The Great Firewall of China, also known as the Golden Shield Project, is the largest and most in-depth censorship program in the world. It utilizes a combination of legislative actions and technologies enforced by the People’s Republic of China to regulate the Internet domestically. Created in 1998, four years after the internet was made available in China, the Great Firewall of China was originally developed and built by well-known companies such as Nortel Networks and Cisco Systems and contains many layers of control methods and tricks to block access to websites. Those who try to access regulated content will encounter slow loading times, timeouts, connection errors, and problems with the network, with no indication that the site has been blocked.
Popular global websites and cloud applications are not accessible in China, and users must resort to in-country alternatives that comply with the government’s regulations instead. A variety of methodologies are used to block website traffic to and from China, including:
Blocking IP access
Blocking IP access is a common technique to prevent access to many IP addresses. Around 10,000 sites currently are blocked in China, including common search engines, social media, and news sites.
DNS poisoning or spoofing
With DNS poisoning or spoofing, access from China to foreign sites like Google and YouTube is blocked or slowed down. Any website request initially goes to the DNS server to fetch the IP address of the website, and the computer then connects to the address in the response. This method effectively “poisons” the DNS responses, returning corrupt addresses and making the websites completely inaccessible: if the response from the DNS server is incorrect, users won’t be able to access the website.
URL analysis/filtering
Web traffic is filtered based on a URL filtering database, denying access based on a list of websites. This technique can block an entire website or selected web pages by scanning the requested URL for blocked keywords.
Manual enforcement
Hundreds of thousands of civilian workers are employed to enforce censorship and filter out content which the Chinese government has deemed detrimental to China’s “progress.” Some sites provide back-end access to allow workers to edit content directly.
AI
Artificial Intelligence (AI) has now allowed monitoring processes to be automated.
Deep Packet Inspection
Deep Packet Inspection (DPI) is used to look at encrypted incoming and outgoing packets. DPI techniques are also deployed to extensively inspect incoming and outgoing unencrypted network traffic, filtering and blocking data packets that contain sensitive information censored by China.
Resetting connections
Another method or trick is resetting connections between two communicating devices/servers whenever the transmitted data qualifies as sensitive. This means that after blocking the data packets, the firewall can also reset the client-server connection for a certain time period.
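A heuristic for telling a reset sent by a device in the path from one sent by the real server, as an added example that is not part of the original article: it compares the IP TTL of each reset with the TTLs already seen from the same peer on that connection. It assumes the reset arrives as a TCP RST packet from a different hop distance than the server; the packet records and the `tolerance` value are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample, as seen at the client:
# (src, sport, dst, dport, tcp_flags, ip_ttl)
PACKETS = [
    ("198.51.100.5", 443, "10.0.0.2", 51000, "SA", 47),
    ("198.51.100.5", 443, "10.0.0.2", 51000, "A", 47),
    ("198.51.100.5", 443, "10.0.0.2", 51000, "PA", 47),
    ("198.51.100.5", 443, "10.0.0.2", 51000, "R", 58),   # TTL jumps on the reset
    ("203.0.113.9", 443, "10.0.0.2", 51001, "SA", 52),
    ("203.0.113.9", 443, "10.0.0.2", 51001, "PA", 52),
    ("203.0.113.9", 443, "10.0.0.2", 51001, "R", 52),    # TTL matches earlier packets
]

def suspicious_resets(packets, tolerance=2):
    """Return (flow, rst_ttl, baseline_ttl) for resets whose TTL departs from the flow."""
    baseline = defaultdict(list)      # flow -> TTLs of non-reset packets seen so far
    flagged = []
    for src, sport, dst, dport, flags, ttl in packets:
        flow = (src, sport, dst, dport)
        if "R" in flags:
            seen = baseline[flow]
            # Without earlier packets there is nothing to compare against.
            if seen and abs(ttl - median(seen)) > tolerance:
                flagged.append((flow, ttl, median(seen)))
        else:
            baseline[flow].append(ttl)
    return flagged
```

Route changes can also shift TTL, so a flagged reset is a lead for investigation rather than proof of injection.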
Blocking VPNs
When a website is blocked, users can try to access it using an encrypted Virtual Private Network (VPN). Newly developed technologies are being utilized to continuously learn the evolving attributes of VPN traffic to terminate known VPNs as well as new VPNs.
What does this mean for enterprises with operations in China? Any one or a number of these techniques and tricks can hinder organizations with sensitive info on their sites, blocking access to productivity tools, social media, news and media, and communication tools such as Skype. Those using any third-party services that are blocked in China will encounter websites or applications that will fail to function properly, or even be inaccessible from China. Ads from agencies outside China, or any other blocked companies, along with banned advertisements, won’t appear on a page. Users can also encounter speed and performance issues amounting to an estimated seven percent loss in conversions, 11 percent fewer page views, and poor customer or employee experience.
While it’s nearly impossible to get around the Great Firewall of China using ordinary local internet, some carriers can provide access to and from China through an agreement with the government. AireSpring’s Global Managed SD-WAN offers global internet connectivity with last mile circuit procurement, including a Global Private Network (GPN) with highly available, dedicated access to and from locations in China. The solution provides complete middle-edge connectivity via GPN tunnels, combining the power of SD-WAN with the reliability of AireSpring’s GPN—a resilient, fully meshed, global private layer 2 network backed by a service level agreement (SLA). AireSpring’s network connects to 8 points-of-presence (POPs) in China, with 23 POPs globally.
AireSpring also provides proactive third-party internet monitoring, including 24/7/365 capabilities for troubleshooting, as well as US Global AireSpring Gateway Access and IP mobility that ensures that if circuits drop, the firewall’s IP addresses remain reachable and unchanged. AireSpring’s Premium Internet Access China (PIAC) enables undisturbed, optimal internet access to global resources like Office 365, Google, cloud-based apps, and Enterprise Resource Planning (ERP) systems. Although global enterprises face unique obstacles in getting mission-critical data and application traffic in and out of China, these solutions keep them reliably connected and unburden them from the high costs and challenges of managing global SD-WAN and network infrastructure.