Internet Access at your Local Libaries?

gettingOnline asks: "I work for a library that will soon offer public access to our network. You come in with your network ready portable computer, change your config to use DHCP, plug in, and you have T1 access to the net. Other libraries are offering this service already, and there's no doubt we will offer it, no matter what the security issues are. What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access."

Create a seperate network

[photon317]

Any solution short of creating a seperate network is really asknig for trouble. It's notmuch trouble or money to segment your network into a "private" ethernet for the librarians' servers and workstations, and a "public" ethernet for random laptops. Fence it up with an OpenBSD or Linux router/firewall box with a few ethernet cards in it and you're done (Linux is more multi-purpose and easier for most - OpenBSD is considerably more rock-solid-secure for a firewall-only box, IMHO).

Lan Parties?

[BumbaCLot]

Will you allow gamers to come in and set up lan games as well?
Personally I would define the 'internet' as too broad to give access to, you would be better off running a proxy for limited 'www access', and creating logins for everyone based on their library card info/etc..

Policy first, technology second

[linuxwrangler]

You need to outline the various risks and have the administration determine a policy. That both gives you a basis for your technological decisions and it covers your a**. Start by determining the purpose of allowing access - is it just for web research or do you want to provide other access as well?

Some potential problems:

Unlimited and unlogged access?? What a great place for spammers, crackers and such to get net access.

Everyone on the same subnet (w/o router restrictions)?? Everyone with open Windoze shares will be vulnerable while logged in.

Log all access?? You may run afoul of privacy concerns and laws.

If you only intend to provide http(s) and ftp you might consider putting users behing a Squid proxy to improve speed and help limit access (not a substitute for firewalling, though).

I would in any case make sure that the IP (or even entire connection) you use is separate from your administrative connection so if something bad happens (you provided full access and got blacklisted for spam for instance), your administrative functions will not be impaired.

captive gateway

[austad]

Obviously, this should be a separate network, but for users to get access to the net, they should have to log in with their library card number and a password. The best way to do this would be to use a firewall that has captive gateway support. When the user tries to use a browser to go somewhere, the firewall intercepts the traffic and brings up a login page. This way, you get accounting information of who's using the network, and what they are doing. If you run into problems, you can go back on your logs and pin it down to the person who caused the trouble.

Netscreen makes a model called the 5xp. There's a $495 version that will allow 10 clients at a time behind it, and there's a $995 version that allows unlimited. It has the "captive gateway" code built in, and it can authenticate against a local database on the firewall, or a 3rd party RADIUS or LDAP server. I use several of these units and they are probably the most impressive piece of equipment for the money I've ever seen. The captive gateway stuff works sweet for wireless networks also (although I use one of their larger firewalls and put the WAP in a separate zone). I have a 5xp at home, and the sheer number of features it has well surpasses that of a $30,000 Cisco PIX.