Page 1 of 2 12 LastLast
Results 1 to 15 of 16
  1. #1
    Star Lounger
    Join Date
    Dec 2009
    Posts
    65
    Thanks
    12
    Thanked 1 Time in 1 Post
    BLOCK PORN ON A WIRELESS HOME NETWORK

    BACKGROUND
    I plan a home wireless network, N-class, and know visiting teenagers will be tempted
    on rare occasion to go places on the internet they should not. So, I need a way to
    prevent internet travel to porn palaces and other sites associated with malware.

    METHOD
    Generally, I am familiar with wireless setup, and plan WPA2 security, and to stop SSID
    broadcast. Maybe even to restrict home network access to registered MAC addresses.
    But this is only general security, and blocking porn sites is still another issue.

    BLOCKING PORN SITES
    To stop porn access absolutely, I have a choice of a resident local control for each
    computer, like NetNanny (https://www.netnanny.com/alt_rotate) or CyberSitter
    (http://www.cybersitter.com/). The problem is these programs are fairly obvious, and
    a blocked search on Google will present a screen that indicates there is a blocking
    system in-place. An alert teen will attempt to boot past them with a Linux boot CD, or
    equivalent. Depending on the program, security is not all that solid against determined
    teens.

    Aside from NetNanny or CyberSitter, I also can use something like Open DNS, a
    business website and gateway system which allows the wireless router, itself (if the
    feature is provided), to use the ODNS IP as its gateway to the internet-- completely
    bypassing the regular ISP. (www.openDNS.com)

    While most ISPs have no problem with this arrangement, ODNS is still something
    like a committee system of actually voting on which sites are bad / trouble / risky,
    and this leaves the coverage less than comprehensive, and often crude and very
    granular.

    For example, a recent ODNS forum post mentioned a school had blocked the
    hypothetical porn site www.sexgals.com at one level, but students still contrived to
    reach the porn website through another level-- the difference was a matter of one
    webpage which was still accessible.

    So, it appears ODNS-- a brilliant approach, from the standpoint of hardware control
    and even the knotty political / social issue of classifying certain websites "bad"--
    seems ineffectual as a really air-tight barrier against the galaxy of malware and porn
    sites.

    IN OTHER WORDS
    Does anyone have suggestions for a really secure system that can screen out porn
    and other bad sites, yet not have to reside on the client computer on the network?

    I had considered putting NetNanny or CyberSitter on a single computer to be used
    on the home network as a gateway system for all the others-- all network client
    machines would attach to a router subnet running out of the gateway computer. But
    that is a scenario from a wired, not wireless network.

    Wireless network protection and control is still a problem. Unfortunately, most
    wireless routers have no provision for a resident NetNanny or CyberSitter level of
    control-- it's a few blacklisted sites, or a few whitelisted sites, or nothing. So, I am
    down to using two routers-- the first a modem/router which delivers my ISP services
    (on which I would turn off wireless) and a second wireless router which gets and
    distributes its data from the gateway machine on which I have installed NetNanny or
    CyberSitter.

    At least this would bypass the issue of installing NetNanny or CyberSitter on each
    computer on the home network..Unlike using Open DNS, the NN or CS setup would
    still present a screen whenever a Google, Yahoo or Bing search is blocked.

  2. #2
    5 Star Lounger RussB's Avatar
    Join Date
    Dec 2009
    Location
    Grand Rapids, Michigan
    Posts
    803
    Thanks
    10
    Thanked 50 Times in 49 Posts
    I highly recommend OpenDNS, I set my router up to use them, it is quite transparent and free.
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  3. #3
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,172
    Thanks
    47
    Thanked 981 Times in 911 Posts
    plan WPA2 security, and to stop SSID broadcast. Maybe even to restrict home network access to registered MAC addresses
    This post explains why that is of little value.

    cheers, Paul

  4. #4
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    I would also recommend openDNS. The key here is

    visiting teenagers will be tempted
    on rare occasion
    The point you make on openDNS is correct. Any administrator that is trying to filter his/her network will find that ALL filters have holes and a determined user will find them. YOU MUST WATCH THE FILTER LOGS no matter what solution you are using. In your situation though we are looking at users that do not have time to try and "break" the filter. For a network that needs filtering "at the gateway" and where the owner does not have a huge budget, openDNS is not a bad solution.

    Unlike using Open DNS, the NN or CS setup would
    still present a screen whenever a Google, Yahoo or Bing search is blocked.
    I'm not sure I understand this as openDNS does give a block screen.

    PS> I am not affiliated with openDNS other than using it. I use it in multiple corporate settings. We check the most used site list at least weekly and manually block anything in the top 200 that we don't like. If a user breaks the filter and finds a site they like, it quickly moves to the top of the list as they will go back multiple times. We block it and watch for the next one. We run highly complex networks that connect with multiple site-to-site vpn's and vpn clients which connect to government websites. openDNS is the only filter solution we have used that does not take major configuration to make all of our "special" connections work.

  5. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    UK
    Posts
    19
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Open DNS is only really useful against non-Internet-savvy users. Anyone with Admin access to the Windoze/Linux system settings can bypass it. My advice is to set up all the blocking you can at every level: on the PC, on the Internet access router and with DynDNS. If you make it hard enough, most users will give up. Those that don't will find a way, eventually, especially if they have admin rights...

    So:
    • Create restricted accounts on the PC: disable DOS windows etc
    • Disable booting from CD/USB etc - to be doubly sure, disable CD/USB access altogether...
    • Use netnanny or whatever on the PC
    • Run the web browser in a sandbox, disable file sharing, block all file downloads
    • Set up parental control on the Internet router
    • Use OpenDNS
    • Check logs and PC files regularly and kick ass if anything is found.


    Alternatively, treat it as educational...

  6. #6
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    3,414
    Thanks
    33
    Thanked 195 Times in 175 Posts
    It would be intriguing to know how you "know [that] visiting teenagers will be tempted on rare occasion[s] to go places on the internet they should not"? You only mention porn; how about illegal music and movie downloads? Drugs? Terrorism? ... and so on.

    You are looking for a technical solution for what seems to be a social problem. If you think these visiting teenagers might be tempted to visit porn websites, then you have to be in there in the room with them, monitoring them.

    To be honest, I would be amazed if today's teenagers weren't more technologically savvy than you (and I!) are. I'm sure they could think of at least one way of getting round most of the measures you would put in place. And you only need one way...
    BATcher

    Time prevents everything happening all at once...

  7. #7
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    If you are using OpenDNS, you must block access to other dns through your router by blocking port 53 to all except OpenDNS servers if you want any kind of security at all.

    One advantage of this type of filtering is that It doesn't matter if the person has admin on the computer and knows how to manipulate the registry, as long as they can't access or bypass the router, they are going to have a very hard time bypassing this filter completely.

  8. #8
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Open DNS is only really useful against non-Internet-savvy users
    I would say it this way.

    OpenDNS is only really useful to network savvy administrators. On our corporate networks we run internal DNS servers. We block outgoing access to port 53 from all machines other than the designated DNS server. We then point the internal DNS server at OpenDNS servers.l

    On smaller networks we block port 53 through the firewall accept for requests to OpenDNS servers. We then set DHCP to hand out OpenDNS servers and that pretty much covers it. Unless the user can bypass or change the firewall rules it is pretty hard to break through.

    Now, be aware, OpenDNS is NOT a filter. It has no idea what content is on the page it is resoving. It only knows if the site is allowed or banned.

    See the following for a little more information on what ports to block and how.

    http://forums.opendns.com/comments.p...&page=1#Item_0

  9. #9
    Star Lounger
    Join Date
    Dec 2009
    Posts
    65
    Thanks
    12
    Thanked 1 Time in 1 Post
    THANKS TO ALL

    for your very perceptive suggestions, as well as insight about the social dimension involved. In that regard-- as Thomas Hobbes, himself reminded those who wondered about his suspicious nature-- we lock our doors, no matter how kindly we feel about our neighbors. Ultimately, no fence, no lock, no security measure is completely perfect, but the better of two locks will have to do.

    Special appreciation to mercyh for a very probing, thorough analysis of the problem, clearly beneficiary of many hours dealing with a distant relative of the same security issue.

    I already had intended to use ODNS as exactly what you propose, a means of limiting further the options and exposure. Obviously, my comments paint me as very skeptical of ODNS as any final solution. Yes, paid ODNS ($5 yearly!) does provide a good block page, but I am trying not to be so obvious about the reason the URL is blocked. through ODNS.

    Filtering through router port control and blocks is another, excellent idea. The final item is NetNanny or CyberSitter, both capable programs which will rest on a gateway box with a powerful CPU to minimize the overhead they (may) impose on system response.

    In general terms, the gateway links the ISP via an internal PCI-based ADSL modem with a netcard feeding to a subnet. The modem is internal to limit the option simply to bypass the gateway and plug directly into an external modem. The subnet router/access point provides wired and wireless ports reaching the client machines, which have no control software actually installed on them-- the beauty of the gateway approach.

    Could someone bring in a portable modem/router ? Sure, but the interest level is not really that high, at this point..

  10. #10
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    If you want all the granularity you can imagine, Check out the following.

    http://www.untangle.com/

    They have a Virtual machine version that can run on a windows PC. We have had some issues with time getting messed up when running the virtual machine version, however, this may not matter in your case (just that the reports do not show correct access time).

    The full version can run on an old PC. The Opensource (unpaid) version should do everthing you need plus a whole lot more.

  11. #11
    Star Lounger
    Join Date
    Dec 2009
    Posts
    65
    Thanks
    12
    Thanked 1 Time in 1 Post
    Quote Originally Posted by mercyh View Post
    If you want all the granularity you can imagine, Check out the following.

    http://www.untangle.com/

    They have a Virtual machine version that can run on a windows PC. We have had some issues with time getting messed up when running the virtual machine version, however, this may not matter in your case (just that the reports do not show correct access time).

    The full version can run on an old PC. The Opensource (unpaid) version should do everthing you need plus a whole lot more.
    TO mercyh and all others-- A FINAL CHECK

    Just as a final check, is there any hardware or logical problem you can see with my setup plan for the system?
    The plan involves bringing ISP data to a gateway (desktop) computer using a PCI-based broadband modem, then
    running from the gateway ethernet port out to a Netgear WNR2000 wireless N router, creating a router subnet.
    All clients are wireless N, with full PSA2-PSK security.

    I ask, because I finally have located a USA source for the DLink ADSL broadband modem (once very popular
    around the world, now a discontinued product, yet still "box-new") and am ready to buy. By research, I have
    located and downloaded XP-ready drivers for the modem from CNet, and user comments show no "flaming"
    issues with the XP driver.

    Again, the idea of putting the modem inside the gateway is to provide greater control over connections users might
    make to the ISP.

    As stated previously, I plan to take into account all the suggestions about Open DNS and other products for
    specifics of the gateway computer. But at this moment, making sure there is no glaring or inherent hardware or
    logic problem with the system, as planned, is the most important thing as I begin to build this system.

    Once more, thanks to all for your help and careful deliberation on this project. Maybe this thread will benefit others
    who desire to limit the garbage they bring into their home, as well.

  12. #12
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    I have never tried what you are attempting. It seems a bit paranoid to feel the need to lock down the modem in this manner.
    I agree that without doing it this way (or having the modem-router connection in an inaccessable room) breaking the lock is as easy as unplugging the cable.


    I do not know why it wouldn't work. You will need some way of firewalling that incoming connection as that connection will be exposed directly on the web.

  13. #13
    Star Lounger
    Join Date
    Dec 2009
    Posts
    65
    Thanks
    12
    Thanked 1 Time in 1 Post
    Quote Originally Posted by mercyh View Post
    I have never tried what you are attempting. It seems a bit paranoid to feel the need to lock down the modem in this manner.
    I agree that without doing it this way (or having the modem-router connection in an inaccessable room) breaking the lock is as easy as unplugging the cable.


    I do not know why it wouldn't work. You will need some way of firewalling that incoming connection as that connection will be exposed directly on the web.

    UNTANGLE MAY HELP


    I made a note to look at Untangle (UT) "later"-- but then took brief glances at the dox during the day (the website is very helpful, clear
    and well-engineering, content-wise). The more I reviewed UT, the more entangled I became-- this product is very useful and has a feature
    set and field experience adequate to all my concerns. Like Avast! (the paid version), UT comes with its own firewall.

    The "UT for Windows" package captured my attention as an integrated solution, and one that coincides with the network basic design.
    It runs on the gateway which doubles as a workstation.

    But in that configuration, could everything run from a modest P3 with enough memory (1GB) to serve a network with no more than two
    family PCs? Or should I anticipate lots of latency and drag in traffic without a larger CPU? I ask these things, just in case you have some
    field experience with UT.

    Again, thanks! How did you run across UT?

  14. #14
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    You need to read how UT for windows actually works. You can install it on ANY windows machine on the network (it does not have to be at the gateway) and as soon as it is turned on it Grabs all the internet traffic on the network and forces it through that box. (this is assuming you have no hubs, only switches and that the switches are not multilayer which you will not have with residential grade stuff) The downside is that as soon as that box is turned off (or the untangle service is stopped) all filtering ceases.

    This is not a good option if you are so security conscious that you need the modem in the box. You would have to install the windows workstation in a locked room as all the surfer needs to do is shut off the workstation that has this installed and they are in the clear.



    The dedicated version of UT acts as a gateway-router with one nic used as the WAN port and the other used as the LAN port. However, this is a linux distro and it is highly unlikely it will have drivers for the modem you are talking about, although a good look at there hardware list may be in order. (I didn't check).

    This doesn't fill your need either as the machine is dedicated to untangle so cannot be used as a workstation.


    For a home network with only a couple of machines, the hardware specs you have should be no problem. I have a windows version (which takes much more power than the stand alone product) running on a dual core pentium with two gigs of ram filtering a 25 workstation business network and there are no noticeable latency issues.


    I started using untangle while searching for a replacement for censornet (http://opensource.censornet.com/). Untangle is a well known and well maintained linux router/filter distro.

  15. #15
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    BTW

    You are not the first person to ask this question.......

    http://forums.untangle.com/networkin...ugging-ut.html

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •