Slashdot Mirror


Internet Access at your Local Libraries?

gettingOnline asks: "I work for a library that will soon offer public access to our network. You come in with your network ready portable computer, change your config to use DHCP, plug in, and you have T1 access to the net. Other libraries are offering this service already, and there's no doubt we will offer it, no matter what the security issues are. What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access."

35 comments

  1. you need accountability by ZeroLogic · · Score: 1

    At the school I went to, someone tried to send a death threat to the president, from what they thought was an anonymous connection.

    Accountability will protect you from all kinds of legal hassle.

    1. Re:you need accountability by Anonymous Coward · · Score: 0

      That reminds me of a funny story...

      Back when I was at CMU, some students had the bright idea to hide in a computer cluster until it closed, then open all the computers, steal their RAM, and resell them. Apparently, they went through a trapdoor in a raised floor to hide while the cluster was still open, but first, they checked their email from the cluster machine. Got caught because CMU keeps records of who is logged into what machine giving them a nice suspect. All the cops had to do was match their suspect with a screwdriver the thieves accidentally dropped when the alarm went off as they were exiting the cluster. Turns out it was pretty easy... the kid had done an internship at the company whose name was on the screwdriver.

      Yeah, accountability will definitely help.

      Although I don't think CMU ever recovered the stolen RAM.

    2. Re:you need accountability by tvdave · · Score: 1

      The same thing happened at my high-school.

      The next day, 8am, the Secret Service showed up. They knew exactly which computer, what time, and which student.

      So much for anonymous connections.

  2. Create a separate network by photon317 · · Score: 4, Interesting


    Any solution short of creating a separate network is really asking for trouble. It's not much trouble or money to segment your network into a "private" ethernet for the librarians' servers and workstations, and a "public" ethernet for random laptops. Fence it up with an OpenBSD or Linux router/firewall box with a few ethernet cards in it and you're done (Linux is more multi-purpose and easier for most - OpenBSD is considerably more rock-solid-secure for a firewall-only box, IMHO).

    --
    11*43+456^2
    1. Re:Create a separate network by skotte · · Score: 2

      yeah, really the whole "Public Access Network" should be covered by a fFirewall, and good logs need be kept.

      i can hear the kiddies whining about privacy now. i know, i know. but come on fFolks. it's a public access point. You sort of expect to give up some privacy in that case. If you want anonymity, buy it yourself.

  3. Lan Parties? by BumbaCLot · · Score: 4, Interesting

    Will you allow gamers to come in and set up lan games as well?
    Personally I would define the 'internet' as too broad to give access to, you would be better off running a proxy for limited 'www access', and creating logins for everyone based on their library card info/etc..

    1. Re:Lan Parties? by newton34 · · Score: 0

      That would be a great idea to teach kids how to hack the network and prepare them for the real world.

      --
      look my sig changes!!! nrrt mf oci jdabi.o!!! z..a ir kot gh-ntbk{{{
    2. Re:Lan Parties? by Godeke · · Score: 2

      I would have to agree with this assessment - the library should set the lan up distinct from any other networks already in place and only allow access out via a proxy. Whether access to the proxy is based on the library card is a different issue. On one side I can see that accountability of use (using the library to set up a freemail account and send death threats from there) must be balanced with the fact that someone may be at the library precisely so they can access information that may be sensitive in their own home environment. Release of information clauses about the use of the proxy would have to be very tight for most people to feel comfortable using it (i.e., will release with a warrant).

      Of course, with the new cybersnooping laws looming everywhere in response to the massive armies of terrorist/cracker/Taliban that failed to appear, perhaps that's too much to ask for.

      --
      Sig under construction since 1998.
    3. Re:Lan Parties? by skotte · · Score: 2

      i saw this title and just thought, y'know, thats what this can easily become. one big invitation fFor the local gamers union to park themselves in the library.

      oh, not at fFirst. when the system is new, and the ports are bright and shiny, they will stand out in the middle of the room with a proud librarian hovering over them.

      but at some point, the new will wear off. and "that kid who comes in fFor a while" will become "a couple kids who waste the whole afternoon here." and the ports will get moved to a corner, thus encouraging the kids to spend the whole dern day there, while the librarian stews at the desk.

      ok, i got a little carried away.

      but like, what such a system really needs is a method of checks and balances. time limits fFor example. just as a book may be checked out, use of a port would be checked out on a library card.

      additionally, a set of clear rules would need to be installed. fFor example, NO PORN (you mooks). i know, covering this becomes very tricky. like what if the librarian decides any gay content is akin to porn? and we all know babysitter software doesnt work.

    4. Re:Lan Parties? by DNS-and-BIND · · Score: 1
      Public library internet access terminals are already occupied by the homeless downloading web porn. Their stink will drive away even the fattest, unshowered hardcore gamer.

      I'm making a joke, right? Been to a big downtown library lately?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  4. Responsible Users by dmarien · · Score: 1

    No system will ever be secure, and there's not much you can do to stop someone who really wants to bring down your network. What I would recommend is some method of identifying usage based on library membership ID. Maybe if there are 30 desktops with network/internet access, the ethernet cables are run through a switch, or a large hub before entering the server room, etc... This way, any old librarian can take port number 23 and only connect it when a library member comes and scans/swipes/shows them their card. When they've shown their library card the librarian reaches over to the hub/switch/whatever, and plugs the ethernet labeled #23 into port #23 and says, okay, you're the 3rd computer from the right in the second row. All the times could be logged. This is the only way I can think of allowing unrestricted internet access, which if someone did send a death threat/whatever malicious, they could be traced from the router/switch/ip and whoever was allowed to use that computer would be responsible no if's and's or but's. This way no one would leave their seat or let a non-member use it for fear of them being blamed.

    of course it's not too hard to forge a library card. so i guess they're s.o.l. :)

    --
    dmarien
    1. Re:Responsible Users by Anonymous Coward · · Score: 0

      Port 23? So that they only use telnet on the Internet? :)

    2. Re:Responsible Users by dmarien · · Score: 1

      ports on routers/switches are physical 'jacks'. layer 2.

      --
      dmarien
  5. limit risk ... of what? by tswinzig · · Score: 2

    What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access

    What do you want to limit the risk of, exactly?

    --

    "And like that ... he's gone."
    1. Re:limit risk ... of what? by skotte · · Score: 2

      well, that's a fFair enough question.

      when you allow someone onto your network, it's like letting them lounge in your living room. they could very easily take paperweights and drop things on the carpet. or to be a bit more precise in this case at hand, a person may be inclined to alter official library records. this is something which could be done easy enough anyway, but with a person bringing their own laptop to the location, fFilled with whatever may be held therein, you are really opening the door fFor viruses and crackers.

    2. Re:limit risk ... of what? by tswinzig · · Score: 2

      My point was it was not clear from the question what ELSE was going to be on this library network. The way it was described, it was just going to be an internet connection with a LAN that anyone can connect into using DHCP to get online. If that's the case, nothing needs to be done. Just post a sign telling everyone that they need to make sure their machines are secured, or they risk having an intruder connect to their machine. Recommend ZoneAlarm or something similar.

      In fact, I believe the newer linksys routers can actually be enabled so that they check new systems to make sure they have zonealarm installed... maybe you could use that.

      --

      "And like that ... he's gone."
  6. start with your library cards? by kootch · · Score: 5, Insightful

    why not add a tiny bit of restrictiveness to the system just to prevent people from acting stupid and believing that they are untraceable.

    I've seen systems that when you try your first connection using DHCP, you need to input a username and password... often used in new highrise apt complexes that come with broadband.

    make the user put in their library card name and number. hell, it's very little information for providing them with broadband access, right?

    but I think this might also help when budget time rolls around and the state/county/etc asks you to justify your cost. you then show them usage stats and show how it is a desired service.

    I also see lots of other marketing benefits, but it'll take too long to go into them.

  7. Policy first, technology second by linuxwrangler · · Score: 4, Interesting

    You need to outline the various risks and have the administration determine a policy. That both gives you a basis for your technological decisions and it covers your a**. Start by determining the purpose of allowing access - is it just for web research or do you want to provide other access as well?

    Some potential problems:

    Unlimited and unlogged access?? What a great place for spammers, crackers and such to get net access.

    Everyone on the same subnet (w/o router restrictions)?? Everyone with open Windoze shares will be vulnerable while logged in.

    Log all access?? You may run afoul of privacy concerns and laws.

    If you only intend to provide http(s) and ftp you might consider putting users behind a Squid proxy to improve speed and help limit access (not a substitute for firewalling, though).

    I would in any case make sure that the IP (or even entire connection) you use is separate from your administrative connection so if something bad happens (you provided full access and got blacklisted for spam for instance), your administrative functions will not be impaired.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  8. Install a ... by BalkanBoy · · Score: 1

    firewall. I'm sure that would be one of the first few things you want to do in your library. Also check out this site for a lot more info on which hardware to choose, how to set it up, etc.

    --
    'A lie if repeated often enough, becomes the truth.' - Goebbels
  9. Accountability by littlerubberfeet · · Score: 1

    Several people have mentioned accountability. It creates more problems than it solves. 2 scenarios:

    A) Johnny (a minor) and his parents sign a user agreement saying he will do what he is supposed to, etc, etc. He accesses his favorite BSDM site from the library. His parents sue the library. Case is voided, bc Johnny, ergo his parents, violated the library's EULA.

    B) Johnny walks in and uses the Wayback machine to get past the firewall that was set up. Johnny's parents sue bc Johnny used the library to 'harm himself'; the library then has to pay Johnny's parents, etc.

    Accountability is not the answer. PERCEIVED accountability is. Don't monitor anyone, but if they are found to be doing something inappropriate for their age, or illegal, then they lose their right to use the network. Defining inappropriate is a chore, but we gotta love that phrase: "contemporary community standards"

    --
    Sig (appended to the end of comments you post, 120 chars)
    1. Re:Accountability by unitron · · Score: 2
      "He accesses his favorite BSDM site..."

      BSDM? Berkeley Software Distribution Masochist?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  10. Uh by Anonymous Coward · · Score: 1, Informative

    First of all, why is it even a question as to whether or not you should create a separate network for the public terminals? Why on earth would you have the library's machines on the same network as the public machines? At the very least, assuming you're using a NAT setup, you should have a firewall keeping 192.168.1.* (public) from touching 192.168.2.* (private).

    Your firewall should also only allow outbound port 80, 443, and maybe 22, unless you want people to be able to send mail, in which case you'll also be allowing them to send spam, and you'll be risking having your library's IPs blackholed. Personally for this type of setup I wouldn't allow port 25. If they really need to check mail they can use hotmail or one of the other myriad webmail systems. Web, SSH, and https are really the only reasonably safe services to allow.

  11. Make them "kind of" separate by kasparov · · Score: 1
    The best way to maintain security in this type of situation is to create logically separate networks. This doesn't mean that you have to buy completely new network equipment and never have the two networks touch.

    What you need is a firewall with multiple interfaces. You could go commercial and buy something like a Watchguard Firebox or set up a cheap linux box and use a pre-packaged linux firewall like IPCop or SmoothWall where you just boot off a cd and install/configure a Linux firewall.

    What you end up setting up is a DMZ. You would have a "Trusted" interface that could be your private library network, a DMZ interface that could be your public access network, and an external interface that is your connection to the Internet.

    You could set up the IPs as 192.168.0.0/24 for the trusted, 192.168.100/24 for the DMZ, and use your external ip segment for the external. You still can use all of the same network hardware that you have in place.

    Hope this helps.

    --
    There's no place I can be, since I found Serenity.
  12. My opinion by Snafoo · · Score: 3, Informative

    Well, first of all: You should segment your network, with an old Linux box as gateway.

    Whether or not you'd consider this a 'separate network' is really up to you. However, it may be that you can't do this, for technical or political (or economical) reasons. Having worked as a network admin for a small library, I understand that there is a well-considered hesitance to embrace yet another chunk of technology that only one employee (and, at that, a highly mobile and long-term-unpredictable one) understands. Essentially, you want something that's drop-dead stupid to administer, so that (if, for any reason, you leave) some poor high-school schmuck who just happens to be the kid of one of the librarians stands at least even odds of being able to get it going again.

    So instead, you could do something like only assign IPs within a certain 'redlisted' range, such that the important computers on the network can run some cheap-ass firewall freeware to block from those IPs. Such a solution doesn't protect everyone, but it's really fast and easy.

    Alternately, you could always buy one of those $60 firewall/routers between the rest of the library's computers and the Internet, and then put the newcomers outside said firewall. Such boxes are easy to administer, and come with nice glossy manuals. Set it up like this:

    [T1]
    |
    |
    [Hub for Anonymous Users]
    |
    [Firewall/Router]
    |
    {all the other computers}

    However, in this scenario, you'll need to make sure that the firewall appliance is (a) able to handle a simple 100BaseTX connection (not just, say, PPPoE) and has sufficiently full NAT support that dhcpd could still be heard from behind it. (Either this last, or ensure that dhcpd is upstream, near (or on) the T1 gateway).
    This option also has the downside of forcing NAT upon all the rest of the library's computers, which (depending on how things are set up) could be a big pain in the ass, or break your network altogether. Caveat Emptor.

    --
    - undoware.ca
    1. Re:My opinion by druzicka · · Score: 1

      That T1 is going to have to terminate somewhere. Unless you've got a high speed serial interface on your Linux box or your Linksys SOHO router, you're going to have to have a "real" router in place, such as a Cisco or Nortel device. If that's the case, then see if you have a budget for Cisco's firewall feature-set and an extra ethernet interface. You'll have stateful inspection and NAT at your disposal, and you can have two Ethernet interfaces for your DMZs. Just be sure to make a copy of the config so that the part-time high school kid can restore the router if there's ever a problem for after you move on to another job.

      --
      If Happy Fun Ball begins to smoke, get away immediately. Seek shelter and cover head.
  13. captive gateway by austad · · Score: 3, Interesting

    Obviously, this should be a separate network, but for users to get access to the net, they should have to log in with their library card number and a password. The best way to do this would be to use a firewall that has captive gateway support. When the user tries to use a browser to go somewhere, the firewall intercepts the traffic and brings up a login page. This way, you get accounting information of who's using the network, and what they are doing. If you run into problems, you can go back on your logs and pin it down to the person who caused the trouble.

    Netscreen makes a model called the 5xp. There's a $495 version that will allow 10 clients at a time behind it, and there's a $995 version that allows unlimited. It has the "captive gateway" code built in, and it can authenticate against a local database on the firewall, or a 3rd party RADIUS or LDAP server. I use several of these units and they are probably the most impressive piece of equipment for the money I've ever seen. The captive gateway stuff works sweet for wireless networks also (although I use one of their larger firewalls and put the WAP in a separate zone). I have a 5xp at home, and the sheer number of features it has well surpasses that of a $30,000 Cisco PIX.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
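Several posts in this thread (dmarien's hub-port bookkeeping, the captive gateway above, the PPPoE suggestion further down) come down to the same record: which library card was behind which address at which time. The script below is an added example, not code from the thread or from any of the products named in it. It assumes two constructed log formats, a DHCP acknowledgement log from the gateway and a captive-portal login log that ties a card number to a laptop MAC, both with ISO 8601 timestamps in one time zone so that string order is time order; the sample lines are made up for the example.

```shell
#!/bin/sh
# Who was using a given public IP at a given time? Added example, not from
# the thread. It joins two constructed logs: DHCP acknowledgements from the
# gateway and captive-portal logins (library card number -> laptop MAC).
# Timestamps are ISO 8601 in one zone, so plain string order is time order.
DHCP_LOG='2001-11-05T09:58:01 DHCPACK 192.168.100.23 00:11:22:33:44:55
2001-11-05T10:40:05 DHCPACK 192.168.100.23 aa:bb:cc:dd:ee:01
2001-11-05T10:41:00 DHCPACK 192.168.100.24 00:11:22:33:44:55'
AUTH_LOG='2001-11-05T09:59:30 AUTH card=00123456 mac=00:11:22:33:44:55
2001-11-05T10:41:10 AUTH card=00778899 mac=aa:bb:cc:dd:ee:01'

# mac_at IP TS: the MAC that most recently got a DHCPACK for IP at or before TS
mac_at() {
    printf '%s\n' "$DHCP_LOG" | awk -v ip="$1" -v ts="$2" '
        $2 == "DHCPACK" && $3 == ip && $1 <= ts { mac = $4 }
        END { print (mac == "" ? "unknown" : mac) }'
}

# card_for MAC TS: the card that most recently logged in from MAC at or before TS
card_for() {
    printf '%s\n' "$AUTH_LOG" | awk -v want="mac=$1" -v ts="$2" '
        $2 == "AUTH" && $4 == want && $1 <= ts { sub(/^card=/, "", $3); card = $3 }
        END { print (card == "" ? "unauthenticated" : card) }'
}

# who_had_ip IP TS: chain the two lookups; fails when there was no lease at all
who_had_ip() {
    mac=$(mac_at "$1" "$2")
    if [ "$mac" = "unknown" ]; then
        echo "no lease for $1 at $2" >&2
        return 1
    fi
    card=$(card_for "$mac" "$2")
    if [ "$card" = "unauthenticated" ]; then
        # lease handed out, but nobody had logged in through the portal yet
        echo "unauthenticated mac=$mac"
    else
        echo "card=$card mac=$mac"
    fi
}

who_had_ip 192.168.100.23 2001-11-05T10:30:00
who_had_ip 192.168.100.23 2001-11-05T10:40:30
```

The second query shows the gap a captive portal leaves on its own: the address was already leased to a new laptop but no login had happened yet, so the firewall log entry for that minute maps to a MAC and nothing more. The portal's logout and session-expiry events would need to be logged the same way before a login could be treated as ending, otherwise a stale login stays attached to a MAC after the person has left.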
  14. ACL at the router should suffice by WellHungYungWun · · Score: 0

    Denying ip traffic to ports above 1024 will kill a lot of "scanners", along with some other basic ACL rules, you could have your router locked down tighter than a mouse's ear. Fake IP addresses/IP masquerading should reduce their risks even further. Then turning off incoming icmp will definitely make your router look dead to the world but still get web access through. A firewall couldn't hurt either. Some of the things we have done to limit our threats.

    --
    "On a long enough timeline, the survival rate for everyone drops to zero."
  15. Proxies, firewalls, pron, oh, my! by benjamindees · · Score: 1
    without limiting internet access

    To all the slashdotters who keep talking about proxies and firewalls:

    This person wants to give out unfettered internet access without endangering the library's local network. They obviously don't care about whether little johnny looks at pron or somebody uses it for spam or whatnot. It is not the duty of the library to protect people from the internet or vice-versa. That is all.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  16. Put a linux box in there by qurob · · Score: 1


    Have it give ONLY port 80 traffic. Put the box between the internet connection and the public switch/hub

    OR, just get a little firewall/internet appliance.

    If you do it the linux way, you can get your company to buy the latest boxed 'pro' linux distro for you, along with a book

  17. PPPoE by 1101z · · Score: 1

    Use PPPoE if you are not trying to set up anonymous network access. But either way you have to put public access ethernet access on its own network; maybe it could share with the network for your public access computers, but they should be on their own network from the library's internal computers. Tell the Librarians it would be like letting anyone in the public come in and use their private desks whenever they wanted.
    Use a linux box running PPPoE (PPP over Ethernet) that way you can track who was using what ip at what time. www.roaringpenguin.com has a commercial solution if you want to go that way, but you can do all the stuff yourself.

    --
    One day people will learn the folly of Winbloze, Linux Rules!
    1. Re:PPPoE by raju1kabir · · Score: 2
      Use PPPoE if you are not trying to set up anonymous network access.

      That seems like a pretty user-hostile approach. Most of the people (those not running OSX or XP) would have to install big bad software just to talk to the network. Who wants to do that, and who wants to put people through it, when there are so many other better solutions available?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  18. VLANs, DHCP, and Router... Oh My by fdragon · · Score: 1

    You can quickly do this with any Cisco Catalyst series switch.

    A single Catalyst 2924XL with say half its ports tossed into a different VLAN than your regular network, and your router understanding the new addresses is all you need.

    For DHCP, just set the Catalyst to relay the DHCP request to the server. You will have to add an appropriate range to serve of course.

    Very simple, and in most cases do not have to spend any additional money as most places will already have either Cisco or Nortel switches that are capable of running a VLAN.

    If you need to purchase one, Cisco Catalyst 2924XL switches can be had for at most $2000 which is inside most libraries' budgets.

    --
    The program isn't debugged until the last user is dead.
  19. Acceptable Use Policy by scubacuda · · Score: 2

    If bandwidth is very limited, make sure people understand that their connection will be cut off if they use up more than their fair share of the bandwidth.

    There are all sorts of Internet throttling software solutions out there you might want to check into. With some you can put weighted percentages/priorities on certain types of traffic.

    Be sure to segment the network properly. Put everything important on a separate subnet. In fact, even better if you can PHYSICALLY segment it completely! Maybe buy a separate DSL line to be used for these library visitors (something I'd really push for). Then create a separate LAN that is not connected to anything important on the other side.

  20. ACK! NO! by schon · · Score: 1

    turning off incoming icmp will definitely make your router look dead to the world

    ACK! NO!

    ICMP is a _required_ part of the TCP/IP stack. At a bare minimum, it's used to let the clients know that a remote service or network is unavailable, instead of making them wait for a timeout. Blocking inbound "Fragmentation needed but DF set" packets will also cause an admin nothing but headaches when the path MTU gets smaller than what's set in the client.

    Maybe (MAYBE) you disable inbound ICMP Echo_request (to stop some script kiddies from portscanning you) or redirects from non-local addresses, but stopping inbound ICMP is a sure way to cause yourself headaches. It won't "make your router look dead to the world," but it will cause problems for legitimate users.

  21. If you are really paranoid... by RinkSpringer · · Score: 1

    You may want to limit by Ethernet Addresses, so unrecognized ethernet cards will not be accepted. Of course, this is not 100% foolproof, but it will give most wannabe hackers a major headache.

    FreeBSD can do this, you can find it here. It's part of the high uptime project.

    Furthermore, I would suggest a firewall setup which blocks about anything but HTTP and possibly FTP. A proxy server may be your best option for this.

    Good luck!
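Put together, the advice that recurs through the thread (photon317's and kasparov's three-interface firewall box, the Anonymous Coward's web-and-ssh-only outbound rule, schon's correction that the ICMP control messages must stay open, and the MAC restriction just above) fits in one rule set. The script below is an added example, not configuration from the thread or from any vendor mentioned in it, and it is written for Linux iptables with the conntrack and mac match modules rather than the ipchains or OpenBSD setups a 2001 box would have run. Assumed: eth0 faces the T1 router, eth1 is the public segment on 192.168.100.0/24 (the /24 kasparov wrote), eth2 is the trusted LAN on 192.168.0.0/24, and the firewall itself runs DHCP and a caching resolver for the public side, since forwarding only web ports leaves laptops no other way to resolve names. By default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Three-zone Linux firewall for a library public-access segment.
# Added example; assumed layout (not from the thread):
#   eth0 = external, towards the T1 router
#   eth1 = public laptops (DMZ)  192.168.100.0/24
#   eth2 = trusted library LAN   192.168.0.0/24
# Default is a dry run that prints the rules; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT=eth0; PUB=eth1; TRUST=eth2
PUB_NET=192.168.100.0/24
TRUST_NET=192.168.0.0/24
PUB_TCP_OUT="80 443 22"     # what public laptops may reach on the Internet
MAC_ALLOW="${MAC_ALLOW:-}"  # optional space-separated MAC allowlist

fw_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m conntrack --ctstate INVALID -j DROP
        $IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # ICMP: keep the control messages TCP/IP depends on (unreachable,
    # including fragmentation-needed for path-MTU discovery, and
    # time-exceeded); only echo-request from the outside is dropped.
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type $t -j ACCEPT
        $IPT -A FORWARD -p icmp --icmp-type $t -j ACCEPT
    done
    $IPT -A INPUT -i $EXT -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Services the firewall itself offers the public segment: DHCP
    # (discover packets come from 0.0.0.0, so no source filter) and the
    # assumed local caching resolver.
    $IPT -A INPUT -i $PUB -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i $PUB -s $PUB_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $PUB -s $PUB_NET -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $TRUST -s $TRUST_NET -j ACCEPT

    # Public must never reach the trusted LAN; stated explicitly even
    # though the default policy already drops it.
    $IPT -A FORWARD -i $PUB -o $TRUST -j DROP
    # Public -> Internet: web and ssh only, each new flow logged so an
    # address and time can later be matched against lease records.
    for port in $PUB_TCP_OUT; do
        $IPT -A FORWARD -i $PUB -o $EXT -s $PUB_NET -p tcp --dport $port \
            -m conntrack --ctstate NEW -j LOG --log-prefix "PUB-NEW: "
        $IPT -A FORWARD -i $PUB -o $EXT -s $PUB_NET -p tcp --dport $port -j ACCEPT
    done
    # Trusted LAN: unrestricted outbound.
    $IPT -A FORWARD -i $TRUST -o $EXT -s $TRUST_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}

# Optional registered-laptop restriction: only listed source MACs are
# forwarded from the public segment. A MAC is trivially changed, so this
# is a speed bump rather than a control on its own.
mac_rules() {
    [ -n "$MAC_ALLOW" ] || return 0
    $IPT -N PUBMAC
    for m in $MAC_ALLOW; do
        $IPT -A PUBMAC -m mac --mac-source "$m" -j RETURN
    done
    $IPT -A PUBMAC -j DROP
    $IPT -I FORWARD 1 -i $PUB -j PUBMAC
}

fw_rules
mac_rules
```

Port 25 never appears, so the spam worry raised above is handled by the default FORWARD policy rather than by a deny rule that could be ordered wrongly; anything not in PUB_TCP_OUT is simply not forwarded from the public side. The LOG rule only fires on the first packet of each flow, which keeps the volume manageable while still giving the timestamped source address that the lease lookup needs.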