The Internet Filtering Battlefield

There are many battles we fight daily in education IT shops. The most publicized one is the effort to prevent spam from drowning our e-mail servers. Another struggle that dates back even further pits IT administrators against viruses and spyware. But the conflict that is only whispered of in the hallways of our schools is what can happen when students or teachers bypass a school’s network safeguards by using a proxy server.

Many districts install an Internet filter and assume all is well. But a filter alone can’t deal effectively with the barrage of attacks made against a network on a daily basis. A multipronged defense needs to be in place to protect students and prevent inappropriate access to the Internet.

District IT administrators need to understand the problem, devise strategies to guard against proxies and then constantly man the watchtowers for new threats. From the day these filters were installed, people have been finding ways to get around them.

The History of Avoidance

User attempts to bypass Internet filters began more than 10 years ago. Since then, people and Web sites pushing alternate ways to avoid filters have been pitted against the filtering companies in a game of one-upmanship. Filtering improvements range from simply reducing inappropriate blocking to defeating and blocking encrypted proxies.

The reasons for someone to bypass an Internet filter are many, some legitimate and some outright malicious. In schools, the majority of people attempting to bypass a filter are students. As recently as five years ago, this was primarily motivated by a desire to view pornography and other inappropriate content. Most students now know this type of activity can carry a high price. Today, by far the most prevalent reason students give for trying to bypass Internet filters is to access social networking sites. Last year, a fifth-grader in Modesto (Calif.) City Schools tried to bypass the school’s Internet filter to visit MySpace (the site has a minimum age requirement of 14). And it’s not just students who are attracted to these sites; many teachers frequent them as well.

With this ongoing battle, filtering categories and techniques are constantly changing, and IT shops need to stay current with updates to combat the ever-changing techniques being used to bypass filters.

Proxy Moxie

The most basic circumvention technique is to target cached Web sites using Google or The Internet Archive (web.archive.org). Run a search on Playboy and you can go back to 1996 and browse online editions of the magazine using the Internet Archive’s Wayback Machine. Do virtually any search on Google and you will see an often overlooked hyperlink to “Cached” right after the actual URL for the searched site. This links to versions of the searched site stored on the hard drives of search servers, not on the host of the Web site. Most commercial filters now block this type of cached access. Run a test in your district to see if these gaps still exist. If they do, check your filtering software and contact the company immediately. Either get an update to fix the problem or start searching for a new Internet filter.

The next escalation on the battle front is the anonymous Web proxy. From various Web sites, including www.StupidCensorship.com, you can enter a URL into the search field and use a proxy server outside of the district network to access a blocked site. Because proxies are so public, most filtering companies are able to stay on top of them and update their databases within days after a new proxy comes online. Because of this, many Web sites act as clearinghouses for new anonymous proxy sites. In an effort to keep an even lower profile, most also offer e-mail lists for the distribution of new proxy sites to their communities. To push back these incursions filtering- company employees often infiltrate these mailing lists.

Again, a quick check of your server will let you know if these weaknesses exist in your district. A check of your school’s Internet log should tell you if students or staff are testing for proxies as well.

More recently, personal proxies invaded the Internet. Because a home computer is likely to draw less attention from the filtering companies than a high-traffic Internet site waving a red flag for circumvention, many sites sprouted up offering various open source and freeware personal proxy servers. Students were able to tunnel under the district filter to any Web site they desired and were also able to win friends and influence teachers by sharing their private gateways. This seemed almost too good to be true: How could the filtering companies possibly find these sneaky proxies in the vast landscape of the Internet?

Getting Help

IT directors can’t operate from behind enemy lines. While your Internet filters should catch these types of proxy attempts, you can’t assume that all your problems can be avoided electronically.

Because personal proxies are so hard to detect, IT directors need to have reconnaissance. Teachers and computer-lab staff can provide information on covert operations that can’t be detected by a district’s filter. Site personnel may spot odd behavior or strange URLs in the browser history of a computer, data that often can help to track this activity using access logs and the reporting features of the filter. Of course, careless individuals sometimes disclose their operations by bragging or leaving evidence of their evasive activity for others to find.

Once a problem is spotted, IT administrators should investigate aggressively. Modesto’s filtering software lets it recreate the path of every computer user in the district and trace their steps to learn how they arrived at a particular site. This type of information is handy when students or staff claim a certain site was a pop-up or that they don’t know how a personal proxy was accessed. A map of search- engine activity can dispel dishonest claims and get the word out to others that the loopholes are closing.

Several major filtering companies have countered the proxy threat by analyzing traffic patterns between clients and proxies using a technique known as proxy pattern matching. Dialogue between a Web browser and an anonymous proxy server follows a pattern, in much the same way that a network uses a series of handshakes between a client and a server to establish a connection. IT shops rejoiced when they were finally armed against this threat. But as for any anonymous conversation, encryption allowed stealth to be added to the proxies’ arsenal.

Encryption brings us to the frontline of today’s war on circumvention. Encrypted proxies have been a hard target to hit. Because encryption involves keys and algorithms, there’s nowhere near enough processing power in an Internet filtering server to decrypt secure communications between client and server on the fly. It’s also unreasonable to block all HTTPS traffic on a district’s network because many transactions that are part of the daily business of running a school are conducted through such secure sites.

Filtering companies are starting to deny access to HTTPS or SSL proxy-based sites that do not have a valid certificate. For the time being, this seems to be enough to turn the tide of battle in favor of the district IT shops. However, using the highest setting in most filters often exposes misconfigurations in other agencies’ legitimate certificates. In Modesto, we found almost immediately that some of the government agencies we do business with had their certificate services misconfigured and were blocked by our filter at its highest setting.

The battle cannot be fought in a vacuum. In any plan to protect students from inappropriate content on the Internet, districts need to blend policy, supervision and technology while continuing to comply with the Children’s Internet Protection Act. In almost every case that I’ve investigated, it was the computer in the corner of the classroom or in a back room that was the point of entry for a person seeking to bypass the filter. Com­puters need to be positioned so that it is easy for a teacher to walk through the classroom and monitor computer activity. Large computer labs should be equipped with screen-monitoring software that lets a single person see thumbnail images of what’s going on in the lab. All of these practices need to be backed up by strong school board policy and enforcement.

New Tools for Today

The filter Modesto now uses allows for “warn categories.” For teachers and staff, most filtering restrictions can be replaced with a warning. We have placed most content categories on warning status, with the exception of pornography, which is still blocked. When an adult attempts to access a questionable site, they are warned that the site may contain content that violates board policy. If they accept the warning and proceed, all subsequent access is flagged in the logs. If they then violate board policy, the discipline process can move along quickly. This is a great bend-but-don’t-break policy: Teachers have access to sites, such as YouTube, for educational content, and administrators have tools to discipline those who violate policy.

The importance of access logs and the ability to sift through millions of records to establish a pattern of bypass attempts is critical to the enforcement of district policy. Evidence is key in the discipline of anyone violating these policies. While many Internet filtering servers have built-in reporting capabilities, these often lack powerful search and reporting features. In Modesto, we use a filtering appliance that works in conjunction with a reporting appliance. Log files are dumped to the reporter every hour. The log files produced are not simply text files, but fully searchable databases. The Web client for the reporter allows for “canned” reports of top offenders, wizard-driven reports, and ad hoc reports for more savvy investigators.

Penalties for bypassing the district filter and violating district policy can run the gamut from a simple warning to expulsion or termination of employment. The punishment is relative to the severity of the violation. Any time CIPA categories are involved, particularly pornography, the district needs to take swift action not only to discipline the offender, but also to re-evaluate district filtering practices. If child pornography is involved, the district needs to involve local law enforcement immediately to avoid mishandling or corrupting evidence.

A comprehensive approach to effective Internet filtering and content management must employ a wide range of techniques. Robust filtering and reporting servers can minimize liability for your district and assist in the discipline process when policy is violated. However, filtering servers and appliances cannot do the job independent of old-fashioned school monitoring and management. An environment of trust and verification is often the best approach with adult staff and teachers. Improving filter libraries and filtering only content that absolutely must be blocked teaches students to be responsible users of Internet resources.