From CertCities.com

Link State Update

Link Free or Die
Caught in the censorship Web? Here are a few tricks to bypass restricted Internet access.

by Eric Quinn

1/15/2003 -- Internet censorship is nothing new to most people in the technology community. We read of China filtering access to parts of Google, and Germany and France threatening Yahoo for allowing access to Nazi artifact auctions. Some Arab states are known for filtering out what they consider objectionable materials. Censorship is something that much of the world has to live with, but what if you are subject to censorship? While the moral issues of filtering access to objectionable material at work and filtering access to news from the population of an entire country differ, they are the same from a technological standpoint.

This topic was brought to my attention by someone who works for a U.S. embassy to another country. I was rather surprised (although I shouldn't have been) to discover that high-level civil servants can get caught in the same web as other members of the public. While most U.S. missions have unfiltered access to the Internet to allow diplomats to do their jobs, those same diplomats might have restricted Internet access at home. There are several methods that can be used to get around any sort of censorship, all involving the use of a device outside the network that can get to the server you're trying to reach. In order to hide your activities, you'll need to use some form of encrypted tunnel.

Proxies/Anonymizers
An anonymizer service is a proxy server to which you build a tunnel. You send your request to the anonymizer, it forwards the request to the destination, and the reply is relayed back to you. While this works with any proxy that allows an encrypted session, there are companies that let anyone connect to a Web anonymizer for anonymous surfing. The user just gets plastered with ads.

Terminal Access
A popular way of getting around access controls in the U.S. is for someone to enable terminal services on a home PC and access the home machine from work or school. This same method can be used to get around government censorship as well, assuming terminal services aren't being filtered and you have a machine you can access in an area that doesn't censor the Internet. Rather than using pure Windows terminal services, consider third-party products that reduce bandwidth utilization.

What if the local ISP is on the ball and is filtering out all forms of IPSec, PPTP, L2TP etc.? There is a way that you can trick the filtering device into allowing your traffic: IPSec over TCP or UDP. The trick also works with ISPs in the U.S. that won't allow customers to use IPSec unless they pay for a corporate access package. IPSec over TCP or UDP can become your friend.

Here's how it works: The traffic you send to an Internet server gets encapsulated in an IPSec packet. The ISP looks for header fields that identify the packet as encrypted. With IPSec, the ISP can look for the ESP and AH protocols as well as block UDP port 500. What if you place the IPSec packet in a normal TCP packet as data? What if the destination port on the destination server is 80? HTTP, for a Web server, right? Not on this server! This server allows IPSec over TCP sessions to terminate at port 80. IPSec over TCP or UDP requires setup on both sides. Make sure that the port chosen isn't used by any other process on that server, and make sure that the server you're connecting to can access the resources you want. Connecting from a PC in China to a server in North Korea would indeed be considered going backwards.

The Corporate Side
Corporate IT people don't have to worry too much about IPSec over TCP or UDP. First, a good security policy doesn't allow the average user to install new software whenever they please. More important, though, there is a way to filter IPSec over TCP or UDP traffic. I'll cover that in a future column.
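The column describes the filter's view in two places: the header checks an ISP can do (ESP, AH, UDP 500) and the trick of hiding an IPSec packet as TCP data on port 80. The following is an added example, not code from the column or from any product it mentions, showing the defender's counterpart: a small classifier that tags raw IPSec by protocol number, tags UDP-encapsulated IPSec on port 4500 using the RFC 3948 layout (four zero bytes mark IKE, otherwise an ESP header with SPI and sequence number), and flags port-80 payloads that do not begin like HTTP at all. The `Packet` type, the function names and the sample packets are constructed for the example.

```python
"""Protocol-conformance checks for encapsulated IPsec (added example).

Tags packets that carry raw IPsec (ESP/AH/IKE), parses UDP-encapsulated
IPsec on port 4500 per RFC 3948, and flags TCP port 80 payloads that do
not look like HTTP. All sample packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass

# IP protocol numbers and well-known ports used by the checks
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT, HTTP_PORT = 500, 4500, 80
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")


@dataclass
class Packet:
    """Hypothetical minimal packet view: IP protocol, destination port, L4 payload."""
    proto: int
    dport: int
    payload: bytes


def looks_like_http(payload: bytes) -> bool:
    """A genuine HTTP exchange starts with a request line or a status line."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


def parse_udp_encapsulated_esp(payload: bytes):
    """RFC 3948 layout on UDP 4500: a non-ESP marker of four zero bytes means
    IKE follows; otherwise the first 8 bytes are the ESP header (SPI, seq)."""
    if len(payload) < 8:
        return None
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return {"kind": "ike", "spi": None, "seq": None}
    return {"kind": "esp", "spi": spi, "seq": seq}


def classify(pkt: Packet) -> str:
    """Return a short tag describing what the filter would see."""
    if pkt.proto == IPPROTO_ESP:
        return "esp"
    if pkt.proto == IPPROTO_AH:
        return "ah"
    if pkt.proto == IPPROTO_UDP and pkt.dport == IKE_PORT:
        return "ike"
    if pkt.proto == IPPROTO_UDP and pkt.dport == NAT_T_PORT:
        parsed = parse_udp_encapsulated_esp(pkt.payload)
        return "udp-encapsulated-" + parsed["kind"] if parsed else "udp-4500-short"
    if pkt.proto == IPPROTO_TCP and pkt.dport == HTTP_PORT:
        # The page's trick: IPsec bytes carried as data on the HTTP port.
        return "http" if looks_like_http(pkt.payload) else "non-http-on-80"
    return "other"


# Constructed samples: one ordinary HTTP request, one ESP-like blob on port 80,
# raw IKE on UDP 500, IKE and ESP on UDP 4500, and raw ESP by protocol number.
SAMPLES = [
    Packet(IPPROTO_TCP, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(IPPROTO_TCP, 80, struct.pack("!II", 0x12345678, 1) + b"\x00" * 24),
    Packet(IPPROTO_UDP, 500, b"\x00" * 28),
    Packet(IPPROTO_UDP, 4500, b"\x00\x00\x00\x00" + b"\x00" * 28),
    Packet(IPPROTO_UDP, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 24),
    Packet(IPPROTO_ESP, 0, b"\x00" * 16),
]


def report(packets):
    """Classify every packet; returns the list of tags in input order."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, tag in zip(SAMPLES, report(SAMPLES)):
        print(f"proto={pkt.proto:<3} dport={pkt.dport:<5} -> {tag}")
```

The "non-http-on-80" tag is deliberately broad: it fires on anything that is not HTTP on the HTTP port, including other tunnels, so it is a queue for review rather than a verdict. The port-4500 parser only reads the two ESP header fields that are sent in the clear; the SPI and sequence number are enough to count flows and spot a tunnel, which is all a filter on the corporate side needs.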


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .
Copyright 2000-2003, 101communications LLC. See our Privacy Policy.