Ethical Issues in Firewall Administration
John Bailey
September 5, 2003
For any organization with a Local Area Network, a firewall is essential to prevent unauthorized outsiders from gaining access to information inside that network. While this is the firewall's primary purpose, it has an additional use. While the Internet offers unparalleled access to information, it also contains much material that is objectionable. Some firewalls offer a range of tools for preventing users who are inside the network from gaining access to information on the Internet. Determining how these tools for filtering or blocking websites are to be applied confronts the Local Area Network administration with the ethical challenge of balancing between 1) standards of decency, 2) free access to information and 3) individuals' rights to privacy.

[Slide: The Tug of War, between Privacy, Free Speech and Decency. Captions: "How do you KNOW I'm looking at porn?" "Are YOU telling me what I can see?" "What I look at is my own business." "It's not porn, it's art." "You are just encouraging corrupters." "We have to protect kids."]

As the slide shows, this can be viewed as a tug of war between three kinds of people. There are those whose primary concern is their personal information space. They resent intrusion of any kind into their space. There are others who find risqué or lascivious material offensive and will take aggressive steps to purge their environment of such material. Third, there are those whose main concern is avoiding censorship or any restriction to free access to information. The interplay of these attitudes with the relatively blunt tools available for managing and restricting access to "objectionable material" on the Internet can make the task of administering a firewall quite interesting.

A firewall is a specialized computer which connects the Local Area Network to the Wide Area Network. Its software provides for detection of incoming attempts to gain unauthorized access to or control of computers on the Local Area Network. It allows for revising the addresses of all computers on the network, such that they do not appear as valid TCP/IP addresses to the wide area network processes. This is called Network Address Translation (NAT) and is analogous to having an unlisted phone number. In this case, all stations on the LAN would be "unlisted."

[Slide: Firewall location]

The most powerful capability of a firewall is its ability to refuse to accept packets of data from the WAN which were not requested. Unless a process on a PC within the LAN had requested the information, a packet directed to a PC on the LAN would not be accepted. This can be thought of as analogous to only accepting return calls from numbers previously dialed. "Don't call us, we will call you."

Almost incidental to these fundamental processes for protecting the LAN and its inhabitants is the feature to be discussed in this talk, website blocking.

Website blocking by the firewall is convenient, allowing administration of blocking for the network as a whole rather than separate blocking for each PC on the network. It allows single point control without single point location, since the firewall itself is accessed as web pages on the Local Area Network and can be administered from any location within the LAN. The actions apply, not just to the location but to the entire network.

The tools available for blocking provide the elements from which to construct a strategy.

BLOCKING TOOLS
• Subscription blocking list
• Custom blocking list
• Key word blocking
• Email notification of a blocked site
• Logging of blocked sites
• Email log summaries
• Listing of recent site visits
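The custom blocking list, key word blocking and log review tools in this list can be sketched as follows. This is an added example, not from the original paper and not SonicWall's implementation; the function names, the `.example` hostnames, the machine names and the 15-minute review window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

def decide(host, blocklist, keywords):
    """Return (blocked, reason) for one requested hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Custom list: match the host itself or any parent domain on the list.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True, "custom-list"
    # Key word blocking: plain substring match against the name.
    for kw in keywords:
        if kw in host:
            return True, "keyword:" + kw
    return False, "allowed"

def overblocked(harmless_hosts, blocklist, keywords):
    """Harmless hosts that the current settings would still block."""
    return [h for h in harmless_hosts if decide(h, blocklist, keywords)[0]]

def review_candidates(log, blocklist, keywords, window=timedelta(minutes=15)):
    """Allowed hosts visited from the same machine close in time to a
    blocked attempt: the administrator's shortlist for manual review."""
    blocked = [(t, m) for t, m, h in log if decide(h, blocklist, keywords)[0]]
    found = set()
    for t, machine, host in log:
        if decide(host, blocklist, keywords)[0]:
            continue
        if any(m == machine and abs(t - bt) <= window for bt, m in blocked):
            found.add(host)
    return sorted(found)

# Constructed sample data (reserved .example names, not real sites or logs).
BLOCKLIST = {"adult-site.example"}
HARMLESS = ["middlesex-library.example", "essex-clinic.example", "news.example"]
T0 = datetime(2003, 9, 5, 14, 0)
LOG = [
    (T0, "pc-03", "news.example"),
    (T0 + timedelta(minutes=2), "pc-03", "www.adult-site.example"),
    (T0 + timedelta(minutes=4), "pc-03", "sextracker-mirror7.example"),
    (T0 + timedelta(minutes=6), "pc-03", "unlisted-gallery.example"),
    (T0 + timedelta(minutes=7), "pc-05", "essex-clinic.example"),
    (T0 + timedelta(hours=3), "pc-03", "weather.example"),
]

if __name__ == "__main__":
    print(decide("www.adult-site.example", BLOCKLIST, ["sextracker"]))
    print(overblocked(HARMLESS, BLOCKLIST, ["sextracker"]))
    print(overblocked(HARMLESS, BLOCKLIST, ["sex"]))
    print(review_candidates(LOG, BLOCKLIST, ["sextracker"]))
```

With the narrow key word nothing harmless is blocked, while the common word blocks two harmless names. The review shortlist also contains a harmless news site, so it is input to the administrator's judgment rather than a verdict.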
First, there are the options which determine the sites to be blocked--a subscription list, a do-it-yourself custom list, or blocking by key words.

Additionally, there are information gathering features—automatic email notifications and logs which assist the administrator in monitoring the operation.

The network administration must choose between key word filtering, commercial blocking list filtering, or customization based on the traffic patterns of its users. Each of these choices has advantages and pitfalls.

Since an organization I support uses SonicWall, a well-known firewall device, our first thought was to subscribe to the SonicWall blocking list. In theory, the process is simple: buy the download from the supplier and click on the categories to be blocked.

This has two disadvantages--not only is the on-going subscription charge high for a small organization, but the blocking is one-size-fits-all. A health oriented organization has users who want access to sites whose content might appear to be objectionable but which actually contain important health information. For example: http://www.menshealth.com, Men's Health Magazine, or http://www.arhp.org/, which is the website of the Association of American Reproductive Health professionals. The first of these sites should be blocked. The second arguably should not, but is blocked by some commercial blocking software. (Reference: Kaiser Foundation study) Using a commercial blocking list gives the administrator no simple recourse to access a site that the list supplier has included.

For us, a better alternative is to use customized blocking lists. SonicWall can send email to the administrator when access to a blocked site is attempted by a user. As a result, the administrator can then review usage logs and determine if other unblocked sites were also visited. With this information, as well as times and machines used, it is possible to develop a picture of the usage patterns of offending users and build an impressive private blocking list. With a good starting list, the blocking list grows itself. The problem with this approach is that objectionable sites are never blocked the first time they are visited. The administrator observes a site that is visited, decides it is objectionable and adds it to the blocking list. Thereafter no user can visit that site, getting instead the blocking message.

To overcome the pitfall of always being one visit behind when using custom blocking, we then tried adding key word blocking. Key word blocking may be more trouble than it is worth. Finding keywords which will only show up on objectionable sites but not on acceptable sites is a troublesome process. Key word blocking is useful to eliminate web pages which are named with many variations of the same key core word. Sextracker seems to be a favorite prefix for site names of one collection of objectionable sites. Since there are many variations of the similar name, adding the blocking word "sextracker" allows anticipation of undiscovered and future variations. Using common words as blocking key words simply results in a lot of backtracking as perfectly harmless sites show up as blocked.

The main value of key word blocking is as a supplement to custom blocking. Since key word blocking will easily block sites which are not objectionable, it is perhaps most effective when used in combination with a permissions technique that allows authorized users on certain machines to by-pass blocking, thus eliminating some of the problem of excessive censorship.

Permission pages are intended to inform a user of the organization's internet access policy and what they can expect with regard to monitoring their usage. Some types of permission pages can allow users on authorized machines to elect non-blocking. Depending on the selection a user makes on such a PC, the firewall blocking is either applied or bypassed. The value of this approach is that much more restrictive blocking can be used for the custom blocking list and key word blocking combination, but certain users can be granted the option of overriding these restrictions.

The disadvantage of this approach is that a LAN web server is required to present the permission screens, thus adding an additional complexity to the administration task.

Another strategy component can be termed "site selection redirection." In some instances, the pattern of usage may lead to the conclusion that objectionable sites are being visited because the user is searching for information but the information suppliers are forcing the objectionable sites on them. An example of this in a school or library setting might be based on the following logic:

1) Teens know how to use search engines to research questions.
2) They have a natural teenager's curiosity about sex.
3) They frame a query about a sexual topic.
4) The porno-pushers deluge them with indecency.
5) Because of the teen-ager's hormones and naiveté, they can get enticed--being presented with aggressively erotic material.

Following this logic, one solution might be to offer, as a substitute for the page requested, a suitable page with information corresponding to the original request.

The concern here is that parents may object to sex education being gratuitously introduced to their children without permission. Permission pages, as outlined above, might be used to relieve this concern.

An organization should develop its own Internet Access Policy. As far as practical, such a policy codifies the organization's objectives in controlling access to the Internet, what kinds of material are considered objectionable and the actions it will take to insure that its objectives are satisfied. The actions to be taken will likely include a degree of monitoring, requiring a tradeoff of privacy against the need to insure the intended controls are working properly.

Internet Access Policy (example)
• Statement of intent: Computers are provided at the facility for information research, learning, and the enjoyment of members. In this latter use, they are a perk. Members, associates, and their family members who spend time at the facility are encouraged to use computers at the facility for access to the Internet, but not to objectionable sites.
  In this policy, objectionable sites are ones which contain material involving:
  – Full Nudity
  – Gross Depictions
  – Sexual Acts
  – Partial Nudity
• Implementation:
  – Access will be blocked using a custom blocking list.
  – Start up message will advise objectionable site visits are a violation.
  – Blocking will be recorded—time and location.
  – Selections will be monitored.
  – Persistent use will result in sanctions.
  – Exceptions will be by appeal only.

The example policy outlined here was developed after examining examples of policies from the web. The examples found there have a different style. In this case, the intent was to obtain concurrence from the organization's board of directors as to what we wanted to do and how we would do it.

The implementation of an Internet Access Policy calls for plans and actions by a firewall administrator who must select a technical means to filter information, establish filter settings and monitor their effect. The administrator should report back to the governing body of the organization from time to time. Because the entire process involves many sensitive judgments, some on explosive issues, the administrator's best safeguard is a clear set of operational guidelines which will protect the administrator from emotional, reactive decisions by the governing body.

The degree of control, the violation of privacy and infringement on free access to information are in proportion to the extent to which some few individuals push the limits of decency. Rather than impose severe controls on all users, it is better to impose severe penalties on the few violators. This requires knowing to whom the penalties should be applied. Without excessive control and snooping, it is relatively easy to determine when and on which computer an objectionable site is visited. By noting these times and keeping track of the nature of the sites visited, a pattern may emerge. By comparing the pattern of visits with other data, such as the comings and goings of the possible users, it eventually becomes possible to identify the violator. At that point, direct intervention—confrontation or threat of public embarrassment—may be enough. If not, the policy prescribes the formal steps.

There is, of course, a certain degree of ambiguity regarding the character of certain websites. The site www.menshealth.com is a good example. Although Google SafeSearch blocks it entirely, some of its pages are acceptable. To a casual glance, Esquire magazine, for example, has about the same level of blatant sex. On the other hand, on examining the whole site, there are many quite objectionable pages. Another filtering process available on the web, the publicly available filter at N2H2.com, agrees with this assessment.

www.menshealth.com is a site for which I received a request to remove from the blocking list, based on its health and medical content. At this juncture, the Google SafeSearch test was invoked for the first time. Based on the preponderance of pages which Google SafeSearch would block from the site, it remained on the blocking list.

Our policy evolved to this procedure: If the blocking list denies access to sites which are needed for facility business—for example medical information, a request to remove such a site from the blocking list should be made to the VP of Administration. The standard of acceptance for a site will be generally used search software with content filtering, e.g. if Google SafeSearch using strict content blocking blocks the site in question. If it does, removal of such a site from the organization's blocking list will be done only with approval of the President.

http://cyber.law.harvard.edu/people/edelman/google-safesearch/ gives a critical report of Google's SafeSearch. The paper, Empirical Analysis of Google SafeSearch by Benjamin Edelman (Berkman Center for Internet & Society, Harvard Law School), lists some astonishing gaffes found in its evaluation of SafeSearch.

N2H2, the other filtering software available on the web at http://www.n2h2.com/, provides an on-line evaluation and classification of individual websites a user submits to it.

Some experimentation with both of these filters reveals some of their gaps. N2H2 rates whole sites, not pages. It appears that some sites are simply not classified. Google's SafeSearch appears to have no way of detecting the unsuitable nature of images which a page may contain. If a web page uses acceptable words and phrases, but contains pornographic images, SafeSearch may not filter the page. Specifically, while evaluating www.terra.es, Google showed about 1600 pages were acceptable. One of these, titled Exclusive Russian Girls, used moderate words but contained an animated picture illustrating a link. The animated picture was a close-up of a female performing fellatio on a male partner.

Quoting Benjamin Edelman (Berkman Center for Internet & Society, Harvard Law School): "Accurate Internet filtering is an extraordinarily difficult task still well beyond the reach of current algorithms and methods."

Ethical Questions
• What material is objectionable?
• When does monitoring become snooping?
• When does blocking become censorship?
• What evidence is needed to identify a violator?
• What are just penalties for violation?
• What inconvenience for the many is justified to prevent objectionable behavior?

The issues that emerge in determining what and how to block are largely ones of degree. At either extreme, reasonable people would reach common ground. The cases in the middle become contentious.

The range of precedent and variation of the context between businesses, community organizations, libraries and colleges/universities leads to the conclusion that there are no pat answers. Since every organization is different, any strategy should only be adopted after careful review by its responsible authorities of the full spectrum of issues and options.

References:

M. Streb, C. Perkins, FIREWALLS 24 SEVEN, Sybex Network Press, 2000, ISBN: 0-7821-259-8
SONICWALL SOHO USERS GUIDE, Sonic Wall
B. Edelman, EMPIRICAL ANALYSIS OF GOOGLE SAFESEARCH, http://cyber.law.harvard.edu/people/edelman/
See No Evil: How Internet Filters Affect the Search for Online Health Information, Kaiser Foundation, http://www.kff.org/
Children's Internet Protection Act (CIPA), American Library Association, http://www.ala.org/
The Digital Millennium Copyright Act, The UCLA Online Institute for Cyberspace Law and Policy, http://www.gseis.ucla.edu/iclp/dmca1.htm
INTERNET RESTRICTION AND CENSORSHIP, The Chronicle of Higher Education, http://chronicle.com/infotech/
Ethical Issues in Firewall Administration, St. John Fisher conference on Ethics, October 10-11, 2003, http://home.rochester.rr.com/jbxroads/blocking

Appendix I
generic internet access policy
XXX Organization
Internet Access Policy
Intent:
Computers are provided at the facility for information research, learning, and the enjoyment of
members. In this latter use, they are a perk. Members, associates, and their family members who
spend time at the facility are encouraged to use computers for access to the Internet, but not to
objectionable sites.
In this policy, objectionable sites are ones which contain material involving:
Violence/Profanity Partial Nudity
Full Nudity Sexual Acts
Gross Depictions Intolerance
Satanic/Cult Drug Culture
Militant/Extremist Sex Education
Alcohol/Tobacco Gambling/Questionable/Illegal Activities
Sites which could incur service charges billed to this organization will be considered
objectionable.
Implementation:
• Access to objectionable sites from computers on the facility Local Area Network will be
blocked using a custom blocking list.
• All facility computers will display a start up message to advise the user at the start of a
web browsing session
o that the time and location of their use of the web may be logged
o that access to objectionable sites is a violation of the XXX Organization’s
Internet Access Policy
• Blocking of known objectionable sites will be recorded for all facility computers.
• Selection of sites by users on facility computers will be monitored to identify sites that
should be added to the blocking list.
• Persistent use of facility computers for access to objectionable sites will result in
sanctions against the user which may include suspension from the corps or revocation of
their privileges of using facility computers or facilities.
• If users systematically circumvent these controls, then only individuals with passworded
accounts will be granted access to the Internet, to insure compliance with this policy.
• If the blocking list denies access to sites which are needed for facility business—for
example medical information, a request to remove such a site from the blocking list
should be made to the VP of Administration. The standard of acceptance for a site will
be generally used search software with content filtering, e.g. if Google SafeSearch using
strict content blocking blocks the site in question. If it does, removal of such a site from
the XXX Organization’s blocking list will be done only with approval of the President.
Adopted by the Board of Directors of the XXX Organization
Date of adoption