GaETC 2007: The Inexact Science of Internet Filtering for the K-12 Environment
11/14/07
Jason Kau
Georgia Tech Research Institute (GTRI)
Georgia Tech Information Security Center (GTISC)
[email protected]
404-407-8806

About Me
• specialize in applied network security, design, implementation, benchmarking, product evaluation
• current/recent projects:
  - [CISAnet] primary network and security engineer for the Criminal Information Sharing Alliance Network (CISAnet), a private network connecting ten state police agencies, the Drug Enforcement Agency’s El Paso Intelligence Center (EPIC) and the Regional Sharing Information Systems Network (RISSnet)
  - [Jasper] consulting to Jasper County School District in Monticello, GA
  - [LETPP] security analysis and scanning of the GA Dept of Homeland Security Interoperable Communications network
  - [PERPOS] information assurance and security analysis for the National Archives’ Presidential Electronic Records Pilot Online System (PERPOS)
  - [F3] member of GTRI Foundations for the Future (F3)

F3: Foundations for the Future
http://www.f3program.org
“a collaboration of Georgia Tech researchers working with government and industry support to ensure universal K-12 technology access and effective use in Georgia…”
“focus of F3 is to help accelerate the application of telecommunications technology for interconnecting K12 schools for collaborative learning, remote access to educational facilities, and Internet-based resources…”
“the mission is to leverage existing investments and expertise to promote powerful, effective, and feasible alternatives that improve educational practice in Georgia through the innovation applications in technology…”

F3: Foundations for the Future
F3 has been active in 80 county and city school systems in the areas of:
• technical assistance
• professional development workshops
• proposal writing assistance
• technology demonstrations
• conference sponsorship and planning

Thanks
• Morad El-Jourbagy, Technology Coordinator at Jasper County Schools, for allowing me to use Jasper County as a testbed for ideas and technology.
• Claudia Huff, Georgia Tech Research Institute, for the funding to work on this talk and guidance on all things K12.
• Bob Meecham, Rudy Hickman, John Miller, Sheila Cross (AT&T) and Charlie Jackson (GaDOE) for answering questions on the AT&T-GaDOE Crossbeam Firewall & Filtering Solution

So what is the purpose of this session?
• Part 1: Discuss Internet threats to the K12 environment, why you should care how well they are blocked as a teacher, parent, or administrator, and how students are bypassing filters to expose themselves to threats.
• Part 2: Discuss commercial and open source Internet content control/filtering solutions/technologies and present an analysis of their (in)abilities, including the AT&T-GaDOE solution.
• Part 3: Suggest implementation strategies on how to best use these solutions/technologies to protect the K12 environment, including Jasper County School District as a case study.
• Part 4: Live Demonstration Circumventing the GICC Firewall and GaDOE Filtering Solution

Part 1: The Threats

Internet Threats to the K12 Student
• pornography (accidental access, intentional access)
• sexual activity (grooming by predators, hook-ups, harassment, discussing sexual exploits)
• cyberbullying (flaming, harassment, denigration, impersonation, outing, exclusion, cyberstalking)
• unsafe/dangerous online communities
• online gaming, online gambling
• viruses/worms/trojans, spam, malware (fraud/identity theft/scams, unsafe personal/financial disclosure)
• hacking, plagiarism, p2p (copyright violation/illegal downloads)
• information literacy, inability to focus/wasting time

Internet Threats to the K12 Adult
• pornography (accidental access, intentional access)
• sexual activity (grooming by predators, hook-ups, harassment, discussing sexual exploits)
• cyberbullying (flaming, harassment, denigration, impersonation, outing, exclusion, cyberstalking)
• unsafe/dangerous online communities
• online gaming, online gambling
• viruses/worms/trojans, spam, spyware (fraud/identity theft/scams, unsafe personal/financial disclosure)
• hacking, plagiarism, p2p (copyright violation/illegal downloads)
• information literacy, inability to focus/wasting time

Emerging Threats
• Internet-enabled devices that bypass the school network and use Mobile Broadband/3G/4G (smishing, SMS spam, mobile viruses, worms)
• targeted scams (trojans combined with social engineering)
• students leverage anti-censorship software designed to bypass State firewalls, e.g. Psiphon
• social/email networks for propagation of circumvention/proxy sites, tools, methods, etc.
• new virus/malware distribution methods like serial variant attacks and short-span attacks
• increasing number of high-bandwidth home broadband connections including larger upstreams: potential for stronger DDoS attacks and faster proxies for students
• applications that have sophisticated firewall bypassing capabilities
• steganography-based systems

Scale and Scope of the Threat
• 500,000 - 700,000 websites serving drive-by malware (Google, 2007)
• 5% of heavily trafficked websites host malware or adware (Gartner Group, 2007)
• 260 new pornography websites go online each day (Good Magazine, 2007)
• 33% of teenagers (ages 12-17) who use the Internet and 43% of teenagers who use social networking sites reported having been contacted by online strangers (Pew Internet and American Life Project, 2007)
• 95% of all email is now spam and 8% includes malicious URLs (CommTouch, 2007)

Why Should You Care About How Well These Threats Are Blocked?
As a parent: Duh! We want to raise happy and healthy kids.
As a teacher: Duh! We want happy, healthy, and safe classrooms. You may be liable, responsible, or scape-goated for dangerous content children access in your classroom. Your productivity may be hurt as your PC is taken away to be “sanitized”.
As an administrator: Duh! We want happy, healthy, and safe schools and school systems. Your school system’s reputation, its ability to operate as a business, and teacher/student/staff productivity may be harmed.

Why You Should Care: State of Connecticut v. Julie Amero
• Oct 19 2004: Middle-school substitute teacher Julie Amero used a computer during class that had been used by students earlier; the computer started showing pornographic images.
• Jan 5 2007: Julie Amero was convicted in Norwich Superior Court on four counts of risk of injury to a minor or impairing the morals of a child, carrying a maximum prison sentence of 40 years; the sentencing hearing was repeatedly delayed.
• Jun 6 2007: A New London Superior Court judge threw out the conviction and she was granted a new trial; unclear if the State’s Attorney will pursue.
  - Cause: Symantec WebNOT filter was not licensed for updates

Techniques Kids are Using to Bypass Filters
• web-based circumvention proxies (some of which install malware), e.g. CGIProxy, PHPproxy
• censorship circumvention systems, e.g. Psiphon, Infranet
• live CDs/USB thumb drives to boot an operating system free of filtering software or other restrictions
• SSH port forwarding, tunneling/proxy software
• cached results from search engines, web syndication services; web translation services
• killing the filtering software processes

Part 2: The Filters

Firewall vs. Filter
Firewall
Traditionally, a firewall provides network access control, i.e. which users (“who”) are allowed to access which resources (“what”).
• Newer “deep packet/application inspection” firewalls “enumerate badness”, i.e. user A is allowed to access resource B as long as user A is not doing “something bad” to resource B. “Something bad” is usually detected via updatable signatures/capabilities.
• Newer “deep packet/application inspection” firewalls also increasingly “enumerate goodness”, i.e. user A is allowed to access resource B as long as what user A does to resource B is “according to protocol standards, allowed protocol methods, or allowed application functionality”. Awareness of protocol methods, standards and functionality is usually updatable.

Firewall vs. Filter
Filter
A filter is a specialized product that provides fine-grained content control over specific network applications.
A firewall has granted network access to a resource; a filter inspects the content requested of the resource, the content returned from the resource, and/or the content known to be available from the resource, and determines its suitability for end-user consumption based on policies.
• Firewalls can act as content filters but rarely do content filters act as firewalls. Firewall and filter functionality is being melded into single platforms, e.g. Check Point VPN-1 UTM, Securiant SpiderISA, etc.
• Specialized content filtering solutions usually offer the “deepest”, most “feature-rich”, and most “flexible” filtering, especially when it comes to email/messaging. They often don’t scale for large deployments.

Firewall vs. Filter
Filter
• Parental control software is a content filter designed for a specific market: parents wanting to limit their children’s access to the Internet on home computers. Offered as a standalone product or as an add-on to host-based firewall software.

Firewall vs. Filter
Examples of Firewalls
Host-based: ISS BlackICE (home) & Desktop Protector (enterprise)
Network-based: Cisco PIX/ASA/FWSM, Juniper Netscreen, Check Point VPN-1, Microsoft ISA, Fortinet, Watchguard
Examples of Filters
Mail: Barracuda Spam Firewall, Symantec Mail Security, SurfControl Risk Filter, MailScanner
Web/P2P/Instant Messaging: Bluecoat ProxySG, FaceTime, Barracuda Web Filter
Web/Mail: Aladdin eSafe Gateway
Web: DansGuardian + URLBlacklist.com
Examples of Firewalls + Filters
Host-based: Norton Internet Security (home) & Symantec Client Security (enterprise)
Network-based: Check Point VPN-1 UTM, Securiant SpiderISA

What can these filters do?
• URL and IP address filtering via categories, e.g. “playboy.com is Adult/Sexually Explicit, block it”
• dynamic categorization or rating of uncategorized websites, i.e. “never seen this site before, what category does it look like based on our profile/model for each of our categories?”
• prevent/allow downloads of certain file types (by extension or MIME type) and block drive-by install techniques/methods
• virus file scanning directly or via external/off-box appliance or software; BTW “virus” now == viruses, worms, trojans, malware, adware, spyware, botnets
• block known exploits for web browsers (but often just Internet Explorer)

What can these filters do?
• force safe mode on search engines
• detection of tunneling/encryption/proxy protocols and applications using non-standard ports
• detection of grooming/cyberbullying conversations (only Crisp Anti-Grooming Engine currently)
• many, many, many things specific to email filtering (a subject for a separate presentation)
• protocol/application restrictions/blocking, e.g. don’t allow downloads via IM, restrict IM buddies, don’t allow HTTP POST uploads larger than 1 MB, block peer-to-peer networks

What can these filters do?
• bandwidth/traffic shaping/policing by category, user, group, protocol, application, time of day, etc.
• phishing protections, e.g. don’t allow IP address URLs; block trick spellings or non-matching (between displayed URL and actual URL) spellings, e.g. www.wellsfarg0bank.com
NOT ALL FILTERS CAN DO EVERYTHING LISTED ABOVE AND NONE OF THESE TECHNIQUES IS A PANACEA.

What can’t these filters do?
• Ensure you configure or integrate them correctly; using the AT&T-GaDOE solution allows you to outsource to experts.
• Consistently take a pessimistic strategy to filtering in their user interfaces; instead they take a mostly optimistic approach (or steer you towards optimism) by assuming protection is achieved by blocking X, Y, Z. Pessimism/enumerating goodness (i.e. only allow access to X, Y, Z) works best; more on this later.
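The phishing heuristics named on the “What can these filters do?” slide (reject IP-address URLs, catch trick spellings such as www.wellsfarg0bank.com, and catch a link whose displayed URL does not match its real target) can be expressed as a small link checker. The Python below is an added example written for this page, not code from the talk or from any product it names; the protected-brand list, the character-substitution map and the sample links are constructed, and the registrable-domain logic is a deliberate two-label approximation that is good enough for the .com names used here.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands whose domains we want to protect from lookalikes (constructed sample).
PROTECTED_DOMAINS = {"wellsfargobank.com", "paypal.com"}

# Digit/symbol substitutions that make a lookalike read like the real name
# at a glance, e.g. '0' for 'o' in wellsfarg0bank (constructed mapping).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def host_of(url):
    """Lowercase host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host name: a crude stand-in for the registrable domain."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """Displayed link text that reads as a URL/host (no spaces, has a dot)."""
    t = text.strip()
    return "." in t and " " not in t


def check_link(display_text, href, protected=PROTECTED_DOMAINS):
    """Return the phishing indicators found for one hyperlink.

    An empty list means none of the three heuristics from the slide fired.
    """
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return ["no-host"]

    # Heuristic 1: the target is an IP address rather than a name.
    if is_ip_literal(href_host):
        reasons.append("ip-address-url")

    # Heuristic 2: after undoing common digit/symbol swaps, the target's
    # domain turns into a protected brand it is not actually equal to.
    href_dom = registered_domain(href_host)
    normalized = href_dom.translate(LOOKALIKE_MAP)
    if href_dom not in protected and normalized in protected:
        reasons.append("lookalike-domain:" + normalized)

    # Heuristic 3: the text shown to the user names one site, the link goes
    # to another.
    if looks_like_url(display_text):
        t = display_text.strip()
        shown_host = host_of(t if "://" in t else "http://" + t)
        if shown_host and registered_domain(shown_host) != href_dom:
            reasons.append("display-href-mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, as a mail or web filter would see them.
    samples = [
        ("www.wellsfargobank.com", "http://www.wellsfarg0bank.com/login"),
        ("Bank login", "http://192.0.2.10/login"),
        ("paypal.com", "https://www.paypal.com/"),
    ]
    for shown, target in samples:
        print(shown, "->", target, check_link(shown, target))
```

A production filter would use a public-suffix list instead of the two-label approximation, and would normalise Unicode confusables as well as ASCII digit swaps; the structure of the check is the same.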
• Unable to analyze the actual content to determine the disposition or nature of IM/chat conversations (again, except for Crisp Anti-Grooming Engine).
• Catch all viruses and malware. There is large variance in the accuracy rates, signature update rates, and detection techniques used by the URL filtering and anti-virus vendors, and even for the same vendor over time.

Variance in URL/Anti-Virus Filtering Accuracy: Examples
• Cascadia Labs’ April 2006 URL Filter Accuracy Test of Bluecoat WebFilter, McAfee Web Filter, SurfControl Web Filter, Websense, and Trend-Micro Interscan found these products had a high accuracy rate for identifying adult/sexually explicit websites (most products over 90%) but struggled in the malware, virus, and hacker categories with accuracy scores sometimes as low as 30-50%.
• AV-Test.org’s August 2007 Anti-Virus Accuracy test of 29 anti-virus products showed an average accuracy rate of 91% with a few products in the 70% range.
• The comparisons are just snapshots and could give very different results the next time they are run. Results need to be tracked over time (AV-Comparatives.org is doing this for anti-virus).

Problems With Using URL Categories
• Category names and categorization policies vary from vendor to vendor, making changing vendors problematic.
• Websites are constantly re-categorized in response to fluctuations in the content on the site; historical reputation of URLs would be more accurate (some vendors are now doing this).
• New categories are created, causing re-categorization of sites that have not changed in content and resulting in dangerous sites being allowed through because the new categories are not yet blocked in policy. New category creation lags behind the advent of new types of sites.
• Some vendors still only support a single category for each website, leading to policy mistakes (you think myspace.com is blocked because it is Adult but it’s Social Networking).

Problems With Using URL Categories
Myspace.com on June 1st 2006:
  SurfControl WebFilter – Personals & Dating
  Secure Computing SmartFilter – Dating/Socials
  Bluecoat WebFilter – Newsgroups and Adult/Mature Content
Myspace.com on August 1st 2006:
  SurfControl WebFilter – Personals & Dating
  Secure Computing SmartFilter – Dating/Socials
  Bluecoat WebFilter – Adult/Mature Content and Social Networking
Myspace.com on August 1st 2007:
  SurfControl WebFilter – Personals & Dating
  Secure Computing SmartFilter – Dating/Social Networking
  Bluecoat WebFilter – Social Networking

Which filter do you pick?
• It’s a competitive market; the market leaders/vendors with larger market share all have similar functionality.
• Exogenous factors are more important: which products your IT staff are familiar with, what technologies/solutions are already deployed and require or support integration, the size of your school district/system (eliminates many vendors), your existing business contacts/relationships, geographic location of the vendor, level of expertise required to operate the solution, other non-filter functionality needed, etc.
• Use the Gartner Group Magic Quadrant Reports for secure web gateways and URL filtering.
• New UTM (unified threat management; latest buzzword) products only scale to small schools.

Which filter do you pick?
• Ensure your vendor has or is working on dynamic categorization, tunnel/encryption/proxy detection, chat/IM content disposition discovery, and integration with client-side/host-based technologies.
• My Opinion (not the opinion of GaDOE, GTRI, GaETC, Jasper County, etc.):
  Good: GaDOE CheckPoint, Bluecoat, Secure Computing, IronPort, Websense, SurfControl, Trend-Micro, Sophos, McAfee, Aladdin, Finjan, MessageLabs, FaceTime
  Bad: I don’t want to be sued, thank you.

AT&T-GaDOE Firewall & Filtering Solution
What Platform?
Crossbeam Systems X-series network security platform running Check Point VPN-1 Power VSX R65 firewall with integrated URL filtering (based on SurfControl). Includes Check Point SmartDefense services.
What can it do?
• “Deep inspection” border firewall for your system/district. No delegated administration.
• Web filter that works by controlling access to URLs based on predefined categories and manually defined whitelists and blacklists. Delegated administration.

AT&T-GaDOE Firewall & Filtering Solution
Current Limitations
• Border solution only, i.e. deployed at the border between the school system and the State of Georgia/AT&T; no intra-school-system protection.
• No virus/worm/trojan/malware scanning for web downloads.
• No ability to set policies on a per-group or per-user basis.
• No ability to rewrite web requests to enable site-specific safety features, e.g. force Google and Yahoo safe search.
• No content caching to improve performance.
• Limited ability to control/limit IM/P2P (can block).

AT&T-GaDOE Firewall & Filtering Solution
Current Limitations Continued
• No true URL category detection for HTTPS URLs because it is a non-proxy solution; it relies on reverse DNS for categorization of HTTPS URLs because of the encrypted nature of HTTPS. Only a proxy solution can address this!
• Lack of delegated administration for the firewall means there is no way to know what new protections have been offered by SmartDefense beyond its out-of-the-box capability without consulting with AT&T.
• Limited ability to set file extension/MIME type download restrictions or prevent drive-by malware installations.
• No filtering for email. Not part of the GaDOE contract.

AT&T-GaDOE Firewall & Filtering Solution
So am I recommending the new AT&T-GaDOE solution?
YES! Best-in-class firewall. Improvements to the URL filtering are coming in Phase II.
Keep in mind AT&T has to deliver a solution that can scale to hundreds of school districts (and thousands of their other customers) and deliver delegated administrative interfaces that can be used by a wide range of expertise levels. The Crossbeam platform allows AT&T to switch or supplement firewall/filtering vendors in the future. I likely would have picked the same solution myself.

Part 3: Blocking the Threats

Change Your Perspective
“As soon as they find out they’re on the filtering list, they relocate and make new names to get by the filter. MySpace changes URLs so much. It’s hard for us to stay 100 percent on it.”
-- Lloyd Brown, Director of Technology, Henrico County Public Schools, VA (30,000 students)
Lloyd Brown’s technique and perspective is completely wrong! Sorry to pick on you Lloyd.

Change Your Perspective
Assume the perspective of “what do people absolutely need to access”:
• take a pessimistic view: “99.999% of the Internet is unsafe”
• enumerate goodness: define what websites, applications, protocols, and application functionality are required
• create whitelists that capture the required access
After doing your best to create whitelists, supplement those areas that couldn’t be whitelisted on technical, political or resource grounds with blacklists, i.e. “enumerate badness”.
Yes, “enumerate goodness” is hard to define but can be implemented gradually.

Implementation Strategies
• Stop using URL filtering to block bad categories. This is the #1 mistake made in the K12 environment (and everywhere else for that matter). Start blocking uncategorized URLs (or preferably all URLs not explicitly allowed), allow the “very safe” categories and supplement with your URL whitelists. “Very safe” == Education, Kid’s Sites, etc. Many other categories are borderline for wholesale allowing, e.g. Blogs & Forums, Sex Education, Games, Hosting Sites, Personal Websites, etc.
• Stop defining bad file types. With the advent of Flash, PDF, and Excel files as carriers of worms/malware, the list of bad file types continues to grow. Start defining the good file types for email/web.

Implementation Strategies
• Configure the firewall to “enumerate goodness”: only allow specific protocols from specific hosts to specific destinations. This includes protocols like DNS and NTP which can be used for tunnels. If the word “any” appears in your firewall rules, you’ve done something wrong (with the exception of HTTP/port 80 when using the AT&T-GaDOE solution). HTTPS sites should always be whitelisted!
  This blocks: most P2P, IM, circumvention, proxies, outbound hacking, propagation of worms, malware phoning home
• Block “uncategorized” URLs, or preferably all URLs not explicitly allowed; assume they are dangerous (available in the AT&T-GaDOE solution)
  This blocks: most circumvention, web-based proxies, new websites with dangerous content

Implementation Strategies
• Turn on protocol enforcement if your firewall supports it (part of SmartDefense in the AT&T-GaDOE solution); turn it off only when it breaks something, and only after you’ve tried to configure it to stop it from breaking the application
  This blocks: encrypted tunnels, some proxies on non-standard ports
• Even if you already have URL category filtering in-house, consider supplementing it with the AT&T-GaDOE solution; a defense-in-depth strategy in case your URL filtering fails.
• Even if you have your own firewall, consider using AT&T-GaDOE’s firewall solution with an “all open” policy so you can leverage its SmartDefense protections (assuming you have a non-deep-packet-inspection firewall)

Implementation Strategies
• Consider diversity of anti-virus (one vendor on the email/web filter and one vendor on desktops); some A/V products have two engines now (e.g. AKV, AntiVir); diversity reduces the risk of a false negative due to a lagged signature from one vendor.
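As an added illustration of the “enumerate goodness” firewall bullet above (not code from the talk or from the AT&T-GaDOE solution), the Python below evaluates a first-match rule table with a default deny and then lints the table for the word “any” in allow rules, granting only the HTTP/port 80 exception the slide mentions. The addresses are RFC 5737 documentation ranges standing in for a school LAN, its resolver and time server, and a whitelisted HTTPS range; the Rule layout is an assumption for this example, not any vendor’s rule syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp" or "any"
    dport: object  # destination port (int) or "any"
    action: str    # "allow" or "deny"


# Constructed rule table for a district border: 192.0.2.0/24 is the school LAN,
# 198.51.100.53 its DNS resolver, 198.51.100.123 its NTP server and
# 203.0.113.0/24 the only range whose HTTPS sites have been whitelisted.
RULES = [
    Rule("192.0.2.0/24", "198.51.100.53/32", "udp", 53, "allow"),    # DNS to our resolver only
    Rule("192.0.2.0/24", "198.51.100.123/32", "udp", 123, "allow"),  # NTP to our time server only
    Rule("192.0.2.0/24", "any", "tcp", 80, "allow"),                 # HTTP, URL-filtered upstream
    Rule("192.0.2.0/24", "203.0.113.0/24", "tcp", 443, "allow"),     # HTTPS to whitelisted hosts
    Rule("any", "any", "any", "any", "deny"),                         # everything else is denied
]


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or spec == port


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation; an empty table denies (pessimistic default)."""
    for r in rules:
        if (_addr_match(r.src, src) and _addr_match(r.dst, dst)
                and r.proto in ("any", proto) and _port_match(r.dport, dport)):
            return r.action
    return "deny"


def lint(rules, allowed_any=(("tcp", 80),)):
    """Flag allow rules that use 'any' and a missing catch-all deny.

    allowed_any lists (proto, port) pairs whose destination may be 'any',
    i.e. the HTTP/80 exception the slide grants for the AT&T-GaDOE case.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        fields = {"src": r.src, "dst": r.dst, "proto": r.proto, "dport": r.dport}
        anys = [name for name, value in fields.items() if value == "any"]
        if anys and not (anys == ["dst"] and (r.proto, r.dport) in allowed_any):
            findings.append(f"rule {i}: 'any' in {','.join(anys)}")
    tail = rules[-1] if rules else None
    if (tail is None or tail.action != "deny"
            or any(v != "any" for v in (tail.src, tail.dst, tail.proto, tail.dport))):
        findings.append("no catch-all deny rule at the end")
    return findings


if __name__ == "__main__":
    # A DNS query to an outside resolver (a common tunnel carrier) is denied,
    # while the same query to the district resolver is allowed.
    print(evaluate(RULES, "192.0.2.15", "198.51.100.99", "udp", 53))   # deny
    print(evaluate(RULES, "192.0.2.15", "198.51.100.53", "udp", 53))   # allow
    print(lint(RULES))                                                 # []
    print(lint([Rule("192.0.2.0/24", "any", "tcp", "any", "allow")]))
```

The lint findings are what you would act on before deploying a table: a bare “any” in an allow rule is the configuration mistake the slide warns about, and a table without a terminal deny silently depends on the platform’s default.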
• If political or technical restrictions prevent you from blocking “uncategorized” URLs or all URLs except those explicitly allowed, insist on a filter with dynamic categorization. Dynamic categorization is also useful for database subscription snafus or URL database corruption.
• After “enumerating goodness” in the firewall/filter to block IM and P2P, consider running internal/closed IM, email and social networking systems to reduce the incentive for students to use un-monitored outside systems. Large school systems are doing this now (Chicago Public Schools, Rochester, NY School District).

Implementation Strategies
• Turn on any fancy features in the filter such as the ability to force Safe Search on search engines; if this is not available, only provide access to kid-safe search engines, e.g. Yahoo! Kids.
• Use centralized policy management of workstations to restrict modifications/changes to the OS/browser and to prevent execution of unknown software, e.g. Microsoft Group Policy; password-protect the BIOS and disable booting from CD/DVD and USB.
• Authenticate all users’ access to the Internet so logging and monitoring can be tied to individual users rather than just individual workstations.
• Suggestions from the audience?

Words of Warning
• Internet threat filtering is not a Ron Popeil Showtime Rotisserie. You cannot “Set it and Forget it”. You must constantly tweak and test your threat filtering solutions and strategies based on evaluation of your monitoring logs and feedback from teachers and staff.
• A specific vendor’s URL filtering is often not standardized across various platforms. For example, they may have a slightly less sophisticated version for Cisco PIX than for Microsoft ISA.

A Proposal: Future-Proof URL Filter
• Only allow certain categories and create a whitelist for required sites not in those categories.
• For each of those allowed categories and the whitelisted sites, allow the option to turn on dynamic categorization.
• For each website visited that is in an allowed category with dynamic categorization enabled or in your whitelist, compare its category in the URL database with the category determined through dynamic categorization. If the dynamic categorization has a very high confidence, override the categorization from the URL database.
  - Prevents an emerging technique: buying domains, populating them with good content, then switching them to bad content
  - Prevents an old technique: buying up expired good domains

Case Study: Jasper County School District
• 2400 total users; architected for 500 simultaneous users
• Border Filter: Bluecoat Proxy SG800 (caching, block IM/P2P/SOCKS/proxies over HTTP, file attachment download restrictions, safe search enforcement, block IE exploits, authenticate users against Active Directory) & AT&T-GaDOE (URL blacklists, URL whitelists, block/allow URL categories)
• Border Firewall: Cisco PIX 515E (firewall; strictly “enumerate goodness”) + AT&T-GaDOE SmartDefense (basic profile; plans to expand)
• Email Filtering Framework: MailScanner on redundant RedHat Enterprise Linux 4 AS PowerEdge 2850s running SpamAssassin (shared heuristic, shared statistical filtering, sender policy framework, some sender checks), Vipul’s Razor and DCC (collaborative checksum), several DNS RBLs (blacklists), Postgrey (greylisting), DSPAM (per-user statistical filtering with per-user quarantines)
• Anti-Virus/Anti-Malware Filtering: ClamAV, McAfee (email) and Sophos (desktop)

Part 4: Live Demonstration: Bypassing The GICC Firewall and The GaDOE URL Filtering
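The following Python is an added example (not the talk’s code nor any vendor’s) of the URL policy that the Implementation Strategies slides and the Future-Proof URL Filter proposal together describe: allow only a few “very safe” categories, whitelist the required sites outside them, block uncategorized hosts and any HTTPS host that is not whitelisted, allow only known-good download types rather than blocking bad ones, treat a multi-category site pessimistically (every category it carries must be allowed, so a site tagged both Adult and Social Networking is blocked either way), and let a high-confidence dynamic categorization override the URL database for allowed-category and whitelisted sites. The URL database, the dynamic verdicts, the host names, the category names and the 0.95 confidence threshold are all constructed placeholders for this example.

```python
import posixpath
from urllib.parse import urlsplit

# Policy (constructed): the only categories allowed wholesale, the sites
# whitelisted outside them, and the only file types users may download.
ALLOWED_CATEGORIES = {"Education", "Kids Sites"}
WHITELIST = {"www.f3program.org", "www.example-district.org"}
ALLOWED_DOWNLOAD_TYPES = {"", ".htm", ".html", ".pdf", ".doc", ".ppt", ".jpg", ".png", ".gif"}

# Constructed stand-in for a vendor URL database: host -> set of categories
# (a host may carry more than one category, as the myspace.com slide shows).
URL_DB = {
    "www.example-school.org": {"Education"},
    "www.example-social.com": {"Adult/Mature Content", "Social Networking"},
    "www.kidsite.example": {"Kids Sites"},
}

# Constructed stand-in for the dynamic categorizer's verdict on the fetched
# page: host -> (category, confidence in [0, 1]).  kidsite.example models a
# domain that was good when categorized and has since switched to bad content.
DYNAMIC = {
    "www.kidsite.example": ("Adult/Mature Content", 0.97),
    "www.example-school.org": ("Games", 0.40),
}
CONFIDENCE_OVERRIDE = 0.95  # "very high confidence" threshold (assumed value)


def decide(url, url_db=URL_DB, dynamic=DYNAMIC, whitelist=WHITELIST,
           allowed=ALLOWED_CATEGORIES, dynamic_enabled=True):
    """Return ("allow"|"block", reason) for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ext = posixpath.splitext(parts.path)[1].lower()

    # Enumerate good file types instead of chasing the growing bad list.
    if ext not in ALLOWED_DOWNLOAD_TYPES:
        return ("block", "file-type:" + ext)

    # A non-proxy filter cannot see inside HTTPS, so HTTPS is whitelist-only.
    if parts.scheme == "https" and host not in whitelist:
        return ("block", "https-not-whitelisted")

    if host in whitelist:
        verdict = ("allow", "whitelist")
    else:
        cats = url_db.get(host)
        if cats is None:
            return ("block", "uncategorized")      # never seen: assume dangerous
        disallowed = sorted(c for c in cats if c not in allowed)
        if disallowed:
            return ("block", "category:" + disallowed[0])
        verdict = ("allow", "category:" + sorted(cats)[0])

    # Future-proof step: a confident live verdict beats the stale database
    # entry, catching domains that turned bad after they were categorized.
    if dynamic_enabled and host in dynamic:
        cat, confidence = dynamic[host]
        if confidence >= CONFIDENCE_OVERRIDE and cat not in allowed:
            return ("block", "dynamic-override:" + cat)
    return verdict


if __name__ == "__main__":
    for u in ("http://www.example-school.org/syllabus.pdf",
              "http://www.never-seen.example/",
              "http://www.example-social.com/",
              "https://www.f3program.org/",
              "https://www.example-school.org/",
              "http://www.example-school.org/setup.exe",
              "http://www.kidsite.example/"):
        print(u, decide(u))
```

Turning dynamic categorization off (dynamic_enabled=False) shows the failure mode the proposal targets: www.kidsite.example is then allowed on the strength of its stale “Kids Sites” entry even though the page now served is something else.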