ChoiceNet is a security technology invented by Lucent to provide a traffic filtering mechanism for networks using dial-up InterNetworking Systems, synchronous leased-line, or Ethernet. When used with RADIUS, ChoiceNet provides exceptional flexibility in fine-tuning the level of access provided to users.
ChoiceNet consists of server and client components. The server component resides on the UNIX host. The client component resides on the PortMaster Communications Servers, IRX routers, IRX firewall routers, and the PortMaster Office Routers.
Function of ChoiceNet
There are two main functions of ChoiceNet in filtering network traffic. These two main functions are described as follows:Centralized Filter Management and Dynamically Downloadable Filters
ChoiceNet simplifies filter management through central storage of all filters on the network; all filters are located on the ChoiceNet server. Please refer to the descriptions of the rules directory in the ChoiceNet Architecture section for more details about the filters location.
Since all filters are stored on the ChoiceNet server, upon ChoiceNet activation (a user is dialing in to the PortMaster), if a filter assigned to a user or a port matches with the filter residing on the ChoiceNet server, it will be dynamically downloaded from the ChoiceNet server to the ChoiceNet client's flash memory. Once a connection is terminated, the ChoiceNet filter will no longer reside on the PortMaster Communications Servers or Routers.
If a filter assigned to a user or a port doesn't match with the filter residing on the ChoiceNet server, ChoiceNet server will return with an error message indicating the non-existent filter.
Centralized filter management is useful for a large site that heavily employs packet filtering for screening traffic. Because all the filters are stored in the same location instead of locally on PortMasters scattered throughout the network, managing these filters will be less time-consuming.Filtering traffic with Site List
Site list is another function of ChoiceNet. Site list defines the list of hosts and sites that need to be filtered. The list can contain sites catering mainly to children or to adults. Corporations can also employ the site list to screen traffic for employees while at work. This method is often used to improve productivity by preventing access to sites that provide games, stock quotes, and unrelated business activities.
Lucent recently announced the partnership with Yahoo! to obtain Yahooligans list. Yahooligans contains Internet sites that cater primarily to children from ages 8 to 12. Using this list, a ChoiceNet filter can be written to permit minors to access only to these sites.
Currently, Yahooligans is the only official list that Lucent is distributing to its customers. However, there are several ways that other site lists can be created through the use of search utilities on the Internet.
ChoiceNet software is organized into the following tree architecture:
The functionality of each of the above files and directories is as follows:clients
The clients file contains the names or IP addresses of ChoiceNet clients and their secret passwords. When ChoiceNet is activated, the clients file will be consulted to verify the validity of the ChoiceNet clients. This file defines the communication between the Choicenet server and its clients.logfile
This is a logfile that records all ChoiceNet activities on the network.buildfilter
This is an utility that turns a list of hostnames into a DBM database of IP addresses to enable more efficient lookup by the ChoiceNet server.
The buildfilter utility looks in the filters subdirectory for files containing a list of hostnames and turns these into DBM data and index files in the filters.dbm subdirectory. For example, filters/yahoo becomes filters.dbm/yahoo.dir and filters.dbm/yahoo.pag.
The format of the buildfilter is as follows:
This is a directory that contains site lists in human readable form. Site lists are text files that contains host names and IP addresses of the sites that need to be filtered. The site list is specified on the ChoiceNet rules.
Since this is a UNIX directory, the number of site lists that may be added to this directory is unlimited.filters.dbm
The filters.dbm directory contains the database of the site lists. When executing the buildfilter utility, files with suffix .dir and .pag will be automatically placed under this directory.rules
The rules directory contains filter rulesets to be downloaded to ChoiceNet clients.filterd
The filterd daemon is a ChoiceNet server process that runs on the UNIX host. This daemon is started from /etc/rc.local and uses UDP port 1647 to listen to requests from clients for filter ruleset download or site list requests.
The filterd daemon has the following flags:
Features of ChoiceNet
ChoiceNet offers the following filtering capabilities:Input and Output Filtering
ChoiceNet allows both inbound and outbound traffic filtering for each interface and user. The interface can be Ethernet, asynchronous, ISDN, or synchronous. This feature provides flexibility by allowing each interface to have a customized set of rules.Source and Destination Filtering
ChoiceNet allows a list of names, URLs, IP addresses, network addresses, and subnet masks of the source and destination hosts to be entered in a file which resides on the ChoiceNet server. This file is referred to a filter list as indicated above. The filter list can then be used to specify on a ChoiceNet rule to permit or deny access for a certain network service.Source and Destination TCP and UDP Port Filtering
TCP and UDP Port Service specifies a port number associated with the network service for IP networks. Either a port number or a service name can be specified when writing ChoiceNet rules. ChoiceNet filters these network services for source and destination hosts based on the comparison values of eq (equal), lt (less than), or gt (greater than).
ChoiceNet uses the UDP Transport protocol. Its network service port number is 1647. A complete list of port numbers for network services is defined in the RFC 1700 "Assigned Numbers." Index A lists some major network services that are commonly used.Protocol Filtering
Currently, ChoiceNet filters TCP, IP, UDP, and ICMP traffic.ChoiceNet Action
Permit and deny are two actions that can be specified in the ChoiceNet rules.Session Establishment
ChoiceNet allows TCP sessions to be established based on a rule set. Any traffic that is not specified as "permit" on the rule set will be denied. This implementation reduces security risk on the network. When specifying TCP session connection, the internal network can access the external network, but the external network cannot have access to the internal network unless it is specifically permitted.Deny Notification
Deny notification is a utility provided for PC running Windows 3.x, 95 and Macintosh users. The deny notification is a pop-up application that informs users when ChoiceNet has denied access to a particular site. The text message may be customized to provide a suitable message for a particular site.
Screening indecent Internet material for children and improving business productivity are the two most popular applications for ChoiceNet. The following scenarios portray these two most widely-used applications: ChoiceNet technology.
Screening Indecent Internet Material
As previously stated, Lucent has formed a partnership with Yahoo!, Inc., to provide the Yahooligans' URL list that contains Internet sites appropriate for children. The Yahooligans list is updated constantly to reflect the fast growth of the Internet community. The updated list can be obtained from Lucent's ftp site, ftp.livingston.com.
An Internet Service Provider or a school district can use ChoiceNet to provide special accounts for children to access the Internet.
A child at home or at school can access the Internet from a Mac or PC via the PortMaster. The UNIX host on the network functions as a RADIUS and ChoiceNet server. Assume that most Internet access accounts in this example are using the PPP protocol. The RADIUS entry for this user can be set up in the /etc/raddb/users file as follows:
Tommy Password = "testing" User-Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Framed-Routing = Broadcast-Listen, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP, Filter-Id = "yahoo"
Since traffic is coming into the PortMaster, the input filter for this user can be defined in the /etc/choicenet/rules as follows:
Note that in the RADIUS entry above, the Filter-Id attribute defined the filter name as yahoo, but the actual filter name in /etc/choicenet/rules is defined as yahoo.in. The appropriate suffix .in and .out will be appended to the filter by the PortMaster when a user is dialing into the network. Since the yahoo.in filter is located on the ChoiceNet server, it will be downloaded to the PortMaster when a user is dialing in.
The above input filter restricts Tommy to the following actions:
If user Tommy attempts to perform any other action, a pop-up window will appear to inform him that access has been denied.
Improving Business Productivity
A ChoiceNet filter can be defined on the Corporate firewall to prevent employees from surfing the Internet while at work. The IRX-211 functions as a Firewall between the Corporate Network and the Internet. The UNIX host residing on Ethernet 1 of the Firewall is a bastion host and a web server. The UNIX host residing on Ethernet 0 of the Firewall is a ChoiceNet, mail, and DNS server.
ChoiceNet filters may be placed on the Ethernet 0 interface to filter the traffic from the Internal network to the Internet. As ChoiceNet filters may not be dynamically downloaded to the Ethernet interface, the ChoiceNet filters must reside on the IRX-211.
The ChoiceNet filter in this case can be defined as follows:
The above input filter implies that employees are allowed to access the following Internet services:
The permit sites list in this case would include only sites that are related to the business practice of the company. The permitsites list can be updated with new sites when necessary. When new sites are added or deleted from this list, the list must be rebuilt with the buildfilter utility described above.