09 Mar

Safeguarding Family Internet – Overview

My wife and I home school our children using excellent videos from Abeka, and it works out very well.  They can travel with me when the opportunity arises, work from the dentist’s waiting room, or whatever.  Except for the problem of how to let the kids get to the Internet safely.  Well, there’s all kinds of thoughts out there on the subject.  Everything from “Don’t” (absolutist) to the school of thought that says “They’re Going to See It Anyway” (defeatist).  Then there are the people who say, “My kids would never do anything like that…”

Hmm… since it’s just you and me here, I hope you don’t mind if I say that your kids are just like you were, Sir or Madam.  And let’s be honest, neither you nor I are so very lily-white, if you’ll just deign to admit it to yourself (the rest of us already know).

Get a clue!  Sheesh.

Look–the Internet serves its purpose as part of life today.  It’s merely a tool–much like plumbing–with the obvious parallels in capacity to transport both the good and the bad.  I make a very good living from this tool in the field of cyber security.  My children watch me work and I fully anticipate that they too will go into technical fields.

Now, listen, I come at this from a Christian perspective.  I believe that we all have a nature to sin (disobey God) and therefore a locked door keeps an honest man honest.  However, you do not have to share my perspective–you may even earnestly come from a feminist mentality that chooses to prevent a son from learning to “objectify” the female body.  We can disagree on the motivation, but either way, I hope that we all can agree that pornography damages the developing mind.  It affects behavior and interpersonal relationships throughout adulthood.  This article doesn’t attempt to make a moral statement or argue the impetus; it merely seeks to guarantee the result:  Protecting our children from damage!

So, how?  Inaction and half-hearted attempts won’t do.  We want Defense-in-Depth here.  If you have K9 installed on your family computer–then congratulations–that’s a step.  But what happens when it fails (as software does) and you don’t catch it; or they browse the Internet through the Nintendo Wii or on a Kindle reader; or something else completely unexpected (like a neighbor’s unsecured wireless access point)?  What other layers of protection do you have in place?

Stay in the Castle

Think of a castle wall.  Poor kingdoms only had a small wall around the castle itself.  When invaders breached the wall, they stole the crown jewels and made off with the princess.  Slightly better protected kingdoms put an outer ward, or another wall, around the first wall–effectively doubling the effort an invader must employ to break in.  Wealthy kingdoms dug a moat around the outer ward and filled it with sea monsters.  But some of the best protected kingdoms did all of this AND put guards on the wall to sound alerts when the invaders approached.

Do you know when your defenses go down?  Do your kids browse the Internet freely right now and you don’t even know?

The layers of protection I currently use include the following:

  • Network-Based:
    • OpenDNS – Some basic adult content filtering, good phishing protection.  See my post a few years back about it–but I’ll cover it again in the near future.
    • PFSense Firewall – Keeps the bad guys and neighbors out of your Quicken database (you didn’t think I knew about that, did you?) and provides control for the network.
    • SquidGuard – Currently running on the firewall…it dies occasionally without any notification.  I hate that.  That’s why I’m re-building my network.
    • Network Segmentation – I keep the kids’ computers on a different network entirely.  That way I can control it and still give my wife access to Pinterest (which is like crack cocaine for ladies, btw).
  • Host-Based:
    • Windows Accounts – The children do not have Administrator accounts on their computers; they have basic User accounts.  Pro-Tip:  If you and your kids all use the same account, as in it automatically logs in–your kids have administrator access.  Even my wife’s laptop locks after 10 minutes of inactivity–because it is on an “unrestricted” wireless network segment.
    • iPad/iPhone/iPod Touch / iOS Restrictions – YouTube, Safari Browser, and Adding / Deleting Apps all remain off and password protected.
    • Android Seal – Lock out Settings and Task Manager (so the seal task cannot be killed) to prevent Internet access.
    • Blue Coat K9 Web Protection – Restricts and logs all Internet activity.  I also blacklist google.com, bing.com, yahoo.com in addition to the usual and obvious settings.
    • Wii Internet Restrictions – We occasionally let the kids watch Netflix through the Wii…but only after I temporarily disable the restrictions with the passcode.

The Plan

So, I’m going to try to document this as I go.  The diagram above essentially describes my current configuration (minus the DansGuardian box), but I’m rebuilding with some new hardware and a few new systems, such as the DansGuardian box.  In any case, check back occasionally and see how I’m doing.  This first post deals only with the plan.  Ya got’s ta have a plan.

Even if you only have one computer and no children, you need a firewall!

Firewall Rebuild

As a firewall, my firewall is a great firewall.  As a web content filter, my firewall is … well … a great firewall.  To start, I’m building a new one, and you should too.  But it doesn’t have to be expensive.  Old PC computer hardware can do all of this–hit craigslist or a salvage shop.  You essentially need functional computers with no operating system.  Technically, you may just skip monitors and keyboards as well after the first one and buy a cheap KVM (keyboard/video/mouse) switch.  Really–skip Starbucks for a month and you’ll probably have more than enough to make a firewall happen on the cheap.  Usually people find it more difficult to physically find a spot for all of this equipment than anything.  Nonetheless, the firewall remains the first element and really the cornerstone of this entire foundation.  My firewall requires five (5) network cards (See the diagram above – 4 segments plus the Internet connection).  And after all, there’s a new version of PFSense out, and instead of updating, I’m building a new box with some better hardware I’ve run across.

Quick Note:  I’ve worked with just about every brand and distribution out there.  Cisco, CheckPoint, SonicWall, WatchGuard, Endian, IPCop, SmoothWall, etc.  I’ve even written articles for magazines on some of them (paid at freelance journalist rates).  All in all, though, PFSense just seems to run great and it is the only one that works with OpenDNS natively.  And it throws OpenBSD into your operating system mix for some more diversity (i.e. one attack won’t affect all your systems).

Content Filtering

Second, DansGuardian will proxy and filter all traffic, with an instance of Squid (proxy) running alongside it to whitelist the kids’ network.  The way I’m planning it will either be fully functional or it will be down–No guessing, no hope-so.

The firewall rules do not allow ANY traffic from the Home School network to get to the Internet interface.  None.  The Home School network can only send traffic to the DMZ network and the Family network (to print).  To get to the Internet for Abeka school videos, the traffic is proxied through the DansGuardian server in the DMZ.  The firewall allows only the DansGuardian address out to the Internet–so all traffic stays under control.  If the DansGuardian box goes down–the School Network cannot get to the Internet.  If the proxy service on the DansGuardian box dies, the School Network cannot get to the Internet.  If a kid manages to change network settings on a computer, then that computer cannot get to the Internet.  This is a brute-force engineering mechanism, nuts and bolts style.  I love that.

Hours of Operation

Thirdly, I’m setting up a Windows 2003 domain controller.  As a former traveling network engineer, I obtained a full license for training and certification purposes.  You can do some of the same things with other technologies, but my main goal is to set the kids up with common accounts, have a common administration account, and set up “Hours of Use” so that none of the Home School computers will log in between, say, 10:00 PM and 6:00 AM.  Paranoid?  Not really, I just remember being a kid.  Maybe my kids are suffering from my own memories of cleverness, but they don’t appear to be terribly scarred as yet from it.

Lastly, the bazillion little things, like the actual white-listing I’ll have to do.  Things like lego.com are fairly easy, but (unless they’ve cleaned it up since I last checked) Abeka Academy has services flung all over the Internet, so the whitelisting was a trial-and-error process.  Right now, Abeka alone requires these sites to operate fully:

  • abeka.com
  • abekaacademy.org
  • google-analytics.com
  • fplive.net
  • verisign.com
  • adobe.com
  • geotrust.com
  • service.abekaacademy.org

Well, maybe not google-analytics.com, but once I got it working I hated to go back and mess it up in some weird and not readily apparent way…
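That trial-and-error whitelisting goes faster if you read the proxy’s own denial log instead of guessing.  The script below is an added example, not the author’s configuration or DansGuardian’s code: it takes the whitelist above in Squid’s dstdomain form (a leading dot covers the domain and all of its subdomains) and reports which destination hosts a whitelist-only Squid proxy denied but are not yet whitelisted.  The access.log lines are constructed for the example, not real traffic.

```python
# Added example (not the author's config): audit a whitelist-only Squid
# proxy's access.log for denied hosts that are not yet whitelisted.
from collections import Counter
from urllib.parse import urlsplit

# The post's whitelist in Squid dstdomain form: a leading dot matches the
# domain and every subdomain; a bare name matches that host only.
WHITELIST = [".abeka.com", ".abekaacademy.org", ".google-analytics.com",
             ".fplive.net", ".verisign.com", ".adobe.com", ".geotrust.com",
             "service.abekaacademy.org"]

# Constructed Squid native-format access.log lines, not real traffic.
SAMPLE_LOG = """\
1331300001.101  15 192.168.20.11 TCP_MISS/200 5120 GET http://www.abeka.com/ - HIER_DIRECT/10.0.0.5 text/html
1331300002.204   0 192.168.20.11 TCP_DENIED/403 3500 GET http://www.lego.com/ - HIER_NONE/- text/html
1331300003.310   0 192.168.20.12 TCP_DENIED/403 3500 CONNECT cdn.lego.com:443 - HIER_NONE/- -
1331300004.412  22 192.168.20.12 TCP_MISS/200 9000 GET http://service.abekaacademy.org/v - HIER_DIRECT/10.0.0.5 video/mp4
1331300005.500   0 192.168.20.11 TCP_DENIED/403 3500 GET http://www.lego.com/games - HIER_NONE/- text/html
"""

def host_of(url):
    """Host part of a logged URL; CONNECT requests log a bare host:port."""
    return urlsplit(url if "://" in url else "//" + url).hostname or ""

def allowed(host, whitelist=WHITELIST):
    """Apply dstdomain matching: '.x.com' covers x.com and *.x.com."""
    host = host.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def denied_hosts(log_text):
    """Count TCP_DENIED requests per destination host."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3].startswith("TCP_DENIED"):
            counts[host_of(f[6])] += 1
    return counts

def audit(log_text, whitelist=WHITELIST):
    """Denied hosts missing from the whitelist: the candidates to review."""
    return {h: n for h, n in denied_hosts(log_text).items()
            if not allowed(h, whitelist)}
```

Run `audit(open("/var/log/squid/access.log").read())` against the real log and each host it returns is something the kids’ machines tried to reach and were refused; whitelist the ones a lesson actually needs and ignore the rest.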

Oh, and one more thing.  There exist services, like CleanInternet, that provide filtering and (I think) reporting as well.  That might be another good layer of protection to add.  One word of caution:  Filtering simply cannot do it all, though.  Keep family computers, even filtered ones, in common areas of the home.  In our case, we have enough children to warrant an entire School Room.  There are too many to keep in a common area; therefore, White-Listing is the ONLY safe answer.

Eternal Vigilance

After all of that, I hope I’m scaring you a little.  And this doesn’t even go into external threats, such as war-driving and Internet attacks, phishing, worms, and such.  Honestly, if I wanted to, I could drive down your street with a laptop and probably be more successful than not at browsing people’s files, family photos, financial records, and anything else.  And just because *I* don’t want to, won’t prevent others.

By the way, it’s a Federal Offense to join a wireless network without the owner’s permission.  So if you’re stealing Internet from your neighbor’s access point–stop it.  And how do you know he’s not stealing it from you and browsing your computer?  Because you put a password on your wireless access point?  Please.  That would last about 20 minutes with a determined attacker; WEP passwords go down like they’re not even there.

Small Businesses and Churches, these same warnings apply for you.

Be back soon!