10 Content Filtering
10.1 Chapter objectives
Understanding critical protection offered by content filtering
Understanding the types of attacks
The types of filtering
What the future holds: Adaptability is key
Content filtering, defined, provides a level of network traffic examination that prevents harmful content from entering or leaving a network. This content may be cloaked within seemingly harmless HTTP traffic, it may be the HTTP traffic itself, or it may be some other hijacking attempt trying to socially engineer itself past firewall defenses. It may be a full-blown Denial-of-Service (DoS) attack, or it may be someone internally using a web site e-mail account to drop sensitive documents. There are many types of content filtering and many types of covert and overt attacks. This chapter explores enough of them to establish a trailhead, with a map of known routes and avenues. Learning them well ensures that when a new avenue opens or emerges, recognition comes naturally.
10.2 Filtering out dangerous content
A solid firewall implementation will provide the ability to detect, block, and filter application protocols. Many application protocols represent extremely undesirable forms of traffic over a private enterprise subnet for various reasons:
High bandwidth usage
Unpredictable routing
Frequent socially engineered hack attempts
Unsavory content (pornography, gambling, hate, racist, etc., web sites)
Unfiltered content, in this author’s experience, offers the easiest and most promising path to hackers. And let’s be crystal clear about this: Hackers roam the Internet like mayflies on a windshield in May. One only has to sit and observe a firewall filter for a few minutes to view a constant barrage of port scans, probes, and automated tests that crawl all across the Internet, incrementing and decrementing through all known private and public subnets, searching for an opening. Why do they do this? Because they are finding holes—gaps in security that allow them to download content from illegal sites, gaps that allow them to run the code of their choice on remote computers and gain control of those computers (imagine the sorts of things you could do with a thousand slave computers at your disposal). Gaps that allow them to feel powerful when, socially, they may feel hurt and inadequate.
With control of a thousand networks, a criminal-minded hacker can almost be guaranteed a payoff. Here’s a laundry list of fun activities for a hacker at 2 a.m. on a Saturday morning:
Hack into and download an entire, real web site
Make some slight alterations to the site’s commerce engines
Crack into a business network
Load stolen site onto local computer
Alter the host’s file, pointing the real domain name to the bogus, internal site on the local computer
Spam all business users, and provide a link to the site with “free” offers
Spam again, and again, and again, rotating out different hijacked sites until credit cards are captured or network admin spots the intrusion
Drink a Mountain Dew, and eat some Fritos
Purchase additional network scanner equipment and order an additional DSL line
Repeat, with various modifications to enhance automation
It’s almost laughable in its simplicity, yet heinous in its implications. Imagine ordering computers and office equipment from a cleverly hijacked web site. Individual businesses spend thousands of dollars a year in business-to-business (B2B) expenses on the Internet. If a hijacker knows which sites a business frequents, and has internal access to the business network, a hacker may unleash any of a variety of socially engineered methods to gain easy, and unnoticed, access to business dollars. The majority of hackers don’t go for the big payoff that will be discovered. Rather, a steady trickle of income reaped from the harvest of personal information and spending habits has greater appeal. In the case of the hacker that loads large, bogus web sites onto local networks, content filtering could have halted this activity. Simple quotas would have prevented the 2 a.m. loading of 300 MB of pornography web sites onto local computers. Content filtering would have alerted on or stopped FTP or shell types of activity.
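The two controls the chapter keeps returning to, an application-protocol block list (the "detect, block, and filter application protocols" point above) and a simple transfer quota that would have caught the 2 a.m. bulk download, can be shown together on a small connection log. The following is an added illustration written for this edit, not code from the book or from any firewall product; the port numbers, the 50 MB quota, the 00:00-05:59 off-hours window and the 10 MB off-hours alert threshold are assumed policy values, and the log entries are constructed.

```python
"""Added illustration, not code from the book: a toy content filter that
applies an application-protocol block list, a per-host download quota and an
off-hours bulk-transfer alert to a constructed connection log. Port numbers,
quota sizes and the off-hours window are assumed policy values."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Application protocols the policy refuses outright, keyed by server port
# (assumed policy: the chapter names FTP and shell-type activity).
BLOCKED_PROTOCOLS = {21: "ftp", 22: "ssh", 23: "telnet"}

MIB = 1024 * 1024
QUOTA_BYTES = 50 * MIB           # assumed per-host daily download quota
OFF_HOURS = range(0, 6)          # assumed quiet window, 00:00-05:59
OFF_HOURS_BULK_BYTES = 10 * MIB  # assumed threshold for an off-hours alert


@dataclass
class Flow:
    hour: int        # hour of day (0-23) the flow started
    src: str         # internal host address
    dst_port: int    # server-side port, used to identify the protocol
    bytes_in: int    # bytes delivered to the internal host


def check_flow(flow: Flow, used_today: int) -> Tuple[str, str]:
    """Return (action, reason) where action is 'allow', 'alert' or 'block'.

    used_today is the number of bytes this host has already pulled through
    flows that were not blocked (blocked flows transfer nothing)."""
    proto = BLOCKED_PROTOCOLS.get(flow.dst_port)
    if proto is not None:
        return "block", f"application protocol {proto}"
    if used_today + flow.bytes_in > QUOTA_BYTES:
        return "block", "daily quota exceeded"
    if flow.hour in OFF_HOURS and flow.bytes_in > OFF_HOURS_BULK_BYTES:
        return "alert", "off-hours bulk transfer"
    return "allow", ""


def filter_log(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Run check_flow over a log in order, tracking per-host usage."""
    used: Dict[str, int] = defaultdict(int)
    verdicts = []
    for flow in flows:
        action, reason = check_flow(flow, used[flow.src])
        if action != "block":
            used[flow.src] += flow.bytes_in   # allowed and alerted bytes count
        verdicts.append((action, reason))
    return verdicts


# Constructed sample log (not real traffic).
SAMPLE_FLOWS = [
    Flow(hour=14, src="10.0.0.5", dst_port=80, bytes_in=2 * MIB),   # daytime web
    Flow(hour=14, src="10.0.0.5", dst_port=21, bytes_in=500_000),   # FTP session
    Flow(hour=2,  src="10.0.0.9", dst_port=80, bytes_in=20 * MIB),  # 2 a.m. bulk pull
    Flow(hour=2,  src="10.0.0.9", dst_port=80, bytes_in=40 * MIB),  # pushes past quota
]

if __name__ == "__main__":
    for flow, (action, reason) in zip(SAMPLE_FLOWS, filter_log(SAMPLE_FLOWS)):
        print(f"{flow.src:10} port {flow.dst_port:<4} {action:6} {reason}")
```

Run as a script it prints one verdict per flow: the daytime web request is allowed, the FTP session is blocked by protocol, the first 2 a.m. pull is allowed but raises an off-hours alert, and the second is blocked because the host has crossed its quota. The order of checks matters: protocol blocks come first so that a blocked FTP session never consumes quota, and the quota check precedes the alert so a flow is never both alerted on and silently allowed past the limit.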
10.2.1 Scanning e-mail
A scanning e-mail filter scans e-mail for confidentiality breaches, pornography, and missing or forged headers. This type of scanning runs in both directions, analyzing Simple Mail Transfer Protocol (SMTP) and POP3 traffic as it enters and as it leaves the network. Unless an e-mail server is running internally, SMTP traffic from WAN to LAN should be blocked. POP3 from WAN to LAN should be blocked. Outbound (LAN to WAN) SMTP and POP e-mail requests should be fully filtered. More information on scanning e-mail is presented in the following sections.
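The direction rules above reduce to a small policy table, and the "missing or forged headers" check reduces to parsing the header block. The following is an added illustration written for this edit, not code from the book: the assumed local domain `example.com`, the required-header set, and the choice to return a "filter" (scan, then deliver) verdict for inbound SMTP when an internal mail server exists are all assumptions; the two sample messages are constructed.

```python
"""Added illustration, not code from the book: the chapter's SMTP/POP3
direction rules as a policy function, plus a basic header scan for missing or
forged-looking headers. The local domain, required-header set and the
'filter' action for inbound SMTP to an internal mail server are assumptions."""
from email import message_from_string
from typing import List, Sequence

SMTP_PORT = 25
POP3_PORT = 110
REQUIRED_HEADERS = ("From", "To", "Date", "Message-ID")   # assumed minimum set


def mail_policy(direction: str, port: int, internal_mail_server: bool) -> str:
    """Return 'block', 'filter' or 'pass' for a flow.

    direction is 'wan->lan' (inbound) or 'lan->wan' (outbound)."""
    if port not in (SMTP_PORT, POP3_PORT):
        return "pass"                    # not mail; other rules decide
    if direction == "wan->lan":
        # Inbound SMTP is only legitimate when we host a mail server, and
        # even then it is scanned. Inbound POP3 is never needed.
        if port == SMTP_PORT and internal_mail_server:
            return "filter"
        return "block"
    if direction == "lan->wan":
        return "filter"                  # outbound mail is fully filtered
    raise ValueError(f"unknown direction {direction!r}")


def scan_headers(raw_message: str,
                 local_domains: Sequence[str] = ("example.com",)) -> List[str]:
    """Report missing required headers and From addresses outside our own
    domains (a simple forged-From heuristic for outbound mail)."""
    msg = message_from_string(raw_message)   # stdlib RFC 822 header parser
    findings = []
    for name in REQUIRED_HEADERS:
        if msg[name] is None:                # header lookup is case-insensitive
            findings.append(f"missing {name}")
    froms = msg.get_all("From") or []
    if len(froms) > 1:
        findings.append("duplicate From")
    for addr in froms:
        # Works for both 'user@dom' and 'Name <user@dom>' forms.
        domain = addr.rsplit("@", 1)[-1].strip("> ").lower()
        if domain not in local_domains:
            findings.append(f"From domain {domain} not local")
    return findings


# Constructed sample messages (not real mail).
GOOD_MSG = (
    "From: Alice <alice@example.com>\n"
    "To: bob@partner.test\n"
    "Date: Mon, 01 Jan 2024 09:00:00 +0000\n"
    "Message-ID: <1@example.com>\n"
    "\n"
    "Quarterly figures attached.\n"
)
BAD_MSG = (
    "From: ceo@bank.test\n"
    "To: victim@example.com\n"
    "\n"
    "Please review the attached invoice.\n"
)

if __name__ == "__main__":
    for direction in ("wan->lan", "lan->wan"):
        for port in (SMTP_PORT, POP3_PORT):
            print(direction, port, mail_policy(direction, port, False))
    print("good:", scan_headers(GOOD_MSG))
    print("bad: ", scan_headers(BAD_MSG))
```

The policy function deliberately has no "allow" outcome for mail ports: every mail flow that is not blocked goes through the filter, which is what "fully filtered" in the text means in practice. The header scan is only a first pass; a production filter would also validate the Date format and compare the envelope sender against the From header, but the missing-header and foreign-domain checks alone catch the crude forgeries described in this chapter.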