Security, bandwidth and productivity issues with March Madness

by Rich Sutton
March 19th, 2008

It’s that time of year again — the NCAA basketball tournament is upon us. This time of year always throws a spotlight on web filtering, as enterprises are faced with the prospect of their employees frittering away time and valuable network bandwidth watching hoops.

The tools available on the Internet for following this year’s tournament are getting more varied and sophisticated, throwing open new security and bandwidth concerns, as well as raising the old specter of productivity problems.

Security

If you’re blocking your users from watching the tournament, then you’ve got to consider the ways that they might attempt to circumvent that policy. The key thing here is that video streaming isn’t just about web sites and media players anymore.

Read the rest of this entry »

Games patterns released

by Rich Sutton
March 13th, 2008

On Tuesday, we took another step in broadening the Application Management functionality in our web filtering products. We released the first set of patterns for blocking network games, commonly called Massively Multi-Player Online Role Playing Games (MMORPGs). We wrote patterns for World of Warcraft, Legend and the Steam Network, which is used by many games.

We also block a number of games through simple URL filtering. Some games rely on HTTP or HTTPS access to certain domains, so they can be shut down that way. Second Life and Lineage II are good examples of these.

There are two obvious issues with online games that should be of interest to enterprise and education IT departments: productivity and bandwidth. Cumulatively, online games have more than 16 million subscribers, with World of Warcraft alone accounting for more than 10 million of those subscribers. Blocking these applications at the gateway provides a simple, centralized way to prevent employees and students from violating what is undoubtedly already a part of your acceptable use policy.

This is the first expansion of application management in the R3000 beyond IM, P2P and proxies, leveraging a feature in the recently released 2.0.10 version of the R3000 that allows us to extend pattern coverage to any category. In the near future, we will be expanding the scope of our pattern blocking to include remote access applications like Terminal Services (RDP) and VNC, as well as streaming media protocols like RTSP.

Please submit requests for pattern coverage of other games and applications to mudcrawler [at] 8e6 [dot] com.

Old school email frauds that still work

by Rich Sutton
February 27th, 2008

As the average Internet user wises up to the classic fraudster angles, criminals have to move to new targets. People are getting better at recognizing emails phishing for their Bank of America online banking credentials. We’ve all seen 419 scams in our inboxes, which are looking for you to front money for a bigger payout down the line (aka “advance fee fraud”).

As a result, the bad guys have had to turn their attention to new targets. In 2007, we saw attacks looking to get at employers’ Monster.com accounts, individuals’ MySpace and Facebook contacts as well as Salesforce credentials. There has also been a rise in classic phishing emails targeting smaller banks or banks in emerging economies, where the average end user isn’t as experienced at dealing with phish.

But in our hurry to stay on top of the latest trends, we can sometimes lose sight of the tried-and-true fraud techniques that still work.

And sometimes it’s easier to be fooled when the threat is directed at our employers.

I recently had the following two emails forwarded to me. Folks were asking: are these for real?

Read the rest of this entry »

Analysis of DNS-based filtering solutions

by Rich Sutton
February 20th, 2008

The guys at OpenDNS made an interesting announcement yesterday. They’re building a community authored directory of web sites to enhance their DNS-based web filtering service. OpenDNS is a free DNS service that anybody can use simply by changing their computer’s DNS settings.

This is how a DNS-based filtering service works. You change your network settings (typically the ones served up dynamically by your DHCP server) to use the DNS servers from OpenDNS. When a user types playboy.com into the address bar, the web browser attempts to find the IP address for playboy.com using DNS. But the OpenDNS servers don’t return the real IP address for playboy. Instead they return the IP address of a server that sends the user a block page. Hey presto, the user is blocked. Frankly, it’s brilliant in its simplicity. And the community categorization approach is extra brilliant.
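The resolver-side decision described above, as an added example (not OpenDNS code and not part of the original post). The category list, the blocked-category policy, the upstream answers and the block-page address are all constructed for illustration.

```python
"""Toy model of a DNS-based filtering resolver. All data here is constructed."""

BLOCK_PAGE_IP = "203.0.113.10"  # hypothetical block-page server (TEST-NET-3 range)

# Constructed directory: domain -> category (stands in for the community list)
CATEGORIES = {
    "playboy.com": "adult",
    "example-casino.test": "gambling",
}

# Constructed policy: which categories this network chose to block
BLOCKED_CATEGORIES = {"adult"}

# Constructed stand-in for real upstream resolution
UPSTREAM = {
    "playboy.com": "198.51.100.7",
    "www.playboy.com": "198.51.100.7",
    "notplayboy.com": "198.51.100.99",
    "example-casino.test": "198.51.100.20",
}


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def category_for(qname):
    """Match on label boundaries, walking up toward the TLD, so that
    www.playboy.com inherits playboy.com's category but notplayboy.com
    (a different registered name) does not."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None


def resolve(qname):
    """Return (ip, verdict). Blocked names get the block-page address
    instead of the real one; everything else gets the upstream answer."""
    category = category_for(qname)
    if category in BLOCKED_CATEGORIES:
        return BLOCK_PAGE_IP, "blocked:" + category
    return UPSTREAM.get(normalize(qname)), "allowed"


if __name__ == "__main__":
    for name in ("playboy.com", "WWW.Playboy.COM.", "notplayboy.com"):
        print(name, "->", resolve(name))
```
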

A DNS-based filtering solution is great at snuffing out inadvertent browsing of bad web content. When my five-year-old uses our home computer and starts clicking around on stuff, I’d like to simply prevent him from accidentally viewing nasty sites that might come back in a Google search. A DNS-based approach will absolutely solve this problem.

But my five-year-old is not what I would call a determined attacker.

Read the rest of this entry »

PBS Frontline: Growing Up Online

by Rich Sutton
February 8th, 2008

PBS’s Frontline recently ran a special on kids and the Internet titled “Growing Up Online”. You can watch the entire show online — and I definitely recommend it for anyone involved in education: parents, teachers, administrators, IT.

They address some interesting issues, including:

The disturbing pro-anorexia phenomenon, which I had never heard of until I got into the Internet Filtering industry. Sometimes these sites attempt to walk the line between self-help and truly being pro-anorexia. 8e6’s categorization policy is for pro-ana sites to go into Obscene/Tasteless and anorexia disorder help sites to go into Health. Often, this is a surprisingly close judgment call.

Read the rest of this entry »

MySpace Myopia

by Rich Sutton
January 14th, 2008

You’ve probably seen the news: MySpace has reached an agreement with 49 states to take steps to make their site a safer place for kids. I just have one quick comment.

I think the state governments are attacking this from completely the wrong angle. Governments can put all the pressure they want on MySpace, and as soon as MySpace has adequate controls and age verification, the kids will have moved elsewhere.

Now don’t get me wrong, MySpace certainly has an obligation to do what they can. I’m glad to see them cooperating, especially because they only have a PR incentive to do so. They actually have a disincentive from a business perspective.

The advertisers go to MySpace to reach kids of all ages, so MySpace needs to continue to make it easy for the kids to sign up. But you lose your street cred with the kids when you let the parents in.

Providing parents the controls they want while also giving advertisers the access they demand are objectives that are fundamentally at odds with each other.

Read the rest of this entry »

ISP netblocks allocated to home computers are bot and proxy farms …

by Rich Sutton
January 9th, 2008

… so I’m going to make the case that you should simply be blocking them en masse. But first, a little background.

Dynamic Addressing by ISPs

Internet Service Providers (ISPs) own blocks of contiguous IP addresses (aka “netblocks”) that they in turn assign to the computers that connect to the Internet through their service. When you sign up for DSL, Cable or even dial-up service and connect your computer to the Internet, the ISP assigns your computer an IP address from within a netblock it owns.

Some ISPs provide static IP services, where your computer keeps the same IP address all the time. But the vast majority of home computers are signed up for less expensive dynamic IP services, where your computer gets a new address each time it connects to the Internet. The address is often different every time you connect. But it’s always from within the same netblock.

This allows the ISP to sign up more customers than IP addresses it owns, kind of like how a bank is allowed to loan out money it doesn’t actually have in the vault. Since only a percentage of the ISP’s customers are connected at any given time, this works fine.

How to tell if an IP is in one of these Netblocks

My personal DSL provider is DSLExtreme. When my home computer connects to the Internet (actually, it’s my router), it’s always assigned an address in the netblock 72.25.123.0/24, which includes a range of IPs from 72.25.123.0 to 72.25.123.255.

Read the rest of this entry »

Proxy blocking improvements in the new version of the R3000

by Rich Sutton
December 27th, 2007

We have just released the latest version of our core web filtering appliance - version 2.0.10 of the R3000. General availability of the patch is set for January 7th, but you can contact Tech Support and request it today if you like. We’re going GA after the Holidays to reduce the load on Tech Support, which always sees a spike in activity after a major patch release (despite our best efforts).

There is lots of great stuff in this release. However, in this post I’m going to focus on the changes that affect how we handle proxies: improvements in our HTTPS filtering and pattern-based blocking. I’m going to cover:

  • Block page on a pattern block
  • New options that enhance HTTPS Medium and tame HTTPS High
  • Whitelist feature for pattern detection

Let’s take a look at the details.

Read the rest of this entry »

IPv6 - It’s coming, what is 8e6 doing?

by Mark Parker
December 17th, 2007

I am often asked about IPv6, especially as it relates to the 8e6 product line. For those that are unfamiliar with IPv6, it’s a new IP protocol that will replace the current IPv4 protocol at some point in the future. The major driver for the transition to IPv6 is the total number of available IP Addresses. With the current IPv4 protocol the total number of IP addresses available is 4,294,967,296 (2^32).

When IPv4 was originally envisioned, the primary users of IP Addresses were research facilities and governments. As more businesses joined the online community, they of course needed IP Addresses as well. In the 90s there was an explosion in the number of IP Addresses allocated to home users for Internet access from home computers. Now we are seeing more devices using IP Addresses. Cell phones, wireless e-Books, and wireless MP3 players are now using IP Addresses in order to communicate online.

The problem is that at some point in the future we will simply run out of available IPv4 Addresses. IPv6, on the other hand, supports 2^128 addresses (about 3.4×10^38, or 3.4 times 10 with 38 zeros following). That would leave approximately 5×10^28 IP addresses for each and every person alive on our planet today. Needless to say, that’s a lot of addresses.

Read the rest of this entry »

Phishing with consent: Myspace profile tracker spam

by Satnam Narang
December 6th, 2007

Just like any normal Myspace user, I tend to browse my friends’ bulletins to see if there is anything of interest that might catch my eye. A Myspace bulletin is like an announcement message; it gets posted to all of your friends’ bulletin boards for them to see. So, a few days ago, I came across a bulletin from my Myspace “friend” and digg.com founder, Kevin Rose. (I don’t know Kevin; he’s my “friend” in the loosely connected, easily created Myspace way.)

Kevin Rose posts a bulletin about a Myspace Profile Tracker.

The URL in the bulletin from Kevin takes you to hxxp://stalkertrack.com.

It’s highly unlikely that Kevin intended to send this bulletin. It should be noted that this was not an isolated incident.

This piqued my interest, so I decided to “digg” a little deeper to find out why a few web-savvy folks would openly give out their login credentials to a service that is not promoted or supported by Myspace itself, and is even actively discredited by the Myspace founders.

Read the rest of this entry »