Watchdog Tunneling Technology

Offering Web Filtering to Customers Outside of your Network Using the Watchdog Tunnel Service

Introduction

Many internet services providers provide access to a number of their customers by reselling other provider's connections, especially the wholesale services provided by telecommunications companies such as British Telecom, Telstra and Telecom New Zealand. This creates a problem if the ISP wants to offer internet filtering services to customers using these connections as their traffic does not enter their ISP's network so cannot be inspected.

A common solution for this is for the ISP to route the customer's traffic through a proxy server but this has the limitation that all of the customer's downloaded web traffic now has to travel through the ISPs network with the resultant cost and provisioning challenges. Proxy servers need to be scaled to handle the traffic and they change the source address of the web request which can cause problems.

Watchdog's tunnel service was created to provide a solution to this problem. This service can enable:

1. ISPs to offer filtering to their customers despite the ISP connection being provided outside of their network, and:

2. ISPs to offer filtering to customers of other ISPs

This not only increases the average customer revenue but also increases customer retention and attracts new customers.

Tunnel Service Description

The Watchdog Tunnel service uses devices installed within the target customer's and also in the filtering ISP's network. These devices communicate via a special tunnel allowing the customer's traffic to be filtered without the downloaded traffic having to to pass through the filtering ISP's network.

A tunnel router is required to be installed on the target customer's network, usually as a replacement for their existing DSL, cable or ethernet-connected device. This router tunnels the traffic from their network to a tunnel concentrator within the filtering ISP's network using a special one-way tunnel. If the website requested by the customer is not blocked by their filtering policy then the responses from the requested website route directly back from the site to the ISP, meaning that the ISP does not have to provide the downloaded web traffic through its network at additional cost.

Referring to the diagram below, the process of web filtering for an ISP’s customer is as follows:

1 - The remote user requests a web page from the target Internet site using their computer’s web browser.

2 - The web site request gets sent by the tunnel router through an internet tunnel connection to the ISP's tunnel concentrator, still with the customer’s original source IP address.

3 - The ISP’s filter examines the web request as configured in the customer’s individual filtering profile, determined by the customer’s IP address.

4 - If a match is not made to their blocking profile then the web request is allowed to go to the destination web site and the response gets routed directly to the customer via the Internet and their ISP so the site is displayed normally.

5 - If a match is made, then the ISP's filter immediately sends a block page back to the customer, completing the browser session.


Required Equipment

Tunnel Router

This is installed at the customer's site. We use both the Cisco 800 series and Allied Telesis AR440S. Both units perform well, and have all the features required including policy-based routing, IP tunnelling and firewall. They are available for ADSL or Ethernet connections and Cisco also has a model that includes a Wi-Fi access point. We have found that pre-configuring these routers and shipping them to the customer site so that non-technical people can install them saving installation costs and set up time.

Tunnel Concentrator

The required device here depends on the number of remote customers required to be supported. A small number (20 or so) could be handled by a Cisco 1800. A 2800 would be suitable for 100 or so and we have found that a Cisco 6500 will support at least 500.

Benefits of Watchdog Tunnel Technology

The Watchdog tunnel technology is a system that can allow ISPs to extend their filtering service beyond their own network to enable them both to offer a complete service to existing customers and also to attract new customers to this service. This technology has been proven by Watchdog Corporation which has built an ISP business modeled on the provision of filtering. This business now provides filtering to the majority of New Zealand schools. In today's commercial environment where internet provision is a commodity, value-added services such as internet filtering are becoming more important as ISPs seek to receive additional revenue from their customers. Not only increasing customer value the introduction of filtering services also makes customers more “sticky” as they are more likely to stay with a provider that adds value to their internet connection. Churn rates of 4% or less within the Watchdog business are evidence of this. As more businesses, schools and parents seek a managed internet experience the demand for web content filtering grows providing ISPs with the opportunity to build a stronger and more resilient businesses.