The first line of defense in any network is a firewall between the internet and the internal network. The firewall functions as a traffic controller between the two networks, enforcing the security policy and connectivity model that the network administrator has set up. Firewalls determine which content is allowable by various methods. The first is called packet filtering. Packet filters work by inspecting the “packets” of information exchanged between any two computers on the internet. The firewall inspects each packet; if it passes the filter’s set of rules, the firewall forwards the packet and it continues on its way to its destination. If the packet does not match the rules in the filter, it is rejected, and an error message is sent to the destination.
The second generation of firewall technology is called “stateful packet filters.” A stateful firewall keeps a record of every connection passing through it, and is therefore able to determine whether a packet is part of an existing connection or the beginning of a new one. Although this type of firewall still has a set of rules, the state of the connection becomes one of the criteria that trigger specific rules. This type of firewall can prevent attacks which exploit existing connections, known as denial of service attacks, one of which is the SYN flood, which sends packets in improper sequence to consume resources behind the firewall.
The third generation of firewalls, named application layer firewalls or proxy-based firewalls, was introduced in 1991. The benefit of application layer filtering is that the firewall understands the applications and protocols used in internet data transfers, such as the File Transfer Protocol, web browsing or DNS. This method can detect whether an unwanted protocol is trying to sneak through on a non-standard port, or whether a permitted protocol is being abused in a harmful way. Proxy servers can carry out this type of filtering, but when it is carried out on a firewall it is often referred to as deep packet inspection.
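To make the difference between the first two generations concrete, here is an added example (not code from the original text) that models a stateless packet filter and a stateful one in Python and runs the same constructed packets through both. The addresses (10.0.0.5 as an internal web server, 203.0.113.7 and 198.51.100.9 as outside hosts), the rule format and the simplified TCP flag handling are all assumptions made for the illustration; no real network traffic is involved.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model (no real sockets): the TCP/IP 5-tuple plus flags.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "reject"
    dst: Optional[str] = None       # None means "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    state: Optional[str] = None     # consulted only by the stateful filter: "new"/"established"

    def matches(self, pkt: Packet, state: Optional[str]) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.state is None or self.state == state))


def stateless_filter(rules, pkt):
    """First generation: every packet is judged on its own header fields.
    First matching rule wins; anything unmatched is rejected (default deny)."""
    for rule in rules:
        if rule.matches(pkt, state=None):
            return rule.action
    return "reject"


class StatefulFilter:
    """Second generation: a connection table makes the connection state
    ("new" or "established") an extra match criterion for the rules."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()          # accepted connections as (src, sport, dst, dport)

    def _state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "established"
        if pkt.flags == "S":
            return "new"
        return None      # no SYN and no known connection: out of sequence

    def filter(self, pkt):
        state = self._state(pkt)
        if state is None:
            return "reject"  # out-of-sequence packets never reach the rule list
        for rule in self.rules:
            if rule.matches(pkt, state):
                if rule.action == "accept" and state == "new":
                    self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "reject"


WEB = "10.0.0.5"   # constructed internal web server

# Stateless policy: the only way to let the server's replies out is a rule on
# the reply's source port, which admits any packet that merely claims sport 80.
STATELESS_RULES = [
    Rule("accept", dst=WEB, dport=80),
    Rule("accept", sport=80),
]

# Stateful policy: replies are admitted because they belong to a known
# connection, so no blanket source-port rule is needed.
STATEFUL_RULES = [
    Rule("accept", state="established"),
    Rule("accept", dst=WEB, dport=80, state="new"),
]


def demo():
    """Run four constructed packets through both generations and return the verdicts."""
    client_syn    = Packet("203.0.113.7", 40000, WEB, 80, flags="S")
    server_synack = Packet(WEB, 80, "203.0.113.7", 40000, flags="SA")
    stray_ack     = Packet("198.51.100.9", 40001, WEB, 80, flags="A")        # no SYN ever seen
    forged_reply  = Packet("198.51.100.9", 80, "10.0.0.9", 22, flags="A")    # claims to be a web reply
    packets = (client_syn, server_synack, stray_ack, forged_reply)

    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in packets],
        "stateful": [sf.filter(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts all four packets, including the ACK that belongs to no handshake and the packet that reaches an internal host on port 22 simply by claiming source port 80; the stateful filter accepts only the real handshake, because the other two match no entry in its connection table and do not open one.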
There are many methods for blocking certain websites or IP (Internet Protocol) addresses.
IP blocking is a common method, in which access to certain IP addresses is denied. If the offensive website is hosted on a shared hosting server, then every single site on that server will be inaccessible from the internal network. This type of blocking affects all IP protocols, such as HTTP, FTP, and POP. One way to skirt this type of block is to use a proxy server, which relays the blocked traffic through itself and thus gets the content past the blockade.
DNS (Domain Name System) filtering and redirection is another method of censorship. When this is implemented, the domain name (www.DomainName.com, for example) is not resolved for the computer that requested it. This type of filtering also affects all protocols (HTTP, FTP and POP). A circumvention method is to use a domain name server that resolves the requested domain names correctly, but an entire domain name server can be blocked as well. Other workarounds include obtaining the IP address from other sources and bypassing DNS altogether, which can be done by modifying the hosts file in Windows, or by typing the IP address instead of the domain name into the web browser or other application.
URL filtering scans the requested URL (Uniform Resource Locator) string for blocked keywords, regardless of the domain name in the URL. This method affects the HTTP protocol, but can be bypassed by using an encrypted protocol such as SSL (Secure Sockets Layer) or a VPN (Virtual Private Network).
Packet filtering terminates the TCP transmission when a certain number of keyword triggers are activated. This affects all TCP protocols, such as HTTP, FTP and POP, but also causes search engine result pages to be censored. Encrypted connections such as VPN or SSL are effective at circumventing this filtering method.
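The four filtering methods just described differ in what they can see and in how much they block by accident. The following added example (not from the original text) models IP blocking, DNS filtering, URL keyword filtering and payload keyword filtering over a constructed set of hostnames and requests. The `.test` hostnames, the addresses 192.0.2.20 and 192.0.2.30, the keyword list and the trigger threshold are all assumptions for the illustration; the one fact the URL filter relies on is that an encrypted (HTTPS) request exposes at most the host name to a filter in the path, never the URL path or query.

```python
from urllib.parse import urlsplit

# Constructed resolver table. 192.0.2.20 is a shared hosting server that
# carries an unrelated site alongside the one the policy is aimed at.
DNS_TABLE = {
    "blocked-example.test": "192.0.2.20",
    "innocent-neighbor.test": "192.0.2.20",
    "news.example.test": "192.0.2.30",
}

IP_BLOCKLIST = {"192.0.2.20"}              # IP blocking
DNS_BLOCKLIST = {"blocked-example.test"}   # DNS filtering
KEYWORDS = {"forbidden", "banned-topic"}   # URL and payload keyword filtering


def ip_blocked(host):
    """IP blocking: the verdict is on the address, so every name that
    resolves to a listed address is blocked, related or not."""
    return DNS_TABLE.get(host) in IP_BLOCKLIST


def dns_resolve(host):
    """DNS filtering: a listed name gets no answer; other names resolve normally."""
    if host in DNS_BLOCKLIST:
        return None
    return DNS_TABLE.get(host)


def url_keyword_blocked(url):
    """URL filtering: scan whatever part of the URL the filter can observe.
    For HTTP the whole URL is in cleartext; for HTTPS only the host name is
    visible, so keywords in the path or query cannot be matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        visible = host
    else:
        visible = host + parts.path + "?" + parts.query
    visible = visible.lower()
    return any(kw in visible for kw in KEYWORDS)


def payload_keyword_filter(segments, threshold=2):
    """Packet-level keyword filter: count trigger words across the TCP
    segments of one connection and terminate it once the count reaches the
    threshold. Returns the index of the segment at which the connection is
    cut, or None if it is allowed to complete."""
    hits = 0
    for i, seg in enumerate(segments):
        hits += sum(seg.lower().count(kw) for kw in KEYWORDS)
        if hits >= threshold:
            return i
    return None


def evaluate(url):
    """Apply the three request-time methods to one URL and report each verdict."""
    host = urlsplit(url).hostname or ""
    return {
        "ip_blocked": ip_blocked(host),
        "dns_blocked": dns_resolve(host) is None,
        "url_blocked": url_keyword_blocked(url),
    }


if __name__ == "__main__":
    for u in ("http://blocked-example.test/forbidden",
              "http://innocent-neighbor.test/",
              "http://news.example.test/search?q=forbidden",
              "https://news.example.test/search?q=forbidden"):
        print(u, evaluate(u))
    page = ["<p>This page mentions forbidden things</p>", "<p>and a banned-topic</p>"]
    print("payload filter cuts at segment:", payload_keyword_filter(page))
```

Running it shows the trade-offs the text describes: the IP block also takes down innocent-neighbor.test because it shares an address with the target, the DNS block is precise to the name but only to the name, the URL keyword filter censors a search page on an otherwise unblocked site over HTTP yet matches nothing for the identical HTTPS request, and the payload filter terminates a connection partway through a page once enough trigger words have passed.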
Connection reset. If the filter blocks a TCP connection, it will also block future connection attempts from both sides of the filter for up to thirty minutes. This type of filter can affect other users or websites if their communications are routed through the same location as the block. One way to circumvent this method is to ignore the reset packet sent back by the filtering device.
Having all connections pass through one filtering device is an IT problem. In a small environment, such as a small office or company, the filtering device and firewall are placed between the router that directs the network’s internal traffic and the outside connection to the Internet Service Provider (ISP). This ensures that all connections are filtered and that information deemed inappropriate is eliminated. What about a large corporation, or an entire country, though? This case requires that all of the ISPs operating in that country, or all of the corporation’s outside connections, have filtering devices between them and the internet. This solution is easier to implement in a corporation, because the entire company is working towards one goal, and making only appropriate content available to employees is a must.
In a country, though, citizens may want to view content that is deemed inappropriate, so the government must put in place regulations requiring filtering devices that meet its specifications to be placed at the front of each ISP’s network. This is the most feasible way of controlling content for an entire nation, but not the only one. Another way of filtering content for an entire country would be to pass all connections through one single point and have a massive filtering system in place there. This is not a good idea because of the massive amount of bandwidth an entire country uses; the connection speeds and throughput available today cannot handle this amount of content.