Good Morning, and Happy Tuesday! Welcome back to another weekly blog post!
Today, we will talk about internet filtering, or controlling access to sites and services on your network. There are many methods and types of filtering. Let’s list a few and we will go over them:
WHAT IS FILTERING: Internet filtering is the process of eliminating unwanted content while allowing the desired content to be accessed. Filtering ranges from small things, such as ad blocking, to as big as blocking access to entire sites and services.
METHODS OF FILTERING: There are a number of ways to implement filtering:
* BROWSER BASED: This type uses browser-based plugins to enable filtering. Ad blockers are the most common form of browser-based filtering apps. Their functionality is limited to the browser they are installed in.
* DEVICE BASED: This type runs on the device itself, and covers all apps & browsers on the device. This is limited to just that device. Many device security suites come with their own forms of filtering, used mostly to prevent malware infections. These work either at the network stack level, or create a local VPN connection in order to operate.
* NETWORK BASED: This type operates on the network, usually within a router or firewall, but can also be a separate appliance. This form of filtering affects ALL devices that are connected to the network. This exists on all routers as a form of parental controls, and in other projects such as Pi-Hole and AdGuard Home. This, however, is limited to the immediate network, and does not provide filtering to devices using an external connection, such as mobile data.
* VPN BASED: This form of filtering requires a device to connect to a specific VPN server in order for the filtering to work. With certain apps, this VPN connection can be made mandatory in order to use the device. This type of filtering, while limited to the device it is on, works on any connection, even mobile data. This type is prevalent in most higher end parental control and monitoring apps. This type can also be useful for ad blocking on the go.
TYPES OF FILTERING:
* AD BLOCKING: This is by far the number one form of filtering. The purpose here is to prevent internet ads and trackers from being accessed. This greatly enhances both privacy and device security.
* PARENTAL CONTROLS: This is used mostly by parents to control what their children can and cannot do online. Parents can use this to block or restrict access to certain sites and services, or sites and services based on certain topics or keywords.
* MONITORING APPS: A more enhanced form of parental controls. Grants parents the abilities mentioned in Parental Controls, plus the ability to monitor and record what their child is doing on their device. Most will send an alert to the parents if the child tries to access something they are not allowed to. Higher end versions also notify the parents if the child tries to bypass the restrictions.
WATCH OUT: Parental Controls and Monitoring Apps cannot prevent a child from circumventing the protection through other means, such as using a friend’s device or computer.
* CORPORATE FIREWALL: This is normally used at a business level, and usually as a form of added security as well as to increase productivity.
FILTERING CATEGORIES: Now, let’s go over the common categories that undergo the most filtering:
* ADVERTISING/TRACKING: Inarguably, this is the number one thing that gets filtered out, usually through the use of browser-based ad blocker plugins.
* ADULT CONTENT: Pretty self explanatory.
* ALCOHOL/TOBACCO: Sites about drinking and smoking. Cessation assistance and addiction support programs, such as AA, are often excluded.
* CIRCUMVENTION/PROXY/VPN: Sites that allow users to evade filtering.
* DRUGS: Sites about illegal drugs. Sites regarding legal medications, as well as addiction recovery programs are often excluded.
* FIREARMS: Sites about guns and weapons.
* GAMBLING: Sites about casinos, online gambling, and lottery programs. Gambling addiction programs are often excluded.
* HACKING/CRACKING: Sites that talk about hacking or cracking into sites, services, etc. See ILLEGAL ACTIVITIES.
* HATE: Sites that promote hatred towards certain groups or minorities.
* ILLEGAL ACTIVITIES: Pretty self explanatory as well. Sites that talk about committing crimes or deal in stolen goods.
* NSFW: Short for “Not Safe For Work”. Sites here are usually similar to ADULT WEBSITES, but may contain other, non-pornographic content.
* PIRACY: Sites that promote and condone copyright infringement, theft of Intellectual Property (IP) or services. Torrent and illegal streaming sites fall in this category.
* SOCIAL MEDIA: Sites that allow people to communicate with one another, such as Facebook, TikTok, etc. This also includes messaging apps and platforms.
* VIOLENCE: Sites that promote acts of violence.
* WAREZ: See PIRACY.
While we’re here, let’s list a few more categories that aren’t filtered as often, but are still included:
* FILE SHARING: See PIRACY – Often blocked to decrease bandwidth usage.
* GAMING: Sites and services devoted to gaming, both online and offline (NOT related to gambling)
* LGBTQ+: Sites regarding the LGBTQ+ community, including outreach programs.
* MAGAZINES: Sites dedicated to magazines, including sites with lingerie catalogs. Such publications also fall under adult content.
* NEWS: Online news sites, such as MSN, CNN, NBC, ABC, etc.
* ONLINE SHOPPING/ECOMMERCE: Sites that are used for buying things online.
* POLITICS: Sites that talk about political issues in the world. Often includes sites about voting, and political parties.
* RELIGION: Sites regarding church and other religious materials. Includes online versions of the Bible.
* SOFTWARE DOWNLOADS: Sites that allow users to download various programs. Blocked to enhance security and decrease bandwidth usage.
* SPORTS: Sites that discuss various sports and sporting events.
* STREAMING: Streaming sites such as Netflix, etc – Often blocked to decrease bandwidth usage. Includes online radio sites such as Spotify, etc.
FORCING SAFE VERSIONS OF SITES: Most internet filters also offer a way to redirect users to safer versions of websites. For example, Google has a SafeSearch feature that can be made mandatory through internet filtering. This prevents “NSFW” sites from appearing in search results. YouTube also has a safe version that prevents “NSFW” videos from appearing in searches. Users are also unable to directly access an unsafe video, even with the link. This can be enforced through browser policy or on the network as a whole.
CIRCUMVENTION METHODS: As you are determined to control the use of your internet connection, you will often encounter some savvy users who find ways to skirt around your filters, gaining unfettered access to otherwise blocked sites and services.
Here are a few ways that this can happen:
* ALTERNATE BROWSER: If your method of filtering is using a simple browser plugin, a user can get around this by simply installing and using a different browser. While you can block the installation of additional browsers, this does not stop someone from obtaining a portable version of a browser, which requires no installation. One way to stop this is to switch to external filtering software, which often will enforce the plugin across all browsers. The plugin can be made mandatory (i.e., unable to be disabled or removed).
* ALTERNATE DNS: If you’re using DNS based blocking, a user can simply change the DNS server they are using to a public one, such as Google or Cloudflare. Web browsers also support an encrypted version of DNS, called DNS-over-HTTPS (DoH) that sends DNS requests through a normal HTTPS connection, same as a connection to a normal website. This can be prevented in many ways:
* Redirecting DNS: This involves having a firewall redirect UDP port 53 to your chosen DNS servers. Many firewalls will do this to enforce filtering.
WATCH OUT: In many cases, if you redirect to a server that is on the same network as the client, this may break DNS: the reply comes back from the server’s own address rather than the address the client actually queried, so the client discards it. Firewalls that do this to enforce filtering will often spoof the IP address in the reply to prevent this failure.
* Blocking outside DNS: This involves blocking access to outside DNS servers, usually by blocking port 53, and port 853 for DNS-over-TLS (DoT). For DoH, you will need to block each IP and host name. Fortunately, many corporate firewalls already handle this through pre-defined settings.
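As an added example (not from the original post), here is what the “redirect port 53” and “block outside DNS” steps above look like as an nftables ruleset. The LAN interface name lan0, the filtering resolver at 192.168.1.2 and the two DoH addresses are assumptions for the example; the masquerade chain is the fix for the same-network WATCH OUT.

```nft
# Added example: nftables ruleset for the DNS controls described above.
# Assumptions: LAN interface "lan0", filtering resolver at 192.168.1.2 (both hypothetical).
table inet dnsfilter {
    # Known DoH endpoints to block on 443. Populate this from your firewall
    # vendor's list; the two entries are the public resolvers named in the post.
    set doh_servers {
        type ipv4_addr
        elements = { 1.1.1.1, 8.8.8.8 }
    }

    # 1. Redirecting DNS: send every client's port-53 query to the filtering
    #    resolver, except traffic from the resolver itself (it needs upstream).
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "lan0" ip saddr != 192.168.1.2 udp dport 53 dnat to 192.168.1.2
        iifname "lan0" ip saddr != 192.168.1.2 tcp dport 53 dnat to 192.168.1.2
    }

    # WATCH OUT fix: the resolver sits on the same LAN as the clients, so its
    # reply would otherwise come straight back from 192.168.1.2 and the client
    # would discard it (it asked a different address). Masquerading the
    # redirected query forces the reply back through the firewall, which
    # rewrites the source address to the one the client expects.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip daddr 192.168.1.2 udp dport 53 masquerade
        ip daddr 192.168.1.2 tcp dport 53 masquerade
    }

    # 2. Blocking outside DNS: DoT on 853, and DoH to the listed resolvers.
    #    TCP gets a reset so clients fail fast instead of hanging on retries.
    chain forward {
        type filter hook forward priority filter; policy accept;
        tcp dport 853 reject with tcp reset
        udp dport 853 drop
        ip daddr @doh_servers tcp dport 443 reject with tcp reset
    }
}
```

Load it with `nft -f` and confirm with `nft list table inet dnsfilter`; the resolver itself must be able to reach its upstream servers on plain port 53 for this to work.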
* PROXY SERVERS: This allows a user to forward traffic from their browser through another server before getting to the internet. This renders most forms of filtering ineffective as the filters will not see any requests from that device. Browser plugins exist to allow a user to set up a proxy server within the browser. These can be tricky to block, but a good firewall with Deep Packet Inspection (DPI) can prevent proxy connections.
* PROXY SITES: These are websites that, while they may appear innocent, are running a web-based proxy browser that allows unrestricted access to otherwise filtered sites. These are most commonly used by students in schools to get around filtering. Sometimes, these proxies are very well hidden on the site, to prevent filtering services from catching on to them. The majority of filtering services already block these, but new ones always appear, as well as existing ones on new domains. Best way to spot this is through logging website access. Such a site will often stand out by how many times it was accessed. For example, it may seem very odd that someone is spending all day on a site about floor tiles.
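The “spot it in the logs” advice above, as an added example that is not from the original post: this script counts per-user hits per domain and flags a domain one user hits far more than their own typical volume, the floor-tiles pattern. The log format, user names and domains are constructed for the example.

```python
"""Added example (not from the original post): flag a suspected web proxy site
from access logs by the unusual number of hits one user sends to one domain.
Log format, user names and domains are constructed for this example."""
from collections import Counter, defaultdict
from statistics import median


def parse_line(line):
    """Parse one constructed log line: 'timestamp user domain path status'."""
    ts, user, domain, path, status = line.split()
    return {"ts": ts, "user": user, "domain": domain, "path": path, "status": int(status)}


def suspect_domains(lines, min_hits=50, ratio=10.0):
    """Return {(user, domain): hits} for domains a user hits at least min_hits
    times AND at least `ratio` times that user's median per-domain hit count.
    Comparing against the user's own median keeps heavy-but-normal users
    from being flagged just for browsing a lot."""
    hits = defaultdict(Counter)  # user -> Counter(domain -> hit count)
    for line in lines:
        rec = parse_line(line)
        hits[rec["user"]][rec["domain"]] += 1
    flagged = {}
    for user, counter in hits.items():
        typical = median(counter.values())
        for domain, n in counter.items():
            if n >= min_hits and n >= ratio * typical:
                flagged[(user, domain)] = n
    return flagged


def build_sample_log():
    """Constructed sample: asmith browses a few sites normally; jdoe reads a
    little news and mail but sends hundreds of requests to one innocuous
    looking 'floor tiles' domain, the tell described in the post."""
    lines = []
    for i in range(12):
        lines.append(f"2024-05-07T09:{i:02d}:00 asmith news.example /story{i} 200")
    for i in range(8):
        lines.append(f"2024-05-07T09:{i:02d}:30 asmith intranet.example /wiki{i} 200")
    for i in range(9):
        lines.append(f"2024-05-07T10:{i:02d}:00 jdoe intranet.example /mail 200")
    for i in range(5):
        lines.append(f"2024-05-07T10:{i:02d}:20 jdoe news.example /front 200")
    for i in range(3):
        lines.append(f"2024-05-07T10:{i:02d}:40 jdoe weather.example /today 200")
    for i in range(300):
        hour, minute = 9 + i // 60, i % 60
        lines.append(f"2024-05-07T{hour:02d}:{minute:02d}:15 jdoe floortiles.example /browse.php?p={i} 200")
    return lines


if __name__ == "__main__":
    for (user, domain), n in suspect_domains(build_sample_log()).items():
        print(f"SUSPECT: {user} hit {domain} {n} times")
```

On real logs, run this over a day's worth of lines and review the flagged domains by hand; a high count is a lead, not proof.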
* VPN TUNNELING: Same as a PROXY SERVER, but requires less configuration. This often requires admin privileges to install, so not allowing users to have admin rights on their workstation can prevent this. Browser plugins do exist for this as well, but web filtering can prevent them from working.
* SSH TUNNELING: Unlike VPN, an SSH client requires no admin rights to set up, and can be run in a portable manner. SSH clients can be used to create a local SOCKS proxy, allowing unfettered access to the internet. While blocking port 22 can solve this, it’s common to reconfigure SSH onto a port other than 22. In many cases, if the intent is for tunneling, port 443 is often used to mix it in with normal web traffic, but a good firewall with DPI can distinguish the difference between an HTTPS connection header and an SSH connection header, thus preventing this method from working. Preventing USB access can also prevent this from being brought in on flash drives.
* TETHERING/HOTSPOT: Another less common, but still viable way to avoid filtering is to go off the network altogether. This involves either connecting a mobile device to the PC via a USB cable and enabling tethering, OR using the mobile hotspot feature. Here you may consider disabling USB port access, as well as locking down the wireless settings (Or remove wireless capability if it is not used)
ALL ABOUT DPI: DPI, or Deep Packet Inspection, is another weapon in your arsenal. High end firewall appliances will have the ability to perform DPI on any and all connections in and out of your network. DPI is used to inspect every single bit of data in a connection, including headers. In most cases, DPI can stop almost all circumvention methods dead in their tracks by preventing the connection from being completed. This can be done in two ways:
* DROP: The firewall simply drops the request packets as they come in. While this is simplistic, it is also resource intensive on both the firewall and the client: the client has no way of knowing that the connection will never complete, so it keeps retrying and leaves a pile of half-open connections behind.
* DROP AND RESET: Here, the firewall not only drops the request packets, but also sends a RST packet to the client, which the client reports as CONNECTION REFUSED. This causes the client to immediately abort the connection. This is the best option to use as it does not consume loads of resources.
WATCH OUT: Running DPI is very resource intensive. You will end up sacrificing some network performance in the name of strict filtering enforcement. A good firewall appliance will have enough overhead to perform this task.
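The “HTTPS header vs SSH header” check from the SSH TUNNELING bullet and the DROP AND RESET decision above, as an added example that is not from the original post: a first-bytes classifier of the kind a DPI engine applies to a port-443 flow, plus the resulting verdict. The sample byte strings are constructed; a real engine inspects far more than the first segment.

```python
"""Added example (not from the original post): tell a real TLS ClientHello on
port 443 apart from an SSH banner or a plain-HTTP proxy request, the way a DPI
engine does, and pick DROP AND RESET for anything that does not belong."""

HTTP_METHODS = (b"GET ", b"POST ", b"CONNECT ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_segment(data: bytes) -> str:
    """Classify the first client-to-server bytes of a connection.
    Returns 'tls', 'ssh', 'http' or 'unknown'."""
    # TLS record header: type 0x16 (handshake), 2-byte version, 2-byte length,
    # then the handshake message type, 0x01 for ClientHello. TLS 1.3 still
    # sends a legacy record version of 0x0301 or 0x0303 in this position.
    if len(data) >= 6 and data[0] == 0x16:
        version = int.from_bytes(data[1:3], "big")
        if 0x0300 <= version <= 0x0304 and data[5] == 0x01:
            return "tls"
    # SSH: the client announces itself with an identification string
    # (RFC 4253 section 4.2), which is plain text, not a TLS record.
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # Plain HTTP on 443 (including CONNECT) means a proxy, not a web site.
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def policy_for(port: int, data: bytes) -> str:
    """Firewall verdict for one flow: 'allow' only when the protocol matches
    what the port is for, otherwise 'drop-and-reset' so the client aborts at
    once instead of retrying a silently dropped connection. Whether SSH on
    port 22 is allowed at all is a site policy choice; here it is allowed."""
    proto = classify_first_segment(data)
    if port == 443 and proto == "tls":
        return "allow"
    if port == 22 and proto == "ssh":
        return "allow"
    return "drop-and-reset"


# Constructed sample first segments; the TLS one is a minimal record header
# followed by a ClientHello handshake type byte, not a full handshake.
SAMPLES = {
    "tls-on-443": (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "ssh-on-443": (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "proxy-connect-on-443": (443, b"CONNECT blocked.example:443 HTTP/1.1\r\n"),
    "ssh-on-22": (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "garbage-on-443": (443, b"\x00\x01"),
}


def audit_samples() -> dict:
    """Return {sample name: verdict} for every constructed sample."""
    return {name: policy_for(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:22s} -> {verdict}")
```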
REASONS TO FILTER: There are a number of reasons that someone may want to filter or modify access to the internet:
* PRIVACY AND SECURITY: This is one of the biggest reasons to filter. Ad blocking is the #1 form of it. Blocking ads and trackers can sharply enhance online privacy and device security.
* PERFORMANCE: Just like Privacy & Security, Performance is another reason to filter. By straining out the crud (Ads, trackers, etc), the result is a cleaner, much faster connection to the internet.
* COMPLIANCE: Filtering may be enacted for regulation compliance. For example, schools that receive any federal funding must enact web filtering on their networks. This is also true for HIPAA and PCI compliance.
* PRODUCTIVITY: Filtering can also enhance productivity by reducing access to distractions.
* BELIEFS: Some people also like to use filtering based on their beliefs, either religious or political. Religion-based filtering would block access to sites and services that do not align with one’s religious beliefs, and Political-based filtering would block access to sites and services that do not align with one’s political beliefs.
* SAFETY: Filtering is often used to block access to dangerous and harmful resources. This is especially true when children are given access to the internet.
* LEGAL REASONS: Filtering is also used for reasons of law. This is done in many countries outside of the US, for reasons ranging from copyright infringement (See PIRACY) all the way to religious and political matters. Fortunately, in the US, The 1st Amendment of the Constitution prevents such a system from being enacted. (This does NOT stop private filtering however!)
BLACKLIST VS WHITELIST: There are two methods of filter implementation: blacklisting and whitelisting. The most common method of filtering is blacklisting.
BLACKLIST: This method blocks access to a pre-determined list of sites and services, while allowing access to all others. This is the most common method and requires little maintenance as most blacklists are automatically updated. (You’ll need to keep an eye on any blocks you created.)
WHITELIST: This is the polar opposite of a blacklist. This only allows access to a pre-determined list of sites and services, while blocking access to everything else. This is useful in situations where a system only does one or two things, such as a Kiosk, or on a device used by a child.
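Both modes side by side, as an added example that is not from the original post: a small domain filter that runs as a blacklist or a whitelist, matches a listed domain together with all of its subdomains on a label boundary (so “notads.example” does not match an entry for “ads.example”), and supports the “often excluded” exceptions mentioned under ALCOHOL/TOBACCO and DRUGS. The list entries and hostnames are constructed.

```python
"""Added example (not from the original post): a domain filter in blacklist
mode (block listed, allow the rest) or whitelist mode (allow listed, block
the rest), with carve-out exceptions. All lists and hostnames are constructed."""


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' equals 'www.example.com'."""
    return host.strip().lower().rstrip(".")


def matches(host: str, entry: str) -> bool:
    """True if host is entry or a subdomain of it. A plain substring or
    endswith() test would wrongly match 'notads.example' against 'ads.example',
    so the comparison is anchored at a label boundary ('.')."""
    host, entry = normalize(host), normalize(entry)
    return host == entry or host.endswith("." + entry)


class DomainFilter:
    def __init__(self, mode: str, entries, exceptions=()):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.entries = [normalize(e) for e in entries]
        # Exceptions carve holes in the list: in a blacklist they re-allow a
        # host (e.g. an addiction support site under a blocked category); in a
        # whitelist they re-block a host under an otherwise allowed domain.
        self.exceptions = [normalize(e) for e in exceptions]

    def listed(self, host: str) -> bool:
        if any(matches(host, e) for e in self.exceptions):
            return False
        return any(matches(host, e) for e in self.entries)

    def allows(self, host: str) -> bool:
        """Blacklist: allow unless listed. Whitelist: allow only if listed."""
        hit = self.listed(host)
        return not hit if self.mode == "blacklist" else hit


# Constructed policies: a home network blacklist with a support-site carve-out,
# and a kiosk whitelist that only reaches the intranet and a vendor update host.
HOME = DomainFilter(
    "blacklist",
    ["ads.example", "tracker.example", "alcohol.example"],
    exceptions=["support.alcohol.example"],
)
KIOSK = DomainFilter("whitelist", ["intranet.example", "updates.vendor.example"])

if __name__ == "__main__":
    for host in ["news.example", "cdn.ads.example", "notads.example",
                 "shop.alcohol.example", "support.alcohol.example"]:
        print(f"HOME  {host:26s} -> {'allow' if HOME.allows(host) else 'block'}")
    for host in ["intranet.example", "updates.vendor.example", "news.example"]:
        print(f"KIOSK {host:26s} -> {'allow' if KIOSK.allows(host) else 'block'}")
```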
INTERNET VS INTRANET: The internet is a worldwide interconnected network of computers and devices that share data between one another. An Intranet is an internal network of computers and devices that only has access to resources within itself. Often, an Intranet has no access in from the outside, and limited or no access to outside resources. This topic will be covered in another blog post down the road.
THE DOWNSIDES OF FILTERING: Just like it has its pros, internet filtering also has its cons:
* FRIENDLY FIRE: This is one of the most common mishaps of internet filtering: The unintended blocking of sites and services that are necessary for access, or are not meant to be categorized as the filter has indicated it to be. False positives and overzealous blocking can interfere with access to legitimate resources. In rare cases, this can also interfere with updates for security software, or even operating systems! Friendly fire incidents are way more common on overfiltered networks.
* AD BLOCKER WARNINGS: Sites that have ad block detection may throw up warnings due to filtering. In most cases, however, this is usually patched around by ad blocker maintainers.
* MOBILE GAMES MAY NOT WORK RIGHT: Most mobile games rely on ads to keep them free, and even reward the player for watching ad videos. Ad filtering can prevent these rewards from being given. (If you don’t care about this, then it really isn’t a problem.)
* THERE IS SUCH A THING AS TOO MUCH FILTERING: While keeping your network clean is a good thing, having too much filtering is just as bad, if not worse than having too little, or even none. Too much filtering can severely cripple your network. In a business setting, this can cause a steep drop in morale. A little casual browsing is good for morale as it can prevent burnout. (Just make sure your employees remain as productive as possible without driving them into burnout!). Too much filtering can also drive someone to seek out and implement circumvention measures.
* ENDLESS CHORE: While filtering can require little maintenance, it does require lots of upkeep. While most will update their own lists automatically, you will still need to keep up with anything that either needs to be blocked but isn’t, or something that is blocked but should not be. Depending on how many users your network has, you’ll likely get an endless deluge of complaints, mostly about things being blocked, but you’ll also hear the occasional complaint about an unblocked site. Internet filtering is not exactly a set-it-and-forget-it thing. Keep that in mind! Again, if you’re one of those who overfilters, you’re going to be dealing with the fallout. Trust me.
* YOU WILL END UP IN A GEEK WAR: Overfiltering can lead to those with technical knowledge finding, or even inventing ways to get around your defenses. You can stop them, but they will always find a way to break out of the cage. Trust me, the last thing you want to do is annoy your local techies with too much network control. (In fact, it may benefit you to enlist their assistance with achieving a perfect balance!)
WHY FILTER: Filtering your internet connectivity has many positives, if done right, but what if... you decide not to filter anything? Let’s find out! (NOTE: Most home internet connections lack filtering anyway unless you enable or set up some form of it.)
* INCREASED SECURITY RISKS: Let’s face it. Cybercriminals are everywhere. One big place they like to hide is in advertisements. Malicious Advertising, or Malvertising, is where a spiked ad banner quietly downloads malware to your device, or even redirects you to one of those tech support scam pages. A simple ad blocker will suffice.
* ACCESS TO DANGEROUS SITES: With no filtering, an unwitting user could accidentally stumble onto a dangerous website, exposing your network to malware, ransomware, and even intrusions. This is a serious security risk, and depending on your operation, could be a violation of certain policies and guidelines.
* ACCESS TO UNWANTED CONTENT: With no filtering, your child could somehow manage to access an adult website just by hitting random buttons on your device, or worse, happen onto a fake website of dangerous content.
* CRIPPLED INTERNET: Just like too much filtering, no filtering can also cripple your connection to the world, especially if a bunch of your users are streaming music, videos, etc or are on social media. This much can slow down a connection in short order, putting a darn near stop to your productivity.
* ACCESS TO ILLEGAL CONTENT: With no filtering, users can gain access to illegal content, such as illegal streaming sites, piracy sites, or even worse. Last thing you want is a copyright notice from your ISP, or feds busting down your door.
* REDUCED PRIVACY: Without filtering, your privacy online is severely compromised. This is due to ads and trackers.
* DO YOU WANT CONTENT WITH YOUR ADS?: Access to sites can become painfully slow due to all the ad and tracker scripts, banners, etc that are loaded and running. It can make even the best fiber connection feel like you’re surfing on AOL in the 1990s, and good luck even trying to read your chosen content through the endless pile of cyber billboards, that is, if you’re lucky NOT to get an infected ad that does other screwy stuff! (Trust me. Load a page without an ad blocker, get an ad blocker, then reload that page. See how much faster and cleaner it is! Once you block ads, you’ll never go back to the old way! Read that blog post sometime.)
If you do take on the decision to filter your internet access, be sure you do it properly. Don’t go overboard, and don’t cheap out.