Internet Access at your Local Libaries?

gettingOnline asks: "I work for a library that will soon offer public access to our network. You come in with your network ready portable computer, change your config to use DHCP, plug in, and you have T1 access to the net. Other libraries are offering this service already, and there's no doubt we will offer it, no matter what the security issues are. What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access."

Create a seperate network

[photon317]

Any solution short of creating a seperate network is really asknig for trouble. It's notmuch trouble or money to segment your network into a "private" ethernet for the librarians' servers and workstations, and a "public" ethernet for random laptops. Fence it up with an OpenBSD or Linux router/firewall box with a few ethernet cards in it and you're done (Linux is more multi-purpose and easier for most - OpenBSD is considerably more rock-solid-secure for a firewall-only box, IMHO).

Re:Create a seperate network

[skotte]

yeah, really the whole "Public Access Network" should be covered by a fFirewall, and good logs need be kept.

i can hear the kiddies whining about privacy now. i know, i know. but come on fFolks. it's a public access point. You sort of expect to give up some privacy in that case. If you want anonymity, buy it yourself.

Lan Parties?

[BumbaCLot]

Will you allow gamers to come in and set up lan games as well?
Personally I would define the 'internet' as too broad to give access to, you would be better off running a proxy for limited 'www access', and creating logins for everyone based on their library card info/etc..

Re:Lan Parties?

[Godeke]

I would have to agree with this assessment - the library should set the lan up distinct from any other networks already in place and only allow access out via a proxy. Whether access to the proxy is based on the library card is a different issue. On one side I can see that accountability of use (using the library to set up a freemail account and send death threats from there) must be balanced with the fact that someone may be at the library precisely so they can access information that may be sensitive in their own home environment. Release of information clauses about the use of the proxy would have to be very tight for most people to feel comfortable using it (i.e., will release with a warrant).

Of course, with the new cybersnooping laws looming everywhere in response to the massive armies of terrorist/cracker/Taliban that failed to appear, perhaps that's too much to ask for.

Re:Lan Parties?

[skotte]

i saw this title and just thought, y'know, thats what this can easily become. one big invitation fFor the local gamers union to park themselves in the library.

oh, not at fFirst. when the system is new, and the ports are bright and shiny, they will stand out in the middle of the room with a proud librarian hovering over them.

but at some point, the new will wear off. and "that kid who comes in fFor a while" will become "a couple kids who waste the whole afternoon here." and the ports will get moved to a corner, thus encouraging the kids to spend the whole dern day there, while the librarian stews at the desk.

ok, i got a little carried away.

but like, what such a system really needs is a method of checks and balances. time limits fFor example. just as a book may be checked out, use of a port would be checked out on a library card.

additionally, a set of clear rules would need to be installed. fFor example, NO PORN (you mooks). i know, covering this becomes very tricky. like what if the librarian decides any gay content is akin to porn? and we all know babysitter software doesnt work.

limit risk ... of what?

[tswinzig]

What I want to know from all of the network gurus out there is what we can do, short of creating a separate network, to minimize risk without limiting internet access

What do you want to limit the risk of, exactly?

Re:limit risk ... of what?

[skotte]

well, thats a fFair enough question.

when you allow someone onto your network, it's like letting them lounge in your living room. they could very easily take paperweights and drop things on the carpet. or to be a bit more precise in this case at hand, a person may be inclined to alter official library records. this is something which could be done easy enough anyway, but with a person bringing their own laptop to the location, fFilled with whatever may be held therein, you are really opening the door fFor viruses and crackers.

Re:limit risk ... of what?

[tswinzig]

My point was it was not clear from the question what ELSE was going to be on this library network. The way it was described, it was just going to be an internet connection with a LAN that anyone can connect into using DHCP to get online. If that's the case, nothing needs to be done. Just post a sign telling everyone that they need to make sure their machines are secured, or they risk having an intruder connect to their machine. Recommend ZoneAlarm or something similar.

In fact, I believe the newer linksys routers can actually be enabled so that they check new systems to make sure they have zonealarm installed... maybe you could use that.

start with your library cards?

[kootch]

why not add a tiny bit of restrictiveness to the system just to prevent people from acting stupid and believing that they are untraceable.

I've seen systems that when you try your first connection using DHCP, you need to input a username and password... often used in new highrise apt complexes that come with broadband.

make the user put in their library card name and number. hell, it's very little information for providing them with broadband access, right?

but I think this might also help when budget time rolls around and the state/county/etc asks you to justify your cost. you then show them usage stats and show how it is a desired service.

I also see lots of other marketing benefits, but it'll take too long to go into them.

Policy first, technology second

[linuxwrangler]

You need to outline the various risks and have the administration determine a policy. That both gives you a basis for your technological decisions and it covers your a**. Start by determining the purpose of allowing access - is it just for web research or do you want to provide other access as well?

Some potential problems:

Unlimited and unlogged access?? What a great place for spammers, crackers and such to get net access.

Everyone on the same subnet (w/o router restrictions)?? Everyone with open Windoze shares will be vulnerable while logged in.

Log all access?? You may run afoul of privacy concerns and laws.

If you only intend to provide http(s) and ftp you might consider putting users behing a Squid proxy to improve speed and help limit access (not a substitute for firewalling, though).

I would in any case make sure that the IP (or even entire connection) you use is separate from your administrative connection so if something bad happens (you provided full access and got blacklisted for spam for instance), your administrative functions will not be impaired.

My opinion

[Snafoo]

Well, first of all: You should segment your network, with an old Linux box as gateway.

Whether or not you'd consider this a 'separate network' is really up to you. However, it may be that you can't do this, for technical or political (or economical) reasons. Having worked as a network admin for a small library, I understand that there a well-considered hesitance to embrace yet another chunk of technology that only one employee (and, at that,a highly mobile and long-term-unpredictable one) understands. Essentially, you want something that's drop-dead stupid to administer, so that (if, for any reason, you leave) some poor high-school schmuck who just happens to be the kid of one of the librarians stands at least even odds of being able to get it going again.

So instead, you could do something like only assign IPs within a certain 'redlisted' range, such that the important computers on the network can run some cheap-ass firewall freeware to block from those IPs. Such a solution doesn't protect everyone, but it's really fast and easy.

Alternately, you could always buy one of those $60 firewall/routers between the rest of the library's computers and the Internet, and then put the newcomers outside said firewall. Such boxes are easy to administer, and come with nice glossy manuals. Set it up like this:

[T1]
|
|
[Hub for Anonymous Users]
|
[Firewall/Router]
|
{all the other computers}

However, in this scenario, you'll need to make sure that the firewall appliance is (a) able to handle a simple 100BaseTX connection (not just, say, PPPoE) and has sufficiently full NAT support that dhcpd could still be heard from behind it. (Either this last, or ensure that dhcpd is upstream, near (or on) the T1 gateway).
This option also has the downside of forcing NAT upon all the rest of the library's computers, which (depending on how things are set up) could be a big pain in the ass, or break your network altogether. Caveat Emptor.

captive gateway

[austad]

Obviously, this should be a separate network, but for users to get access to the net, they should have to log in with their library card number and a password. The best way to do this would be to use a firewall that has captive gateway support. When the user tries to use a browser to go somewhere, the firewall intercepts the traffic and brings up a login page. This way, you get accounting information of who's using the network, and what they are doing. If you run into problems, you can go back on your logs and pin it down to the person who caused the trouble.

Netscreen makes a model called the 5xp. There's a $495 version that will allow 10 clients at a time behind it, and there's a $995 version that allows unlimited. It has the "captive gateway" code built in, and it can authenticate against a local database on the firewall, or a 3rd party RADIUS or LDAP server. I use several of these units and they are probably the most impressive piece of equipment for the money I've ever seen. The captive gateway stuff works sweet for wireless networks also (although I use one of their larger firewalls and put the WAP in a separate zone). I have a 5xp at home, and the sheer number of features it has well surpasses that of a $30,000 Cisco PIX.

Acceptable Use Policy

[scubacuda]

If bandwidth is very limited, make sure people understand that their connection will be cut off if they use up more than fair share of the bandwidth.

There are all sorts of Internet throttling software solutions out there you might want to check into. With some you can put weighted percentages/priorities on certain types of traffic.

Be sure to segment the network properly. Put everything important on a separate subnet. In fact, even better if you can PHYSICALLY segment it completely! Maybe buy a separate DSL line to be used for these library visitors (something I'd really push for). Then create a separate LAN that is not connected to anything important on the other side.

Re:PPPoE

[raju1kabir]

Use PPPoE if you are not tring to setup anonymous network access.

That seems like a pretty user-hostile approach. Most of the people (those not running OSX or XP) would have to install big bad software just to talk to the network. Who wants to do that, and who wants to put people through it, when there are so many other better solutions available?

Re:Accountability

[unitron]

"He accesses his favorite BSDM site..."

BSDM? Berkeley Software Distribution Masochist?