Firewall Wizards mailing list archives

Re: Content filtering - how to enforce at home


From: Randall C Grimshaw <rgrimsha () syr edu>
Date: Thu, 9 Sep 2010 06:29:41 -0400


Physical access is always a problem, especially if they possess replacement routers - but here is what I use:

2 stacked NAT routers, Cable modem -> R1 -> R2 -> house

R1 is a NAT with 802.11n WPA2 and a private password for my rare bypass needs. The ports are MAC-secured to include my notebook and R2.

R2 is a WRT running the latest Gargoyle / OpenWrt, configured to enforce OpenDNS subscribed (freely available) site category filtering / tracking. Gargoyle also has functional rate limiting, access quotas, reporting and filtering.

Notes:
My college kids used to have access to R1 in a former configuration, but hackers would break into their computers and they were often careless users. So for a while a Bsecure SecureSpot (no longer offered, but showing signs of returning) sat between R1 and R2 (pre-Gargoyle). A hotspot-like password was used for bypass needs. Today's configuration is better for my immediate needs and works pretty well... hacker #2 is going to be a bigger challenge and I may need a PCI-compliant cage.

Good luck Jim... as usual should any of your force be....

Randall Grimshaw rgrimsha () syr edu
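As an added illustration of the R2 role described above (not Randall's own configuration, and not part of the original post), here is an OpenWrt UCI fragment that makes OpenDNS category filtering hold for every LAN client: dnsmasq on R2 forwards only to OpenDNS, any DNS query a client sends elsewhere is redirected back to R2, and DNS-over-TLS to outside resolvers is rejected. The OpenDNS resolver addresses are the public ones; the rule names are arbitrary.

```uci
# /etc/config/dhcp (excerpt): R2's dnsmasq resolves for the LAN and forwards
# only to OpenDNS, ignoring whatever resolvers the upstream R1/modem hands out.
config dnsmasq
        option domainneeded '1'
        option localservice '1'
        option noresolv '1'
        list server '208.67.222.222'
        list server '208.67.220.220'

# /etc/config/firewall (excerpt): without the two sections below, a client that
# sets its own DNS server simply never touches the OpenDNS filter.

# Redirect every LAN DNS query (UDP and TCP port 53) to R2's own dnsmasq.
# With no dest_ip given, OpenWrt DNATs to the router's LAN address.
config redirect
        option name 'Intercept-LAN-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

# DNS-over-TLS (port 853) would slip past the port-53 redirect, so reject it.
config rule
        option name 'Block-LAN-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp'
        option target 'REJECT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, then check from a LAN host that a query aimed at an arbitrary outside resolver still returns the OpenDNS answer. This only governs traffic that passes through R2; a device plugged straight into R1 (the MAC-clone case in the original question) is outside what R2 can enforce.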
________________________________________
From: firewall-wizards-bounces () listserv cybertrust com [firewall-wizards-bounces () listserv cybertrust com] On 
Behalf Of Wieslaw Lubas [wieslaw_lubas () o2 pl]
Sent: Wednesday, September 08, 2010 3:18 PM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Content filtering - how to enforce at home

Hi,

I am trying to attach a small filtering "appliance" in a home environment. From the user's perspective it is a proxy server and firewall with IP address A on the LAN side. The WAN side is connected to a DSL/cable modem (CPE). All traffic other than restricted web categories shall be allowed. CPE DHCP is turned off; it allows only the "appliance" MAC address.

Scenario 1. Web proxy (A) enforced on workstation.

Scenario 2. CPE or firewall blocks 80 & 443 from sources other than "A". "Appliance" is in transparent mode, because all workstation users can modify proxy settings. Disadvantage - only ports 80 and 443 are filtered; the filter can be bypassed using an Internet-based proxy.

Scenario 1a. Smart 7-years-young hacker replaces the "appliance" with some non-filtering proxy, using the same IP. How to avoid this hack?

Scenario 2a. Smart 7-years-young hacker clones the "appliance" MAC and connects directly to the CPE. How to avoid this hack? 802.1x?

Scenario 2b. CPE is provider-managed - in my case a cable modem acting as a bridge. No MAC filtering. Any connected DHCP client gets online. Will anything other than a physical lock help (connecting the cable modem to the "appliance", setting up the appliance as DHCP server, both boxes secured with a key in an enclosure)?

Is there any software-based solution that could do the job?

Specifically, a tamper-proof network driver acting as an ICAP client (I could install a filter with an ICAP server in a remote location).

Wieslaw


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
