An IP address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. An IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can range from 0 to 255. For example, 1.160.10.240 could be an IP address.
Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the internet requires using registered IP addresses (called Internet addresses) to avoid duplicates.
The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. Four regional Internet registries (ARIN, RIPE NCC, LACNIC, and APNIC) assign Internet addresses from the following three classes:
· Class A - supports 16 million hosts on each of 126 networks
· Class B - supports 65,000 hosts on each of 16,000 networks
· Class C - supports 254 hosts on each of 2 million networks
The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of. An IP address is the numerical address of a computer on the Internet. This means every personal computer on the Internet is given a unique IP address by its Internet Service Provider, just as every web site is given an IP address by its web site host.
Hosts and networks
IP addressing is based on the concept of hosts and networks. A host is essentially anything on the network that is capable of receiving and transmitting IP packets on the network, such as a workstation or a router. It is not to be confused with a server: servers and client workstations are all IP hosts.
The hosts are connected together by one or more networks. The IP address of any host consists of its network address plus its own host address on the network. IP addressing, unlike, say, IPX addressing, uses one address containing both network and host address. How much of the address is for the network portion and how much for the host portion varies from network to network.
An IP address is 32 bits wide, and as discussed, it is composed of two parts: the network number, and the host number [1, 2, 3]. By convention, it is expressed as four decimal numbers separated by periods, such as “200.1.2.3” representing the decimal value of each of the four bytes. Valid addresses thus range from 0.0.0.0 to 255.255.255.255, a total of about 4.3 billion addresses. The first few bits of the address indicate the Class that the address belongs to:
| Class | Prefix | Network Number | Host Number |
|---|---|---|---|
| A | 0 | Bits 0-7 | Bits 8-31 |
| B | 10 | Bits 1-15 | Bits 16-31 |
| C | 110 | Bits 2-24 | Bits 25-31 |
| D | 1110 | N/A | |
| E | 1111 | N/A | |
The bits are labeled in network order, so that the first bit is bit 0 and the last is bit 31, reading from left to right. Class D addresses are multicast, and Class E are reserved. The range of network numbers and host numbers may then be derived:
| Class | Range of Net Numbers | Range of Host Numbers |
|---|---|---|
| A | 0 to 126 | 0.0.1 to 255.255.254 |
| B | 128.0 to 191.255 | 0.1 to 255.254 |
| C | 192.0.0 to 254.255.255 | 1 to 254 |
Any address starting with 127 is a loopback address and should never be used for addressing outside the host. A host number of all binary 1’s indicates a directed broadcast over the specific network. For example, 200.1.2.255 would indicate a broadcast over the 200.1.2 network. If the host number is 0, it indicates “this host”. If the network number is 0, it indicates “this network” [2]. All the reserved bits and reserved addresses severely reduce the available IP addresses from the 4.3 billion theoretical maximum. Most users connected to the Internet will be assigned addresses within Class C, as space is becoming very limited. This is the primary reason for the development of IPv6, which will have 128 bits of address space.
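The class rules above can be applied mechanically. The following is an added example, not part of the original text: it reads the leading bits of an address to find its class, then splits it using the conventional 8-, 16- and 24-bit network lengths for Classes A, B and C (the split that matches the range table and the 200.1.2.255 example). The function name and the wording of the notes are illustrative.

```python
import ipaddress

# (class, leading-bit prefix, network bits). Network lengths are the
# conventional classful ones: 8 for A, 16 for B, 24 for C.
_CLASSES = [("A", "0", 8), ("B", "10", 16), ("C", "110", 24),
            ("D", "1110", None), ("E", "1111", None)]

def classify(addr: str) -> dict:
    """Decode a dotted-quad IPv4 address under the classful rules."""
    value = int(ipaddress.IPv4Address(addr))   # rejects malformed addresses
    bits = format(value, "032b")               # bit 0 is the leftmost bit
    for name, prefix, net_bits in _CLASSES:
        if bits.startswith(prefix):
            break
    info = {"address": addr, "class": name,
            "network": None, "host": None, "note": None}
    if net_bits is None:                       # D and E have no net/host split
        info["note"] = "multicast" if name == "D" else "reserved"
        return info
    host_mask = (1 << (32 - net_bits)) - 1
    info["network"] = str(ipaddress.IPv4Address(value & ~host_mask))
    info["host"] = value & host_mask
    if value >> 24 == 127:
        info["note"] = "loopback"
    elif info["host"] == host_mask:            # host number is all binary 1s
        info["note"] = "directed broadcast"
    elif info["host"] == 0:
        info["note"] = "host number 0"
    return info

if __name__ == "__main__":
    for sample in ("1.160.10.240", "172.16.5.4", "200.1.2.255",
                   "127.0.0.1", "224.0.0.1"):
        print(classify(sample))
```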
IP FILTERING
Topic
The purpose of this white paper is to provide a general overview of IP filtering. The discussion focuses on the use of IP filters to block access to inappropriate sites.
Scope
The audience is presumed to have a general understanding of filtering software such as Cyber Patrol and Net Nanny and to be familiar with the term Internet blocking. This paper offers different options for implementing Internet blocking or IP filtering. The scope of this paper is driven by the need for educational institutions to protect minors from inappropriate material on the Internet. Filtering is used to provide content filtering, network security, and improved network performance. A variety of solutions will be discussed.
Research Objectives
· Discuss filtering needs.
· Discuss scalable options.
· Provide a list of software vendors.
Probable Outcome
· Adoption of local solutions that may be scaled on a statewide basis.
· Addition to MOREnet’s Product Support Matrix.
· Training and seminar presentations for the adopted solution.
· Informational documentation to assist customers with solving content filtering objectives.
Introduction
Although Internet access is an important mainstay in the education of our youth, much unregulated content can be found on the World Wide Web. Parents want to be assured that their children are safe from “bad influences.” Because the Web is worldwide, it is impossible to create a global agreement on what material is inappropriate and how that material should be regulated. The problem we face is how to protect minors from inappropriate material on the Internet. What filtering solutions are available? How do we choose one that will work?
Filtering allows you to control what sites your children can and cannot visit. There are a variety of ways to filter access to the Internet, but none of these methods claims to block 100% of the inappropriate sites. However, third-party services claim to cover the vast majority. For this reason it is necessary to develop a local Acceptable Use Policy (AUP) to complement your filtering solution. Your AUP and filtering are effective tools to protect your children. Several good AUP links are provided at the end of this paper for further reference. The following pages will describe a variety of filtering options, their uses and limitations.
Filtering Needs
Filtering is a tool that helps control access to the Internet. With the Internet bringing the world to you, it is easy to stumble across sites with questionable content. Parents expect the public library and school system to protect their children from such controversial material. They expect these institutions to protect their children with the assumption of minimum standards for what types of material a child might encounter. Some organizations do not have the space or staff to monitor the student every minute. Therefore it is necessary to implement an AUP in schools and libraries where minors have Internet access without the direct supervision of a parent or faculty/staff member.
Filtering is geared toward administrators of large groups of networked PCs, such as labs, libraries, and corporate offices. They need a tool that will protect their network data from outsiders and control which sites are accessible to persons using their system. Filtering offers firewall access to protect data and to provide control of Internet access, limiting the users’ access to the information needed and controlling what sites can and cannot be accessed.
Filtering network access to certain sites is accomplished using a variety of methods:
IP Filter Lists. IP filter lists in a router can block IP packets bound for a denied site and keep them from passing through the router.
IP Forwarding. IP forwarding, or NAT (Network Address Translation), between your router and your network prevents outsiders’ access to your network. It increases security on your network, but does not by itself secure it.
Web Proxy Server. A Web proxy server can be used to block access to certain sites, allowing access only to chosen sites. It also caches the webpages you download so the next time you visit that site you get the page from your Web cache and not from the Internet.
Firewall. A firewall contains a variety of tools to secure your network from the outside Internet: NAT, IP filtering, encryption, and authentication, to name a few.
Content Filtering Services. Content filtering or third-party filtering services are for sale as server-based, stand-alone, or packaged online services. They are continually updated but do not promise to block 100%.
Filtering Options
Router Filters and Access Lists
Filtering IP addresses can be managed using a Cisco router. You can create a filter list that will deny access to a site and then apply that list to one of the router’s interfaces. This works well for static lists and for blocking IP packets bound for certain ports on your network, for example blocking certain machines from port 21 (FTP uses port 21). If you need to update the list on a daily or weekly basis, this is not a good solution. Use it for static access lists that are unlikely to change much, or to block unwanted services, such as FTP, from reaching your network.
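An added example, not from the original paper and not router configuration syntax: a small Python model of how a filter list is evaluated, top to bottom, with the first matching rule deciding and a default deny when nothing matches. The rule set, the `Rule` and `evaluate` names, and the RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination TCP port; None means any port

def evaluate(rules, src_ip, dst_ip, dport):
    """Return (action, index of matching rule); index is None for the default deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action, i      # first match wins; later rules are ignored
    return "deny", None             # nothing matched

# Constructed filter list using documentation address ranges.
FILTER_LIST = [
    Rule("deny",   "192.0.2.0/28", "0.0.0.0/0",       21),    # lab PCs: no FTP
    Rule("deny",   "0.0.0.0/0",    "203.0.113.10/32", None),  # one denied site
    Rule("permit", "192.0.2.0/24", "0.0.0.0/0",       None),  # rest of the LAN
]

if __name__ == "__main__":
    probes = [("192.0.2.5", "198.51.100.7", 21),    # lab PC using FTP
              ("192.0.2.5", "198.51.100.7", 80),    # lab PC browsing
              ("192.0.2.40", "203.0.113.10", 80),   # LAN host to denied site
              ("10.1.1.1", "198.51.100.7", 80)]     # source outside the LAN
    for probe in probes:
        print(probe, "->", evaluate(FILTER_LIST, *probe))
```

Moving the broad permit rule to the top of the list makes the FTP deny unreachable, which is the kind of ordering mistake that makes hand-maintained lists error-prone.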
Firewall
This is an excellent solution for adding security to your network and preventing outsiders from accessing your internal devices. Firewalls come in a variety of packages, from server-based software applications to a stand-alone appliance with a turnkey installation. Early firewalls supported IP filtering and NAT. Currently most firewall providers offer tiered pricing for additional features like encryption, user authentication, web-proxy and dynamic packet filtering, to name a few.
Web Proxy Cache
A Web proxy cache allows your users to pool their Web browser cache on one server. With this tool, when a second user downloads the same file you just spent 20 minutes downloading, the file is retrieved from the Web-caching server and not the Internet. This method, integrated with third-party software that provides ongoing updates, is a complete and scalable solution. It allows a single point of management and provides a selection of filter categories to meet your needs.
IP Forwarding (NAT)
IP forwarding for Unix or NAT (Network Address Translation) by other vendors allows one server to act as the IP address for all the devices on your network. The device provides a gateway service for all devices on the network at the IP layer and hides your network from the outside world. Some NAT devices may include other services like static filtering or web proxy caching.
Third-party Filtering Software
This software solution involves a third-party developer who maintains and updates a site-content database, and continually provides the updated information to its customers for use in denying sites based on the content found on the site. Filtering software supports a wide range of platforms. You can run this filtering software on a stand-alone workstation or as a server-based solution. A server-based solution gives you a central point of control and offers the best solution for reducing expenses for support staff. Since third-party software provides ongoing updates, expect a yearly subscription fee.
Caveats
Contrary to the misconceptions of some critics, few (if any) of these products filter based on keywords alone. For example, blocking based on the term “sex” blocks out any sites that mention Middlesex, England as well as erotic websites.
Several companies now provide keyword searching by parsing documents on the fly, based on options selected by the customer. One approach lets users filter a site based on a list of forbidden words, then categorize the site based on criteria they have developed for acceptable use. This is not 100% reliable but has improved greatly since the early stages of this paper.
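The Middlesex problem is easy to reproduce. This added example (not from the original paper) compares a naive substring filter with one that matches whole words only, over constructed page text. Whole-word matching removes the place-name false positives but still blocks a health-class page, which is why keyword matching is combined with site categorization. All names and sample pages are illustrative.

```python
import re

def substring_hits(text, words):
    """Naive filter: flag a forbidden word found anywhere inside the text."""
    low = text.lower()
    return [w for w in words if w in low]

def token_hits(text, words):
    """Flag a forbidden word only when it appears as a whole token."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return [w for w in words if w in tokens]

def compare(pages, words):
    """Map page name -> (blocked by substring match, blocked by whole-token match)."""
    return {name: (bool(substring_hits(body, words)),
                   bool(token_hits(body, words)))
            for name, body in pages.items()}

FORBIDDEN = ["sex"]

# Constructed sample pages.
SAMPLE_PAGES = {
    "county": "Middlesex County Council: library opening hours",
    "rail":   "Rail timetable for Essex and Sussex",
    "health": "Health class syllabus: sex education unit 3",
    "sports": "School sports day results",
}

if __name__ == "__main__":
    for name, verdict in compare(SAMPLE_PAGES, FORBIDDEN).items():
        print(f"{name:8} substring={verdict[0]!s:5} whole-word={verdict[1]}")
```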
Another approach permits users to create their own Web search engine by restricting access to a strict list of acceptable sites. This guarantees quality searches but limits user searches to a finite set of sites. The administrator does have the ability to override the rule set to allow more exhaustive unprotected searches.
Scalable Options
There are two popular content-filtering options. The most popular is the integration of a third-party filtering list and a Web proxy caching service.
A second option is a turnkey, stand-alone box that sits on the local area network (LAN) and listens to the IP traffic. If the destination of the IP packet is in a list of denied sites, the filter box will deny access to the site and notify the client that the request has been denied.
Hierarchical Web Caching
Some web caching devices support the cascading of several caching servers in a hierarchical fashion. This allows a site to group their Web caching to better utilize their Internet traffic.
Summary
The tools we have discussed here are all very powerful. Managing a static IP access list may be an inexpensive approach, but this approach does not provide up-to-date lists for your network. It is also time consuming and prone to human error.
Filtering solutions that integrate with third-party filtering software work the best and scale well on a large network. They do not promise 100% protection, but they have made significant progress on filtering constantly changing Internet websites.
The AUP is a tool that should be included in any filtering strategy. It communicates a reasonable expectation to the user and sets boundaries for use of the Web. It should not be the only tool used, since enforcement requires constant supervision that may not be practical in all situations.
Managing your filtering solution from a single point should be considered. This solution should be server-based for larger networks and may be workstation-based for smaller businesses and libraries. Integrating IP filtering with third-party filtering software provides the ability to filter Web access to certain sites with a variety of options. Your AUP will complement these filtering tools to provide a scalable solution for your system.

Dear Sir/Madam,
Thanks for letting me learn more about this issue. I wish to find more information about the layers and the comparison between this and the OSI model.
My great thanks