'Re[4]: [OT]: ISP-based whitelisting service?'
2006\06\26@175615 by Patrick Murphy
Hi Bob,
Monday, June 26, 2006, 4:28:30 PM, you wrote:
> I am assuming that the expression "have the Internet filtered before it
> arrives on the place" is intended to ensure that even with physical access
> to the incoming wire from the ISP the young bucks cannot get to something
> they shouldn't.
Yes, that is what is intended.
> I believe the solution I outlined before can handle this, with the following
> simple notes:
> 1) Access from the router to the ISP requires knowledge of the ISP password,
> which would only be stored in the Router and unknown to anyone in the
> Colony.
Okay...
> 2) Access to the router setup is protected by the router's own password,
> which would not be known by anyone at the Colony either.
Okay...
> Thus to get to the internet you have to go through the router, and the
> router does all the filtering for you.
Sounds like I'll have to learn more about routers. Like how many sites
can be added to their whitelist, and just what can and can't be done
with them.
> The only way I can see to get around this is to get another account with the
> same ISP and use it on the same physical connection.
Sounds like a reasonably remote possibility - if they can do this, they will
probably set up their own, secret connection instead.
> Bob Ammerman
> RAm Systems
Thanks for your help. I've now got a better and more focused
understanding of our options!
--
Best regards,
Patrick Murphy
James Valley Colony
2006\06\26@180612 by Patrick Murphy
Hi John,
Monday, June 26, 2006, 4:20:56 PM, you wrote:
> The problem is more widespread than you think.
> I am setting up a network at my church. I have come to a holding point
> because there is currently no way to provide access to the general user
> while limiting the possibility that a hormone driven teenager will be caught
> on a porn site.
There is a software solution for porn that you might be interested in
- I haven't tried it, but IIRC, PC Magazine recently reviewed it and
found it effective, although not foolproof.
<http://www.guardwareinc.com/ishield/>
Okay, I found the PC Magazine review here:
<http://www.pcmag.com/article2/0,1895,1927957,00.asp>
The FortiGate device I briefly tested was able to block sites based on
text content so I assume that would help as well.
<http://www.fortinet.com/>
--
Best regards,
Patrick Murphy
James Valley Colony
2006\06\26@180957 by Robert Ammerman
If the router is a cheap linux PC then virtually an infinite number of
routes can be added to their routing table. However, now you will have to
worry about physical access to the PC allowing someone to bypass security.
You might have to put it in a locked box.
Bob Ammerman
RAm Systems
2006\06\27@131628 by Patrick Murphy
Hi Herbert,
Monday, June 26, 2006, 3:10:38 PM, you wrote:
> How important is bandwidth?
I don't know - I assume if the colonies could have a connection that
doesn't drop below, say, three to four times as fast as Dial-up, they
would be satisfied for now.
> If sacrificing bandwidth is an "OK" solution, perhaps something like
> this is an option:
> Colony:
> Internet Connection -> router -> router with VPN client -> clients
> Base:
> Internet Connection -> VPN server -> Filter computer -> Internet
> Connection
> I hope this makes sense. Basically every colony doesn't get a connection
> to the internet, their VPN client connects to the "Base" VPN server.
> This VPN server could then block out whatever you'd like.
> The benefit is it's relatively plug and play for the colonies, you set
> up each box and mail it to them. They can set up their networks any way
> they want, wired or WiFi. Since the router with VPN is their only
> connection to the rest of the internet only physical access can bypass
> it (unless they manage to hack the VPN router, possible, but easy enough
> to secure).
> At the base you can use a computer to act as the VPN server, or just buy
> one. The whitelist filtering can then be done with a Linux or Windows
> box. Since it's the only point that goes to the rest of the internet
> it's the only point that needs configuring. You can also reconfigure it
> remotely if you wish.
> The bad side of this idea is that all the internet traffic from the
> colonies will come through the "Base's" internet connection. If you're
> dealing with just a few emails and web pages that's probably OK. If
> you're dealing with streaming video or thousands of clients, that won't
> be OK.
I don't think streaming video is currently desired - just basic email,
access to on-line banking, and business-related web sites. This will
likely expand greatly as the colonies become more familiar with the new
options that the Internet will provide.
I assume the base computer's connection to the Internet should be
faster than any other colony's connection - how much improvement
might extra bandwidth give? I assume bandwidth is more a bottleneck than
the VPN hardware?
> Basically you are creating a pseudo ISP that the clients connect to
> through VPN.
> Costs shouldn't be too bad. The VPN client routers are getting pretty
> cheap (since they are in the consumer space now), VPN servers are a
> little more expensive, but you only need one.
--
Best regards,
Patrick Murphy
James Valley Colony
2006\06\27@171537 by Herbert Graf
On Tue, 2006-06-27 at 10:17 -0500, Patrick Murphy wrote:
> Hi Herbert,
>
> Monday, June 26, 2006, 3:10:38 PM, you wrote:
>
> > How important is bandwidth?
>
> I don't know - I assume if the colonies could have a connection that
> doesn't drop below, say, three to four times as fast as Dial-up, they
> would be satisfied for now.
Well, what you describe sounds very "bursty", so actual bandwidth
shouldn't be too bad.
> I don't think streaming video is currently desired - just basic email,
> access to on-line banking, and business-related web sites. This will
> likely expand greatly as the colonies become more familiar with the new
> options that the Internet will provide.
Well as a start this might be a good solution for you.
> I assume the base computer's connection to the Internet should be
> faster than any other colony's connection - how much improvement
> might extra bandwidth give?
Unfortunately I don't have the experience to really be able to recommend
something specific. The most important thing for the "base's" internet
connection is that it's a "symmetric" connection, meaning the upstream
bandwidth is the same as the downstream. Most consumer connections are
asymmetric which wouldn't work too well for your application (since the
limit would be the slower direction). Best idea IMHO would be to get a
symmetric connection for the base with the option of upgrading the
bandwidth, therefore if your users complain things are too slow you just
call the ISP and have them up the bandwidth.
> I assume bandwidth is more a bottleneck than
> the VPN hardware?
Unless you're dealing with hundreds of VPN clients you are correct,
bandwidth will be the bottleneck. Since each colony will only be one VPN
connection you should be OK.
Good luck! :)
TTYL
2006\06\28@103232 by Patrick Murphy
Hi Herbert,
Tuesday, June 27, 2006, 4:19:49 PM, you wrote:
> On Tue, 2006-06-27 at 10:25 -0500, Patrick Murphy wrote:
>> > Obviously, physically securing the hardware is an issue, but I don't see
>> > that as a big issue.
>>
>> That password barrier should be a good deterrent.
> As long as the password is set to something OTHER than the default, you
> wouldn't believe how many times I've found devices with the default
> password still set.
>> I'm a bit uncertain, however, what device would require a password
>> - do modems themselves allow the requiring of passwords? It's been
>> a while since I've tried it, but IIRC, I was able to connect my
>> laptop directly to my broadband modem and surf the net.
> The password would be in the VPN box. The only connection you supply to
> the clients is a connection to the VPN box. The VPN box would be
> connected to the modem, and would be the only thing at the colony with a
> free connection to the internet, hence the need to physically secure it.
> The VPN box's configuration would have to be passworded.
If I use a computer running Linux, that should be a good deterrent by
itself, as there are very few in the colonies that have any experience
with Linux.
>> I like the idea of ISP transparency - some colonies can only get an
>> expensive satellite connection, while others would be able to choose a
>> less expensive connection.
>>
>> The tradeoff is, then, lower bandwidth vs. ISP transparency.
> Absolutely. That said, if email and a few webpages are the only things
> the clients are using bandwidth shouldn't be much of an issue.
That makes sense.
--
Best regards,
Patrick Murphy
James Valley Colony
2006\06\28@144446 by Herbert Graf
On Wed, 2006-06-28 at 09:05 -0500, Patrick Murphy wrote:
> Hi Herbert,
> If I use a computer running Linux, that should be a good deterrent by
> itself, as there are very few in the colonies that have any experience
> with Linux.
True, but you have to think about a youngster in general. The more
difficult and "mysterious" something appears, the MORE interested they
will be in figuring out how it works and breaching it! :) There's
nothing in making somebody want something then telling them they can't
have it!
TTYL