Isp level internet-content_filtering_trial-report

    • Closed Environment Testing of ISP-Level Internet Content Filters
      Report to the Minister for Broadband, Communications and the Digital Economy
      June 2008
    • © Commonwealth of Australia 2008
      This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction and rights should be addressed to the Manager, Communications and Publishing, Australian Communications and Media Authority, PO Box 13112 Law Courts, Melbourne Vic 8010.
      Published by the Australian Communications and Media Authority
      Canberra Central Office: Purple Building, Benjamin Offices, Chan Street, Belconnen; PO Box 78, Belconnen ACT 2616; Tel: 02 6219 5555; Fax: 02 6219 5200
      Melbourne Central Office: Level 44, Melbourne Central Tower, 360 Elizabeth Street, Melbourne; PO Box 13112 Law Courts, Melbourne Vic 8010; Tel: 03 9963 6800; Fax: 03 9963 6899; TTY: 03 9963 6948
      Sydney Central Office: Level 15, Tower 1 Darling Park, 201 Sussex Street, Sydney; PO Box Q500, Queen Victoria Building NSW 1230; Tel: 02 9334 7700, 1800 226 667; Fax: 02 9334 7799
    • Contents
      EXECUTIVE SUMMARY
        Introduction to the trial
        Project background
        Execution of the trial
        Results
        Conclusions
      CHAPTER 1: INTRODUCTION
        Terms of reference
        Previous technical studies
        How filtering technologies operate
          Identification techniques
          Blocking techniques
        Outline of the report
      CHAPTER 2: PROJECT BACKGROUND
        Appointment of test agency
        Selection of filter products
        Compilation of test data
        Selection of test site
      CHAPTER 3: EXECUTION OF THE TRIAL
        Performance
          Operation of an ISP’s network
          Network performance metrics
          Test network and hardware
          Test methodology
          Calculation of results
        Effectiveness
          Test network and hardware
          Test methodology
          Calculation of results
        Scope
        Adaptability
      CHAPTER 4: RESULTS
        Performance
        Effectiveness
        Scope
        Adaptability
        Summary
      CHAPTER 5: CONCLUSIONS
        Performance
        Effectiveness
        Scope
        Adaptability
        Current state-of-the-art
      APPENDICES
        Appendix A: The Ministerial Direction
        Appendix B: The tiered hierarchy of ISPs
        Appendix C: Types of network filter products not assessed
          Filter products targeting illegal content only
          Enterprise-level filter products
        Appendix D: Specifications of the hardware used
          Network Performance Test
          Accuracy Test
        Appendix E: Baseline network performance characteristics of the test network
        Appendix F: Individual product performance
          Alpha
          Beta
          Gamma
          Delta
          Theta
          Omega
      GLOSSARY
      BIBLIOGRAPHY
    • Executive summary
      This report has been prepared by the Australian Communications and Media Authority (ACMA) in response to a ministerial direction received in June 2007 to conduct closed environment testing of internet service provider (ISP)-level internet content filters. The purpose of the trial was to assess the current maturity of commercial filtering products that are suitable for deployment by internet service providers. The direction is at Appendix A.
      (A detailed assessment of the state of ISP-level filtering technology is at pages 52—53.)
      ACMA considers that, under the conditions created for the trial, the state-of-the-art of ISP-level filtering technology has significantly advanced, and stands in contrast with the state of this technology evidenced in the previous trial of filter products commissioned by NetAlert Ltd in 2005. The main indicators of the increasing maturity of ISP-level filtering technology are:
      ● the number of filter products that are specifically designed to be deployed by ISPs;
      ● availability of a number of filter products that produce moderate to nearly nil performance degradation;
      ● improvements in accuracy—the products tested exhibited high levels of successful blocking and low levels of overblocking (that is, blocking access to content that is intended to be accessible);
      ● availability of the capability to offer different filtering options to ISPs’ customers or for customers themselves to customise filtering; and
      ● actual deployments of filter products by ISPs in other countries.
      The one area which showed little sign of advance was reflected by the absence in this trial, for the most part, of any capability of filtering content carried via non-web protocols.
      The findings of this report and the assessment of the state-of-the-art of ISP-level filter products reflect testing in a controlled laboratory environment. In particular, the testing simulated a Tier 3 network (the lowest level of the ISP network hierarchy); different results might be observed in a real-world Tier 3 network or in networks at higher levels in the ISP network hierarchy. This is due to variations in architecture, including hardware used, size and complexity of the network and traffic demands.
      Introduction to the trial
      The purpose of the trial was to assess the capability of available technology to filter illegal or inappropriate content at ISP-level and advances in filtering technology since the previous trial in 2005.
      The report commences with definitions of the four criteria against which the capability of ISP-level filtering technologies was assessed:
      ● performance: whether the products degrade internet performance;
      ● effectiveness: the extent to which the products correctly identify and block illegal content, content that may be inappropriate for minors and innocuous content;
      ● scope: whether the products are capable of filtering non-web internet traffic; and
      ● adaptability: whether the products can be customised to apply different levels of blocking according to the preferences of the user.
      ACMA was not asked, as part of the trial, to assess the capability of ISP-level filtering technologies that filter only illegal content. ACMA was also not asked to investigate the balance of costs and benefits associated with implementing ISP-level filtering, including:
      ● capital and operating costs associated with implementing filter products;
      ● costs associated with any upgrading of an ISP’s network to address performance degradation associated with a particular filter product; and
      ● the nature and implications of the implementation of ISP-level filtering for ISPs’ customers.
      ACMA also did not assess other matters that may be of relevance to the efficacy of ISP-level filters in a real-world context, such as:
      ● the extent to which a filter can be circumvented; and
      ● the ease with which it is installed, deployed and implemented.
      Chapter 1 summarises the findings of previous technical studies of filtering for the Australian Government and concludes with an explanation of the different types of filtering techniques.
    • Project background
      Chapter 2 describes the selection of six filter products for testing, following a public call for expressions of interest from filter vendors.
      (The method of compiling the Category 1, 2 and 3 lists of URLs is described at pages 20—22.)
      In accordance with the ministerial direction, the trial was required to test the capability of filter products to distinguish between illegal, inappropriate and innocuous content. To test this capability, three lists of URLs were created as test data:
      1. Category 1 was intended to test the extent to which the selected filter products blocked content on the ACMA prohibited content list.
      2. Category 2 was intended to test the extent to which the selected filter products underblock, by allowing access to content that may be regarded as harmful or inappropriate for children but is not illegal.
      3. Category 3 was intended to test the extent to which filter products overblock by blocking access to content that may be regarded as innocuous.
      Execution of the trial
      Chapter 3 describes how an isolated purpose-built network was established to test performance, simulating both the function of the internet as a source of content and the function of end users requesting content. The test network was analogous to a Tier 3 ISP.
      (Details of the methodology used in testing performance are provided at pages 29—35.)
      Testing of the effect on network performance of each filter product involved measuring:
      ● baseline performance of the test network with no filter installed;
      ● performance of the test network with each filter connected, in turn, but with no active filtering occurring; and
      ● performance of the test network with each filter connected, in turn and actively filtering.
      Three indices representing the performance of each filter product were calculated from the results of these tests.
      (Details of the methodology used in testing effectiveness are provided at pages 35—37.)
      Testing of effectiveness involved measuring:
      ● the effectiveness of a filter in blocking content corresponding to Categories 1 and 2—that is, content that was intended to be blocked; and
      ● the effectiveness of a filter in distinguishing content from Category 3—that is, content that was not intended to be blocked.
    • Two indices representing the effectiveness of each filter product were calculated from the results of these tests.
      Chapter 3 concludes by describing the methodology used to assess the scope and adaptability, which involved an expert review of product documentation and interviews with suppliers of the products to identify specific features of each product.
      Results
      Chapter 4 sets out the measurements from the quantitative performance and effectiveness tests for the filter products and lists the capabilities of the filter products for scope and adaptability.
      (Details of the performance results are at pages 39—43.)
      For the performance test, the percentage results showing the degree of degradation introduced by a filter connected to the test network but not actively filtering (where a low figure indicates a lesser degree of performance degradation) were:
      ● below 30 per cent for all products; and
      ● below 10 per cent for five of the six products.
      The percentage results showing the degree of degradation introduced by a filter connected to the test network and actively filtering (where a low figure again indicates a lesser degree of performance degradation) were:
      ● nearly nil (two per cent) for one product;
      ● in the range 22 to 30 per cent for three products; and
      ● in excess of 75 per cent for two products.
      (Details of the effectiveness results are at pages 43—44.)
      For the effectiveness test, the results showing the degree of success in blocking content corresponding to each of the URLs listed in the Category 1 and 2 lists (where figures fall in the range of 0 to 1 and a high figure indicates a greater degree of success in blocking content that was intended to be blocked) were:
      ● above 0.88 for all products; and
      ● 0.94 or above for three products.
      The results showing the degree of success in not blocking content corresponding to each of the URLs listed in the Category 3 list (where figures fall in the range of 0 to 1 and a low figure indicates a greater degree of success in not blocking content that was not intended to be blocked) were:
      ● below 0.08 for all products; and
      ● below 0.03 for four products.
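The performance and effectiveness measures summarised above can be derived from raw test output as in the following added example, which is not code from the report or its test agency. It assumes each index is a simple proportion (the report's own formulas are in Chapter 3, which is not reproduced here); the function names are hypothetical and the URLs, verdicts and throughput figures are constructed.

```python
from dataclasses import dataclass

BLOCK_TARGETS = (1, 2)  # Category 1 and 2: content intended to be blocked
ALLOW_TARGET = 3        # Category 3: content intended to stay accessible


@dataclass(frozen=True)
class Verdict:
    url: str
    category: int   # 1, 2 or 3, as in the trial's three URL lists
    blocked: bool   # what the filter under test did with the request


def _rate(verdicts, categories):
    """Fraction of URLs in the given categories that the filter blocked."""
    subset = [v for v in verdicts if v.category in categories]
    if not subset:
        raise ValueError(f"no test URLs for categories {categories}")
    return sum(v.blocked for v in subset) / len(subset)


def blocking_index(verdicts):
    """0 to 1; high means more Category 1 and 2 content was blocked."""
    return _rate(verdicts, BLOCK_TARGETS)


def overblocking_index(verdicts):
    """0 to 1; low means less Category 3 content was wrongly blocked."""
    return _rate(verdicts, (ALLOW_TARGET,))


def misclassified(verdicts):
    """URLs to review by hand: underblocked (Category 1/2 allowed) and
    overblocked (Category 3 blocked)."""
    under = [v.url for v in verdicts
             if v.category in BLOCK_TARGETS and not v.blocked]
    over = [v.url for v in verdicts
            if v.category == ALLOW_TARGET and v.blocked]
    return under, over


def degradation_pct(baseline, measured):
    """Throughput lost against the unfiltered baseline, as a percentage.
    Assumption: a run that beats the baseline (noise) is reported as 0."""
    if baseline <= 0:
        raise ValueError("baseline throughput must be positive")
    return max(0.0, (baseline - measured) * 100 / baseline)


def score(verdicts, baseline, passive, active):
    """Combine the three performance runs and the URL verdicts for one product."""
    under, over = misclassified(verdicts)
    return {
        "blocking": blocking_index(verdicts),
        "overblocking": overblocking_index(verdicts),
        "passive_degradation_pct": degradation_pct(baseline, passive),
        "active_degradation_pct": degradation_pct(baseline, active),
        "underblocked": under,
        "overblocked": over,
    }


def _sample(category, blocked_flags):
    # Constructed test data on the reserved .example domain.
    return [Verdict(f"http://cat{category}-{i}.example/", category, b)
            for i, b in enumerate(blocked_flags)]


SAMPLE_VERDICTS = (
    _sample(1, [True, True, True, True])
    + _sample(2, [True, True, False, True])
    + _sample(3, [False, False, False, False, True, False, False, False])
)
# Constructed throughput (Mbps): no filter, filter connected but idle,
# filter connected and actively filtering.
SAMPLE_THROUGHPUT = {"baseline": 100.0, "passive": 95.0, "active": 78.0}

if __name__ == "__main__":
    for key, value in score(SAMPLE_VERDICTS, **SAMPLE_THROUGHPUT).items():
        print(f"{key}: {value}")
```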
    • (Details of the scope results are at pages 44—45.)
      Each of the filter products is able to block traffic entirely across a wide range of non-web protocols, such as instant messaging and peer-to-peer protocols. However, a capability to identify illegal content and content that may be regarded as inappropriate carried via such protocols was not found, excepting:
      ● two products that can identify particular types of content carried via one email protocol; and
      ● one product that can identify particular types of content carried via one streaming media protocol.
      (Details of the adaptability results are at pages 45—46.)
      Chapter 4 concludes by reporting that all of the products allow the customisation of filtering policies for groups of users, for individual customers of an ISP and for individual users.
      Conclusions
      The specific findings for performance and effectiveness in this trial are substantively different to those of the previous trial.
      (A comparison of the results for performance in this trial with those of the previous trial is at pages 47—49.)
      The previous trial reported that, when filters were connected to the test network and actively filtering, performance degradation ranged from 75 per cent to a very high 98 per cent between the best-and-worst performing filter products. In the current trial, the corresponding performance degradation varied across a greater range—from a very low two per cent to 87 per cent between the best-and-worst performing filter products.
      [Figure: Network degradation as a percentage of baseline throughput, previous trial and current trial]
      Although the performance of two of the six products tested in the current trial was relatively poor, one product generated almost no network degradation and the remaining three products exhibited low to moderate levels of degradation in network performance. The median network degradation of the tested filters significantly dropped indicating a significant improvement in network performance in the current trial compared with that of the previous trial. ACMA considers that this improvement in the performance of filters tested in the current trial compared with the previous trial represents a profound advance in ISP-level filtering technology.
      (A comparison of the results for accuracy in this trial with those of the previous trial is at pages 49—51.)
      The previous trial reported a difference in the level of successful blocking (that is, the proportion of content that should have been blocked that was actually blocked) between the least and the most accurate filter products in the range 70 to 100 per cent. The corresponding levels measured in the current trial varied across a smaller range, between 88 and 97 per cent, with most achieving over 92 per cent. The median rate of successful blocking was improved from the previous trial.
      [Figure: Percentage of Category 1 and 2 content successfully blocked, previous trial and current trial]
      The previous trial reported a difference in the level of overblocking (that is, the proportion of content that was blocked that should not have been blocked) between the most and the least accurate filter products in the range six to 62 per cent. The corresponding levels measured in the current trial varied across a significantly smaller range—between one and eight per cent, with most falling under three per cent. The median overblocking rate was significantly improved from the previous trial.
      [Figure: Percentage of Category 3 content overblocked, previous trial and current trial]
    • (An assessment of the ability of ISP-level filters to control non-web content is at pages 44—45.)
      Despite the general nature of advances in ISP-level filtering technology between the current trial and the previous trial, most filters are not presently able to identify illegal content and content that may be regarded as inappropriate that is carried via the majority of non-web protocols, although development work by filter vendors is underway in this area. This is despite developments in the use of internet technologies that have led to increased use of non-web protocols such as instant messaging and file-sharing.[1]
      [1] See Chapter 2 of Australian Communications and Media Authority, Developments in Internet Filtering Technologies and other Measures for Promoting Online Safety, February 2008.
    • Chapter 1: Introduction
      Overview
      Chapter 1 sets out the terms of reference for the trial and specifically describes the criteria against which the filter products tested in the trial were evaluated: performance of filters in an ISP’s network, effectiveness of the filters in blocking particular content, scope or range of internet content on which filters were able to operate and adaptability to the specific requirements of ISPs or their customers. The purposes served by evaluating ISP-level filtering products against these criteria are set out. The chapter goes on to outline the previous Australian Government technical studies on internet filtering and presents a summary of their respective findings and concludes by providing an overview of the contents of each of the following chapters.
      This report sets out the results of a study into the maturity of products for filtering internet content that are suitable for deployment by internet service providers (ISPs). The study was informed via a technical, laboratory-based trial of a sample of commercial filter products available to ISPs, conducted in the first half of 2008.
      The study was undertaken at the direction of the former Minister for Communications, Information Technology and the Arts for the purpose of assessing:
      ● the capacity of available technology suitable for deployment by ISPs to filter internet content that is illegal and inappropriate for minors which consumers may access through their internet connection; and
      ● the extent of advances made since a previous trial of ISP-based filter technologies that was carried out during 2005.
      Terms of reference
      The Protecting Australian Families Online Direction No. 1 of 2007 (Appendix A) was made under subsection 14(1) of the Australian Communications and Media Authority Act 2005 in relation to ACMA’s functions under paragraph 8(1)(d) of that Act (dealing with, reporting to and advising the Minister in relation to matters affecting consumers of carriage services). The direction instructed ACMA to conduct a trial of one or more commercial filter products that provide the capability of filtering of internet content that is illegal and inappropriate for minors at the ISP-level and to report the findings of the trial to the Minister by 30 June 2008.
      Specifically, ACMA was directed to test the products against the following criteria:
      1. Performance: whether the products cause delays or otherwise degrade internet performance.
      2. Effectiveness: the extent to which the products distinguish illegal content, content that may be inappropriate for minors and innocuous content.
      3. Scope: whether the products are capable of filtering internet traffic other than web content, such as peer-to-peer file transfers, chat and instant messaging.
      4. Adaptability: whether the products are capable of being customised to apply different levels of blocking appropriate for children of different ages and to target different categories of content.
      The performance criterion is intended to quantitatively measure whether ISP-level filtering products, when deployed and operational within an ISP’s network, adversely affect the performance of the network such that it would be necessary for an ISP to upgrade its network sooner than forecast in order to restore performance to a satisfactory level.
      The effectiveness criterion is intended to quantitatively measure the extent to which ISP-level filtering products satisfactorily perform their essential role, that is, successfully identifying and preventing the delivery of illegal internet content and internet content that is inappropriate for children, while permitting innocuous internet content.
      The scope criterion is intended to indicate the ability of ISP-level filtering products to identify and block illegal and inappropriate internet content that is transmitted and delivered across the internet using non-web protocols (for example, instant messaging, file transfers) in addition to web content.
      The adaptability criterion is intended to indicate whether ISP-level filtering products can offer a range of filtering options that enable a filtered service supplied to an ISP’s customers to be tailored to meet specific requirements of the ISP or of the customer, as opposed to a ‘one-size fits all’ filtering solution.
      Accordingly, the assessment of ISP-level filtering products against these four criteria seeks to update knowledge about the overall maturity of ISP-level filters, not to identify a ‘best buy’ product.
      There are some other matters that may also be relevant to the efficacy of a filter in a real-world context, but which were outside the terms of reference and not assessed by ACMA. These include the following.
      Filters may vary in their resistance to circumvention. Table 1 illustrates some common methods of how filters can be circumvented and how these methods may apply to both PC-based filters and ISP-level filters.
      Method: PC-based filters / ISP-level filters
      Administrator passwords: Can be circumvented / Cannot be circumvented
      Boot disks: Can be circumvented / Cannot be circumvented
      Anonymisers: Low probability of circumvention
      Translation software: Moderate probability of circumvention
      Search engine caching: Low probability of circumvention
      Mirrors: Low probability of circumvention
      Additional domain names: Low probability of circumvention
      Table 1: Common methods of circumventing filters
      Unlike PC-based filters, which are open, ISP-level filters lie on the internal network of an ISP which is generally firewalled off from public access and are therefore less open to attack.
      Filters may also vary in the administrative complexity of installation, deployment and implementation. Factors such as the compatibility of existing hardware in the ISP’s network in which the product is installed, the availability of skilled personnel and degree of change that such a device brings into a network make it impossible to assess in a closed trial of this nature.
      Previous technical studies
      This report is the latest in a series of Australian Government technical studies of internet content filtering, which are summarised below.
      BLOCKING CONTENT ON THE INTERNET: A TECHNICAL PERSPECTIVE, CSIRO, JUNE 1998
      Commissioned by the National Office for the Information Economy, this report examined the technical aspects of the internet that allow particular content which has already been identified as illegal or offensive to be blocked, particularly by ISPs and content hosts. The report explored the technical issues associated with different methods of blocking content, as well as some non-technical issues and evaluated the pros and cons of each method.
      The primary observations of the report were that:
      ● ISPs could offer differentiated services, including a walled-garden service that provides access to a limited subset of websites and a filtered internet access service; and
      ● international cooperation would be needed in order to deal with hosting of illegal (or offensive) content outside Australia.
      EFFECTIVENESS OF INTERNET FILTERING SOFTWARE PRODUCTS, CSIRO, SEPTEMBER 2001
      Commissioned by NetAlert Ltd and the former Australian Broadcasting Authority, this report presented the findings of testing on 14 filter products for:
      ● ease of installation, configuration and use;
      ● ease of bypassing or disabling filter;
      ● ability to stop access to undesirable content;
      ● ability to avoid blocking desirable content; and
      ● ability to track access.
      The majority of the products tested were client-side desktop applications, but a number of server-side solutions suitable for enterprise environments were also tested. None of the products were specifically intended for deployment by ISPs.
The primary observation of the report was that almost all the products were effective in blocking undesirable content, but all blocked some portion of desirable content.

INTERNET CONTENT FILTERING, OVUM, APRIL 2003

Commissioned by the then Department of Communication, Information Technology and the Arts to evaluate the state-of-the-art internet content filtering technologies, this study provided:
● technical advice on the emergence of new blocking or filtering methodologies since the commencement of the online content co-regulatory scheme set out in Schedule 5 to the Broadcasting Services Act 1992, in 2000;
● information about financial costs and administrative requirements associated with ISP-level filtering and the potential impacts on the performance and efficiency of the internet; and
● an overview of the application of filter technologies and other access management techniques in government-administered schemes overseas.

The study was undertaken using a combination of secondary and primary research, including interviewing leading content filtering vendors, ISPs in Australia and Singapore, government officials and interested parties involved in internet content filtering in countries covered in three case studies. No filter products were actually tested in the study.

The major observations of the study were that no major technological developments had occurred since the commencement of the online content co-regulatory scheme in 2000 and that ISPs who had adopted filtering had seen a limited impact on throughput. It also noted, however, that the costs associated with such an implementation at the ISP level made it unattractive for ISPs.

A STUDY ON SERVER-BASED INTERNET FILTERS: ACCURACY, BROADBAND PERFORMANCE DEGRADATION AND SOME EFFECTS ON THE USER EXPERIENCE, RMIT IT TESTLAB, APRIL 2005

Commissioned by NetAlert Ltd to provide a quantitative analysis of the performance impact of applying server-based internet content filtering applications and appliances to an internet feed in both live and controlled environments, this technical trial provided information on:
● the extent of degradation of internet access speed and performance;
● the accuracy of filtering; and
● the effect of filtering on the user experience when using broadband internet services.

RMIT IT TestLab encountered difficulties in finding products for the trial that were specifically designed for ISP-level filtering; consequently, all the products tested were designed for enterprise-level content filtering but had the capability of being deployed in an ISP's network.
The primary findings of the trial were:
● a reduction of between 18 and 78 per cent in network performance when accessing the internet through a content filter;
● the filters performed significantly better when blocking pornography and other adult content but performed less well when blocking other types of content;
● of the filters tested, the most effective in terms of accuracy blocked 76 per cent of the URLs used in the testing and only one filter blocked 100 per cent of URLs on ACMA's prohibited content list;
● only one in six users noticed any degradation in network performance, but this degradation was regarded as minor and acceptable; and
● all users reported a measure of over-blocking.

The present report updates the body of evidence about the state-of-the-art of ISP-level filtering technologies in 2008, recognising both the possible developments in filtering technologies and the changes in internet use since the reports described above.
How filtering technologies operate

In order to put the nature of the products tested in the trial in context, the following is an overview of the ways in which different filtering technologies operate.

Filter products perform two basic functions in order to limit users' access to content: they identify content that is to be excluded (or included) and then block (or allow) access to that material. Identification methods are common to most filter products, while blocking methods vary depending on the type of location in which a filter is deployed; for example, a home computer, ISP network or mobile phone network.

Terminology describing different methods of filtering is imprecise and is rarely used among filter vendors in a standard manner, while several terms often exist to describe the same filtering methodologies. The following section provides a description of the most common filtering methods.

IDENTIFICATION TECHNIQUES

The two basic methods for identifying content to be filtered are:
1. Index-based filtering: material is included in a list of either 'good' or 'bad' content.
2. Analysis-based filtering: on examination of the content, it is found to meet a set of criteria intended to determine its acceptability.
Index-based filtering is the process of permitting or blocking access to web pages on the basis of their inclusion on a list (or index) of web resources. Such filtering can be based on 'whitelists' (exclusively permitting specific content while blocking all other content) or 'blacklists' (exclusively denying specific content while permitting all other content). Indexes may be developed manually, by human searches and analysis of content, by category indexes (most commercial filter vendors provide a database of URLs classified by the nature of the content) or automatically by analysis-based filtering, as discussed next. Figure 1 illustrates the architecture of index-based filtering.

[Figure 1: Index-based filtering process]
Analysis-based filtering refers to the dynamic classification of content using computer software and has emerged in response to the shortcomings of index-based filtering—that is, that the latter is only applicable to web pages that have previously been assessed. Such analysis may be based on key word, profile, image analysis, file type, link analysis, reputation and deep packet inspection among other criteria. Such classification may be in real-time or offline. Figure 2 illustrates the implementation of analysis-based filtering.

[Figure 2: Analysis-based filtering process. Elements shown: User, Filter, Internet, Web server hosting requested content. Step 1: User requests content. Step 2: Request for content is forwarded to web server. Step 3: Web server returns content. Step 4: Filter assesses content. Step 5: If content is assessed as inappropriate, it is blocked; otherwise it is delivered.]

BLOCKING TECHNIQUES

Common blocking techniques used are:
● packet filtering;
● DNS poisoning;
● caching web proxies;
● port blocking;
● pass-by filtering; and
● pass-through filtering.

Packet filtering involves a router or other device determining whether to allow or deny the passage of a request for content by examining the headers [2] of the packets [3] as they pass through. Packet filtering examines the destination IP address in the header and determines whether that IP address is to be blocked according to an index. Where an IP address is to be blocked, the router will not forward the request for data to the content host and therefore no connection will be made with the host computer. This method blocks all traffic associated with an IP address.

DNS poisoning (also referred to as DNS tampering) involves changing the information returned to a particular user within their DNS server [4] when responding to a query of a blocked domain. Users attempting to request blocked websites will not be directed to the correct IP address.

Caching web proxies are used in networks to acquire web content from a host on behalf of a user and deliver it to the user's web browser. They provide a perceived increase in web browsing speeds and reduce bandwidth usage by holding copies of frequently requested material so that a request does not need to be made to the content host every time a user in the network wants to view the content. The same technology can be used to precisely block the content that is deemed to be inappropriate, usually on the basis of URL. The content retrieved and stored in the local cache is inspected and classified offline. Based on the classification of the cached content, proxies may then modify the communications between user and content host, usually to block requests for content hosted at a URL on a blacklist, often replacing the returned content with an 'Access Denied' (or similar) message to filter out inappropriate sections. [5]

Some filters use port blocking to close ports through which particular data is transferred. Different classes of programs or services on a computer use different ports to send and receive data. For example, some email programs use port 110, while web traffic is received through port 80 by default. By blocking the ports that various programs use to access the internet, filters aim to prevent use of those programs to access content on the internet.

[2] Header refers to the information contained at the beginning of a packet, which contains information about the handling of the packet. Analogous to an envelope around a letter, header information includes, among other things, the destination and source IP addresses.
[3] A packet is a formatted block of data that can be transmitted over a network. It includes both header information and the content to be delivered.
Used primarily with analysis-based filtering, pass-by filtering allows a requested web page to load and marks it for later analysis. The page will later be added to the filter vendor's index of categorised material and therefore blocked, where appropriate, for users who subscribe to a filtered service. This means there is no delay to the user in accessing requested material, but that inappropriate content may be viewed by a user once.

Used primarily with analysis-based filtering, pass-through filtering is often referred to as 'proxying'. Delivery of a requested website is not permitted until analysis of its content is complete, introducing a certain amount of delay [6] that depends on the processing power of the hardware on which the filter software is installed.

Most commercial filter products employ both index-based filtering and analysis-based filtering. This is to provide a robust filtering solution by minimising the respective limitations of each approach; that is, filtering that relies exclusively on an index may not appropriately deal with newly created internet content and filtering that relies exclusively on analysis may consume an excessive amount of processing resources on the computer or other hardware on which it operates.

[4] The domain name system is the system that translates internet domain names such as 'acma.gov.au' into IP addresses. A DNS server is a server that performs this kind of translation. ISPs generally have DNS servers.
[5] Dornseif, M. (2003) 'Government Mandated Blocking of Foreign Web Content', in von Knop, J., Haverkamp, W. and Jessen, E. (Eds) Security, E-Learning, E-Services: Proceedings of the 17th DFN-Arbeitstagung über Kommunikationsnetze, Düsseldorf, available at: http://md.hudora.de/publications/200306-gi-blocking/200306-gi-blocking.pdf, accessed 10 October 2007.
[6] Ovum (2003) Internet Content Filtering. A Report to DCITA, p.17, available at: http://www.dbcde.gov.au/__data/assets/file/10915/Ovum_Report_-_Internet_content_filtering.rtf, accessed 15 October 2007.
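The trade-off between pass-by and pass-through filtering described above can be made concrete with a small simulation. This is an added example, not code from the report or from any tested product; the keyword criteria, the 40 ms analysis cost, the URLs and the rule that analysis results are added to the index are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed keyword criteria standing in for a vendor's analysis engine.
FLAGGED_TERMS = {"casino", "explicit"}
ANALYSIS_DELAY_MS = 40  # assumed cost of analysing one page in-line

# Constructed sample "web": URL -> page text (reserved example domains).
WEB = {
    "http://listed.example/a": "explicit material",
    "http://new.example/promo": "online casino bonus",
    "http://news.example/today": "weather and traffic report",
}


def analyse(text):
    """Analysis-based identification: True if the content meets the criteria."""
    lowered = text.lower()
    return any(term in lowered for term in FLAGGED_TERMS)


@dataclass
class HybridFilter:
    """Index lookup first, then analysis in the chosen mode."""
    mode: str                                    # "pass-by" or "pass-through"
    index: set = field(default_factory=set)      # blacklist index
    pending: list = field(default_factory=list)  # pages marked for later analysis

    def request(self, url):
        """Return (delivered, added_delay_ms) for one user request."""
        if url in self.index:
            return False, 0  # index hit: blocked with no analysis needed
        if self.mode == "pass-through":
            # Delivery waits until analysis is complete.
            if analyse(WEB[url]):
                self.index.add(url)
                return False, ANALYSIS_DELAY_MS
            return True, ANALYSIS_DELAY_MS
        # Pass-by: deliver immediately and mark the page for later analysis.
        self.pending.append(url)
        return True, 0

    def run_offline_analysis(self):
        """Classify pages marked by pass-by requests and extend the index."""
        for url in self.pending:
            if analyse(WEB[url]):
                self.index.add(url)
        self.pending.clear()


def simulate(mode):
    """Replay the same two batches of requests and total the outcomes."""
    flt = HybridFilter(mode=mode, index={"http://listed.example/a"})
    batches = [
        ["http://listed.example/a", "http://new.example/promo",
         "http://news.example/today"],
        ["http://new.example/promo", "http://news.example/today"],
    ]
    exposures = 0  # flagged pages that reached the user
    delay_ms = 0   # total delay added by in-line analysis
    for batch in batches:
        for url in batch:
            delivered, delay = flt.request(url)
            delay_ms += delay
            if delivered and analyse(WEB[url]):
                exposures += 1
        flt.run_offline_analysis()  # offline pass between batches
    return {"exposures": exposures, "delay_ms": delay_ms,
            "index_size": len(flt.index)}


if __name__ == "__main__":
    for mode in ("pass-by", "pass-through"):
        print(mode, simulate(mode))
```

Both modes end with the same index, but pass-by lets the unlisted page through once with no delay, while pass-through never delivers it and pays the analysis cost on every request that misses the index.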
Outline of the report

The remainder of this report is structured as follows.

Chapter 2 describes the preparation for the trial, including the appointment of a test agency, the selection of a sample of ISP-level filtering products for testing and the compilation of test data comprising URLs linking to content that is illegal, inappropriate for children or innocuous.

Chapter 3 sets out the manner in which the testing of the sample of ISP-level filtering products was conducted. The methodologies used for testing the performance and effectiveness of the sample filter products are described, including the design of the test network, the test procedures and the derivation of several measures of filter performance and effectiveness. Chapter 3 also describes the manner in which the scope and adaptability of the sample filter products was assessed.

Chapter 4 provides the detailed results for the sample filter products in relation to performance, effectiveness, scope and adaptability.

Chapter 5 sets out the findings of the trial and provides an assessment of the current state-of-the-art of ISP-level filtering technologies, both by reference to the capabilities of the sample of filters tested in this trial and by comparison with the previous trial undertaken by NetAlert Ltd in 2005. Chapter 5 concludes with observations suggesting the standard that presently available ISP-level filters are capable of achieving.
Chapter 2: Project background

Overview

Chapter 2 describes the initial steps taken in establishing the trial, which began with the appointment of Enex TestLab to conduct the trial. It describes the process by which a sample of six filter products was selected for testing, outlines the range of filtering techniques employed by the selected filters and provides an overview of the characteristics of each of the filters.

Also covered in the chapter is the process of creating test data for the trial, in the form of three separate indexes of URLs. The first index, which corresponded to the ACMA prohibited content list, was for the purpose of assessing the extent to which the selected filters successfully block content on this list; the second index was for the purpose of assessing the extent to which the filters fail to identify content that is intended to be blocked; and the third index was for the purpose of assessing the extent to which filters block content that is intended to be accessible.

The chapter concludes with a description of the selection and establishment of a test facility.

Appointment of test agency

ACMA selected Enex TestLab to conduct the trial following a competitive tender process. The tender process commenced with the issue of a request for tender, accompanied by the posting of a notification on the AusTender website [7], publication of an advertisement in The Australian and issuing of a media release by ACMA drawing attention to the request for tender.

Three tender bids were received in response to the request for tender. These were subjected to a careful and thorough evaluation in order to select the company that best met the following criteria specified in the request for tender:
● capability of meeting ACMA's requirements;
● extent to which the tender bid meets the requirements set out in the request for tender for setting up and configuring the trial, conducting the testing and reporting the results;
● degree of overall compliance with the request for tender, including with the draft contract;
● price; and
● experience and past performance of the tenderer, including the skills and experience of specified personnel or subcontractors.

[7] Link: https://www.tenders.gov.au/?event=public.advert.showClosed&AdvertUUID=520E6196-AFB3-4A6F-774BAF8F2E23144F
Enex TestLab is an established provider of information and communications technology testing and benchmarking services.

Selection of filter products

In order to conduct the trial, it was necessary to acquire a selection of filter products that exhibited a broad spectrum of available internet filtering technologies. Enex TestLab placed an advertisement in the IT section of The Australian seeking filter vendors interested in participating in the trial. Vendors were asked to submit completed expressions of interest packages for each individual product that they proposed to offer for testing.

Twenty-eight expressions of interest, representing 26 products, were received from vendors (two products were each represented by two expressions of interest from separate vendors).

The expressions of interest were considered by an evaluation panel established by Enex TestLab. The purpose of the evaluation was to arrive at a selection of six products, where the selection:
● included a minimum of two hardware filter products;
● included a minimum of two software filter products;
● included a minimum of one filter product that was a hybrid solution (that is, a combination of software and hardware); and
● covered as wide a cross-section of filtering technologies as possible.

The first phase of the evaluation assessed if each product was:
● suitable for deployment in an ISP environment; and
● either a software or a hardware solution that was not a vendor-managed service. [8]

During this initial evaluation phase, nine products were eliminated as they were vendor-managed solutions. Vendor-managed solutions were excluded from the trial because the bulk of their functionality generally resides in the facilities of the filter vendor itself; hence there is no way to test such solutions in a closed environment.

The remaining 17 products progressed on to the second phase of the evaluation, involving a detailed technical assessment of each product. During this phase, individual products were scored on the following criteria:
● the product being suitable for an ISP environment;
● the product being generally available (that is, currently in commercial use as opposed to being an experimental product);
● the product being either a hardware and/or a software product, while not being a vendor-managed service;
● the product having realistic hardware specifications to be deployed in an ISP;
● the product being able to filter content other than web content (that is, internet protocols other than HTTP and HTTPS);
● for software products, the product vendor being able to supply the recommended hardware configuration on which they would pre-install their product [9]; and
● the vendors being able to provide support for their products during the trial.

The six products that were selected comprised two hardware solutions, three software solutions and one hybrid solution. Vendors for four of the six products were able to cite examples of current implementations of the products by overseas ISPs.

The six products offered the following filtering methodologies:
● index-based filtering;
● analysis-based filtering;
● use of proxies to substitute content that is to be blocked with warning messages;
● filtering of non-web content;
● restriction of access based on user profiles and time of day;
● IP address-based blocking; and
● URL-based blocking.

Table 2 records the multiple filtering techniques employed by each filter product. It specifically illustrates the range of filtering methodologies offered by the selected filter products and more generally illustrates the broad spectrum of filtering methodologies used in currently available filter products.

With a few exceptions, commercial filter products do not exclusively use a single filtering technique, but use a combination of two or more methodologies. Specifically, most commercial filtering products, and all of the selected filter products, employ a combination of index-based filtering and analysis-based filtering.

Similarly, none of the selected products only targeted illegal content. This is because the testing required under the terms of reference involved assessing the accuracy of the filters in blocking inappropriate content, which comprises a significantly broader range of material than illegal content. However, it is possible to configure all of the selected products to filter illegal content only, using a blacklist such as ACMA's prohibited content list, and allow access to all other types of content. The characteristics of illegal content filtering are discussed further in Appendix C.

In accordance with non-disclosure agreements with the suppliers of the selected filter products, names of the individual products have been withheld; the products have instead been represented by the Greek letters Alpha, Beta, Gamma, Delta, Theta and Omega.

[8] For internet content filtering, a vendor-managed service is a third-party service, hosted on the internet, which is offered as a subscription. Such a service does not provide the transport for access to the internet, but filters the content that an internet subscriber receives. Subscribers use the managed service either as a proxy or by establishing a VPN through which they retrieve their internet content. Such a service cannot be tested in a closed environment.
[9] This requirement was to eliminate any suggestion by software vendors that their products were installed on incorrectly configured hardware.
[Table 2: Features offered by individual selected filter products. Rows: Alpha, Beta, Gamma, Delta, Theta, Omega. Columns: Identification technique (Index, Analysis); Filtering techniques (Packet filtering, DNS poisoning, Caching web proxies, Port blocking, Pass-by filtering, Pass-through filtering).]

A detailed description of each of the selected products follows:

Product Alpha is a hybrid software solution offering both hardware and software components. It operates as an Ethernet bridge, connecting multiple segments of a network within an ISP. The product employs index-based filtering, analysis-based filtering, packet filtering, port blocking and pass-through filtering.

Product Beta is a software solution. It is installed within the core network. The vendor also offers an option where the application is sold as an appliance. For the purpose of this trial, the vendor provided the software solution pre-installed on its own hardware. The product employs index-based filtering, analysis-based filtering, packet filtering, port blocking, pass-by filtering and pass-through filtering.

Product Gamma is a software solution. It is installed within the core network. The vendor provided its product pre-installed on its own hardware. The product employs index-based filtering, analysis-based filtering, packet filtering, DNS poisoning, port blocking and pass-by filtering.

Product Delta is a software solution. It is placed within the core network. The vendor also offers an option where the application is sold as an appliance. For the purpose of this trial, the vendor provided the software solution pre-installed on its own hardware. The product employs index-based filtering, analysis-based filtering, packet filtering, DNS filtering, caching web proxies, port blocking and pass-by filtering.

Product Theta is a hardware appliance. It is a gateway device. The product employs index-based filtering, analysis-based filtering, packet filtering and pass-through filtering.

Product Omega is a hardware appliance. It is a gateway device. The product employs index-based filtering, analysis-based filtering, caching web proxies and pass-by filtering.

Compilation of test data

As set out in the minister's direction, the trial was required to test the ability of filter products to distinguish between illegal, inappropriate and innocuous content. To this end, a set of URLs needed to be compiled as test data.
Three indexes of URLs containing illegal, inappropriate and innocuous content were created for the purpose of the trial, based on:
● classification categories under the National Classification Code; and
● the ACMA prohibited content list. [10]

The first URL index, Category 1, was intended to test the extent to which the selected filter products blocked content on the ACMA prohibited content list.

The second URL index, Category 2, was intended to test the extent to which the selected filter products underblock, by allowing access to content that may be regarded as harmful or inappropriate for children but is not illegal.

The third URL index, Category 3, was intended to test the extent to which filter products overblock, by blocking access to content that may be regarded as innocuous.

Under the National Classification Code, content for films is classified in categories G - General, PG - Parental Guidance, M - Mature, MA15+ - Mature Accompanied, R18+ - Restricted, X18+ - Restricted and RC - Refused Classification. The National Classification Code provides a nationally uniform and well-defined standard for rating content and is the standard that is applied under Schedule 7 of the Broadcasting Services Act 1992 to classification of internet and mobile content.

The Category 1 index of URLs was created from the ACMA prohibited content list. In accordance with Schedule 5 to the Broadcasting Services Act 1992, this list contains URLs that link to internet content hosted outside Australia that ACMA is satisfied is prohibited or potentially prohibited. Prohibited and potentially prohibited content is defined in clauses 20 and 21 of Schedule 7 to the Broadcasting Services Act 1992 and may include content in the range MA15+ to RC. The ACMA prohibited content list was provided to Enex TestLab, which checked whether each URL was still live. ACMA approved the Category 1 index, containing 1000 URLs, before it was employed in the trial.

For Categories 2 and 3, a distinction needed to be made between inappropriate and innocuous content. The National Classification Code provides a helpful distinction between content that is legally restricted—MA15+ through to X18+—and that which is not—G through to M. Accordingly, for the purpose of the testing, this distinction was used to separate inappropriate content from innocuous content. In a real-world application, filters may allow more granular distinctions to be made.

The Category 2 index of URLs was drawn from an existing database of URLs held by Enex TestLab. The content from this list of URLs was intended to be rated in the range from MA15+ to X18+. A proportion of content rated as strong M, which was regarded as close to the MA15+ classification, was also allowed in this category. To verify that the content assembled in this list fell into this range, ACMA checked the range of content accessed via the URLs. ACMA approved the Category 2 index, containing 933 URLs, before it was employed in the trial.

The Category 3 index of URLs was also drawn from an existing database of URLs held by Enex TestLab. The content from this list of URLs was intended to be rated in the range from G to M. To verify that the content assembled in this list fell into this range, ACMA checked the range of content accessed via a sample of the URLs. ACMA approved the Category 3 index, containing 1997 URLs, before it was employed in the trial.

Selection of test site

As set out in the minister's direction, the trial testing was required to be conducted in Tasmania. For this purpose, Enex TestLab secured the premises of the Telstra Broadband eLab in Launceston. Under the agreement between Enex TestLab and Telstra for use of the Telstra Broadband eLab, neither Telstra nor its employees nor any of its affiliates were permitted to have any input or influence on the trial conducted within these premises.

[10] The ACMA prohibited content list is a list of URLs that have been reported by internet users to ACMA and have been categorised by ACMA's Content Assessment team as prohibited content. This list includes content rated RC 1(b)—Child Pornography—as well as other content rated RC, X18+ and R18+.
Chapter 3: Execution of the trial

Overview

Chapter 3 describes the methodologies used to evaluate the selected filter products for performance, effectiveness, scope and adaptability.

In order to appreciate the relationship between the particular methodology followed in measuring performance and the real-world manner in which ISP networks operate, this chapter includes an outline of the architecture of a typical ISP network. The configuration of the test network used for measurement of performance and effectiveness is then described.

For measuring performance, this chapter describes how, in order to assess the extent to which a filter introduces any changes to the throughput of an ISP's network, the trial collected data to enable comparison of the performance of the test network with no filter installed, with each filter product installed but not actually filtering content (passive mode) and with each filter product actively filtering content (active mode).

For measuring effectiveness, this chapter describes how, in order to assess the accuracy of a filter in identifying and blocking content from categories 1 and 2—while similarly identifying but allowing access to content from category 3—the trial collected data on whether each URL in the three indexes described in the previous chapter was correctly identified by each filter product, either for blocking or permitting access to the corresponding content.

For measuring scope and adaptability, this chapter describes how, in order to evaluate the capabilities of filters in filtering non-web traffic and in customising filtering policies in accordance with the specific requirements of an ISP or one of its customers, an expert review captured details of various capabilities of the selected filter products.
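The effectiveness measurement outlined above, scoring a filter against the three URL indexes, can be sketched as follows. This is an added example, not the trial's test harness: the rate definitions, the URLs, the host-to-address map and the three index-only filters (keyed by IP address, domain and URL, built from the Category 1 list alone) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed host-to-address map (reserved example domains and
# documentation address ranges); two hosts share one address.
HOST_TO_IP = {
    "listed.example": "192.0.2.10",
    "neighbour.example": "192.0.2.10",
    "mixed.example": "203.0.113.5",
    "adult.example": "198.51.100.20",
    "news.example": "198.51.100.7",
}

# Constructed stand-ins for the three test indexes.
CATEGORY_1 = [  # on the prohibited list: should be blocked
    "http://listed.example/gallery/1",
    "http://mixed.example/forum/thread9",
]
CATEGORY_2 = [  # inappropriate but not on the list: should be blocked
    "http://adult.example/video/3",
    "http://mixed.example/forum/thread12",
]
CATEGORY_3 = [  # innocuous: should remain accessible
    "http://neighbour.example/recipes",
    "http://mixed.example/about",
    "http://news.example/weather",
    "http://news.example/sport",
]

# What each blocking granularity actually matches on.
KEY_FUNCS = {
    "ip": lambda u: HOST_TO_IP[urlsplit(u).hostname],        # packet filtering
    "domain": lambda u: urlsplit(u).hostname,                # DNS-level blocking
    "url": lambda u: urlsplit(u).hostname + urlsplit(u).path,  # proxy, by URL
}


def make_filter(granularity, listed_urls):
    """Build an index-only filter; returns a function url -> blocked?"""
    key = KEY_FUNCS[granularity]
    index = {key(u) for u in listed_urls}
    return lambda url: key(url) in index


def rate(urls, predicate):
    """Fraction of urls for which predicate is true."""
    return sum(1 for u in urls if predicate(u)) / len(urls)


def score(is_blocked):
    """Assumed effectiveness measures over the three indexes."""
    return {
        "cat1_blocked": rate(CATEGORY_1, is_blocked),
        "cat2_underblocked": rate(CATEGORY_2, lambda u: not is_blocked(u)),
        "cat3_overblocked": rate(CATEGORY_3, is_blocked),
    }


def compare():
    """Score one filter per granularity, each indexed from Category 1 only."""
    return {g: score(make_filter(g, CATEGORY_1)) for g in KEY_FUNCS}


if __name__ == "__main__":
    for granularity, result in compare().items():
        print(f"{granularity:>6}: {result}")
```

All three filters block every listed URL, so the Category 1 rate alone does not separate them. The coarser indexes overblock innocuous pages that share an address or domain with a listed URL, while the URL index overblocks nothing but misses all unlisted Category 2 content.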
PERFORMANCE

Evaluating the performance impact of filters meant determining the extent to which the operation of a particular filter product in the test network introduced degradation in network performance. Before indicating how performance impact was measured in the trial, it is necessary to describe the typical architecture of an ISP's network in order to appreciate where and how performance of the network can be affected.

Operation of an ISP's network

Figure 3 illustrates a typical layout for the network of an ISP offering ADSL broadband services (it is not an actual representation of any particular ISP's architecture).

The links among the various network elements are shown using lines of varying widths and colours. The thickness of each line is representative of the bandwidth of the link represented by it. Links within the ISP's internal network are of higher bandwidths (and are accordingly shown with lines of greater thickness) than the link between the end user and the local exchange digital subscriber line aggregation module (DSLAM).

[Figure 3: A typical ISP's architecture from the ISP to the end user. Legend (line speeds): OC48: 2.488Gbps; OC12: 622Mbps; OC3: 155Mbps; DS3: 44.736Mbps; ADSL: 1.5Mbps. Elements shown: Internet, Internet gateway, Core router, Domain name server (DNS), Billing server, News server, Mail server, Database server, Content filter, Edge router, Central exchange multiplexer, Local exchange DSLAM, End user. Regions labelled: 'Prime' network; 'Access' network; Typical ISP internal network architecture (usually co-located in a central exchange).]

There are usually multiple users (in the order of hundreds to a few thousand) connected to a local exchange and multiple local exchanges (in the order of tens to a few hundred) connected to a central exchange. ISP networks are typically designed in this manner as it offers a scalable and cost-effective solution for the network demand likely to be generated by end users.

In this typical ISP network, an end user on an ADSL connection is connected via their local exchange [11] DSLAM, through their central exchange multiplexer [12], to their ISP, which then routes their traffic back and forth to the internet via an internet gateway. The bandwidth of the network links decreases as one gets further away from the internet gateway.

Figure 3 illustrates that the segment that is the ISP's core network constitutes the 'prime' [13] network, as connections among its respective network elements are assigned a high bandwidth. By contrast, the segment between the end user and the local exchange DSLAM constitutes the 'access' [14] network. The peak network throughput to the end user is limited to the subscriber's bandwidth, which is usually no more than a few megabits per second.

Consequently, a slowdown in performance on the access network does not necessarily indicate any end-to-end congestion in the network. For example, such degradation in network performance may be the result of a large demand on bandwidth, such as an end user downloading a video file, which exceeds the bandwidth of the access network.

Similarly, any actual congestion in the prime network segment that is small or moderate in degree typically has a less pronounced effect on an end user on the access network. This is because there is a significantly larger amount of bandwidth on the 'prime' network than what the access network can demand. In the example shown in Figure 3, the bandwidth of the access network is 1.5 megabits per second, whereas that of the prime network is 622 megabits per second—over 400 times greater.

As a result, the access network representing the segment between the ISP and the end user has little bearing on the effect of an ISP-level filter on the overall ISP scalability.

Measurements conducted on the prime network provide a quantitative gauge of the effect on network performance of a filter within the ISP's core network. These measured quantities express the number of transactions per second and the data rate within the network (measured in megabits per second) that the ISP's network is capable of supporting.

The effect of a filter on an ISP's network is best reflected by the performance seen within the prime network. The measurements conducted in this trial focus on this area.

The network architecture applicable for ISPs offering connections other than ADSL—for example, dial-up, cable, satellite or mobile connections to the internet—is broadly similar to that described above, although the bandwidth available on the access network may differ significantly.

[11] When dealing with internet traffic, a local exchange is often referred to as a Point of Presence or POP.
[12] A multiplexer is a telecommunications device used to break large bandwidth links into smaller links, while keeping them synchronised.
[13] In networking terms, this is often referred to as the 'fast' network.
[14] In networking terms, this is often referred to as the 'slow' network.

Network performance metrics

In order to understand the metrics used in the trial, a number of concepts that are central to network performance measurement are clarified below.
Networks are rated based on both:
● bandwidth—a measure of the potential rate that data can be transmitted over a network[15]; for example, when an ISP advertises a 1.5 megabits per second internet service, it means that, in peak conditions, the internet connection will transmit data at 1.5 megabits per second; and
● throughput—the actual speed at which data will be transferred from one point on the network to another at a particular time[16]; it can be regarded as the rate at which ‘useful’ data is transferred.

Users rarely experience throughput higher than 80 per cent of the rated bandwidth.[17] This is due to the inherent design of network protocols – the set of rules by which data is transferred across networks. Various network protocols are in common use; for example, the IEEE 802.3 standard for Ethernet and ATM.[18]

Irrespective of the standard of protocol that is used, data is split into ‘packets’ before transmitting. Each packet is assembled into a pre-defined format (as specified in the protocol), called a ‘frame’, before being transmitted. A frame typically contains elements such as the following:
● the header or preamble, which defines the type of protocol being used;
● the start of frame delimiter, which indicates the start of the frame;
● the destination address—the IP address to which the packet is headed;
● the source address—the IP address from which the packet originates;
● the length of the packet, which allows the receiving device to correctly separate one packet from another;
● the data or payload—the actual useful information that needs to be transmitted, such as the contents of a web page;
● padding—any dummy bytes required to fulfil minimum frame size requirements; and
● the checksum, which is used for error-checking and correction.

[15] Tanenbaum, Andrew S. (2002), Computer Networks 4th Edition, Prentice Hall
[16] http://www.support.psi.com/support/common/networking/diff.html.
[17] Spurgeon, Charles E. (2000), Ethernet: The Definitive Guide, O'Reilly
[18] ATM: Asynchronous Transfer Mode is a cell relay, packet-switching network and data link layer protocol that encodes data traffic into small (53 bytes; 48 bytes of data and 5 bytes of header information) fixed-sized cells. This differs from other technologies based on packet-switched networks (such as the Internet Protocol or Ethernet), in which variable sized packets (known as frames when referencing Layer 2) are used.

Figure 4: The IEEE 802.3 Ethernet frame format[19] (field labels surviving from the figure: Length, SOF)

Figure 4 shows the frame format for 802.3 Ethernet. The ‘SOF’ field denotes the ‘Start of Frame’ and is 1 byte. This sample frame format will use at least 27 bytes and up to 73 bytes in overhead; that is, the preamble, destination and source address, length and checksum.

There are two primary factors that affect network efficiency:
1. The amount of overhead, as seen in the above example.
2. The number of retransmissions required to transfer an error-free packet.

Considering Ethernet and the frame format illustrated in Figure 4, a regular MP3 file of approximately 4MB (or 4,194,304 bytes) would require a total of 2,797 frames, each of which would contain 27 bytes of overhead. This equates to a network efficiency of 98.23 per cent, assuming that the 4MB MP3 file is divided into 1500-byte packets and there are no retransmits[20] as a result of packet loss in transmission.

In reality, however, data communications without retransmissions rarely occur. If such a transmission required a single instance of retransmission, the efficiency would fall to 49.11 per cent. Routing devices attempt to balance overhead and number of retransmissions by adapting packet sizes, in order to obtain optimum network performance. As a result, the theoretical efficiency is rarely obtained.
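The efficiency figures above follow from a short calculation, shown here as an added example that is not part of the original report. The first two functions use the report's numbers (1500-byte packets, 27 bytes of overhead per frame); the last two go beyond the report and assume independent bit errors, with every damaged frame resent until it arrives intact, to show how packet size balances overhead against retransmissions.

```python
import math

PACKET_BYTES = 1500    # packet size used in the report's MP3 example
OVERHEAD_BYTES = 27    # minimum per-frame overhead quoted in the report


def frames_needed(payload_bytes, packet_bytes=PACKET_BYTES):
    """Number of frames needed to carry payload_bytes of useful data."""
    return math.ceil(payload_bytes / packet_bytes)


def transfer_efficiency(payload_bytes, packet_bytes=PACKET_BYTES,
                        overhead_bytes=OVERHEAD_BYTES, resends=0):
    """Useful bytes divided by bytes put on the wire.

    resends is the number of times the whole transfer is sent again,
    which is how the report's 'single instance of retransmission' is read.
    """
    frames = frames_needed(payload_bytes, packet_bytes)
    wire_bytes = payload_bytes + frames * overhead_bytes
    return payload_bytes / (wire_bytes * (1 + resends))


def expected_efficiency(packet_bytes, overhead_bytes=OVERHEAD_BYTES,
                        bit_error_rate=0.0):
    """Long-run efficiency for one packet size under random bit errors.

    ASSUMPTION (not in the report): bit errors are independent, a frame
    with any errored bit is discarded, and it is resent until it arrives.
    A frame of L bits then needs 1 / (1 - ber)**L transmissions on average.
    """
    frame_bits = 8 * (packet_bytes + overhead_bytes)
    p_intact = (1.0 - bit_error_rate) ** frame_bits
    return packet_bytes / (packet_bytes + overhead_bytes) * p_intact


def best_packet_size(bit_error_rate, overhead_bytes=OVERHEAD_BYTES,
                     sizes=range(46, 1501)):
    """Packet size (46 to 1500 bytes, the 802.3 payload range) that
    maximises expected_efficiency for the given bit error rate."""
    return max(sizes, key=lambda n: expected_efficiency(
        n, overhead_bytes, bit_error_rate))


if __name__ == "__main__":
    mp3 = 4 * 1024 * 1024  # 4,194,304 bytes, as in the report
    print("frames:", frames_needed(mp3))
    print("no resend: %.2f%%" % (100 * transfer_efficiency(mp3)))
    print("one resend: about %.1f%%" % (100 * transfer_efficiency(mp3, resends=1)))
    print("73-byte overhead: %.2f%%" % (100 * transfer_efficiency(mp3, overhead_bytes=73)))
    for ber in (0.0, 1e-6, 1e-5, 1e-4):
        n = best_packet_size(ber)
        print("ber=%g best packet=%d bytes efficiency=%.2f%%"
              % (ber, n, 100 * expected_efficiency(n, bit_error_rate=ber)))
```

On a clean link the largest packet always wins because only overhead matters; as the error rate rises, the best packet size shrinks because a long frame is more likely to be damaged and resent.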
As a result of the balancing of overhead and number of retransmissions, the throughput of networks increases with increasing network load until the network reaches a state of saturation; that is, the network is carrying as much traffic as its theoretical bandwidth. For Ethernet networks, this is about 80 per cent of the available bandwidth. Beyond this point, as network load increases, the network efficiency begins to plateau. This characteristic is illustrated in Figure 5. Similar characteristics have also been observed for other protocols.

[19] Tanenbaum, Andrew S. (2002), Computer Networks 4th Edition, Prentice Hall
[20] A retransmit is where the same packet is transmitted more than once to overcome a scenario where the original packet may have been lost when initially transmitted. It is analogous to repeating oneself in a conversation when the recipient fails to interpret one’s statements the first time.
Figure 5: Load versus throughput graph for various protocols[21] (vertical axis: % throughput, 0% to 100%; horizontal axis: % load applied, 0% to 160%)

The performance characteristics of a network are also influenced by the nature of the traffic being transmitted. Networks exhibit better efficiency when the traffic being transmitted is of a predictable nature; for example, streaming media. This is because routing and switching devices require less time to determine the optimum packet size. The performance of Ethernet traffic degrades as traffic becomes increasingly ‘bursty’; that is, where packet size becomes random.[22] Traffic generated by internet chat and games, where packet sizes vary without a predictable pattern, are examples of such traffic.

Network throughput is also measured in the number of transactions per second. A transaction is defined as a complete cycle of data interexchange. For the purpose of this trial, a transaction starts with the initiation of a web request and ends when the requested web content is delivered.

Test network and hardware

An isolated test network to simulate an ISP’s network was built to observe the effect of each filter product on network performance. The network architecture is shown in Figure 6. The network architecture seen here is analogous to a Tier 3 ISP; that is, an ISP that purchases outbound transport from other networks in order to reach the internet (see Appendix B for details).

[21] The percentage load applied is a measure of the network demand placed on a network as a percentage of the total bandwidth available. An array of 20 machines each demanding 10Mbps equates to 200Mbps; such an array would place a network with an available bandwidth of 100Mbps under a load of 200 per cent.
[22] Mazraani, T.Y.; Parulkar, G.M. (1992), Performance analysis of the Ethernet under conditions of bursty traffic, Global Telecommunications Conference, 1992. Conference Record, GLOBECOM Communication for Global Users, IEEE, 6-9 Dec 1992, pages 592-596, vol. 1
Figure 6: Test network for evaluating network performance of internet content filters. Elements shown: load generation array of six WebBench clients (each simulates load generated from web requests from 0 to 6 users); gigabit switch (acts as edge router); vendor supplied content filter (filters internet content); web server (simulates internet content); DNS (performs IP address lookup); WebBench controller (controls WebBench tests; compiles and collects test results). Legend: content request path, content return path, traffic statistics information, gigabit ethernet.

As the network was an isolated one, two core network functions were simulated:
1. The function of the internet as a source of content.
2. The function of end users requesting content.

Simulating the internet

The internet was simulated using a high-end web server. This web server hosted a range of content from both Category 2 and Category 3 indexes replicated from active web sites published on the internet. The nature of the content included, but was not limited to:
● static web content in the form of HTML documents; and
● images complementing web content in the form of GIF and JPEG files.

The web server acted as a target host for web requests generated by the array of client machines (described below), individually processing the requests and delivering the resultant content back to the requesting client.
Simulating end users

To measure the effect of individual filters on network performance, the function of end users requesting content was simulated using a tool called WebBench 5.0, a benchmarking and testing software program developed by VeriTest that measures the performance of web servers and networks under different load conditions.[23]

WebBench 5.0 operates using a client-server architecture. The controller manages the execution of the tests and compiles the statistics collected by the client machines at the end of a test cycle. This machine was connected to an array of client machines that generated the web requests. The client load-generation array comprised six machines, each running the WebBench client software in order to generate web requests to the web server within the controlled environment. Since the environment used was an isolated environment, the total network bandwidth remained in a controlled and stable state. The entire network was connected and switched using a gigabit switch.

[23] http://www.veritest.com/benchmarks/webbench/home.asp.

An array of automated load-generating clients, as described above, is a standard method of generating web requests within a closed environment for testing of this nature. A similar load-generation array was used in the previous trial conducted for NetAlert Ltd in 2005.

The hardware specifications for the web server, the WebBench controller and the WebBench clients are listed in Appendix D.

Test methodology

The performance testing involved a series of web requests generated by the client machines under the direction of the controller. The controller instructed the clients to generate a defined sequence of transactions consisting of web requests varying in volume, as well as the interval at which they were generated. The sequence of these transactions was as follows and is shown in Figure 7:
1. A web request was initiated from a client machine.
2. The web request was passed to the DNS server.
3. The DNS server returned a DNS lookup response.
4. The request was routed to the web server at the address specified in the DNS lookup response.
5. The web server responded and returned the requested content back through the content filter.
6. The filter responded by either blocking or permitting content through to the requesting client machine.
7. The client machine terminated the web request cycle.
Figure 7: Sequence of generation of a transaction. The figure marks Steps 1 to 7 on the paths between the WebBench client, the gigabit switch (acts as edge router), the DNS, the vendor supplied content filter, the web server and the WebBench controller.

A mix is defined as a specified number of clients simulating a specified number of end users generating a specified number of transactions at a specified interval.
Each test set for an individual filter comprised nine ‘mixes’ where a mix consisted of six clients each simulating between zero and six users generating transactions at defined intervals. Each transaction generated in a mix followed the sequence below:
1. Upon receiving a message from the controller with a specified mix, each client initiated a web request directed at the web server. This generated web request was the beginning of a transaction. The initiating client continued to track elapsed time before receiving a corresponding response back from the web server, which in turn signified the end of the transaction.
2. The elapsed time for the transaction was recorded by the client machine before it proceeded to the subsequent transaction.
3. At the end of a sequence of mixes, the data recorded for all the transactions by each of the clients was transmitted back to the controller.

It was necessary to structure the testing in this manner to bring the network into saturation. This is discussed below.

The controller compiled the statistics captured by each client to compute the number of transactions per second occurring within the network over the sequence of mixes and the throughput exhibited during each sequence.

The presence of the controller machine remained a constant throughout all the tests. No content was exchanged between the client machines and the controller between the beginning and the end of a test cycle. Hence, the controller had no influence on the test results.

For the purpose of conducting this performance test, it was necessary to bring the network into a state of bandwidth saturation. In a network in which spare bandwidth exists, any network latency caused by a client machine demanding additional bandwidth would go unnoticed. However, in a bandwidth-saturated network, demands for additional bandwidth lead to packet loss and therefore increased network latency and degradation in overall throughput.
Each client machine running the WebBench client was capable of simulating multiple end users. Preliminary network load tests conducted on the test network revealed that the network reached a state of bandwidth saturation when six end users were simultaneously generating web requests on the one gigabit per second switched network. This corresponds to a network saturation occurring at a little in excess of 9,244 transactions per second (the threshold for network saturation) which in turn corresponds to a throughput a little in excess of 55,807,057 bytes per second or 425 megabits per second[24] (the throughput threshold for network saturation). A detailed graph of the network characteristics is shown in Appendix E.

Having established the point of network saturation, the network performance test required measurements to be taken with the network in a prolonged state of saturation. It was seen that simulating 30 end users sufficed to generate and maintain this persistent state of network saturation (that is, where the network is carrying as much traffic as its bandwidth permits).

[24] Conversion: 1 byte = 8 bits (b); 1 kilobit (kb) = 1,024 bits; 1 Megabit (Mb) = 1,048,576 bits.
The clients in the load-generation array were accordingly programmed to simulate 30 end users.

Mix number               1   2   3   4   5   6   7   8   9
Number of clients        1   4   5   6   4   6   6   6   6
End users per client     1   1   1   1   2   2   3   4   5
Mix duration (seconds)  90  90  90  90  90  90  90  90  90

Table 3: WebBench test sequence

The WebBench controller coordinated all the mixes in a test sequence while keeping the client machines synchronised. Each mix of the WebBench test sequence defined:
● the number of web requests initiating individual transactions;
● the types of web requests;
● the interval at which requests are generated;
● the duration of a test sequence; and
● the variance (increase or decrease) of the rate of web requests generated.

Table 3 provides a detailed description of how WebBench requests were generated within the test network. The parameters used have the following significance:
● Number of clients—the number of physical client machines used in the test;
● End users per client—the number of users that each physical client machine simulated; and
● Mix duration—the duration for which each mix of the test executed; for example, mix #6 consisted of six clients simulating two end users each for a total of twelve end users over a period of 90 seconds.

These clients ran on a one Gbps network, generating up to 30 end users. This would scale to up to 20,000 end users each on a 1.5 Mbps connection, which is the typical end user bandwidth of ADSL connections.

The evaluation of the effect on network performance of each internet content filter involved three steps:
1. Establishing a baseline with no filter connected to the network.
2. Recording network performance with the filter connected to the network but with no active content filtering occurring.
3. Recording network performance with the filter connected to the network and actively filtering requested content.
Establishing a baseline

Figure 8: Network diagram for network performance test while establishing a baseline. Elements shown: load generation array of six WebBench clients (each simulates load generated from web requests from 0 to 6 users); gigabit switch (acts as edge router); web server (simulates internet content); DNS (performs IP address lookup); WebBench controller (controls WebBench tests; compiles and collects test results). Legend: content request path, content return path, traffic statistics information, gigabit ethernet.

The network configuration used to establish a baseline is illustrated in Figure 8. This test network architecture replicated an ISP without a filter installed. A set of simulations was executed on this network using WebBench. The traffic generation parameters in Table 3 were used to generate web requests. The network performance statistics were collected by the controller at the end of each test cycle. To minimise any statistical variances, this set of simulations was executed five times. A statistical average of the number of transactions per second and the network throughput observed was calculated and provided the baseline.

Network performance with a filter installed with no active filtering occurring

A filter product is a network element. Every additional network element introduced into a network may introduce a change to the performance of a network. This second step involved evaluating the effect on network performance of a network filter being introduced into the network without actively filtering content.
Figure 9 shows the network configuration used for this set of tests; Figure 9 differs from Figure 8 in that a filter is installed between the gigabit switch and the web server. This test served two purposes:
1. It provided a quantitative measure of the change in the transactions per second and throughput that occurred in the network for the filter product being tested.
2. It provided a reference point for the subsequent measurement of the difference in network performance observed when the filter actively filters content (as distinct from when it is installed into a network as a transparent network element and is not active).
Figure 9: Network diagram for network performance test with a filter installed but no active content filtering. Elements shown: load generation array of six WebBench clients (each simulates load generated from web requests from 0 to 6 users); gigabit switch (acts as edge router); vendor supplied content filter (filters internet content); web server (simulates internet content); DNS (performs IP address lookup); WebBench controller (controls WebBench tests; compiles and collects test results). Legend: content request path, content return path, traffic statistics information, gigabit ethernet.

A second set of WebBench tests was executed using the same traffic generation parameters described in Table 2. Once again, to minimise any statistical variances, this set of tests was executed five times. The statistical average of both the number of transactions per second seen on the network and the network throughput provided a measure for the influence of the filter product on the network performance when merely placed within the network.

Network performance with a filter installed and actively filtering content

The third step involved evaluating the effect on network performance exhibited by a filter when actively filtering content. Figure 10 shows the network configuration used for this test. Figure 10 differs from Figure 9 in that a filter is not only installed but is now actively filtering web requests initiated by the load-generation array. Each filter product was configured to block content from categories 1 and 2 while permitting content from category 3.
This third set of tests provided a quantitative measure of the effect on network performance of a filter actively filtering content. The comparison of the measures obtained in this set of tests and the previous two steps provided a quantitative measure for the overall change in network performance introduced by a device performing filtering (from an unfiltered network to an actively filtered network) and the stability of the filter product over increasing network loads.
Figure 10: Network diagram for network performance test with a filter installed and actively filtering content. Elements shown: load generation array of six WebBench clients (each simulates load generated from web requests from 0 to 6 users); gigabit switch (acts as edge router); vendor supplied content filter (filters internet content); web server (simulates internet content); DNS (performs IP address lookup); WebBench controller (controls WebBench tests; compiles and collects test results). Legend: content request path, content return path, traffic statistics information, gigabit ethernet.

A set of WebBench tests was executed on the test network using the traffic generation parameters in Table 3. Statistical variances were minimised by executing this set of tests five times to obtain a statistical average of both the number of transactions per second seen on the network and the network throughput.

Calculation of results

From these three tests, the following figures were obtained for each filter:
● X = the baseline network performance expressed in transactions per second;
● Y = the network performance expressed in transactions per second when a filter was installed on the network without actively filtering content; and
● Z = the network performance expressed in transactions per second when a filter was installed on the network while actively filtering content.

From these figures, three indexes were calculated to provide measures of performance as specified below.
Passive Performance Index (PPI) of the filter

This number expresses the percentage change in network performance when a filter is installed in a network without actively filtering content. It was calculated using the following formula:

PPI = Y/X × 100

The PPI falls in the range of 0 to 100 and is a percentage. A higher PPI indicates a better performance for a filter in passive mode. The PPI for each product is calculated as a statistical average across increasing loads generated in the WebBench tests specified in Table 3.
Active Performance Index (API) of the filter

This number expresses the percentage change in network performance when a filter is installed in a network while actively filtering content. It was calculated using the following formula:

API = Z/X × 100

The API falls in the range of 0 to 100 and is a percentage. A higher API indicates a better performance for a filter in active mode. The API for each product is calculated as a statistical average across increasing loads generated in the WebBench tests specified in Table 3.

Change in Performance Index (CPI) of the filter

This number expresses the percentage change in network performance when a filter is installed in a network without actively filtering content compared with when a filter is installed in a network while actively filtering content. It was calculated using the following formula:

CPI = Z/Y × 100

The CPI falls in the range of 0 to 100 and is a percentage. A higher CPI indicates a better processing performance of the filter. Ideally, the CPI should equal 100. The CPI for each product is calculated as a statistical average across increasing loads generated in the WebBench tests specified in Table 3.

The results of the performance tests for the selected filter products are presented in Chapter 4.

EFFECTIVENESS

Evaluating the effectiveness of filters involved measuring each filter product’s ability to appropriately distinguish between different categories of content, as represented in the three indexes of URLs described in Chapter 2. In essence, this involved assessing the accuracy of each filter product in blocking content from categories 1 and 2 and allowing access to content from category 3.

Test network and hardware

A new test network simulating an ISP’s network was built to observe the effectiveness of each filter product in accurately filtering content. The network architecture is shown in Figure 11.
To ensure that all the filter products were tested under uniform conditions, all the filters were tested concurrently. This was necessary because URLs in the Category 1 index (which corresponds to the ACMA prohibited content list) link to content, some of which frequently moves from one location on the internet to another.

To facilitate concurrent testing, each filter product was simultaneously integrated into mutually separated subnets, where each subnet represented an independent ISP. All of the subnets were connected, via a gigabit Ethernet switch, to a common live unfiltered internet feed. The logical separation of the filters into their own subnets ensured that the filtering capabilities of one did not influence, and remained unaffected by, any of the others.

Each filter served as an access point for a client machine. Each client machine ran a copy of URL Test Professional V1 (UTP). UTP is an automated test tool that automatically executes web requests using a configured list of URLs and records the responses. The use of an automated test tool such as UTP eliminated any element of human error or fatigue and accelerated the testing process.
Figure 11: Network diagram for accuracy test. Elements shown: internet; gigabit switch (acts as a core router); DNS server; content filters Alpha, Beta, Gamma, Delta, Theta and Omega, each with a UTP client.

The full details of the hardware used in this test are listed in Appendix D.

Test methodology

Each client machine was set up to emulate an end user sequentially requesting content from each of the 3,930 URLs listed in the three indexes of URLs at 10-second intervals. For each request executed, UTP recorded the responses from the destination web servers. A response from the destination web server containing an HTTP status code of 200 indicated that the content was retrieved successfully. By contrast, the receipt of responses from the filter rather than the web server containing HTTP status codes of
● 400—Bad request;
● 401—Authentication required;
● 403—Access forbidden;
● 404—Not found status, missing web page; or
● 200—Successful (typically a page displayed by the filter that indicates that the content is blocked)
indicated the failure of the requesting client machine to receive the requested content and the successful blocking of the content.

It is worth noting that the status code alone was not sufficient to confirm that content had been successfully blocked. When generated from the filter, these codes indicated that content had been successfully blocked. However, when generated from the destination web server, the same code either indicated that content was successfully retrieved and delivered, or that the content had been moved and no longer existed on the destination server (for example, as a result of the transient nature of the content in Category 1).

For a filter to exhibit ideal characteristics:
● one of the above HTTP status codes should have been generated by the filter when content corresponding to each of the URLs in the Categories 1 and 2 indexes was requested, indicating access was successfully blocked; and
● an HTTP status code of 200 should have been generated by the destination web server when content corresponding to each of the URLs in the Category 3 index was requested, indicating that access was successfully permitted.

Calculation of results

From this testing, the following figures were obtained for each filter:
● X1 = the number of URLs in the Category 1 index blocked;
● X2 = the number of URLs in the Category 2 index blocked; and
● X3 = the number of URLs in the Category 3 index blocked.

From these figures, the following indexes were calculated to provide a measure of effectiveness, as specified below:

Blocking rate index (BRI)

The blocking rate index is a ratio that provides a measure of the effectiveness of a filter for blocking content from categories 1 and 2. It falls in the range of 0 to 1. There were 1,000 URLs in the Category 1 index and 933 URLs in the Category 2 index, or a total of 1,933 URLs, for which the corresponding content ideally should have been blocked. The blocking rate index is calculated as:

BRI = (X1+X2)/1933

A higher BRI indicates a more accurate filter in blocking content from categories 1 and 2. Ideally, the BRI should equal 1.

Overblocking index (OBI)

The overblocking index is a ratio that provides a measure for the effectiveness of a filter for distinguishing content from category 3. It falls in the range of 0 to 1.
There were 1,997 URLs in the Category 3 index for which access to the corresponding content should have been allowed. The overblocking index is calculated as:

OBI = X3/1997

A lower OBI indicates a more accurate filter in allowing access to content from category 3. Ideally, the OBI should equal 0.

The results of the effectiveness test for the selected filter products are presented in Chapter 4.

SCOPE

Assessing the scope of filters involved identifying what kinds of traffic each filter product is capable of filtering. In addition to web content, internet traffic includes, but is not limited to, email (POP3, SMTP and IMAP protocols), file transfer protocol, voice over IP, instant messaging, telnet and various peer-to-peer file sharing applications such as BitTorrent. Internet traffic using these protocols is ignored by internet filters targeted exclusively at web traffic. It also involved assessing additional features (such as anti-virus, anti-spam and anti-malware) that the products offered.

Methodology

Information to assess the scope of the selected filter products was obtained from an expert review. This involved the detailed examination of vendor-provided product documentation, product research and interviewing vendor representatives to further explore the capabilities of their products. Specifically, the expert review obtained, for each filter product, details of the particular protocols for which the filter is capable of identifying and blocking content. The capability of individual filter products to filter internet traffic other than web content was not, however, evaluated via testing in the trial’s test network.

The observations of the scope of the selected filter products are presented in Chapter 4.

ADAPTABILITY

Assessing the adaptability of filters involved identifying the level of control that each filter product offers for tailoring filtering for users of different age groups. A common objective for filtering is support of multiple filtering policies, corresponding to different levels of filtering; for example:

● the availability of different policies that apply different levels of filtering for children of ages 0—10, 11—15 and 15—17; or
● the capability to create a unique filtering policy for each customer (or for each individual user in a household).

Methodology

Information to assess the adaptability of the selected filter products was also obtained as part of the same expert review.
The expert review obtained, for each filter product, its detailed ability to offer a range of customised filtering options; for example, whether a product supported:

● an ability to create different filtering policies for users of different ages;
● different filtering policies for individual customers or users; or
● changes in filtering policy according to time of day.

The expert review also obtained details of the ease of implementation and ISP administration of separate filtering policies. The adaptability of individual filter products was not, however, evaluated via testing in the trial’s test network.

The observations of the adaptability of the selected filter products are presented in Chapter 4.
Chapter 4: Results

Overview

Chapter 4 sets out the results obtained from the assessment of each of the selected filter products against the test criteria.

The performance results for each of the products installed but not actually filtering content (passive mode) and for each product actively filtering content (active mode) are presented relative both to a baseline and to one another. The results demonstrate variability of performance between the products, but reveal one product producing almost no network degradation.

The effectiveness results for each of the products are presented relative to one another. These results across the six products are more uniform and demonstrate high levels of accuracy in appropriately identifying and blocking content.

The scope results for each of the products are presented relative to one another. The results reveal that all products are able to block non-web content, but mostly without identifying particular content from categories 1 and 2.

The adaptability results for the products are uniform, with all products offering a wide range of filtering options that can be customised to meet filtering requirements specified by the ISP or by its customers.

The parameters measured in this trial for each filter product have been described in Chapter 1; the methods used to measure these parameters have been described in Chapter 3.

Performance

The performance test evaluated the extent to which individual filter products affected the throughput of the test network under two separate conditions:

1. Passive mode—where the network filter was connected to the test network without actively filtering content.
2. Active mode—where the network filter was connected to the test network and actively filtered content.

Both measurements are made with reference to a baseline throughput measured on the test network in the absence of any filtering product.
The results of the passive mode network performance test show a mostly consistent pattern for all the filters. The passive network performance characteristics are shown in Figure 12. The baseline characteristic curve for the test network while no filter was installed is indicated by the thick black line and the performance characteristics for individual filter products are represented with thin coloured lines.

Figure 12: Network characteristics for passive network performance (transactions per second, 0 to 10,000, against number of users, 0 to 35; series: Baseline, Alpha, Beta, Gamma, Delta, Theta, Omega)

The network characteristics observed in this test provided measurements for calculation of the Passive Performance Index (PPI) for each filter, which expresses the performance, relative to the baseline, after the introduction of a filter in passive mode. The index is expressed as a percentage and is linearly correlated to network performance of the filter. A high PPI indicates that a filter degraded network performance less while in passive mode. The comparative PPIs are illustrated in Figure 13.

Figure 13: Passive Performance Indices (PPI) for tested filters (scale 0% to 100%; filters Alpha, Beta, Gamma, Delta, Theta, Omega)

The results of this test yielded the following observations:

● performance degradation for the filters in passive mode was less than ten per cent for five of the products—i.e. the passive network performance for five of the six products was in excess of 90 per cent;
● performance degradation for all of the filters in passive mode was less than 30 per cent—i.e. as Figure 13 shows, the passive network performance was above 70 per cent for all products.

A similar test was executed on the filters operating in active mode. The active network performance characteristics are shown in Figure 14. The baseline characteristic curve for the test network while no filter was installed is again indicated by the thick black line, while those for the individual filter products are represented with thin coloured lines.

Figure 14: Network characteristics for active network performance (transactions per second, 0 to 10,000, against number of users, 0 to 35; series: Baseline, Alpha, Beta, Gamma, Delta, Theta, Omega)

These characteristics provided measurements for calculation of the Active Performance Index (API) for each filter. The API expresses the performance, relative to the baseline, after the introduction of a filter in active mode. The index is expressed as a percentage and is linearly correlated to network performance of the filter. A high API indicates that a filter degraded network performance less while in active mode. The corresponding values are illustrated in Figure 15.

Figure 15: Active Performance Indices (API) for tested filters (scale 0% to 100%; filters Alpha, Beta, Gamma, Delta, Theta, Omega)
The following trends are evident:

● performance degradation for one product in active mode was only two per cent—i.e. as Figure 15 shows, the active network performance for one product was nearly indistinguishable from the baseline performance;
● performance degradation for three products in active mode was in the range of 22 to 30 per cent—i.e. as Figure 15 shows, the active network performance of these filters was 70 per cent or more. Each of these products used different methods to filter content from each other; and
● performance degradation for the final two filters in active mode was in excess of 75 per cent—i.e. as Figure 15 shows, the active network performance for the final two products was less than 25 per cent.

The measurements from both of the above two tests can be combined to present the Change in Performance Index (CPI) for each filter product. The CPI provides two key pieces of information:

1. The degree of change in network performance when a filter changes from passive to active mode. This change is represented by the numerical value of the index, which is expressed as a percentage and is linearly correlated to network performance of the filter. A high CPI indicates that a filter degraded network performance less. Ideally, the CPI should be 100 per cent.
2. The stability of the product when operating under varied loads. This is seen in the line diagram for individual filters in Figure 16, which exhibits the CPI measured for each filter under increasing loads. Ideally, the line representing the CPI for a filter should either be ascending or flat.
Figure 16: Change in Performance Index (CPI) for tested filters (CPI, 0% to 100%, against number of users, 0 to 30; series: Alpha, Beta, Gamma, Delta, Theta, Omega)

The trends observed are:

● Two products displayed little difference between their active mode and passive mode performances;
● Four products exhibited less than 30 per cent degradation from their passive mode characteristics;
● Two products exhibited more than 75 per cent degradation from their passive mode characteristics; and
● All the products exhibited low variance and, consequently, a high degree of stability across increasing generated loads.

Effectiveness

The effectiveness test evaluated the filter products on their ability to distinguish Category 3 content from categories 1 and 2. The percentage of content from each category blocked by each of the filter products is illustrated in Figure 17.

Figure 17: Comparative blocking rates of each category of URLs (scale 0% to 100%; Category 1, Category 2 and Category 3 for filters Alpha, Beta, Gamma, Delta, Theta, Omega)

This provided measurements for calculating the following two indexes, expressing the degree of effectiveness of each filter:

1. The blocking rate index (BRI), which expresses the ratio of the number of Category 1 and Category 2 URLs that the filter correctly identified and blocked, with reference to the total number of URLs in both Category 1 and Category 2. The BRI falls between 0 and 1. A high BRI indicates a more accurate filter; ideally, the BRI should be 1.
2. The overblocking index (OBI) expresses the ratio of Category 3 URLs that the filter correctly identified and did not block, with reference to the total number of URLs in Category 3. The OBI falls between 0 and 1, and has an inversely proportional relationship to the accuracy of the filter. A low OBI indicates a more accurate filter; ideally, the OBI should be 0.
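The sketch below computes the two indexes from per-URL test records using the Chapter 3 formulas, BRI = (X1+X2)/1933 and OBI = X3/1997, where X3 is the number of Category 3 URLs blocked. It is an added example, not code from the report or from UTP, and it shows how counting by status code alone misclassifies moved content and filter block pages. The record fields, the `from_filter` flag (an assumption that the test log identifies whether the filter or the destination server answered) and the sample URLs are constructed.

```python
from dataclasses import dataclass

# Index sizes stated in the report: Category 1, 2 and 3.
REPORT_INDEX_SIZES = {1: 1000, 2: 933, 3: 1997}

# Status codes the report lists for responses generated by a filter.
FILTER_RESPONSE_CODES = {200, 400, 401, 403, 404}


@dataclass(frozen=True)
class Record:
    url: str
    category: int      # 1, 2 or 3
    status: int        # HTTP status code received by the client
    from_filter: bool  # assumption: the log says who generated the response


def blocked(rec):
    """Blocked only if the filter, not the destination server, answered."""
    return rec.from_filter and rec.status in FILTER_RESPONSE_CODES


def blocked_by_status_only(rec):
    """Naive rule for comparison: anything other than 200 counts as blocked."""
    return rec.status != 200


def count_blocked(records, rule=blocked):
    """Return {category: URLs blocked}, i.e. X1, X2 and X3 in the report."""
    counts = {1: 0, 2: 0, 3: 0}
    for rec in records:
        if rec.category not in counts:
            raise ValueError(f"unknown category {rec.category!r}: {rec.url}")
        if rule(rec):
            counts[rec.category] += 1
    return counts


def indexes(counts, sizes=REPORT_INDEX_SIZES):
    """Return (BRI, OBI) for the given blocked counts and index sizes."""
    bri = (counts[1] + counts[2]) / (sizes[1] + sizes[2])
    obi = counts[3] / sizes[3]
    return bri, obi


# Constructed sample records (not trial data); hosts use the reserved .test TLD.
SAMPLE = [
    Record("http://c1-a.test/", 1, 403, True),    # filter denial
    Record("http://c1-b.test/", 1, 200, True),    # filter block page with 200
    Record("http://c1-c.test/", 1, 404, False),   # content moved, origin 404
    Record("http://c1-d.test/", 1, 404, False),   # content moved, origin 404
    Record("http://c1-e.test/", 1, 200, False),   # delivered: not blocked
    Record("http://c2-a.test/", 2, 403, True),
    Record("http://c2-b.test/", 2, 401, True),
    Record("http://c2-c.test/", 2, 200, False),   # delivered: not blocked
    Record("http://c3-a.test/", 3, 200, False),   # correctly allowed
    Record("http://c3-b.test/", 3, 200, True),    # block page: overblocked
    Record("http://c3-c.test/", 3, 200, False),
    Record("http://c3-d.test/", 3, 200, False),
]
SAMPLE_SIZES = {1: 5, 2: 3, 3: 4}  # sizes of the constructed sample indexes

if __name__ == "__main__":
    for name, rule in (("source-aware", blocked),
                       ("status-only", blocked_by_status_only)):
        counts = count_blocked(SAMPLE, rule)
        bri, obi = indexes(counts, SAMPLE_SIZES)
        print(f"{name:12s} X={counts} BRI={bri:.3f} OBI={obi:.3f}")
```

On the sample, the status-only rule overstates the BRI (origin 404s counted as blocks) and reports no overblocking at all (the filter's 200 block page counted as a delivery).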
Figure 18: Comparative BRIs and OBIs for tested filter products (scale 0.00 to 1.00; BRI and OBI for filters Alpha, Beta, Gamma, Delta, Theta, Omega)

The trends observed are:

● all products blocked in excess of 86 per cent of content from Category 1. Three products exceeded 95 per cent;
● all products blocked in excess of 84 per cent of content from Category 2. Three products exceeded 94 per cent;
● all products exhibited a BRI of above 0.88, indicating blocking of a high proportion of content from categories 1 and 2; and
● all products exhibited an OBI of below 0.08, indicating blocking of a low proportion of content from category 3. Four products exhibited overblocking below 0.03.

Scope

The assessment of the scope of each selected filter product was conducted by an expert review, involving research of product documentation and a questionnaire completed by providers of the selected filter products.

The assessment addressed whether each filter product is capable of filtering internet traffic other than web content (such as peer-to-peer file transfers and instant messaging) and any special cases that are associated with each protocol. An example of such a special case occurs when considering instant messaging clients—some filter products are capable of permitting text-based communications while blocking voice and video communication. Specifically, it examined the range of protocols that each individual product is capable of filtering. The results of the assessment are presented in Table 4.
The scope exhibited by the filter products showed the following characteristics:

● all are capable of filtering [25] HTTP traffic and five of the six products are capable of filtering HTTPS traffic;
● all are capable of blocking [26] traffic on certain other protocols, such as instant messaging and peer-to-peer protocols;
● no products are capable of distinguishing illegal content and content that may be regarded as inappropriate on non-web protocols, excepting two products that can identify particular types of content carried via one email protocol, and one product that can identify particular types of content carried via one streaming protocol;
● five products offer the capability to define custom protocols to enable blocking of applications that may evolve in the future;
● all the products tested offer the integration of anti-virus and anti-malware functionality.

Scope: Protocols covered

Product Web Secure Instant Peer-to- Custom web Email Newsgroups protocol (HTTP) messaging peer (HTTPS) definition
Alpha 9 9 [ [ [ [ [
Beta 9 9 [ [ [ [ [
Gamma 9 9 9
Delta 9 [ [ [ [ [
Theta 9 9 [ [ [
Omega 9 9 [ 9 [ [

9 indicates that content is filtered
[ indicates that content is blocked or rate limited
A blank cell indicates that traffic is neither blocked nor filtered

Table 4: Scope of individual filter products

[25] The product inspects traffic being transmitted using the given protocol and either permits or denies access to the traffic based on the existing filtering policies.
[26] The product restricts access to the traffic using the given protocol altogether, without inspecting the contents of the traffic.

Adaptability

The assessment of the adaptability of each selected filter product was recorded as part of the same expert review that examined the scope of the products.

The assessment addressed the capability of each product to be customised to offer different levels of filtering suitable for children of different ages and to target different categories of content.

The assessment specifically looked at the extent to which each product enabled its filtering policy to be customised at a group-level, subscriber-level and user-level. These levels are defined as follows:

● Group-level—An ISP’s customers assign themselves to one of a (usually) limited set of groups, set up by the ISP, to each of which a specific filtering policy applies. An example of a set of group-level filtering policies is as follows:
    • Child group—The filtering policy is designed to create a safe browsing experience for younger children and may be based on a whitelist index, which limits subscribers in this group to accessing designated websites;
    • Adolescent group—the filtering policy is designed to create a browsing experience suitable for older children who may use the internet for study and for social interaction and which therefore blocks only that content that features stronger themes related to sex, nudity and drug use;
    • Adult group—the filtering policy is designed to create an open browsing experience for adults and blocks only illegal content.
● Subscriber-level—Each customer of an ISP is able to establish a bespoke filtering policy for his or her internet service by specifying the types of content that are to be blocked. A subscriber-level filtering policy applies to all users in a family or household using that internet service.
● User-level—Each customer of an ISP is able to establish a bespoke filtering policy for each member of his or her family or household by specifying the types of content that are to be blocked for each member. A user-level filtering policy applies only to a specific user and is activated when that user logs in. Multiple users may use a single subscriber’s internet service.

All of the selected filtering products offer group- and subscriber-level customisation. Additionally, all offer user-level customisation, though one of the products limited this level of customisation to one particular user operating system.

All products offer the ability to create multiple user profiles, offering at least 20 pre-defined profiles and, in the case of one product, an unlimited number of user-defined profiles.

All of the products require integration with an existing ISP customer database (typically a RADIUS or LDAP server) from which to obtain customer information and accordingly execute customised filtering policies.
Summary

Performance characteristics across the selected filter products show significant variation, with some products degrading performance notably less than others and one product producing almost no network latency.

Effectiveness characteristics are more uniform, with all of the selected filter products exhibiting high degrees of accuracy in identifying and blocking prohibited and potentially prohibited content and low rates of overblocking.

The scope of the selected filter products covers a wide range of protocols, though actual filtering of content of such traffic remains mostly confined to web content, with filter products generally offering no more than allowing access to other types of internet traffic to be blocked entirely. All the products offer integration with third-party anti-virus and anti-malware capability.

The selected filter products offer a high degree of adaptability, as all support the capability of customising filtering policies at group-level (by the ISP) and at subscriber and user-levels (by an ISP’s customers).

The details of the observations and measurements are available in Appendix F. Chapter 5 provides an interpretation of these observations.
Chapter 5: Conclusions

Overview

Chapter 5 interprets the results presented in Chapter 4 for performance, effectiveness, scope and adaptability, including by reference to the results of the previous trial. The state-of-the-art of ISP-level filtering is then assessed and the conclusion made that, under the conditions created for the trial, this technology can be regarded as having significantly advanced.

Performance

The trial of the selected filter products against the performance criterion sought to identify the extent to which ISP-level filtering products, when deployed and operational within an ISP’s network, adversely affect the performance of the network such that it would be necessary for an ISP to upgrade its network sooner than forecast in order to restore performance to a satisfactory level.

This same criterion was assessed in the previous trial of ISP-level filtering products undertaken for NetAlert Ltd in 2005, where a similar methodology to the one used in this trial was employed to evaluate network performance.

Note that variations in architecture between a real-world ISP’s network and the test network created for this trial (and that created for the previous trial) mean that differences in performance may occur in real-world deployments of filter products from that observed under test conditions in this trial. Such variations will relate to:

● the hardware used in an ISP’s network and its compatibility with particular filter software or hardware;
● the complexity of an ISP’s network derived from how the particular network is designed;
● the demand on bandwidth in an ISP’s network, often related to the demographics of the ISP’s customer base; and
● the size of an ISP’s network and how well the deployment of a filter product can be scaled accordingly.
For the last point, the test network created for this trial simulated a Tier 3 ISP—that is, an ISP that purchases outbound transport from other networks in order to reach the internet—and filter products were configured for this type of network. It was not feasible in this trial to assess how the performance results for the selected products might scale to a Tier 2 ISP—that is, an ISP which directly peers, or connects on the same level of hierarchy, with some networks but must purchase outbound transport from other networks in order to reach some portions of the internet—or a Tier 1 ISP—that is, an ISP which directly peers with every other network to reach the internet. (A discussion of the tiered hierarchy of ISPs is at Appendix B.)

The raw data from the previous trial was used to calculate the indexes defined in Chapter 3 to draw a like-for-like comparison.

The findings from the performance tests in the current trial exhibited substantive differences from those of the previous trial. Under similar test conditions, the previous trial reported that performance degradation ranged from 75 per cent to a very high 98 per cent between the best- and worst-performing filter products. Performance degradation measured in the current trial (by reference to the Active Performance Index) varied across a significantly greater range—from a very low two per cent to 87 per cent between the best- and worst-performing filter products. This is illustrated in Figure 19.

Figure 19: Range of performance degradation for filter products in 2005 trial compared with current trial (network degradation as a percentage of baseline throughput, 0% to 100%; Previous trial and Current trial)

The median level of network degradation of the tested filter products also significantly dropped, indicating a significant improvement in network performance in the current trial compared with that of the previous trial.

ACMA considers that this improvement in the performance of filters tested in the current trial compared with the previous trial represents a profound advance in ISP-level filtering technology. Although the performance of two of the products tested in the current trial was relatively poor, one product generated almost no network degradation and another three products exhibited low to moderate levels of degradation in network performance.
Were the latter result to be typical of most currently available ISP-level filtering products, this level of performance degradation would require low to moderate efforts by ISPs to bolster performance in their networks. For example, in a scenario where an ISP had forecast that its network would require upgrading in four years to meet the demand of a growing customer base, the deployment of a filter that introduced a 25 per cent degradation in network performance would, from a parametric extrapolation of the variables, lead to a decrease of one year in the time before which the network would require the upgrade.
However, ACMA considers that the standard achieved by the one product that produced almost no performance degradation is a standard to which manufacturers of ISP-level filter products should aim in their product development.

All of the products in the current trial performed stably across increasing loads; that is, there was no abrupt degradation of network performance as a consequence of sudden increased network demand. Instead, performance was mostly even under different traffic loads.

The performance of a filter product is dependent on a proper configuration in accordance with the particular architecture of the ISP network in which it will operate. A filter product that is poorly configured in any network may cause high performance degradation that could be avoided by correct configuration. This was seen in the current trial where, following the initial configuration of certain products by technicians supplied by the vendors, very high levels of performance degradation were experienced. After being reconfigured by more experienced technicians provided by the vendors, the same products showed improvements in network performance.

Effectiveness

The trial of the selected filter products against the effectiveness criterion sought to identify the extent to which ISP-level filtering products satisfactorily perform their core role—to successfully identify and prevent the delivery of illegal internet content and internet content that is inappropriate for children, while allowing access to innocuous internet content.

The findings from the effectiveness tests in the current trial exhibited substantive differences from those of the previous trial. The methodologies used in the two trials were, however, different.
The previous trial evaluated effectiveness by reference to both: ● content prohibited under Schedule 5 to the Broadcasting Services Act 1992 (in the form it existed at the time of the previous trial); and ● content contained in 27 categories typical of those used in filter products—for example, categories such as abortion, racism, sexuality, terrorism, and violence. The test data used in the previous trial comprised 96 URLs drawn from ACMA’s prohibited content list and 461 URLs corresponding to content spread across the 27 content categories. The results reflected the effectiveness of the tested filter products in blocking prohibited content and content corresponding to a selected set of categories. The current trial evaluated each of the selected filter products on its ability to distinguish between three separate lists of test URLs containing a total of 3,930 URLs. This methodology sought to assess the effectiveness of the selected filter products in a manner that simulated a practical application of filtering that also related to Australian content classification standards. The raw data from the previous trial was used to calculate the indexes defined in Chapter 3 to draw a like-for-like comparison. Using the first effectiveness testing methodology described above, the previous trial reported a difference in the percentage of successful blocking (that is, the proportion of content that should have been blocked that was actually blocked) between the most and the least accurate filter products in the range 70 to 100 per cent. The percentage of successfully blocked content from categories 1 and 2 measured in the current trial, using the second effectiveness testing methodology described above, varied across a significantly smaller range—between 88 and 97 per cent—with most achieving above Australian Communications and Media Authority 49
    • Chapter 5: Conclusions 92 per cent. The median overblocking rate was improved from the previous trial. This is illustrated in Figure 20. Percentage of Category 1 and 2 content successfully 100% 90% 80% 70% 60% blocked 50% 40% 30% 20% 10% 0% Previous trial Current trial Figure 20: Underblocking range for filter products in 2005 trial compared with current trial For the level of overblocking (that is, the proportion of content that was blocked that should not have been blocked), the previous trial reported a difference between the most and the least accurate filter products in the range six to 62 per cent. The level of overblocking measured in the current trial varied across a significantly smaller range—between one and eight per cent—with most falling under three per cent. The median overblocking rate was significantly improved from the previous trial. This is illustrated in Figure 21. 100% Percentage of Category 3 content overblocked 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Previous trial Current trial Figure 21: Overblocking range for filter products in 2005 trial compared with current trial For content on the ACMA prohibited content list, however, only three of the filter products blocked greater than 95 per cent and none blocked 100 per cent. In the previous trial, only one Australian Communications and Media Authority 50
    • Chapter 5: Conclusions product succeeded in blocking 100 per cent of such content. ACMA considers that blocking of content on the ACMA prohibited content list should be relatively straightforward for any filter product that employs index-based filtering and consequently there should be no obstacle to configuring such a filter product to block 100 per cent of content on this list. Blocking of content on this list could be enhanced by manufacturers of filter products incorporating updates from the ACMA prohibited content list into their own indexes on a regular and more frequent basis. Scope The trial of the selected filter products against the scope criterion sought to identify the extent of the capability of ISP-level filtering products to recognise and block illegal and inappropriate internet content that is transmitted and delivered across the internet using non-web protocols (for example, instant messaging and file transfers), in addition to web content. An evaluation of the scope of internet content filters fell outside the requirements of the previous trial. In the three years since the previous trial, however, analyses of global internet traffic indicate that non-web protocols—especially peer-to-peer traffic—contribute an increasing proportion of internet traffic.27 All of the filter products have the ability to either block (turn off completely) or rate limit (slow down) a range of specific protocols. Some products offer control over a greater assortment of non- web content than others. None of the products have the ability to actively filter content transmitted using non-web protocols, except: ● two filter products that were capable of detecting and blocking illegal and inappropriate content contained in email transmitted via the SMTP protocol; and ● one filter product that was capable of detecting and blocking illegal and inappropriate content contained in streaming media transmitted via the RTSP protocol. 
ACMA considers that, given the evolving nature of internet use, there would be benefit in manufacturers of ISP-level filter products addressing online risks associated with non-web content by developing methods of identifying and blocking illegal and inappropriate content that is carried via non-web protocols.

Consistent with trends in security software for personal computers, most of the selected filter products also have the ability to integrate the filtering functionality with anti-spam, anti-virus and anti-malware capabilities.

Adaptability

The trial of the selected filter products against the adaptability criterion sought to identify the extent to which ISP-level filtering products offer a range of filtering options to which a filtered service supplied to an ISP’s customers can be tailored to meet specific requirements of the ISP or of the customer. This is opposed to a ‘one-size fits all’ filtering solution. An evaluation of the adaptability of internet content filters fell outside the requirements of the previous trial.

[27] For example, see iPoque, Internet Study 2007, http://www.ipoque.com/news_&_events/internet_studies/internet_study_2007. It is worth noting that iPoque is a major provider of internet traffic management solutions.
All of the products offer a substantial degree of granularity in creating filtering profiles through integration with an ISP’s subscriber directory. This granularity now closely resembles that which is offered by desktop internet content filters.

Current state-of-the-art

ACMA considers that, under the conditions created for the trial simulating a Tier 3 ISP, the state of ISP-level filtering technology has significantly advanced, and stands in contrast with the state of this technology evidenced in the previous trial. The key areas of change demonstrating this increasing maturity are discussed below.

AVAILABILITY OF FILTER PRODUCTS DESIGNED FOR ISP DEPLOYMENT

The number of available filter products that are designed for deployment by ISPs has increased. As noted in Chapter 2, 17 of the filter products for which expressions of interest in participating in the trial were received were assessed as suitable for deployment in an ISP environment. During the previous trial, by contrast, no filter products specifically designed for deployment by ISPs were identified and that trial proceeded only by testing products designed for enterprise deployment. The range of features and the service level expected by end users make enterprise-level filtering substantively different from ISP-level filtering (these differences are described further at Appendix C).

MODERATE TO NEARLY NIL PERFORMANCE DEGRADATION IS POSSIBLE

While there is a significant variability in performance across the selected filters, it is evident that a number of available ISP-level filter products cause a lesser degree of performance degradation than that observed in the previous trial. Indeed, it is feasible to avoid almost all performance degradation.
Moreover, the availability of a number of filter products designed for ISP deployment suggests that an ISP is able to choose from a range of filter products in order to find the one that introduces the minimum performance degradation in its particular network.

HIGH EFFECTIVENESS IS POSSIBLE

ISP-level filter products are relatively accurate and overblock and underblock to a lesser degree than that witnessed in the previous trial. This conclusion is reinforced by the small variance between products in terms of their accuracy, compared with the previous trial.

CUSTOMISABLE FILTERING POLICIES

ISP-level filter products allow different filtering options to be offered to different customers of an ISP and even enable ISPs’ customers to customise the filtering operating on their internet connection to their specific needs or the needs of individual users within a family or household. The extent to which available ISP-level filter products can be customised is now broadly equivalent to that available from most desktop filters. Because implementation of this feature requires integration with commonly used directory services within ISPs, it may come at a cost for ISPs due to increased complexity in managing their networks.
ACTUAL DEPLOYMENTS

Commercial viability is demonstrated by implementation of several of the selected ISP-level filter products by overseas ISPs over a number of years.

LIMITATIONS ON SCOPE

One area which showed little sign of advance in the current trial is the scope of ISP-level filter products. Apart from web content, no products were able to identify and block content from categories 1 and 2 carried via non-web protocols (with the exception of two products that offer limited capability over email, FTP and RTSP). Capabilities over non-web protocols were limited to blocking traffic using a particular protocol in its entirety, or rate-limiting the traffic. Where such protocols are used to carry legitimate traffic and are widely used by children for study and social interaction, ACMA regards the absence of a more targeted capability as a deficiency.

However, vendors of several of the selected ISP-level filter products cited development efforts under way to extend active filtering to non-web protocols. Such capabilities may become available in the next few years.

MATTERS NOT CONSIDERED

This conclusion about the state-of-the-art of ISP-level filtering technology does not, given the scope of this trial, consider the balance of costs and benefits associated with implementing ISP-level filtering. In particular, ACMA was not asked, and was not able in this trial, to assess the capital and operating costs associated with implementing any of the selected filter products, nor did ACMA examine the costs associated with any upgrading of an ISP’s network in order to address any performance degradation caused by installation of a filter product. Similarly, ACMA was not asked, and was not able in this trial, to examine the nature and implications of the implementation of ISP-level filtering for ISPs’ customers, including any associated costs.
Appendices

Appendix A: The Ministerial Direction

COMMONWEALTH OF AUSTRALIA
Australian Communications and Media Authority Act 2005
PROTECTING AUSTRALIAN FAMILIES ONLINE DIRECTION NO. 1 of 2007

I, HELEN LLOYD COONAN, Minister for Communications, Information Technology and the Arts, make the following Direction under subsection 14(1) of the Australian Communications and Media Authority Act 2005 (‘the Act’) in relation to ACMA’s functions under paragraph 8(1)(d) of the Act and its powers under subsection 12(1) of the Act.

Dated 2007.

HELEN LLOYD COONAN
Minister for Communications, Information Technology and the Arts

1 Name of Direction

This Direction may be cited as the Protecting Australian Families Online Direction No. 1 of 2007.

2 Definitions

In this Direction:

ACMA means the Australian Communications and Media Authority;

Internet service provider (‘ISP’) means a carriage service provider that supplies a service that enables end-users to access the Internet.

Carriage service provider has the same meaning as in section 87 of the Telecommunications Act 1997.
3 Direction to test product

Pursuant to subsection 14(1) of the Act, ACMA is directed to conduct a trial of one or more commercial products (‘the Product’) in accordance with the following constraints:

3.1 Purpose

The purpose of the trial is to determine:

3.1.1 the capacity of available technology to filter at ISP-level illegal or inappropriate internet content that consumers may access through an ISP; and

3.1.2 advances made since previous trials of such filter technologies were carried out.

3.2 Selection

3.2.1 The Product selected must be intended to provide the capability of ISP-level filtering of Internet content that is illegal and Internet content that is inappropriate for minors.

3.2.2 Other criteria for selection of the Product may be determined by ACMA.

3.3 Criteria

The trial will test the Product against the following criteria:

3.3.1 Performance - whether the Product causes delays or otherwise degrades Internet performance;

3.3.2 Effectiveness - the extent to which the Product blocks:
• illegal content;
• content that may be inappropriate for minors;
• innocuous content;

3.3.3 Scope - whether the Product is capable of filtering Internet traffic other than web content, such as peer-to-peer file transfers, chat and instant messaging;

3.3.4 Adaptability - whether the Product is capable of being customised so as to apply different levels of blocking appropriate for children of different ages and to target different categories of content.

3.4 Location of tests

All tests required will be carried out in Tasmania.

3.5 Time Frame and Report

ACMA is to commence the trial by 30 June 2007 and deliver a report on the findings of the trial to the Minister for Communications, Information Technology and the Arts no later than 30 June 2008.
Appendix B: The tiered hierarchy of ISPs

ISPs operate at one of three different tiers:

● Tier 1, where the ISP directly peers with (or connects on the same level of hierarchy) every other network to reach the internet;
● Tier 2, where the ISP directly peers with some networks, but must purchase outbound transport from other networks in order to reach some portions of the internet; or
● Tier 3, where the ISP solely purchases outbound transport from other networks to reach the internet.

The topology of the hierarchy of ISPs is shown in Figure 22.

[Figure 22: Tiered hierarchy of ISPs]

Tier 1 ISPs have a direct connection to the internet while peering with other Tier 1 Autonomous Systems.[28] Tier 2 and Tier 3 draw their outbound internet transport from these Tier 1 ISPs.

Note that in the situation where one ISP implements content filtering and a second ISP at a lower tier in the hierarchy purchases outbound transport from the first ISP, it is possible that internet content received by the second ISP via the first ISP will automatically be filtered, unless the first ISP has made provision to separate its wholesale customers from its retail customers in the implementation of its filtering architecture and policies.

[28] An Autonomous System (AS) is a network or group of IP networks operated by one or more network operators that has a single and clearly defined policy for inbound and outbound routing to other Autonomous Systems. Exterior routing protocols are used to exchange routing information between Autonomous Systems (see Asia Pacific Network Information Centre: http://www.apnic.net/info/faq/as_faq.html). An ISP will need to establish itself as an AS if it connects to more than one AS using different routing policies.
Appendix C: Types of network filter products not assessed

FILTER PRODUCTS TARGETING ILLEGAL CONTENT ONLY

The filter products assessed in this trial are all designed to provide flexible filtering solutions capable of identifying and blocking a diverse range of offensive or inappropriate content. In practice, this means that all of the products can be configured to block a particular set of content types and allow access to others, in accordance with the requirements of an ISP or its individual customers.

The criteria that define what may be offensive or inappropriate differ among societies, socio-demographic groups and individuals. This means that commercial filter products of the type assessed in this trial cannot treat all content as falling into either a ‘good’ category or a ‘bad’ category, but must undertake more complex analysis in recognition of the multiple and diverse standards that define what is ‘good’ and ‘bad’ content. Consequently, an individual piece of content may be identified as falling into more than one of a large number of categories.

The techniques used by the selected filter products to identify the nature of content from across the billions of web pages that now exist, and the millions of pages that are created or updated daily, are necessarily highly sophisticated. When considering the performance and effectiveness results of this trial, it is useful to recognise the magnitude of the task that filter products must perform and the complex but rarely perfect nature of the algorithms that are employed to meet this challenge.

Nevertheless, as demonstrated in the effectiveness results, all of the selected filter products exhibited high levels of accuracy in blocking the relatively small set of Category 1 content. However, the trial did not assess any products that are especially designed to perform the specific task of blocking illegal content only.
A number of commercial filter products of this nature exist (the Cleanfeed filtering system implemented in the UK by BT, which is frequently referred to as an example of this specific form of filtering, is not a commercial product). None of these were selected for this trial because the testing required under the terms of reference involved assessing the accuracy of the filters in blocking inappropriate content. This comprises a significantly broader range of material than illegal content.

Products designed to specifically block illegal content alone typically operate differently to the filter products assessed in this trial:

● they use simplified algorithms and employ index-based techniques, but either use no analysis-based techniques or simplified and computationally less intensive analysis-based techniques; and
● they employ relatively small indexes containing a few thousand URLs at the most.

These differences are due to the relatively simple nature of identifying illegal content by a filter product, which is less processor-intensive to execute. Filter products targeting illegal content only may also be more closely integrated with the core routing functions within an ISP’s network.

Consequently, all other factors being equal, a filter product designed to perform the specific task of identifying and blocking illegal content only will cause less performance degradation and be more accurate than a filter product targeting a significantly broader range of content.
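The index-only approach described above, and the Chapter 5 point that blocking of listed content improves when list updates are merged more often, sketched as an added example (not code from the report or from any trialled product). The URLs, the canonicalisation rules and the `UrlIndex` class are assumptions made for illustration; the two rates are computed the way the report reads its BRI and OBI figures (share of Category 1 and 2 test URLs blocked, share of Category 3 test URLs blocked).

```python
"""Index-only URL filter with list updates. Added illustration; every URL is constructed."""
import posixpath
from urllib.parse import quote, unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalise(url):
    """Reduce equivalent spellings of one URL to a single index key.

    Assumed rules (not taken from the report): ignore scheme and fragment,
    lower-case the host, drop default ports, decode percent-escapes and
    resolve '.' and '..' path segments.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-case
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    path = "/" + unquote(parts.path).lstrip("/")
    keep_slash = path.endswith("/")
    path = posixpath.normpath(path)
    if keep_slash and path != "/":
        path += "/"
    key = host + quote(path, safe="/")
    return f"{key}?{parts.query}" if parts.query else key


class UrlIndex:
    """Exact-match index of canonical URL keys, updated by list deltas."""

    def __init__(self, urls=()):
        self.version = 0
        self._keys = {canonicalise(u) for u in urls}

    def apply_update(self, added=(), removed=()):
        """Merge one published list update; returns the new index version."""
        self._keys -= {canonicalise(u) for u in removed}
        self._keys |= {canonicalise(u) for u in added}
        self.version += 1
        return self.version

    def is_blocked(self, url):
        return canonicalise(url) in self._keys

    def __len__(self):
        return len(self._keys)


def measure(index, corpus):
    """Return (block rate on categories 1 and 2, overblock rate on category 3)."""
    targets = [u for u, cat in corpus if cat in (1, 2)]
    innocuous = [u for u, cat in corpus if cat == 3]
    blocked = sum(index.is_blocked(u) for u in targets)
    overblocked = sum(index.is_blocked(u) for u in innocuous)
    return blocked / len(targets), overblocked / len(innocuous)


# Constructed prohibited list as first loaded, and a later update to it.
LIST_V0 = ["http://blocked-a.example/gallery/",
           "http://blocked-b.example/item?id=7"]
LIST_UPDATE = ["http://blocked-c.example/new/page.html"]

# Constructed test corpus: (requested URL, category). Categories 1 and 2 should
# be blocked; category 3 is innocuous content that should pass.
CORPUS = [
    ("HTTP://Blocked-A.example:80/gallery/", 1),
    ("http://blocked-a.example/tmp/../gallery/", 1),
    ("https://blocked-b.example/item?id=7", 2),
    ("http://blocked-c.example/new/page.html#top", 1),
    ("http://blocked-c.example/new/%70age.html", 2),
    ("http://blocked-a.example/about.html", 3),
    ("http://news.example/gallery/", 3),
]


def run_demo():
    """Measure the stale index, apply the update, measure again."""
    index = UrlIndex(LIST_V0)
    stale = measure(index, CORPUS)
    index.apply_update(added=LIST_UPDATE)
    fresh = measure(index, CORPUS)
    return stale, fresh


if __name__ == "__main__":
    stale, fresh = run_demo()
    print("stale index   block=%.2f overblock=%.2f" % stale)
    print("updated index block=%.2f overblock=%.2f" % fresh)
```

With the stale index the two entries added by the later update are missed, so the block rate stays below 100 per cent until the update is merged; URL-level entries leave the other page on a listed host unblocked.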
ENTERPRISE-LEVEL FILTER PRODUCTS

ISP-level filtering has much in common with enterprise-level filtering. However, the principles underlying the two are different.

Filtering policies in an enterprise network are determined by the owner of the network (for example, a business, institution or government body). Users of such a network are typically employees of these organisations who are bound by the terms of their employment and their organisation’s acceptable internet usage policy, which may restrict access to particular content on grounds ranging from productivity to liability. The nature of the architecture of an enterprise network is such that any filtering policy applies only within that network and affects a relatively small population. The architecture of an enterprise network is illustrated in Figure 23.

[Figure 23: Enterprise network versus ISP network. Diagram labels: Internet; other ISPs and subscribers; enterprise network; ISP.]

By contrast, ISPs are privately owned networks where bandwidth access is sold to public customers who pay a fee for the use of the ISP’s infrastructure and facilities to access the content of their choice. Customers of ISPs may be bound by an acceptable usage policy, but these usually cover bandwidth usage limitations only. Customers of ISPs are likely to expect that they can determine whether filtering is applied to their internet connection (although other considerations may apply for filtering of illegal content). Consequently, the adaptability requirements for ISP-level filter products are likely to be more complex than those for enterprise-level products.
Appendix D: Specifications of the hardware used.

NETWORK PERFORMANCE TEST

● Web server
Manufacturer: Dell
Model: PowerEdge 1950
Processor: 2 × Xeon 5140 2.33GHz
RAM: 4GB
Hard Drive: 73GB 10,000RPM SAS drive

● Client test computers
Three machines had the following configuration:
Manufacturer: Clone PC
Processor: Intel Core 2 Duo 4400 2.0GHz
RAM: 2GB
The remaining three machines had the following configuration:
Manufacturer: Clone PC
Processor: AMD Athlon 64 X2 Dual Core 4000+ 2.11 GHz
RAM: 2GB

● Controller
Manufacturer: Clone PC
Processor: Intel Core 2 Duo 4400 2.0 GHz
RAM: 2GB

● Switch
Manufacturer: Edgecore 4649
Interfaces: 48 port 10/100/1000 Base-T

ACCURACY TEST

● Client test computers
Three machines had the following configuration:
Manufacturer: Clone PC
Processor: Intel Core 2 Duo 4400 2.0 GHz
RAM: 2GB
The remaining three machines had the following configuration:
Manufacturer: Clone PC
Processor: AMD Athlon 64 X2 Dual Core 4000+ 2.11 GHz
RAM: 2GB

● Switch
Manufacturer: Edgecore 4649
Interfaces: 48 port 10/100/1000 Base-T
Appendix E: Baseline network performance characteristics of the test network

[Figure 24: Network load performance characteristics plotted against network transactions and network throughput. Horizontal axis: number of users; vertical axes: transactions per second and throughput (Mbits per second).]
Appendix F: Individual product performance

ALPHA

Alpha is a hybrid filtering solution, offered by its manufacturers as either a hardware appliance or a software product. The product performs filtering using the following standardised techniques:

● Index-based filtering
● Analysis-based filtering
● Packet filtering
● Port blocking
● Pass-through filtering

The index-based filtering component supports an extensive control list. It is further complemented by its analysis-based filtering component in the form of a real-time analysis engine. Pass-through filtering is performed on previously accessed unclassified URLs. These URLs are analysed offline, classified and accordingly populated into the control list. The filter product also offers controls for multiple protocols running on a range of different ports and permits the creation of blocking profiles for undefined protocols by specifying the port on which they run.

Performance

The mean performance indexes measured were:

PPI: 92 per cent
API: 16 per cent
CPI: 17 per cent

The PPI indicated that Alpha introduced low network degradation relative to the baseline when connected in passive mode. However, when actively filtering content, the network performance dropped by 76 per cent relative to the baseline. This is consistent over the entire simulation, as indicated by the low CPI.

Effectiveness

The effectiveness indexes measured were:

BRI: 0.90
OBI: 0.026

The BRI indicates a 90 per cent success rate when blocking content from categories 1 and 2. The OBI indicates that less than three per cent of content from Category 3 was overblocked.

Scope

Alpha offers control over more than 90 different protocols.
It offers filtering for both HTTP and HTTPS while offering blocking controls over:

● P2P protocols (over 10 variants);
● instant messaging protocols (over 40 variants), with the ability to permit text communication while disabling file transfer and voice and video communications;
● streaming video (over five variants);
● anonymisers (over five variants);
● various network services (over 15 variants);
● remote desktop protocols (over five variants);
● email (POP2, POP3, SMTP, IMAP, Microsoft HTTP mail); and
● newsgroups (NNTP, NNTPs);
● a range of assorted protocols associated with games and Web 2.0 applications.

Adaptability

Alpha offers a range of filtering options that can be tailored to meet requirements per group, subscriber or user. The product is capable of defining over 150 customised profiles (including pre-defined profiles) to offer group-level filtering, while also supporting subscriber-level and user-level differentiation of filtering schemes. It is capable of controlling access to the internet based on time of day, duration of activity and amount of data accessed, and can be controlled by user, IP address and geographic location.

BETA

Beta is offered as an appliance or as a software package that can be installed on specified hardware. For the purpose of this trial, the manufacturer provided its product pre-installed on its own hardware appliance. The manufacturer supplies products that cater exclusively to the ISP market and cites multiple commercial implementations of the product by overseas ISPs. The product performs filtering using the following standardised techniques:

● Index-based filtering
● Analysis-based filtering
● Packet filtering
● Port blocking
● Pass-by filtering
● Pass-through filtering

The index-based filtering component supports a prohibited content list and is complemented by a real-time, analysis-based filtering scheme that references over 50 pre-defined categories. It also supports the creation of over 70 custom categories. As part of its filtering methods, the product inspects individual packets, examining the content within while classifying and updating its list of prohibited content sites over time.

Performance

The mean performance indexes measured were:

PPI: 99 per cent
API: 67 per cent
CPI: 68 per cent

The PPI indicated that Beta introduced almost no degradation in network performance in passive mode.
When actively filtering content, the network performance remained stable, though it exhibited close to a 30 per cent drop in network performance relative to the baseline.

Effectiveness

BRI: 0.98
OBI: 0.075

The BRI indicates a 98 per cent success rate when blocking content from categories 1 and 2; the product did not have the most current version of the ACMA prohibited content list installed when tested. The OBI indicates less than eight per cent of content from Category 3 was overblocked.

Scope

Beta offers controls over more than 80 protocols with plans to offer controls over another 30 within the next year. It currently filters web content delivered over HTTP, HTTPS and WAP. It offers blocking controls over:

● P2P protocols (over 20 variants);
● instant messaging protocols (over 15 variants);
● streaming video (over five variants);
● anonymisers (over five variants);
● various network services (over 10 variants);
● remote desktop protocols (over five variants);
● email (POP3, SMTP, IMAP, Lotus Notes, Microsoft HTTP mail); and
● a range of protocols associated with games, chat services and database applications.

It also offers:

● spyware blocking;
● anti-virus integration; and
● malware defence.

Adaptability

Beta offers a range of filtering options that can be tailored to meet requirements per group, subscriber or user. The product can be integrated with an ISP’s existing subscriber authentication system (such as LDAP and RADIUS) to offer different levels of filtering to meet different requirements. The filter allows the creation of an infinite number of filtering profiles to offer group-level, subscriber-level and user-level differentiation of filtering schemes.

GAMMA

Gamma is a software solution. Its manufacturer provides filtering solutions to both ISP and enterprise environments. For the purpose of this trial, the product was pre-installed on vendor-provided hardware. This product is also used to provide internet content filtering via a filtered service directly provided to customers by the vendor. The product performs filtering using the following standardised techniques:

● Index-based filtering
● Analysis-based filtering
● Packet filtering
● DNS poisoning
● Pass-by filtering

The index-based filtering component is supported by analysis-based filtering, which uses content category, file type and custom word list analysis. In addition, it also features a real-time dynamic content classification component, which updates the contents of its categories periodically.

Performance

The mean performance indexes measured were:

PPI: 98 per cent
API: 14 per cent
CPI: 14 per cent

The PPI indicated that Gamma introduced almost no degradation in network performance in passive mode.
However, the API indicates that when actively filtering content, the network performance dropped by over 80 per cent relative to the baseline. The CPI remained uniform across testing loads, indicating that the device operated stably. However, its low value indicated that Gamma introduced a significant delay in network performance. The manufacturer noted that in a typical ISP environment, a larger number of devices would be used than those provided for this trial.

Effectiveness

BRI: 0.87
OBI: 0.013
The BRI indicates that Gamma displayed an 87 per cent success rate when blocking content from categories 1 and 2. The OBI of 0.013 indicates that Gamma overblocked under two per cent of all content from Category 3.

Scope

Gamma filters web content delivered over HTTP and HTTPS. It also filters email traffic over SMTP and file transfers over FTP. In addition, it also offers blocking controls over P2P protocols (over 10 variants). It also offers:

● spyware blocking;
● anti-virus integration; and
● malware defence.

Adaptability

Gamma offers filtering options that can be tailored to meet requirements per group and subscriber. The product can be integrated with an ISP’s existing subscriber authentication system (such as LDAP) to offer different levels of filtering to meet different requirements. Its ability to meet the requirements for individual users is limited to a specific end user operating system.

DELTA

Delta is a software solution. The manufacturer offers the solution either pre-installed on an appliance, or as a software package. For the purpose of this trial, the manufacturer provided the filter pre-installed on an appliance. The product performs filtering using the following standardised techniques:

● Index-based filtering
● Analysis-based filtering
● Packet filtering
● DNS poisoning
● Caching web proxies
● Pass-by filtering
● Pass-through filtering

The index-based filtering component supports both blacklist and whitelist filtering. The analysis-based filtering component uses a real-time analysis algorithm. The real-time analysis of content also updates the index of blocked content. The product also filters traffic by inspecting the nature of traffic being exchanged based on IP address and supports integration with a local cache and proxy. Its filtering extends to a range of protocols.
Performance

The mean performance indexes measured were:

PPI: 99 per cent
API: 98 per cent
CPI: 100 per cent

The PPI and API indicated that Delta introduced almost no latency into the prime network while operating either in passive mode or active mode. The network performance remained consistent across the entire simulation.

Effectiveness

BRI: 0.91
OBI: 0.024
The BRI indicates that Delta exhibited a 91 per cent success rate when blocking content from categories 1 and 2. The OBI indicates that Delta overblocked under 2.5 per cent of all content from Category 3.

Scope

Delta natively filters web content delivered over HTTP. In addition, it also offers blocking controls over the following protocols:

● P2P protocols (over 25 variants);
● instant messaging protocols (over 30 variants);
● streaming video (over 10 variants);
● anonymisers (over 10 variants);
● various network services (over 20 variants);
● remote desktop protocols (over 20 variants);
● email (POP3, SMTP, IMAP, Lotus Notes, Microsoft HTTP mail); and
● a range of protocols associated with games, chat services and database applications.

Adaptability

Delta offers filtering options that can be tailored to meet requirements per group and subscriber. The product can be integrated with an ISP’s existing subscriber authentication system (such as LDAP) to offer different levels of filtering to meet different requirements. Its ability to meet the requirements for individual users is limited to a specific end user operating system.

THETA

Theta is exclusively a hardware solution. The manufacturer specifies that the product is designed for generic network filtering implementations, with the higher-end models specifically targeted at the ISP market. The manufacturer cites a number of ISPs currently using its filtering solutions in commercial deployments. The product performs filtering using the following standardised techniques:

● Index-based filtering
● Analysis-based filtering
● Caching web proxies
● Pass-by filtering

The index-based filtering component supports prohibited content lists from up to eleven different sources. This is further supported using an analysis-based filtering component and a pass-by filtering technique that rates new and unknown content in real-time.
This pass-by filtering technique allows the filter to teach itself to distinguish content that should be permitted from content that should be blocked. The product exhibits carrier-grade scalability (that is, it is suitable for large ISPs and other large networks) for fixed-line, satellite and wireless environments. The network performance of the filter is further enhanced with the use of a cache to localise frequently requested content. The product allows traffic to be logged and exported to a range of reporting systems.

Performance

The mean performance indexes measured were:
PPI: 78 per cent
API: 76 per cent
CPI: 99 per cent

The PPI indicated that Theta degraded network performance by 22 per cent in passive mode. However, when actively filtering content, the filter product did not introduce significant additional network degradation and maintained this characteristic across increasing loads of the simulation. This is further indicated by the plot of CPI.

Effectiveness

BRI: 0.94
OBI: 0.078

The BRI indicates that Theta displayed a 94 per cent success rate when blocking content from categories 1 and 2. The OBI of 0.078 indicates that less than eight per cent of all content from Category 3 was overblocked.

Scope

Theta is primarily targeted at web content (HTTP and HTTPS). It also offers blocking or bandwidth management controls over:

● P2P protocols (all commonly known variants);
● instant messaging protocols (Yahoo, MSN, AIM);
● streaming video (MMS/RTSP);
● a range of protocols used for network services such as SOCKS (both versions 4 and 5) and DNS; and
● file transfer protocol (FTP).

In addition, it supports the definition of custom TCP protocols that subsequently permit limiting the bandwidth or blocking any application using such a defined protocol. It also offers:

● spyware blocking;
● anti-virus integration; and
● malware defence.

Adaptability

Theta offers a range of filtering options that can be tailored to meet requirements per group, subscriber or user. The product can be integrated with an ISP’s existing subscriber authentication system (such as LDAP or RADIUS) to offer different levels of filtering to meet different requirements. The filter allows the creation of an infinite number of filtering profiles to offer group-level, subscriber-level and user-level differentiation of filtering schemes.

OMEGA

Omega is exclusively a hardware solution. The vendor specifically supplies products suitable for the ISP market and cites a number of existing ISPs currently using its solutions in commercial deployments.
The product performs filtering using the following standardised techniques:
● Index-based filtering
● Analysis-based filtering
● Packet filtering
● Port blocking
● Pass-through filtering
This product executes its filtering at the hardware level as part of an embedded system, rather than at the software level. The index-based filtering component is executed using multiple methods. The device recognises and filters based on the type of traffic and the port on which it runs. The product allows traffic to be logged and exported to a range of reporting systems.

Performance

The mean performance indexes measured were:

PPI: 101 per cent
API: 79 per cent
CPI: 78 per cent

The PPI indicated that Omega introduced a marginal improvement in network performance when connected in passive mode. This marginal improvement appears to be a statistical variance. The API indicates that while actively filtering content the network performance fell by approximately 20 per cent relative to the baseline. The performance remained stable throughout the simulation, with the degradation consistently remaining less than 25 per cent.

Effectiveness

BRI: 0.94
OBI: 0.029

The BRI indicates that Omega displayed a 95 per cent success rate when blocking content from categories 1 and 2. The OBI indicates that less than three per cent of content from Category 3 was blocked. The manufacturer of Omega did not have access to the ACMA prohibited content list when submitting its product for the trial.

Scope

Omega filters web content (HTTP and HTTPS), email (SMTP) and streaming media (RTSP) protocols. In addition, it supports the definition of custom TCP protocols that subsequently permit blocking any application using such a defined protocol.

It also offers:
● spyware blocking; and
● anti-virus integration.

Adaptability

Omega offers a range of filtering options that can be tailored to meet requirements per group, subscriber or user. The product can be integrated with an ISP’s existing subscriber authentication system (such as LDAP or RADIUS) to offer different levels of filtering to meet different requirements.
The filter allows the creation of filtering profiles to offer group-level, subscriber-level and user-level differentiation of filtering schemes.
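The effectiveness figures reported for each product can be reproduced in miniature with the sketch below, which is an added example and not part of the report or of any vendor's product. It assumes, from the way the report reads its own figures, that BRI is the fraction of category 1 and 2 items blocked and OBI is the fraction of Category 3 items blocked; the index entries, URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed indexes (blocklists). An entry is either a bare host, which
# blocks the whole site, or host + path prefix, which blocks part of a site.
HOST_LEVEL_INDEX = {"bad.example", "mixed.example"}
URL_LEVEL_INDEX = {"bad.example", "mixed.example/prohibited/"}

# Constructed test corpus of (URL, category). Following the report's usage,
# categories 1 and 2 should be blocked and Category 3 should be permitted.
CORPUS = [
    ("http://bad.example/", 1),
    ("http://BAD.example:80/gallery/1.html", 1),
    ("http://mixed.example/prohibited/a.html", 2),
    ("http://mixed.example/prohibited/b.html", 2),
    ("http://unlisted.example/x", 2),           # missing from both indexes
    ("http://mixed.example/news/today.html", 3),
    ("http://mixed.example/sport/", 3),
    ("http://good.example/", 3),
    ("http://good.example/prohibited/", 3),     # same path, different host
    ("http://another.example/index.html", 3),
]


def normalise(url):
    """Return (host, path) with host case, port and trailing dot removed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path or "/"


def is_blocked(url, index):
    """Index-based decision: block if any index entry covers the URL."""
    host, path = normalise(url)
    for entry in index:
        entry_host, sep, entry_path = entry.partition("/")
        if host != entry_host:
            continue
        # A bare host entry covers every path; otherwise match the prefix.
        if not sep or path.startswith("/" + entry_path):
            return True
    return False


def effectiveness(index, corpus=CORPUS):
    """Return (BRI, OBI) for a given index over the labelled corpus."""
    should_block = [u for u, cat in corpus if cat in (1, 2)]
    should_pass = [u for u, cat in corpus if cat == 3]
    bri = sum(is_blocked(u, index) for u in should_block) / len(should_block)
    obi = sum(is_blocked(u, index) for u in should_pass) / len(should_pass)
    return round(bri, 3), round(obi, 3)


if __name__ == "__main__":
    for name, index in (("host-level", HOST_LEVEL_INDEX),
                        ("URL-level", URL_LEVEL_INDEX)):
        bri, obi = effectiveness(index)
        print(f"{name:10s} BRI={bri:.2f} OBI={obi:.2f}")
```

Both indexes miss the same unlisted item, so BRI is identical, while the host-level entry for the mixed site is what drives overblocking.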
Glossary

Access network: The part of a communications network that connects subscribers to their immediate service provider.
ACMA: Australian Communications and Media Authority—an Australian Government regulatory authority for broadcasting, online content, radiocommunications and telecommunications, with responsibilities under the Broadcasting Services Act 1992, the Radiocommunications Act 1992, the Telecommunications Act 1997 and related Acts. Established on 1 July 2005 following a merger of the Australian Communications Authority and the Australian Broadcasting Authority.
ACMA prohibited content list: A list of URLs that link to internet content hosted outside Australia that ACMA is satisfied is prohibited or potentially prohibited in accordance with Schedule 5 to the Broadcasting Services Act 1992. Prohibited and potentially prohibited content are defined in clauses 20 and 21 of Schedule 7 to the Broadcasting Services Act 1992 and may include content in the range MA15+ to Refused Classification.
Active mode: A state of an internet content filter where it is actively filtering content.
ADSL: Asynchronous Digital Subscriber Line—a grade of internet service provided by telecommunications carriers that offers high-speed data transmission over copper lines.
Analysis-based filtering: One of two primary identification techniques in internet content filtering that involves an algorithm to actively analyse retrieved internet content to ascertain the nature of the content.
Array: In telecommunications, a group of similar devices performing a similar function synchronised with one another.
ATM: Asynchronous Transfer Mode—a cell relay, packet-switching network and data link layer protocol that encodes data traffic into small (53 bytes; 48 bytes of data and five bytes of header information) fixed-sized cells. This differs from other technologies based on packet-switched networks (such as the Internet Protocol or Ethernet), in which variable sized packets (known as frames when referencing Layer 2) are used.
AusTender: An Australian website that provides centralised publication of Australian Government business opportunities, annual procurement plans, multi-use lists and contracts awarded.
Bandwidth: The theoretical maximum amount of data that a data pipe can transmit per unit time.
Baseline: In statistics, a reference point against which other measurements are calibrated.
Bespoke filtering policy: A filtering policy tailored to meet the needs of a specific organisation, end user or end user group.
Blocking: Completely preventing access to, or delivery of, specific content.
Bridge: A networking device that connects multiple network segments.
Bursty: In data communications, small amounts of data of variable size and frequency.
Caching: A process by which internet content is stored locally. Content requested frequently can be retrieved from this local repository, speeding up data retrieval and conserving outbound bandwidth.
Central exchange (ITU): A telephone exchange that serves as a hub for local exchanges.
Characteristic curve: In statistics, a curve plotted on a graph between two or more variables that shows the variance of one variable relative to the others.
Checksum: A form of redundancy check that provides a simple means to protect the integrity of data by detecting errors in transmitted data by adding up the basic components of the message and storing the resulting value.
Client: A machine (or a piece of software residing on the machine) that accesses services from another controlling machine (or piece of software on this machine—the server).
Client-server architecture: A distributed system where the client software makes a service request from another program—the server—that fulfils the request.
Core network: The central part of a telecommunications or internet network that provides various services to customers who are connected by the access network.
CSIRO: Commonwealth Scientific and Industrial Research Organisation—the government body for scientific research.
Delimiter: A sequence of one or more characters used to specify a boundary between separate, independent regions in plain text or other data streams. For example, in written English, the space between two words serves as a delimiter.
DNS: Domain Name System—serves as the ‘phone book’ of the internet, translating human-readable URLs into IP addresses.
DS3: Digital Signal level 3 T-carrier, also referred to as a T3. The data rate for this type of signal is 44.736 Mbps.
DSLAM: Digital Subscriber Line Access Multiplexer—a network device typically placed in an exchange located in the vicinity of a subscriber that connects multiple digital subscriber lines to a high-speed internet backbone using multiplexing techniques.
Email: Electronic mail—a store-and-forward method of composing, sending, receiving and storing messages over an electronic communications system.
Ethernet: The IEEE 802.3 standard—a family of frame-based computer networking technologies for local area networks.
Filter: Content control software and/or hardware designed and optimised for controlling what content is accessible to a user.
Filtering: The process of actively identifying and blocking or permitting access to web content.
Filtering policy: A set of rules that defines what content should be blocked and what should be permitted.
Frame relay: An efficient data transmission technique used to send digital information quickly.
FTP: File transfer protocol—a network protocol used to transfer data from one computer to another over a network.
Gateway: A network node equipped for interfacing with another network that uses different protocols.
Generally available: A term used in product development for products which have gone through the product development cycle and are now available to be freely purchased.
Gigabit: Refers to a network, a network device or network interface with a rated bandwidth of 1 billion bits per second.
Hardware filter product: A filter product that is sold as an appliance, as distinct from a software package.
Header: Supplemental data at the beginning of a data block being stored or transmitted that follows a clear and unambiguous specification.
HTTP: Hyper-Text Transfer Protocol—web content.
HTTPS: Hyper-Text Transfer Protocol over Secure Socket Layer—secure web content.
Hybrid solution: A filter product that has a hardware appliance component complemented by a software component.
IM: Instant messaging—a form of text based chat on the internet.
IMAP: Internet Message Access Protocol—a protocol operating on port 143 that allows a local client to access email on a remote server.
Index-based filtering: One of two primary identification techniques in internet content filtering that involves using a list of content that may either be permitted, or denied.
Internet: A worldwide, publicly accessible series of interconnected computer networks.
IP: Internet protocol—a set of rules under which data is exchanged across the internet among network elements.
IP address: A unique address that network elements use in order to identify and communicate with each other on a computer network using the internet protocol.
ISP: Internet Service Provider—a company that provides internet access for individuals, organisations and companies.
ITU: International Telecommunication Union—an international organization established to standardise and regulate international radio and telecommunications.
IWF: Internet Watch Foundation—a UK organisation that operates an internet hotline for the public and IT professionals to report potentially illegal content online. It works in partnership with the police, the government, the public, internet service providers and the wider online industry.
LDAP: Lightweight Directory Access Protocol—an application protocol for querying and modifying directory services.
Linearly correlated: A relationship between two variables where each increases or decreases by the same order as the other.
Local exchange (ITU): A telephone exchange that serves as a hub for end users in a local area.
Malware: Malicious software, including viruses, worms, Trojan horses, spyware and keystroke loggers. Many early forms of malware were pranks that were intended to disrupt organisations’ functioning rather than cause serious damage. However, malware is now increasingly used for extortion through denial of service attacks and to perpetrate online fraud.
MP3: MPEG-1 Audio Layer 3—a digital audio encoding format.
Multiplexer: Sometimes referred to as a mux. In electronics, a device that performs multiplexing where multiple analog message signals or digital data streams are combined into one signal over a shared medium. The aim is to share an expensive resource.
NCS: National Classification Scheme—a cooperative federal–state arrangement under which the Classification Board classifies films (including videos and DVDs), computer games and certain publications. It is the role of the Classification Board to decide which classification should be given, by applying the relevant law and classification guidelines. The classifications for films and computer games are G, PG, M, MA15+ and Refused Classification. Films have two additional classifications—R18+ and X18+. Material that is Refused Classification cannot be legally shown, sold or hired in Australia.
Network element: Any hardware device in a network.
Newsgroup: A repository within the Usenet system for messages posted by many users at different locations.
NNTP: Network News Transfer Protocol—the application protocol used primarily for reading and posting Usenet articles and transferring news among news servers.
OC12: Optical carrier level describing a digital signal that can be carried over SONET fibre-optic network—622.344 Mbps.
OC3: Optical carrier level describing a digital signal that can be carried over SONET fibre-optic network—155.52 Mbps.
OC48: Optical carrier level describing a digital signal that can be carried over SONET fibre-optic network—2488.32 Mbps.
Operating system: The software component of a computer that is responsible for the management and coordination of activities and the sharing of resources of the computer.
Overblocking: The blocking of sites that should not be blocked as a result of filtering.
Overhead: Ancillary data required by a transmission system to transmit data from a source to a destination.
Ovum: A UK-based telecommunications and information technology research company.
P2P: Peer-to-peer.
Packet: A formatted block of data carried by a computer network.
Padding: Data that fills a data field (if necessary) to ensure that it meets the minimum length requirements.
Passive mode: A state of an internet content filter where it is connected to a network but is not actively filtering content.
Payload: The part of a data stream representing the user information.
Peer-to-peer: A system of coordinating communication across networks that involves diverse connectivity among users, typically used to share files.
Performance characteristic: A curve plotted on a graph that exhibits the variance of performance of a subject being tested under varying test conditions.
POP3: Post Office Protocol version 3—a standard protocol used to retrieve email from a remote server.
Port: A virtual data connection between computer programs, typically across a computer network.
Protocol: A set of rules governing communication within and between computing endpoints.
Proxy: A computer network service that allows clients to make indirect network connections to other network services.
RADIUS: Remote Authentication Dial In User Service—a networking protocol used to access servers to provide centralised management of access to large networks.
Retransmission: In data communications, an event where the same packet is transmitted more than once to overcome a scenario where the original packet may have been lost when initially transmitted. It is analogous to repeating oneself in a conversation when the recipient fails to interpret one’s statements the first time.
RTSP: Real-time Streaming Protocol—a protocol for use in streaming media systems that allows a client to remotely control a streaming media server, issuing VCR-like commands such as ‘play’ and ‘pause’ and allowing time-based access to files on a server.
Saturation: That state in a network where an increase in bandwidth demand produces no further increase in the measured throughput of the network.
Server: An application or device that performs services for connected clients as part of a client-server architecture.
SMTP: Simple Mail Transfer Protocol—the de facto standard protocol used to send email across the internet.
Software filter product: A filter product that is sold as a software package, as distinct from an appliance.
SONET: Synchronous optical networking—a multiplexing protocol for transferring multiple digital bit streams using lasers or light-emitting diodes over the same optical fibre. The method was developed to replace the Plesiochronous Digital Hierarchy (PDH) system for transporting larger amounts of telephone calls and data traffic over the same fibre wire without synchronisation problems.
Spam: Unsolicited messages often sent in bulk to a large number of email addresses.
Spyware: Software that is used to capture personal information without the user’s knowledge for business purposes such as advertising or criminal purposes such as theft.
Subnet: Subnetwork—a range of logical addresses within a defined IP address space that is assigned to be kept separate from the rest of the address space.
Telnet: A network protocol used on internet or local area network connections to gain access to the command line interface of a device.
Throughput: The amount of data that a computer network is capable of transmitting per unit time.
Transaction: The complete cycle of communication, originating from its initiation and concluding with its termination.
URL: Uniform Resource Locator—a string of characters used to identify or name a resource on the internet. It provides users seeking access to a resource (such as a website, or a picture or other element within a website) with a means to locate it.
Vendor-managed service: A filtering service offered by a third-party that is hosted on a server that is remote to an ISP.
Virus: A form of malware that infects other programs on a computer. Viruses may contain a single message or image that is intended to consume memory and degrade computer performance or they may be more malicious and destroy data or computer hard drives.
VoIP: Voice Over IP—a protocol optimised for the transmission of voice across the internet.
Walled-garden: A closed exclusive set of information services provided for users.