Internet Access at your Local Libraries?
gettingOnline asks: "I work for a library that will soon offer public access to our network. You come in with your network ready portable computer, change your config to use DHCP, plug in, and you have T1 access to the net. Other libraries are offering this service already, and there's no doubt we will offer it, no matter what the security issues are. What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access."
First of all, why is it even a question as to whether or not you should create a separate network for the public terminals? Why on earth would you have the library's machines on the same network as the public machines? At the very least, assuming you're using a NAT setup, you should have a firewall keeping 192.168.1.* (public) from touching 192.168.2.* (private).
Your firewall should also only allow outbound port 80, 443, and maybe 22, unless you want people to be able to send mail, in which case you'll also be allowing them to send spam, and you'll be risking having your library's IPs blackholed. Personally for this type of setup I wouldn't allow port 25. If they really need to check mail they can use hotmail or one of the other myriad webmail systems. Web, SSH, and https are really the only reasonably safe services to allow.
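The policy in the comment above (public subnet may never reach the private subnet; public subnet gets outbound 80, 443 and 22 only; no port 25), written out as a Linux gateway rule set. This is an added example, not code from the thread or from any poster. It assumes a Linux box running iptables with three interfaces (eth0 to the T1, eth1 to the public 192.168.1.0/24 LAN, eth2 to the staff 192.168.2.0/24 LAN); the interface names and the extra DNS rule (patrons cannot resolve hostnames without it, which the comment does not mention) are assumptions. The script prints the commands it would run unless APPLY=1 is set, so the rule set can be reviewed before it touches a live gateway.

```shell
#!/bin/sh
# Added example: hypothetical iptables rule set for a library gateway.
# Assumed layout: eth0 = T1 uplink, eth1 = public/patron LAN,
# eth2 = staff LAN. Dry-run (print only) unless APPLY=1.

UPLINK=eth0
PUBLIC_IF=eth1
STAFF_IF=eth2
PUBLIC_NET=192.168.1.0/24
STAFF_NET=192.168.2.0/24

# Wrapper: echo the command in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

gateway_rules() {
    # Default deny: nothing crosses the gateway unless a rule below allows it.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # Replies to connections already allowed may flow back in either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The public LAN must never reach the staff LAN; this sits before any ACCEPT.
    ipt -A FORWARD -i "$PUBLIC_IF" -s "$PUBLIC_NET" -d "$STAFF_NET" -j DROP

    # Public LAN outbound: web, https and ssh only (the comment's "80, 443, and maybe 22").
    for port in 80 443 22; do
        ipt -A FORWARD -i "$PUBLIC_IF" -o "$UPLINK" -s "$PUBLIC_NET" \
            -p tcp --dport "$port" -j ACCEPT
    done

    # Assumed addition: patrons need DNS or none of the above is usable.
    ipt -A FORWARD -i "$PUBLIC_IF" -o "$UPLINK" -s "$PUBLIC_NET" \
        -p udp --dport 53 -j ACCEPT

    # Anything else from the public LAN (smtp/25 included) is logged, then
    # falls through to the DROP policy.
    ipt -A FORWARD -i "$PUBLIC_IF" -j LOG --log-prefix "public-lan-drop: "

    # Staff LAN keeps unrestricted outbound access.
    ipt -A FORWARD -i "$STAFF_IF" -o "$UPLINK" -s "$STAFF_NET" -j ACCEPT

    # Both LANs are NATed behind the T1 address.
    ipt -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# Stand-alone run: print (or apply) the rule set.
gateway_rules
```

The subnet DROP is placed ahead of every ACCEPT so that a later rule cannot accidentally let patrons at staff machines, and the LOG rule gives the librarian a record of what is being refused without opening anything. Rules for traffic addressed to the gateway itself (the INPUT chain, needed if the same box serves DHCP to the patron LAN) are deliberately out of scope here.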
Well, first of all: You should segment your network, with an old Linux box as gateway.
Whether or not you'd consider this a 'separate network' is really up to you. However, it may be that you can't do this, for technical or political (or economical) reasons. Having worked as a network admin for a small library, I understand that there is a well-considered hesitance to embrace yet another chunk of technology that only one employee (and, at that, a highly mobile and long-term-unpredictable one) understands. Essentially, you want something that's drop-dead stupid to administer, so that (if, for any reason, you leave) some poor high-school schmuck who just happens to be the kid of one of the librarians stands at least even odds of being able to get it going again.
So instead, you could do something like only assign IPs within a certain 'redlisted' range, such that the important computers on the network can run some cheap-ass firewall freeware to block from those IPs. Such a solution doesn't protect everyone, but it's really fast and easy.
Alternately, you could always buy one of those $60 firewall/routers between the rest of the library's computers and the Internet, and then put the newcomers outside said firewall. Such boxes are easy to administer, and come with nice glossy manuals. Set it up like this:
[T1]
|
|
[Hub for Anonymous Users]
|
[Firewall/Router]
|
{all the other computers}
However, in this scenario, you'll need to make sure that the firewall appliance is (a) able to handle a simple 100BaseTX connection (not just, say, PPPoE) and has sufficiently full NAT support that dhcpd could still be heard from behind it. (Either this last, or ensure that dhcpd is upstream, near (or on) the T1 gateway).
This option also has the downside of forcing NAT upon all the rest of the library's computers, which (depending on how things are set up) could be a big pain in the ass, or break your network altogether. Caveat Emptor.
- undoware.ca