Introduction

ChoiceNet is a security technology invented by Lucent to provide a traffic filtering mechanism for networks using dial-up InterNetworking Systems, synchronous leased-line, or Ethernet. When used with RADIUS, ChoiceNet provides exceptional flexibility in fine-tuning the level of access provided to users.

ChoiceNet consists of server and client components. The server component resides on the UNIX host. The client component resides on the PortMaster Communications Servers, IRX routers, IRX firewall routers, and the PortMaster Office Routers.

Function of ChoiceNet

ChoiceNet performs two main functions in filtering network traffic, described below:

Centralized Filter Management and Dynamically Downloadable Filters

ChoiceNet simplifies filter management through central storage of all filters on the network: every filter is located on the ChoiceNet server. Refer to the description of the rules directory in the ChoiceNet Architecture section for more details about the filter location.

Because all filters are stored on the ChoiceNet server, when ChoiceNet is activated (a user dials in to the PortMaster), a filter assigned to the user or port that exists on the ChoiceNet server is dynamically downloaded from the server to the ChoiceNet client's flash memory. Once the connection is terminated, the ChoiceNet filter no longer resides on the PortMaster Communications Server or Router.

If a filter assigned to a user or a port does not exist on the ChoiceNet server, the server returns an error message indicating the nonexistent filter.

Centralized filter management is useful for a large site that heavily employs packet filtering for screening traffic. Because all the filters are stored in the same location instead of locally on PortMasters scattered throughout the network, managing these filters will be less time-consuming.

Filtering traffic with Site List

The site list is another function of ChoiceNet. A site list defines the hosts and sites that need to be filtered. The list can contain sites catering mainly to children or to adults. Corporations can also employ a site list to screen traffic for employees while at work. This method is often used to improve productivity by preventing access to sites that provide games, stock quotes, and other activities unrelated to business.

Lucent recently announced a partnership with Yahoo! to obtain the Yahooligans list. Yahooligans contains Internet sites that cater primarily to children from ages 8 to 12. Using this list, a ChoiceNet filter can be written to permit minors to access only these sites.

Currently, Yahooligans is the only official list that Lucent is distributing to its customers. However, there are several ways that other site lists can be created through the use of search utilities on the Internet.

ChoiceNet Architecture

ChoiceNet software is organized into the following tree architecture:

[Figure: ChoiceNet Architecture, a tree of the ChoiceNet directory; its files and subdirectories are listed below]
The functionality of each of the above files and directories is as follows:

clients

The clients file contains the names or IP addresses of ChoiceNet clients and their shared secrets. When ChoiceNet is activated, the clients file is consulted to verify the validity of the ChoiceNet clients. This file defines the communication between the ChoiceNet server and its clients.

logfile

This is a logfile that records all ChoiceNet activities on the network.

buildfilter

This is a utility that turns a list of hostnames into a DBM database of IP addresses to enable more efficient lookup by the ChoiceNet server.

The buildfilter utility looks in the filters subdirectory for files containing a list of hostnames and turns these into DBM data and index files in the filters.dbm subdirectory. For example, filters/yahoo becomes filters.dbm/yahoo.dir and filters.dbm/yahoo.pag.

The format of the buildfilter is as follows:

buildfilter <site list>
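The following is an added example, not Lucent's buildfilter code, showing the idea behind it: a plain-text site list is resolved to addresses and written into a DBM index keyed by IP address, so the server can test membership per packet with a single key lookup instead of scanning a text file. The site list contents, the stand-in resolver table and its addresses are all constructed so the example runs offline; the file name yahoo follows the page's filters/yahoo to filters.dbm/yahoo layout.

```python
"""Added example (not Lucent's buildfilter): turn a human-readable site list
into a DBM index keyed by IP address and look addresses up in it."""
import dbm
import os
import tempfile

# Constructed stand-in for DNS resolution so the example runs offline.
# A real buildfilter would resolve each hostname; these addresses are made up
# from the documentation ranges (RFC 5737).
FAKE_DNS = {
    "www.example-kids.test": ["192.0.2.10", "192.0.2.11"],
    "games.example.test": ["198.51.100.7"],
}

# Constructed site list in the plain-text form kept under filters/:
# one host name or IP address per line, '#' comments allowed.
SITE_LIST_TEXT = """\
# constructed sample list
www.example-kids.test
games.example.test
203.0.113.5
"""


def resolve(entry):
    """Return the IPv4 addresses for one site-list entry.
    Literal addresses are kept as-is; names go through the stand-in resolver;
    names that do not resolve are skipped rather than aborting the build."""
    parts = entry.split(".")
    if len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return [entry]
    return FAKE_DNS.get(entry, [])


def build_filter(site_list_text, dbm_path):
    """Equivalent of 'buildfilter <site list>': create a fresh DBM index.
    Keys are dotted-quad addresses; the value records the originating entry
    so an operator can see why an address is on the list. Returns the number
    of addresses written."""
    count = 0
    with dbm.open(dbm_path, "n") as db:
        for line in site_list_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            for addr in resolve(line):
                db[addr.encode()] = line.encode()
                count += 1
    return count


def lookup(dbm_path, addr):
    """The per-packet membership test the server performs against the index."""
    with dbm.open(dbm_path, "r") as db:
        return addr.encode() in db


def demo():
    """Build the index in a temporary directory and probe it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "yahoo")  # filters.dbm/yahoo in the page's layout
    n = build_filter(SITE_LIST_TEXT, path)
    return n, lookup(path, "192.0.2.11"), lookup(path, "203.0.113.5"), lookup(path, "8.8.8.8")


if __name__ == "__main__":
    print(demo())
```

Because the index holds addresses, not names, a name that later resolves to a new address is not matched until the list is rebuilt; this is the reason the page insists on re-running buildfilter whenever a list changes.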

filters

This is a directory that contains site lists in human-readable form. Site lists are text files that contain the host names and IP addresses of the sites that need to be filtered. A site list is referenced by name in the ChoiceNet rules.

Since this is a UNIX directory, the number of site lists that may be added to this directory is unlimited.

filters.dbm

The filters.dbm directory contains the database form of the site lists. When the buildfilter utility is executed, files with the suffixes .dir and .pag are automatically placed in this directory.

rules

The rules directory contains filter rulesets to be downloaded to ChoiceNet clients.

filterd

The filterd daemon is the ChoiceNet server process that runs on the UNIX host. It is started from /etc/rc.local and listens on UDP port 1647 for client requests to download a filter ruleset or to consult a site list.

The filterd daemon has the following flags:

-a is used to specify an alternate location for the ChoiceNet logfile.

-s is used when the ChoiceNet server is run in a single mode.

-x is used for debugging. When -x is specified, ChoiceNet activity is displayed.

-d is used to specify an alternate directory for ChoiceNet. The default ChoiceNet directory is /etc/choicenet.

Features of ChoiceNet

ChoiceNet offers the following filtering capabilities:

Input and Output Filtering

ChoiceNet allows both inbound and outbound traffic filtering for each interface and user. The interface can be Ethernet, asynchronous, ISDN, or synchronous. This feature provides flexibility by allowing each interface to have a customized set of rules.

Source and Destination Filtering

ChoiceNet allows a list of names, URLs, IP addresses, network addresses, and subnet masks of source and destination hosts to be entered in a file that resides on the ChoiceNet server. This file is referred to as a filter list, as indicated above. The filter list can then be named in a ChoiceNet rule to permit or deny access for a certain network service.

Source and Destination TCP and UDP Port Filtering

A TCP or UDP port number identifies the network service on IP networks. Either a port number or a service name can be specified when writing ChoiceNet rules. ChoiceNet filters these network services for source and destination hosts using the comparison operators eq (equal), lt (less than), and gt (greater than).

ChoiceNet itself uses the UDP transport protocol; its network service port number is 1647. A complete list of port numbers for network services is defined in RFC 1700, "Assigned Numbers." Index A lists some major network services that are commonly used.

Protocol Filtering

Currently, ChoiceNet filters TCP, IP, UDP, and ICMP traffic.

ChoiceNet Action

Permit and deny are two actions that can be specified in the ChoiceNet rules.

Session Establishment

ChoiceNet allows TCP sessions to be established based on a rule set. Any traffic that is not explicitly permitted by the rule set is denied. This default reduces security risk on the network: when TCP session establishment is specified, the internal network can open connections to the external network, but the external network cannot reach the internal network unless it is specifically permitted.

Deny Notification

Deny notification is a utility provided for users of PCs running Windows 3.x or Windows 95 and of Macintosh computers. Deny notification is a pop-up application that informs users when ChoiceNet has denied access to a particular site. The text message may be customized to provide a suitable message for a particular site.

ChoiceNet Applications

Screening indecent Internet material for children and improving business productivity are the two most popular applications for ChoiceNet. The following scenarios portray these two most widely used applications of ChoiceNet technology.

Screening Indecent Internet Material

As previously stated, Lucent has formed a partnership with Yahoo!, Inc., to provide the Yahooligans' URL list that contains Internet sites appropriate for children. The Yahooligans list is updated constantly to reflect the fast growth of the Internet community. The updated list can be obtained from Lucent's ftp site, ftp.livingston.com.

An Internet Service Provider or a school district can use ChoiceNet to provide special accounts for children to access the Internet.

A child at home or at school can access the Internet from a Mac or PC via the PortMaster. The UNIX host on the network functions as a RADIUS and ChoiceNet server. Assume that most Internet access accounts in this example are using the PPP protocol. The RADIUS entry for this user can be set up in the /etc/raddb/users file as follows:

Tommy	Password = "testing"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 255.255.255.254,
	Framed-Netmask = 255.255.255.255,
	Framed-Routing = Broadcast-Listen,
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Filter-Id = "yahoo"

Since this traffic is coming into the PortMaster, the input filter for this user can be defined in the /etc/choicenet/rules directory as follows:

yahoo.in

permit tcp estab
permit udp dst eq 53
permit 0.0.0.0/0 =yahooligans tcp dst eq 80
deny tcp dst eq 80 log notify
permit icmp

Note that in the RADIUS entry above, the Filter-Id attribute defines the filter name as yahoo, but the actual filter name in /etc/choicenet/rules is yahoo.in. The PortMaster appends the appropriate suffix, .in or .out, to the filter name when a user dials in to the network. Since the yahoo.in filter is located on the ChoiceNet server, it is downloaded to the PortMaster when the user dials in.

The above input filter restricts Tommy to the following actions:

  • Domain Name Service lookup on the Internet
  • Access web sites on the Yahooligans URL list
  • Ping to any other sites on the Internet

If user Tommy attempts to perform any other action, a pop-up window will appear to inform him that access has been denied.

Improving Business Productivity

A ChoiceNet filter can be defined on the Corporate firewall to prevent employees from surfing the Internet while at work. The IRX-211 functions as a Firewall between the Corporate Network and the Internet. The UNIX host residing on Ethernet 1 of the Firewall is a bastion host and a web server. The UNIX host residing on Ethernet 0 of the Firewall is a ChoiceNet, mail, and DNS server.

ChoiceNet filters may be placed on the Ethernet 0 interface to filter the traffic from the internal network to the Internet. Because ChoiceNet filters cannot be dynamically downloaded to an Ethernet interface, these filters must reside on the IRX-211 itself.

The ChoiceNet filter in this case can be defined as follows:

add filter allow.in
set filter allow.in 1 permit tcp estab
set filter allow.in 2 permit 149.190.0.0/32 0.0.0.0/0 tcp dst eq 23
set filter allow.in 3 permit 149.190.0.0/32 0.0.0.0/0 tcp dst eq 25
set filter allow.in 4 permit 149.190.0.0/32 0.0.0.0/0 tcp dst eq 53
set filter allow.in 5 permit 149.190.0.0/32 0.0.0.0/0 udp dst eq 53
set filter allow.in 6 permit 149.190.0.0/32 0.0.0.0/0 tcp dst eq 21
set filter allow.in 7 permit 149.190.0.0/32 0.0.0.0/0 tcp src eq 21 dst gt 1023
set filter allow.in 8 permit 149.190.0.0/32 0.0.0.0/0 tcp dst eq 513
set filter allow.in 9 permit 149.190.0.0/32 =permitsites tcp dst eq 80
set filter allow.in 10 permit icmp

The above input filter means that employees are allowed to access the following Internet services:

  • telnet to any sites on the Internet
  • rlogin to any sites on the Internet
  • Domain Name Service lookup on the Internet
  • Domain Zone Transfer to the outside world
  • ftp to any sites on the Internet
  • send and receive electronic mail from the outside world
  • web browsing to a limited number of sites listed in the permitsites filter list

The permitsites list in this case would include only sites that are related to the business of the company. The permitsites list can be updated with new sites when necessary. Whenever sites are added to or deleted from this list, the list must be rebuilt with the buildfilter utility described above.
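To make the behaviour of the two rulesets on this page concrete (yahoo.in for the dial-in user and allow.in on the IRX-211), here is an added example, not Lucent's ChoiceNet code, of a small first-match evaluator for the rule syntax they use: permit/deny, optional source and destination given as address/bits or =sitelist, a protocol, src/dst port comparisons with eq, lt and gt, the estab keyword, and the log and notify flags. Unmatched traffic is denied, as the Session Establishment section states. It also accepts the set filter NAME N prefix of the allow.in form and appends the .in/.out suffix to a RADIUS Filter-Id the way the page describes. The Packet class, the site-list contents, and all addresses and ports in the demo are constructed; site-list membership is an in-memory set here rather than the filters.dbm index.

```python
"""Added example, not Lucent's ChoiceNet code: a first-match evaluator for the
rule syntax used in the yahoo.in and allow.in rulesets. Packets, addresses and
site-list contents below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK set, i.e. not a new SYN


def parse_rule(line):
    """Parse one rule into a dict. Accepts the bare form used in rules/ files
    and the 'set filter NAME N ...' form typed on a PortMaster or IRX."""
    tok = line.split()
    if tok[:2] == ["set", "filter"]:
        tok = tok[4:]  # drop 'set filter <name> <index>'
    rule = {"action": tok.pop(0), "src": None, "dst": None, "proto": "ip",
            "sport": None, "dport": None, "estab": False, "log": False, "notify": False}
    if rule["action"] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: " + line)
    for key in ("src", "dst"):  # optional source, then destination
        if tok and ("/" in tok[0] or tok[0].startswith("=")):
            rule[key] = tok.pop(0)
    if tok and tok[0] in ("tcp", "udp", "icmp", "ip"):
        rule["proto"] = tok.pop(0)
    while tok:
        t = tok.pop(0)
        if t in ("src", "dst"):
            cmp_, port = tok.pop(0), int(tok.pop(0))
            if cmp_ not in ("eq", "lt", "gt"):
                raise ValueError("bad comparison in: " + line)
            rule["sport" if t == "src" else "dport"] = (cmp_, port)
        elif t in ("estab", "log", "notify"):
            rule[t] = True
        else:
            raise ValueError("unknown token %r in: %s" % (t, line))
    return rule


def addr_matches(spec, addr, site_lists):
    if spec is None:
        return True
    if spec.startswith("="):  # =name refers to a site list
        return addr in site_lists.get(spec[1:], set())
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec is None:
        return True
    cmp_, n = spec
    return {"eq": port == n, "lt": port < n, "gt": port > n}[cmp_]


def rule_matches(rule, pkt, site_lists):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["estab"] and not (pkt.proto == "tcp" and pkt.established):
        return False
    if pkt.proto in ("tcp", "udp"):
        if not port_matches(rule["sport"], pkt.sport) or not port_matches(rule["dport"], pkt.dport):
            return False
    elif rule["sport"] or rule["dport"]:
        return False  # port tests never match a protocol without ports
    return (addr_matches(rule["src"], pkt.src, site_lists)
            and addr_matches(rule["dst"], pkt.dst, site_lists))


def evaluate(ruleset_text, pkt, site_lists):
    """First matching rule decides; no match means deny. Returns (action, notify)."""
    for line in ruleset_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, pkt, site_lists):
            return rule["action"], rule["notify"]
    return "deny", False


def ruleset_name(filter_id, direction):
    """The PortMaster appends .in or .out to the RADIUS Filter-Id value."""
    return "%s.%s" % (filter_id, direction)


# The yahoo.in ruleset exactly as it appears on the page.
YAHOO_IN = """\
permit tcp estab
permit udp dst eq 53
permit 0.0.0.0/0 =yahooligans tcp dst eq 80
deny tcp dst eq 80 log notify
permit icmp
"""
# Constructed site-list contents (documentation addresses, not real sites).
SITE_LISTS = {"yahooligans": {"192.0.2.10", "192.0.2.11"}}


def demo():
    """Run five constructed packets from Tommy's PC through yahoo.in."""
    pkts = [Packet("10.0.0.5", "192.0.2.10", "tcp", 1025, 80),     # listed web site
            Packet("10.0.0.5", "198.51.100.9", "tcp", 1026, 80),   # unlisted web site
            Packet("10.0.0.5", "198.51.100.53", "udp", 1027, 53),  # DNS lookup
            Packet("10.0.0.5", "198.51.100.9", "tcp", 1028, 23),   # telnet attempt
            Packet("10.0.0.5", "198.51.100.9", "icmp")]            # ping
    return [evaluate(YAHOO_IN, p, SITE_LISTS) for p in pkts]


if __name__ == "__main__":
    print(ruleset_name("yahoo", "in"), demo())
```

The unlisted web request hits the deny rule with notify set, which is the event the Deny Notification pop-up reports; the telnet attempt matches nothing and is dropped silently by the default deny. Lines from the allow.in ruleset can be handed to parse_rule unchanged, since the set filter allow.in N prefix is stripped before the rule is read.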