Block Porn on Wireless Home Network


    • This topic has 14 replies, 6 voices, and was last updated 15 years ago.
    #467191

    BLOCK PORN ON A WIRELESS HOME NETWORK

    BACKGROUND
    I plan a home wireless network, N-class, and know visiting teenagers will be tempted
    on rare occasion to go places on the internet they should not. So, I need a way to
    prevent internet travel to porn palaces and other sites associated with malware.

    METHOD
    Generally, I am familiar with wireless setup, and plan WPA2 security, and to stop SSID
    broadcast. Maybe even to restrict home network access to registered MAC addresses.
    But this is only general security, and blocking porn sites is still another issue.

    BLOCKING PORN SITES
    To stop porn access absolutely, I have a choice of a resident local control for each
    computer, like NetNanny (https://www.netnanny.com/alt_rotate) or CyberSitter
    (http://www.cybersitter.com/). The problem is these programs are fairly obvious, and
    a blocked search on Google will present a screen that indicates there is a blocking
    system in-place. An alert teen will attempt to boot past them with a Linux boot CD, or
    equivalent. Depending on the program, security is not all that solid against determined
    teens.

    Aside from NetNanny or CyberSitter, I also can use something like Open DNS, a
    business website and gateway system which allows the wireless router, itself (if the
    feature is provided), to use the ODNS IP as its gateway to the internet– completely
    bypassing the regular ISP. (http://www.openDNS.com)

    While most ISPs have no problem with this arrangement, ODNS is still something
    like a committee system of actually voting on which sites are bad / trouble / risky,
    and this leaves the coverage less than comprehensive, and often crude and very
    granular.

    For example, a recent ODNS forum post mentioned a school had blocked the
    hypothetical porn site http://www.sexgals.com at one level, but students still contrived to
    reach the porn website through another level– the difference was a matter of one
    webpage which was still accessible.

    So, it appears ODNS– a brilliant approach, from the standpoint of hardware control
    and even the knotty political / social issue of classifying certain websites “bad”–
    seems ineffectual as a really air-tight barrier against the galaxy of malware and porn
    sites.

    IN OTHER WORDS
    Does anyone have suggestions for a really secure system that can screen out porn
    and other bad sites, yet not have to reside on the client computer on the network?

    I had considered putting NetNanny or CyberSitter on a single computer to be used
    on the home network as a gateway system for all the others– all network client
    machines would attach to a router subnet running out of the gateway computer. But
    that is a scenario from a wired, not wireless network.

    Wireless network protection and control is still a problem. Unfortunately, most
    wireless routers have no provision for a resident NetNanny or CyberSitter level of
    control– it’s a few blacklisted sites, or a few whitelisted sites, or nothing. So, I am
    down to using two routers– the first a modem/router which delivers my ISP services
    (on which I would turn off wireless) and a second wireless router which gets and
    distributes its data from the gateway machine on which I have installed NetNanny or
    CyberSitter.

    At least this would bypass the issue of installing NetNanny or CyberSitter on each
    computer on the home network. Unlike using Open DNS, the NN or CS setup would
    still present a screen whenever a Google, Yahoo or Bing search is blocked.

    • #1212409

      I highly recommend OpenDNS, I set my router up to use them, it is quite transparent and free.

    • #1212471

      plan WPA2 security, and to stop SSID broadcast. Maybe even to restrict home network access to registered MAC addresses

      This post explains why that is of little value.

      cheers, Paul

    • #1217558

      I would also recommend openDNS. The key here is

      visiting teenagers will be tempted
      on rare occasion

      The point you make on openDNS is correct. Any administrator that is trying to filter his/her network will find that ALL filters have holes and a determined user will find them. YOU MUST WATCH THE FILTER LOGS no matter what solution you are using. In your situation though we are looking at users that do not have time to try and “break” the filter. For a network that needs filtering “at the gateway” and where the owner does not have a huge budget, openDNS is not a bad solution.

      Unlike using Open DNS, the NN or CS setup would
      still present a screen whenever a Google, Yahoo or Bing search is blocked.

      I’m not sure I understand this as openDNS does give a block screen.

      PS: I am not affiliated with openDNS other than using it. I use it in multiple corporate settings. We check the most used site list at least weekly and manually block anything in the top 200 that we don’t like. If a user breaks the filter and finds a site they like, it quickly moves to the top of the list as they will go back multiple times. We block it and watch for the next one. We run highly complex networks that connect with multiple site-to-site VPNs and VPN clients which connect to government websites. openDNS is the only filter solution we have used that does not take major configuration to make all of our “special” connections work.
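
An added example, not code from the thread or from OpenDNS, of the weekly log review described in the post above: list the most-queried domains, set aside the ones already reviewed, flag domains where one hostname is blocked but a sibling hostname still resolves (the "one webpage still accessible" case from the original post), and find the client that keeps going back to a site. The log line format, the sample entries and the `.example` domain names are all constructed for this example; a real resolver export will have different fields, so only parse_line() needs adapting.

```python
"""Weekly resolver-log review (added example; not from the thread).

Input format is constructed for this example:
    <ISO time> <client IP> <queried name> <allowed|blocked>
"""
from collections import Counter, defaultdict
import re

# Constructed sample log. The last line is deliberately malformed to show
# that a corrupt line is skipped rather than aborting the whole report.
SAMPLE_LOG = """\
2010-03-01T19:02:11 192.168.1.21 www.google.com allowed
2010-03-01T19:02:14 192.168.1.21 safebrowsing.google.com allowed
2010-03-01T19:03:40 192.168.1.22 cdn.video.example allowed
2010-03-01T19:03:41 192.168.1.22 www.video.example allowed
2010-03-01T19:05:02 192.168.1.22 www.badsite.example blocked
2010-03-01T19:05:30 192.168.1.22 m.badsite.example allowed
2010-03-01T19:06:10 192.168.1.22 m.badsite.example allowed
2010-03-01T19:06:12 192.168.1.22 m.badsite.example allowed
2010-03-01T20:10:00 192.168.1.21 www.bing.com allowed
2010-03-01T20:11:00 192.168.1.23 proxy.example allowed
2010-03-01T20:11:05 192.168.1.23 proxy.example allowed
this line is corrupt and must be skipped, not crash the report
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z0-9.-]+)\s+(allowed|blocked)$")


def parse_line(line):
    """Return a record dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, verdict = m.groups()
    return {"time": ts, "client": client,
            "name": name.lower().rstrip("."), "verdict": verdict}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def parent_domain(name):
    """Last two labels. Simplification: right for .com/.org/.example,
    wrong for co.uk-style suffixes; use a public-suffix library on real data."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def top_domains(records, n=200):
    """Most-queried parent domains among allowed queries (the 'top 200' list)."""
    counts = Counter(parent_domain(r["name"]) for r in records
                     if r["verdict"] == "allowed")
    return counts.most_common(n)


def review_queue(records, reviewed, n=200):
    """Top-n allowed domains not yet on the reviewed (allowed-or-blocked) list,
    so each weekly pass only looks at what is new."""
    return [(d, c) for d, c in top_domains(records, n) if d not in reviewed]


def sibling_leaks(records):
    """Parent domains with at least one blocked hostname and at least one
    allowed hostname: the filter caught one name but a sibling still resolves."""
    blocked, allowed = defaultdict(set), defaultdict(set)
    for r in records:
        bucket = blocked if r["verdict"] == "blocked" else allowed
        bucket[parent_domain(r["name"])].add(r["name"])
    return {d: sorted(allowed[d]) for d in blocked if d in allowed}


def repeat_clients(records, domain, min_hits=3):
    """Clients that queried a parent domain at least min_hits times: the tell
    for a user returning to a site found through a hole in the filter."""
    per_client = Counter(r["client"] for r in records
                         if parent_domain(r["name"]) == domain)
    return sorted(c for c, k in per_client.items() if k >= min_hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    already_reviewed = {"google.com", "bing.com"}
    print("to review:", review_queue(recs, already_reviewed))
    print("sibling leaks:", sibling_leaks(recs))
    for d, _ in review_queue(recs, already_reviewed):
        print(d, "repeat clients:", repeat_clients(recs, d))
```

On the sample, the review queue leads with badsite.example, sibling_leaks() shows that www.badsite.example was blocked while m.badsite.example was still being answered, and repeat_clients() names the one client that went back to it three times; that is the pattern the post says to block on sight.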

    • #1218059

      Open DNS is only really useful against non-Internet-savvy users. Anyone with Admin access to the Windoze/Linux system settings can bypass it. My advice is to set up all the blocking you can at every level: on the PC, on the Internet access router and with DynDNS. If you make it hard enough, most users will give up. Those that don’t will find a way, eventually, especially if they have admin rights…

      So:

        • Create restricted accounts on the PC: disable DOS windows etc.
        • Disable booting from CD/USB etc. – to be doubly sure, disable CD/USB access altogether…
        • Use NetNanny or whatever on the PC
        • Run the web browser in a sandbox, disable file sharing, block all file downloads
        • Set up parental control on the Internet router
        • Use OpenDNS
        • Check logs and PC files regularly and kick ass if anything is found.

      Alternatively, treat it as educational…

    • #1218068

      It would be intriguing to know how you “know [that] visiting teenagers will be tempted on rare occasion to go places on the internet they should not”? You only mention porn; how about illegal music and movie downloads? Drugs? Terrorism? … and so on.

      You are looking for a technical solution for what seems to be a social problem. If you think these visiting teenagers might be tempted to visit porn websites, then you have to be in there in the room with them, monitoring them.

      To be honest, I would be amazed if today’s teenagers weren’t more technologically savvy than you (and I!) are. I’m sure they could think of at least one way of getting round most of the measures you would put in place. And you only need one way…

      BATcher

      Plethora means a lot to me.

    • #1218073

      If you are using OpenDNS, you must block access to other dns through your router by blocking port 53 to all except OpenDNS servers if you want any kind of security at all.

      One advantage of this type of filtering is that it doesn’t matter if the person has admin on the computer and knows how to manipulate the registry; as long as they can’t access or bypass the router, they are going to have a very hard time bypassing this filter completely.

    • #1218175

      Open DNS is only really useful against non-Internet-savvy users

      I would say it this way.

      OpenDNS is only really useful to network savvy administrators. On our corporate networks we run internal DNS servers. We block outgoing access to port 53 from all machines other than the designated DNS server. We then point the internal DNS server at OpenDNS servers.

      On smaller networks we block port 53 through the firewall except for requests to OpenDNS servers. We then set DHCP to hand out OpenDNS servers and that pretty much covers it. Unless the user can bypass or change the firewall rules it is pretty hard to break through.

      Now, be aware, OpenDNS is NOT a filter. It has no idea what content is on the page it is resolving. It only knows if the site is allowed or banned.

      See the following for a little more information on what ports to block and how.

      http://forums.opendns.com/comments.php?DiscussionID=2355&page=1#Item_0
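
An added example, not from the thread or from OpenDNS, of the port-53 lock-down that #1218073 and the post above describe, as it would be written for a Linux gateway with iptables. Assumptions: the LAN-facing interface is eth1 (override with LAN_IF), client traffic passes through the FORWARD chain, and the gateway's own lookups (OUTPUT chain) are handled separately. 208.67.222.222 and 208.67.220.220 are OpenDNS's published resolver addresses. The script prints the rules rather than applying them, and includes a small first-match-wins walker so the policy can be checked before it goes live.

```shell
#!/bin/sh
# Added example (not from the thread): restrict LAN clients' DNS to OpenDNS.
# Assumptions: Linux gateway with iptables, LAN-facing interface in LAN_IF
# (eth1 here), client traffic traverses the FORWARD chain.
# 208.67.222.222 / 208.67.220.220 are OpenDNS's published resolvers.

LAN_IF="${LAN_IF:-eth1}"
OPENDNS="208.67.222.222 208.67.220.220"

# Emit the rules as text so they can be reviewed first; apply with:
#   dns_lock_rules | sh
# Rule order matters: accepts for the allowed resolvers come before the
# catch-all LOG/DROP, and both UDP and TCP are covered because DNS uses both;
# a rule for UDP alone would leave TCP/53 open.
dns_lock_rules() {
    for ip in $OPENDNS; do
        for proto in udp tcp; do
            printf 'iptables -A FORWARD -i %s -p %s --dport 53 -d %s -j ACCEPT\n' \
                "$LAN_IF" "$proto" "$ip"
        done
    done
    for proto in udp tcp; do
        # Log before dropping so bypass attempts show up in the logs the
        # thread says to watch.
        printf 'iptables -A FORWARD -i %s -p %s --dport 53 -j LOG --log-prefix "DNS-BYPASS "\n' \
            "$LAN_IF" "$proto"
        printf 'iptables -A FORWARD -i %s -p %s --dport 53 -j DROP\n' \
            "$LAN_IF" "$proto"
    done
}

# Walk the generated rules in order (first match wins, as the kernel does)
# and report the verdict a client would get for DNS to the given resolver
# address and protocol. Pre-flight check that 8.8.8.8 really is dropped.
dns_verdict() {
    dst="$1"
    proto="${2:-udp}"
    verdict=$(dns_lock_rules | while IFS= read -r rule; do
        case "$rule" in
            *"-p $proto "*"-d $dst "*"-j ACCEPT") echo ACCEPT; exit 0 ;;
            *"-p $proto "*"-j DROP")             echo DROP;   exit 0 ;;
        esac
    done)
    echo "${verdict:-NOMATCH}"
}

# Stand-alone use: print the rules, then check two resolvers.
if [ "${1:-}" = "--show" ]; then
    dns_lock_rules
    echo "8.8.8.8:        $(dns_verdict 8.8.8.8)"
    echo "208.67.222.222: $(dns_verdict 208.67.222.222 tcp)"
fi
```

Pair this with DHCP handing out the two OpenDNS addresses, as the post says, so clients never need to be told anything. Two caveats a practitioner should keep in mind: the rules only constrain port 53, so a resolver reached over an encrypted transport on another port (DNS over HTTPS on 443, DNS over TLS on 853) would not be seen by them; and, as the post itself notes, the whole scheme rests on nobody being able to reach or replace the router.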

    • #1218632

      THANKS TO ALL

      for your very perceptive suggestions, as well as insight about the social dimension involved. In that regard– as Thomas Hobbes, himself reminded those who wondered about his suspicious nature– we lock our doors, no matter how kindly we feel about our neighbors. Ultimately, no fence, no lock, no security measure is completely perfect, but the better of two locks will have to do.

      Special appreciation to mercyh for a very probing, thorough analysis of the problem, clearly the beneficiary of many hours dealing with a distant relative of the same security issue.

      I already had intended to use ODNS as exactly what you propose, a means of limiting further the options and exposure. Obviously, my comments paint me as very skeptical of ODNS as any final solution. Yes, paid ODNS ($5 yearly!) does provide a good block page, but I am trying not to be so obvious about the reason the URL is blocked through ODNS.

      Filtering through router port control and blocks is another, excellent idea. The final item is NetNanny or CyberSitter, both capable programs which will rest on a gateway box with a powerful CPU to minimize the overhead they (may) impose on system response.

      In general terms, the gateway links the ISP via an internal PCI-based ADSL modem with a netcard feeding to a subnet. The modem is internal to limit the option simply to bypass the gateway and plug directly into an external modem. The subnet router/access point provides wired and wireless ports reaching the client machines, which have no control software actually installed on them– the beauty of the gateway approach.

      Could someone bring in a portable modem/router? Sure, but the interest level is not really that high, at this point.

    • #1218640

      If you want all the granularity you can imagine, Check out the following.

      http://www.untangle.com/

      They have a Virtual machine version that can run on a windows PC. We have had some issues with time getting messed up when running the virtual machine version, however, this may not matter in your case (just that the reports do not show correct access time).

      The full version can run on an old PC. The open-source (unpaid) version should do everything you need plus a whole lot more.

      • #1219917

        If you want all the granularity you can imagine, Check out the following.

        http://www.untangle.com/

        They have a Virtual machine version that can run on a windows PC. We have had some issues with time getting messed up when running the virtual machine version, however, this may not matter in your case (just that the reports do not show correct access time).

        The full version can run on an old PC. The open-source (unpaid) version should do everything you need plus a whole lot more.

        To mercyh and all others– A FINAL CHECK

        Just as a final check, is there any hardware or logical problem you can see with my setup plan for the system?
        The plan involves bringing ISP data to a gateway (desktop) computer using a PCI-based broadband modem, then
        running from the gateway ethernet port out to a Netgear WNR2000 wireless N router, creating a router subnet.
        All clients are wireless N, with full WPA2-PSK security.

        I ask, because I finally have located a USA source for the DLink ADSL broadband modem (once very popular
        around the world, now a discontinued product, yet still “box-new”) and am ready to buy. By research, I have
        located and downloaded XP-ready drivers for the modem from CNet, and user comments show no “flaming”
        issues with the XP driver.

        Again, the idea of putting the modem inside the gateway is to provide greater control over connections users might
        make to the ISP.

        As stated previously, I plan to take into account all the suggestions about Open DNS and other products for
        specifics of the gateway computer. But at this moment, making sure there is no glaring or inherent hardware or
        logic problem with the system, as planned, is the most important thing as I begin to build this system.

        Once more, thanks to all for your help and careful deliberation on this project. Maybe this thread will benefit others
        who desire to limit the garbage they bring into their home, as well.

    • #1219998

      I have never tried what you are attempting. It seems a bit paranoid to feel the need to lock down the modem in this manner.
      I agree that without doing it this way (or having the modem-router connection in an inaccessible room) breaking the lock is as easy as unplugging the cable.

      I do not know why it wouldn’t work. You will need some way of firewalling that incoming connection as that connection will be exposed directly on the web.

      • #1220013

        I have never tried what you are attempting. It seems a bit paranoid to feel the need to lock down the modem in this manner.
        I agree that without doing it this way (or having the modem-router connection in an inaccessible room) breaking the lock is as easy as unplugging the cable.

        I do not know why it wouldn’t work. You will need some way of firewalling that incoming connection as that connection will be exposed directly on the web.


        UNTANGLE MAY HELP

        I made a note to look at Untangle (UT) “later”– but then took brief glances at the dox during the day (the website is very helpful, clear
        and well-engineered, content-wise). The more I reviewed UT, the more entangled I became– this product is very useful and has a feature
        set and field experience adequate to all my concerns. Like Avast! (the paid version), UT comes with its own firewall.

        The “UT for Windows” package captured my attention as an integrated solution, and one that coincides with the network basic design.
        It runs on the gateway which doubles as a workstation.

        But in that configuration, could everything run from a modest P3 with enough memory (1GB) to serve a network with no more than two
        family PCs? Or should I anticipate lots of latency and drag in traffic without a larger CPU? I ask these things, just in case you have some
        field experience with UT.

        Again, thanks! How did you run across UT?

    • #1220018

      You need to read how UT for Windows actually works. You can install it on ANY Windows machine on the network (it does not have to be at the gateway) and as soon as it is turned on it grabs all the internet traffic on the network and forces it through that box. (This is assuming you have no hubs, only switches, and that the switches are not multilayer, which you will not have with residential-grade stuff.) The downside is that as soon as that box is turned off (or the Untangle service is stopped) all filtering ceases.

      This is not a good option if you are so security conscious that you need the modem in the box. You would have to install the windows workstation in a locked room as all the surfer needs to do is shut off the workstation that has this installed and they are in the clear.

      The dedicated version of UT acts as a gateway-router with one NIC used as the WAN port and the other used as the LAN port. However, this is a Linux distro and it is highly unlikely it will have drivers for the modem you are talking about, although a good look at their hardware list may be in order. (I didn’t check.)

      This doesn’t fill your need either as the machine is dedicated to untangle so cannot be used as a workstation.

      For a home network with only a couple of machines, the hardware specs you have should be no problem. I have a windows version (which takes much more power than the stand alone product) running on a dual core pentium with two gigs of ram filtering a 25 workstation business network and there are no noticeable latency issues.

      I started using untangle while searching for a replacement for censornet (http://opensource.censornet.com/). Untangle is a well known and well maintained linux router/filter distro.

      • #1220031

        This is not a good option if you are so security conscious that you need the modem in the box. You would have to install the windows workstation in a locked room as all the surfer needs to do is shut off the workstation that has this installed and they are in the clear…. This doesn’t fill your need either as the machine is dedicated to untangle so cannot be used as a workstation.

        For a home network with only a couple of machines, the hardware specs you have should be no problem. I have a windows version (which takes much more power than the stand alone product) running on a dual core pentium with two gigs of ram filtering a 25 workstation business network and there are no noticeable latency issues.

        I had believed my own network traffic was so small, a dedicated router might also do light duty as a text workstation. You saved me grief– a computer serving a dedicated router function remains exactly that, reserved for the purpose.

        For now, I am back with the Windows-based gateway hosting a shared internet connection. The only remaining issue is how powerful to make this station
        so overhead is not too obvious. Your formula for Intel Core 2 Duo and 2gb of RAM for a dedicated machine on a 25-station network, of course, is a far cry
        from the modest computer I need. But I imagine a P3 and only 1gb probably would be too little, even so.

        The firewall function probably will be met by something suited to the home market for stand-alones.

    • #1220019

      BTW

      You are not the first person to ask this question…….

      http://forums.untangle.com/networking/15179-preventing-users-unplugging-ut.html
