
My state has a strict policy about porn. We blocked thousands of IPs (of porn sites) so that they cannot be accessed from within the state. This was working fine for less than a month, and then people discovered Hotspot Shield, Cyberghost VPN, UltraSurf, TunnelBear and various other proxy tools, by which they can now access all the blocked content.

Networking etc. is not my field; I'm a software engineer (and one hell of one), and with the tag of "great computer expert" on me, I've been assigned the job of finding a solution to this problem.

I have a general idea of how these proxy tools work: they mask the user's IP with a fake one, and the request, instead of going to the destination, goes to the tool's server, which serves the actual request back. Doing so bypasses the IP restrictions etc.

What is the solution to this problem? I don't even know where to start looking.

You can forget my scenario and just explain to me a fool proof way of blocking content in your region.

  • `explain to me a fool proof way of blocking content` - There simply is no fool proof method. If you lock down the network enough to completely block all VPN technologies, then your network will be unusable. – Zoredache Nov 12 '13 at 18:17
  • There's no such thing as a foolproof method. If you want "good enough" (and that's all you're going to get) then I suspect that your next job as a great computer expert is to explain to your boss that no matter how great an expert one is, one cannot be an expert in all computer matters any more than a doctor can be a specialist in every type of medicine. You need to be talking to a networking specialist, preferably one that further specialises in firewalling and filtering traffic. – Rob Moir Nov 12 '13 at 18:22
  • While I feel bad that you've been thrust into this position, I don't think that many people agree with a state enforcing this kind of morality on its citizens. I understand that you're just doing what you are told, but you'll likely get little help here. – MDMarra Nov 12 '13 at 18:22
  • The only "fool proof way" I can think of is to use white listing instead of black listing, but there are ways around that too. What police state do you live in? So that I can make sure to NEVER go there. – Matt Bear Nov 12 '13 at 18:23

1 Answer

The only "foolproof" way to block content is to disconnect from the rest of the network.
That means mirroring any content you want to serve to your people by carrying it over an air gap, and basically replicating a minuscule subset of "The Internet" that your population can access.

Clearly this is not practical (nor is it really "foolproof" -- nothing stops your citizens from going outside the country, downloading content onto removable media, smuggling it back into the country and putting it on your mini-internet, save a suitably oppressive and invasive border search program).


The next best option is whitelisting, as Matt Bear suggested -- allow traffic over your country's edge only to specific known and trusted hosts.
For this to work you would basically be crippling the internet experience (for example, no search engines, since they could leak information around your blocks; no public email providers like gmail/hotmail/etc., for the same reason). A fully locked-down whitelist environment would be nigh unusable, and it's a virtual certainty that someone would eventually find a way around these blocks.


Everything else simply doesn't work - even China, the worldwide-acknowledged expert in content filtering, has holes in its Great Firewall. Those holes could theoretically be closed, but as with a fully locked-down whitelist environment, doing so would render the network nigh unusable for legitimate purposes.

voretaq7
  • If you were going to white list an entire country, I don't think it would be a huge leap to create a search engine that crawls the white list... – Matt Bear Nov 12 '13 at 19:10
  • @MattBear that's definitely possible, and if you're dealing with a tiny subset of the internet running your own Google [Baidu-style](http://www.baidu.com) is certainly an option. – voretaq7 Nov 12 '13 at 20:13
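The two filtering models discussed in this thread (the questioner's IP blocklist that the proxy tools walk around, and the whitelist the answer calls the next-best option) are easy to compare on paper. Below is an added example, not code from the original post or its answer, that runs a handful of constructed flow records through both policies as an edge router would see them. Every address is from the RFC 5737 documentation ranges and the policy tables, hostnames and flow notes are assumptions made up for illustration; the point it shows is that a proxy exit looks like any other allowed destination to a blocklist, while an allowlist stops it only by also denying every legitimate host nobody thought to list.

```python
"""Added example (not from the original Server Fault post or its answer): a toy
edge-filter simulator that runs constructed flow records through the
questioner's IP blocklist and through the allowlist the answer proposes, to
show why a VPN/proxy exit defeats the former and what the latter costs.
All addresses are from the RFC 5737 documentation ranges; none is a real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed policy data (assumed, for illustration only).
BLOCKED_CONTENT = [ipaddress.ip_network("203.0.113.0/24")]   # the "porn site" IPs
ALLOWED_HOSTS = [                                             # the whitelist
    ipaddress.ip_network("198.51.100.10/32"),
    ipaddress.ip_network("198.51.100.11/32"),
]


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen at the state's edge router."""
    src: str
    dst: str          # the only destination the edge can see
    dport: int
    note: str         # what the user is really doing (invisible to the filter)


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def blocklist_policy(flow: Flow) -> str:
    """Deny known-bad destinations, allow everything else (the question's setup)."""
    return "deny" if _in_any(flow.dst, BLOCKED_CONTENT) else "allow"


def allowlist_policy(flow: Flow) -> str:
    """Allow only known-good destinations, deny everything else (the answer's option)."""
    return "allow" if _in_any(flow.dst, ALLOWED_HOSTS) else "deny"


# Constructed traffic sample. The second flow is the bypass the question
# describes: the client talks only to the proxy/VPN exit, which fetches the
# blocked content on its behalf, so the edge never sees 203.0.113.x.
FLOWS: List[Flow] = [
    Flow("10.0.0.5", "203.0.113.7", 443, "direct to blocked site"),
    Flow("10.0.0.5", "192.0.2.44", 443, "to proxy exit that fetches blocked site"),
    Flow("10.0.0.5", "198.51.100.10", 443, "to an approved host"),
    Flow("10.0.0.5", "198.51.100.77", 443, "to a legitimate but unlisted host"),
]


def evaluate(policy: Callable[[Flow], str], flows: List[Flow] = FLOWS) -> Dict[str, str]:
    """Map each flow's note to the policy's verdict."""
    return {f.note: policy(f) for f in flows}


def bypass_flows(policy: Callable[[Flow], str], flows: List[Flow] = FLOWS) -> List[str]:
    """Flows that reach blocked content yet are allowed: the filter's blind spot."""
    return [f.note for f in flows if "blocked site" in f.note and policy(f) == "allow"]


def collateral_flows(policy: Callable[[Flow], str], flows: List[Flow] = FLOWS) -> List[str]:
    """Legitimate flows the policy denies: the usability cost."""
    return [f.note for f in flows if "blocked site" not in f.note and policy(f) == "deny"]


if __name__ == "__main__":
    for name, pol in (("blocklist", blocklist_policy), ("allowlist", allowlist_policy)):
        print(name, evaluate(pol))
        print("  bypass:", bypass_flows(pol))
        print("  collateral:", collateral_flows(pol))
```

Running it prints one bypass for the blocklist (the proxy flow) and none for the allowlist, but the allowlist also drops the unlisted legitimate host. Adding the proxy exit's address to `BLOCKED_CONTENT` closes that one hole only until the tool rotates exits, which is the cat-and-mouse game the answer is describing; nothing in the flow record itself distinguishes the proxy connection from any other TLS session on port 443.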