Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#136594 - 23/01/2003 14:39 Restricting Internet Access on a Computer Network
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
My chief engineer at the radio station where I work is also supporting a computer network at a local Christian school.

The server is Windows 2000 Server (not the "Advanced" version) and the workstations are all Windows 2000, grouped together in a computer lab. Internet acess is through a DSL line.

What the administrators at the Christian school want to do is deny internet access on the workstations unless there is an adult supervisor present.

What would be an easy, not highly technical method of doing this? This doesn't have to be a solution to defeat dedicated hackers; just something to keep the kiddies out of the porn sites when the preacher's not watching.

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#136595 - 23/01/2003 14:50 Re: Restricting Internet Access on a Computer Network [Re: tanstaafl.]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
You say internet access is though a DSL line. How, exactly, is is distributed? Do they have one of those Linksys/NetGear router deals? Unplugging the DSL line comes to mind.

The problem I see with any solution to this problem is not turning the service on, but turning it off. It's like you need a reverse deadman's switch, but I can't think of an appropriate way to set anything like that up. I mean, what happens when someone comes into the room and tells the chaperone that they need him right now. Is he going to stop and turn the internet off first? If not, you need either some automated facility to detect that he's not there, or it's just going to be left on.
_________________________
Bitt Faulk

Top
#136596 - 23/01/2003 14:56 Re: Restricting Internet Access on a Computer Network [Re: tanstaafl.]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
I absolutely despise the idea of this, but it can be done pretty easily and for free using squid as a proxy server.

Here is a link to a paper on how to set this up.

Of course, the DSL will need to come in to the proxy computer and the clients will need to be configured to use that machine as their internet gateway and the browser client will need to be informed that the gateway machine is a proxy, but all of that is pretty easy. You can have an OpenBSD box with two NICs doing that job in an hour or two.

FWIW,

Jim


Top
#136597 - 23/01/2003 14:56 Re: Restricting Internet Access on a Computer Network [Re: tanstaafl.]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31602
Loc: Seattle, WA
At home, I use one of the cyber-babysitter programs on my daughter's workstation. I think it's called "Cybersitter".

In a classroom or work environment, the proper solution is a proxy/firewall that has the capability of denying access to certain sites. There are many products which do this and work as either stand-alone firewalls, or plug-ins to the Microsoft Proxy Server product.

Either would work. The reason the latter solution is better in a classroom is because it doesn't require the software to be installed on each client computer.
_________________________
Tony Fabris

Top
#136598 - 23/01/2003 15:00 Re: Restricting Internet Access on a Computer Network [Re: TigerJimmy]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
Oh yeah, obviously, how this works is that at the monthly censorship and child ignorance meeting (oops, I mean, at the monthly all teachers meeting), you give the new proxy password to the teachers. Alternatively, you could give a different password to all of the teachers and log the internet access that goes along with their authentication. You carefully explain to the teachers that all internet access that happens after they authenticate with the proxy is logged, so if they give out their password to the kids so the kids can use the internet when they aren't around and the kids go find something "they shouldn't", it will be discovered and it will be known which teacher didn't do their job. If you're going to have teachers spying on the kids, then I think you should at least make it clear that the administration is spying on their spying.

Jim


Edited by TigerJimmy (23/01/2003 15:12)

Top
#136599 - 23/01/2003 15:03 Re: Restricting Internet Access on a Computer Network [Re: tfabris]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
Tony, take an old computer you have laying around and put OpenBSD on the bad boy and you've just solved two problems at once: 1. you have yourself a squid proxy server and don't need to rely on someone else's censorship decisions, and 2. you now have a way to share files with your buddy.

Top
#136600 - 23/01/2003 15:05 Re: Restricting Internet Access on a Computer Network [Re: wfaulk]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
Bitt, if you use a proxy that requires authentication, all the "chaperone" needs to do is close the browser. That essentially shuts off access to the world outside the LAN. The next browser session will need to re-authenticate through the proxy.

Top
#136601 - 23/01/2003 15:19 Re: Restricting Internet Access on a Computer Network [Re: tanstaafl.]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
Sorry for the number of posts, but I think this approach solves another problem, too. If that Windows 2000 server is a LAN server (which it probably is), putting a proxy/gateway machine in between it (and the rest of the LAN) and the DSL connection is a good idea anyhow. OpenBSD would definitely be the answer, IMHO: free, "secure by default", and pretty easy to use. It's not Windows point&click, but it is still pretty easy to get going.

Top
#136602 - 23/01/2003 15:33 Re: Restricting Internet Access on a Computer Netw [Re: TigerJimmy]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
    if you use a proxy that requires authentication, all the "chaperone" needs to do is close the browser.
Yup. So all he'd have to do is close the browser for all 30 students before he went off to deal with the infant who just got his arm ripped off in a freak combine accident.

(I do agree about the censorship crack, though.)
_________________________
Bitt Faulk

Top
#136603 - 23/01/2003 16:15 Re: Restricting Internet Access on a Computer Network [Re: tanstaafl.]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Put the gateway router in a locked cabinet. When the teacher's around he or she can open the cabinet & plug in the wire between the router & dsl line. When they leave, unplug it & lock the cabinet. Unless the DSL line is also used by administrators in the front office this'd work & boy is it cheap.


-Zeke
_________________________
WWFSMD?

Top
#136604 - 23/01/2003 17:05 Re: Restricting Internet Access on a Computer Netw [Re: wfaulk]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
Well, I'm assuming that the christian school has 1 or 2 "internet computers" and this isn't a whole classroom kind of thing. Possibly a poor assumption.

Top
#136605 - 23/01/2003 17:10 Re: Restricting Internet Access on a Computer Netw [Re: tanstaafl.]
jimhogan
carpal tunnel

Registered: 06/10/1999
Posts: 2591
Loc: Seattle, WA, U.S.A.
(Flashback to a phone call from a hematologist at a children's hospital...he had just sat down in a conference space with a very distressed mom and dad of a sick child when his elbow bumped a mouse, killed the screensaver, and revealed a browser displaying a pic of a very naked man and woman doing the nasty.... It wasn't a pleasant day, but the episode did bolster my budget request for filtering...)

tanstaafl: What would be an easy, not highly technical method of doing this?

Not sure that there's a solution that is as non-technical as could be desired, but....

Bitt: I mean, what happens when someone comes into the room and tells the chaperone that they need him right now. Is he going to stop and turn the internet off first?

On a very machanistic basis, if they were using something like a Netgear/Linksys router, I'd put it in a locked cabinet handy to the classroom door with a barrel-key power switch on the outside of the cabinet. Teacher keeps key on keyring, turns off on way out, back on when returning.

If the existing Win2K base dictates choices, then Tony's suggestion re: Proxy Server add-ins could be the route, but might cost some money depending on hat they already own, software-wise.

I run Squid+Privoxy and that combination would make for a much more tailorable solution for the long haul, but I don't know that it qualifies for the "easy" award. There is a version of Squid out there somewhere compiled for Windows, FWIW, but that doesn't automatically remove complexity.
If he was interested in exploring his options a bit more and had an old, spare computer, it would not take much longer than a few hours to install Linux/BSD with Squid and check it out. Of note, I read this story in the last Linux Journal that is pretty relevant to his situation. It mentions a program called "Dan's Guardian" that looks like a freeware Squid add-in.

If complexity is really an obstacle, I'd probably go with the cabinet and locked power switch approach!
_________________________
Jim


'Tis the exceptional fellow who lies awake at night thinking of his successes.

Top
#136606 - 24/01/2003 04:17 Re: Restricting Internet Access on a Computer Netw [Re: jimhogan]
muzza
Pooh-Bah

Registered: 21/07/1999
Posts: 1765
Loc: Brisbane, Queensland, Australi...
Could you play 'pass the proxy'?
the computer lab looks to the teacher's computer as a proxy which in turn looks to the school's proxy. the teacher MUST however turn off their computer to stop access.
_________________________
-- Murray I What part of 'no' don't you understand? Is it the 'N', or the 'Zero'?

Top
#136607 - 24/01/2003 10:27 Re: Restricting Internet Access on a Computer Netw [Re: muzza]
TigerJimmy
old hand

Registered: 15/02/2002
Posts: 1049
You can have the teacher's computer work as the proxy, but to do that correctly the teacher's computer is probably not running Windoze.

You could create a little script that the teacher runs that sends a SIGHUP to squid, which should close all of the connections. If that doesn't do it, a kill and restart would definitely do the job. I don't know if squid can keep state across a HUP. But, we were looking for a fairly easy to implement solution, so I'm assuming that means no script writing and no dicking around with 'sudo' and things like that. Installing OpenBSD and getting squid to work is actually pretty easy.

Top
#136608 - 24/01/2003 12:21 Re: Restricting Internet Access on a Computer Netw [Re: TigerJimmy]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Hmmm. Maybe you could write a script that would require interaction from the teacher and if it doesn't get the correct response in a set amount of time, kill the proxy. That could work.
_________________________
Bitt Faulk

Top