Shawn McCarthy | Methods of avoiding censorship can be used for attack, too
- By Shawn McCarthy
- Mar 01, 2007
Shawn P. McCarthy
Most government network managers don't give much thought to the subject of international Internet censorship. After all, if a country located half a world away wants to restrict Internet traffic, it's not something the average U.S. IT manager can challenge.
But understanding how Internet censorship occurs, and how end users sometimes manage to circumvent censorship, can help you gain awareness of potential problems:
- When U.S. federal employees try to access information from Web sites in other countries, their access could be restricted.
- When citizens in other countries try to reach your Web sites, they might be prohibited, even if you aren't the one who is restricting them.
- Incoming international connections can be secretly re-routed, providing false information about your site without your knowledge.
- The tools that some people use to circumvent censorship also can be used to hide international criminal activity, or attacks on your network.
Packet filtering is a popular method of limiting data traffic. International gateway routers or firewalls can be configured to deny access to packets containing specific IP addresses or domain names, effectively stopping or re-routing selected data traffic based on how those packets are addressed.
More advanced implementations can look (sniff) for specific key words or concepts within groups of packets, then deny access only to those packets or to specific, targeted Internet resources. There's also geolocation filtering, which limits connections or content by geographic location, usually based on domain name or other known factors about how Internet traffic is routed.
To combat these limits, Web surfers can use shareware to build temporary virtual private networks. They use the public telecommunication infrastructure but establish a tunneling protocol, along with encryption and security procedures. Participants have to connect to other servers designed to support the VPN, often in temporary peer-to-peer networks.
Another solution is to use anonymous proxy servers. The servers can be configured so they don't transfer details about the IP address of the data passing through the proxy. This hides information about the end users, their Web surfing interests and the places to which they connect. Some proxy servers can even disguise the fact that a person is surfing through a proxy server.
On the flip side, temporary peer-to-peer VPNs and organized networks of pass-through proxy servers can be used to mask hacker activity. For this reason, it's important for government network administrators to pay attention to the international connections on their Web sites and other servers. Do the patterns look like someone exploring for legitimate news and information, or do they look like someone exploring for system vulnerabilities?
To understand how such tools work, network administrators may want to familiarize themselves with the following solutions:The Onion Router (Tor)
. Originally funded by the U.S. Naval Research Laboratory, then picked up by the Electronic Frontier Foundation. Provides good basic protected surfing, but if authorities are able to watch both ends of a connection, they may still be able to see where Tor requests originate.The Invisible Internet Project (now just I2P)
. A type of overlay network that allows TCP/IP-enabled applications to communicate by establishing secure data tunnels.Java Anonymous Proxy (JAP)
. An extended 'proxy system' that enables anonymous Internet browsing. It sends Internet requests through what it calls a cascade of encrypted mixes, which means a group of anonymous proxy sites. It also allows end users to decide which proxies they choose to trust and which they choose to avoid.Shawn P. McCarthy is senior analyst and program manager for IDC Government Insights of McLean, Va. E-mail him at email@example.com.
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.