Jan 15 2008

The Internet Filtering Battlefield

Keep one step ahead of students and teachers by making your network safe from proxy servers.

Keep one step ahead of students and teachers by making your network safe from proxy servers.

There are many battles we fight daily in education IT shops. The most publicized one is the effort to prevent spam from drowning our e-mail servers. Another struggle that dates back even further pits IT administrators against viruses and spyware. But the conflict that is only whispered of in the hallways of our schools is what can happen when students or teachers bypass a school’s network safeguards by using a proxy server.

Many districts install an Internet filter and assume all is well. But a filter alone can’t deal effectively with the barrage of attacks made against a network on a daily basis. A multipronged defense needs to be in place to protect students and prevent inappropriate access to the Internet.

District IT administrators need to understand the problem, devise strategies to guard against proxies and then constantly man the watchtowers for new threats. From the day these filters were installed, people have been finding ways to get around them.

The History of Avoidance

User attempts to bypass Internet filters began more than 10 years ago. Since then, people and Web sites pushing alternate ways to avoid filters have been pitted against the filtering companies in a game of one-upmanship. Filtering improvements range from simply reducing inappropriate blocking to defeating and blocking encrypted proxies.

The reasons for someone to bypass an Internet filter are many, some legitimate and some outright malicious. In schools, the majority of people attempting to bypass a filter are students. As recently as five years ago, this was primarily motivated by a desire to view pornography and other inappropriate content. Most students now know this type of activity can carry a high price. Today, by far the most prevalent reason students give for trying to bypass Internet filters is to access social networking sites. Last year, a fifth-grader in Modesto (Calif.) City Schools tried to bypass the school’s Internet filter to visit MySpace (the site has a minimum age requirement of 14). And it’s not just students who are attracted to these sites; many teachers frequent them as well.

With this ongoing battle, filtering categories and techniques are constantly changing, and IT shops need to stay current with updates to combat the ever-changing techniques being used to bypass filters.

Proxy Moxie

The most basic circumvention technique is to target cached Web sites using Google or The Internet Archive (web.archive.org). Run a search on Playboy and you can go back to 1996 and browse online editions of the magazine using the Internet Archive’s Wayback Machine. Do virtually any search on Google and you will see an often overlooked hyperlink to “Cached” right after the actual URL for the searched site. This links to versions of the searched site stored on the hard drives of search servers, not on the host of the Web site. Most commercial filters now block this type of cached access. Run a test in your district to see if these gaps still exist. If they do, check your filtering software and contact the company immediately. Either get an update to fix the problem or start searching for a new Internet filter.

The next escalation on the battle front is the anonymous Web proxy. From various Web sites, including www.StupidCensorship.com, you can enter a URL into the search field and use a proxy server outside of the district network to access a blocked site. Because proxies are so public, most filtering companies are able to stay on top of them and update their databases within days after a new proxy comes online. Because of this, many Web sites act as clearinghouses for new anonymous proxy sites. In an effort to keep an even lower profile, most also offer e-mail lists for the distribution of new proxy sites to their communities. To push back these incursions filtering- company employees often infiltrate these mailing lists.

Again, a quick check of your server will let you know if these weaknesses exist in your district. A check of your school’s Internet log should tell you if students or staff are testing for proxies as well.

More recently, personal proxies invaded the Internet. Because a home computer is likely to draw less attention from the filtering companies than a high-traffic Internet site waving a red flag for circumvention, many sites sprouted up offering various open source and freeware personal proxy servers. Students were able to tunnel under the district filter to any Web site they desired and were also able to win friends and influence teachers by sharing their private gateways. This seemed almost too good to be true: How could the filtering companies possibly find these sneaky proxies in the vast landscape of the Internet?

Getting Help

IT directors can’t operate from behind enemy lines. While your Internet filters should catch these types of proxy attempts, you can’t assume that all your problems can be avoided electronically.

Because personal proxies are so hard to detect, IT directors need to have reconnaissance. Teachers and computer-lab staff can provide information on covert operations that can’t be detected by a district’s filter. Site personnel may spot odd behavior or strange URLs in the browser history of a computer, data that often can help to track this activity using access logs and the reporting features of the filter. Of course, careless individuals sometimes disclose their operations by bragging or leaving evidence of their evasive activity for others to find.

Once a problem is spotted, IT administrators should investigate aggressively. Modesto’s filtering software lets it recreate the path of every computer user in the district and trace their steps to learn how they arrived at a particular site. This type of information is handy when students or staff claim a certain site was a pop-up or that they don’t know how a personal proxy was accessed. A map of search- engine activity can dispel dishonest claims and get the word out to others that the loopholes are closing.

Several major filtering companies have countered the proxy threat by analyzing traffic patterns between clients and proxies using a technique known as proxy pattern matching. Dialogue between a Web browser and an anonymous proxy server follows a pattern, in much the same way that a network uses a series of handshakes between a client and a server to establish a connection. IT shops rejoiced when they were finally armed against this threat. But as for any anonymous conversation, encryption allowed stealth to be added to the proxies’ arsenal.

Encryption brings us to the frontline of today’s war on circumvention. Encrypted proxies have been a hard target to hit. Because encryption involves keys and algorithms, there’s nowhere near enough processing power in an Internet filtering server to decrypt secure communications between client and server on the fly. It’s also unreasonable to block all HTTPS traffic on a district’s network because many transactions that are part of the daily business of running a school are conducted through such secure sites.

Filtering companies are starting to deny access to HTTPS or SSL proxy-based sites that do not have a valid certificate. For the time being, this seems to be enough to turn the tide of battle in favor of the district IT shops. However, using the highest setting in most filters often exposes misconfigurations in other agencies’ legitimate certificates. In Modesto, we found almost immediately that some of the government agencies we do business with had their certificate services misconfigured and were blocked by our filter at its highest setting.

The battle cannot be fought in a vacuum. In any plan to protect students from inappropriate content on the Internet, districts need to blend policy, supervision and technology while continuing to comply with the Children’s Internet Protection Act. In almost every case that I’ve investigated, it was the computer in the corner of the classroom or in a back room that was the point of entry for a person seeking to bypass the filter. Com­puters need to be positioned so that it is easy for a teacher to walk through the classroom and monitor computer activity. Large computer labs should be equipped with screen-monitoring software that lets a single person see thumbnail images of what’s going on in the lab. All of these practices need to be backed up by strong school board policy and enforcement.

New Tools for Today

The filter Modesto now uses allows for “warn categories.” For teachers and staff, most filtering restrictions can be replaced with a warning. We have placed most content categories on warning status, with the exception of pornography, which is still blocked. When an adult attempts to access a questionable site, they are warned that the site may contain content that violates board policy. If they accept the warning and proceed, all subsequent access is flagged in the logs. If they then violate board policy, the discipline process can move along quickly. This is a great bend-but-don’t-break policy: Teachers have access to sites, such as YouTube, for educational content, and administrators have tools to discipline those who violate policy.

The importance of access logs and the ability to sift through millions of records to establish a pattern of bypass attempts is critical to the enforcement of district policy. Evidence is key in the discipline of anyone violating these policies. While many Internet filtering servers have built-in reporting capabilities, these often lack powerful search and reporting features. In Modesto, we use a filtering appliance that works in conjunction with a reporting appliance. Log files are dumped to the reporter every hour. The log files produced are not simply text files, but fully searchable databases. The Web client for the reporter allows for “canned” reports of top offenders, wizard-driven reports, and ad hoc reports for more savvy investigators.

Penalties for bypassing the district filter and violating district policy can run the gamut from a simple warning to expulsion or termination of employment. The punishment is relative to the severity of the violation. Any time CIPA categories are involved, particularly pornography, the district needs to take swift action not only to discipline the offender, but also to re-evaluate district filtering practices. If child pornography is involved, the district needs to involve local law enforcement immediately to avoid mishandling or corrupting evidence.

A comprehensive approach to effective Internet filtering and content management must employ a wide range of techniques. Robust filtering and reporting servers can minimize liability for your district and assist in the discipline process when policy is violated. However, filtering servers and appliances cannot do the job independent of old-fashioned school monitoring and management. An environment of trust and verification is often the best approach with adult staff and teachers. Improving filter libraries and filtering only content that absolutely must be blocked teaches students to be responsible users of Internet resources.

A Short History of Online Trouble

  • In 2005, 13 high school students in Kutztown, Pa., were caught using their school-owned notebook computers to view pornography, install instant messaging and file-sharing programs, and spy on their teachers’ computer screens. The school had password-protected the computers to prevent misuse, but students found a password taped to the back of each machine.
  • In 2005, three high school students in Massillon, Ohio, were arrested for sneaking into their school network to change their grades and access staffers’ Social Security numbers, the school sprinkler system, security cameras and the district’s e-mail server. The students found several ways to gain network access. One time, a teacher forgot to log out of the school’s grading system. Another time, the students watched a teacher type his user name and password.
  • In November 2007, three high school students in Snow Hill, N.C., were accused of using their school-issued notebook computers (equipped with built-in Web cameras) to create and send pornographic material.
  • In May 2007, a 17-year-old student in Golden, Colo., who hacked into his high school’s campus portal to change his grades, was sentenced to a year of probation and 80 hours of community service and ordered to pay restitution. Because teachers no longer keep hard copies of grades, each student was asked to bring back their tests and homework to prove they deserved the grades they received.
  • In June 2007, school administrators in Hilton Head Island, S.C., discovered that a student had hacked into a high school’s network to change attendance records for at least a dozen students, many of whom were failing their classes because of poor attendance.
  • Educators are finding they have to monitor students’ online activity off-campus to prevent bullying or gang activity. For example, in November, three students in Kennewick, Wash., were expelled for posting pictures of themselves flashing gang signs on their MySpace pages. (The photos were taken on-campus.)

—Wylie Wong

Great Firewall of China

While school districts try to filter Internet content and control what students can and can’t do on the Web, China is trying to do the same for an entire country — and it has been largely successful.

The Communist country, which had 137 million Internet users by the end of 2006, has built one of the world’s most sophisticated Internet filtering systems, according to a recent report by the OpenNet Initiative (ONI), an organization led by the University of Toronto, Harvard Law School, University of Cambridge and Oxford University to monitor Internet censorship.

China’s firewall, often dubbed “The Great Firewall of China,” uses techniques such as Internet Protocol (IP) blocking, URL blocking and Domain Name System (DNS) tampering to block access to IP addresses, Web pages and domains, ONI says. The country, whose Internet backbone providers are state-owned, also filters by keywords, which blocks access to Web sites based on words found in URLs, the report states. About 30,000 state security personnel monitor Web sites, chat rooms and private e-mail, according to Amnesty International.

Self-censorship is a big factor in the firewall’s success, ONI says. If citizens post prohibited content on topics such as human rights or political reform, they are subject to fines and arrest. In 2006, 14 major Web portals in China issued a joint statement calling for the Internet industry to self-regulate and censor “unhealthy” or “indecent” information. “The impact of self-censorship is likely enormous,” ONI’s report says.

Nevertheless, those who want to circumvent government censors can do so. According to ONI, China blocks some but not all proxy tools. Proxy servers located outside of China allow Chinese citizens to surf unimpeded.

PeaceFire.org, a Web site based in Bellevue, Wash., that defends Internet freedom of speech, hosts proxy servers — including the Web site stupidcensorship.com — that are not blocked by China, says its founder and Webmaster Bennett Haselton.

“China is pretty lazy in keeping up with proxy sites,” he says.

—Wylie Wong