages,
dynamically open and close ports for VoIP
application traffic, perform in-line AV and spam
screening, dynamically proxy IM traffic, eliminate
the bevy of attacks against NetBIOS-based
services, traffic-shape or do away with the many
flavors of P2P traffic (recently shown to account
for ~35% of internet traffic), and perform SSL
session inspection
Use of DPI
• Network management
• Network security
• “Lawful intercept”
• Statistical data for network planning
Misuse of DPI
• Commercial
• Propaganda
• Governments (Censorship)
• Communist regimes (Censorship,
disinformation)
• Autocratic regimes (Censorship,
disinformation)
• Finding political dissidents
JUNE 22, 2009 Wall Street Journal Online:
Iran's Web Spying Aided By Western Technology
• Nokia Siemens
• The monitoring center that Nokia Siemens Networks
sold to Iran was described in a company brochure as
allowing "the monitoring and interception of all types
of voice and data communication on all networks."
NOVEMBER 15, 2010 FORBES.COM:
Nokia Siemens Denies Lingering Ties To Iran
Surveillance
FEBRUARY 11, 2010 BBC:
MEPs condemn Nokia Siemens 'surveillance tech' in Iran
Google says its Gmail traffic has dropped sharply in Iran
Nokia Siemens told BBC News that it had provided
"very basic surveillance" capabilities to Iran Telecom
in 2008. The product is called Monitoring Centre and can
be used to monitor local telephone calls.
OpenNet initiative
• The OpenNet Initiative has documented
network filtering of the Internet by national
governments in over forty countries
worldwide.
• Filtering is particularly appealing to
governments as it allows them to control
content not published within their national
borders.
Pros of DPI
• Deep Packet Inspection is a promising
technology in that it may help to solve
security and many other problems.
Cons of DPI
• DPI adds complexity to an already complicated
solution - firewalls, IDSs, session border
controllers, and honeypots/nets etc…
• DPI is a powerful technology and is currently
insufficiently regulated by law. If used unethically
and illegally, it can bring awful
consequences.
https://www.accessnow.org/page/s/notonokia
Treedriver.com
• In Iran, you could not access Postimees, BBC,
CNN or Facebook, only SL Õhtuleht