wireless MAC record-keeping for URLs
We've got a portable satellite Internet connection that we'd like to share
wirelessly at several remote events this summer. All Internet traffic passes
through a Linux box, so that we have the ability for monitoring and the use
of netfilter/iptables:
Access Point(AP) <-> Linux:eth1 <-> Linux:eth0 <-> satellite modem
The AP will be allowed via MAC addresses only (ACL), so that we can keep a
list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
What we'd like to accomplish is some sort of record-keeping in order to
protect ourselves in the event that someone uses the connection to visit a
child-porn site or the like, and the FBI comes back on us, the responsible
owner of the satellite connection.
We don't wish to snoop users' content, but only to maintain a concise record
of which MAC address (and thus, $user) connects to a web site, and when. The
AP allows "URL redirection" if needed or desired, as well as remote SNMP
traps and syslog functionality.
Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
And is there a pre-defined filter of some sort that can be applied to
preemptively avoid any known child-porn sites, whatever they may be? And how
might we keep a record on the Linux box of what MAC connects to what URL and
the time and duration of each connection? Does netfilter/iptables serve any
purpose here, and if so, what syntax should be used?
Thanks for any suggestions and/or examples. Much of this is new to us, and
we'd like to get it right the first time out.
Re: wireless MAC record-keeping for URLs
On 13 Jun, 16:59, "Patrick" <ptri.c...@statrerv.corn> wrote:
> We've got a portable satellite Internet connection that we'd like to share
> wirelessly at several remote events this summer.
<snip>
> The AP will be allowed via MAC addresses only (ACL), so that we can keep a
> list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
> What we'd like to accomplish is some sort of record-keeping in order to
> protect ourselves in the event that someone uses the connection to visit a
> child-porn site or the like, and the FBI comes back on us, the responsible
> owner of the satellite connection.
>
<snip>
> Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
> And is there a pre-defined filter of some sort that can be applied to
> preemptively avoid any known child-porn sites, whatever they may be?
No - despite what the FhesPbageby sales guy says. But Dans Guardian
might be a good start.
You should also think about skipping MAC addresses (which are easily
changed) and establish an authenticated session on the proxy. It's
still not perfect but a lot better than host based authentication.
(hint: use the URL re-writer to only allow unmodified - but filtered -
URLs from the user logged on from the IP address through - and do your
logging in the re-writer).
Not sure about the integration with Dans Guardian, but the auth/log
thing is maybe 100 lines of PHP/Perl/....
C.
Re: wireless MAC record-keeping for URLs
In news:5daij8F32qb2qU1@mid.individual.net,
Patrick <ptri.c.k.@statrerv.corn> wrote:
> We've got a portable satellite Internet connection that we'd like to
> share wirelessly at several remote events this summer. All Internet
> traffic passes through a Linux box, so that we have the ability for
> monitoring and the use of netfilter/iptables:
....
> Does a transparent proxy seem reasonable? Is "squid" the tool for
> this task? And is there a pre-defined filter of some sort that can be
> applied to preemptively avoid any known child-porn sites, whatever
> they may be? And how might we keep a record on the Linux box of what
> MAC connects to what URL and the time and duration of each
> connection? Does netfilter/iptables serve any purpose here, and if
> so, what syntax should be used?
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
seems perfect, using squidguard and calamaris log analyzer.
Re: wireless MAC record-keeping for URLs
Patrick wrote:
> The AP will be allowed via MAC addresses only (ACL), so that we can
> keep a list of who belongs to what MAC; IP addresses will be
> DHCP-served by the AP.
Can the AP keep a log (syslog to the Linux system you described as acting
as your router, perhaps?) of which MAC addresses it provided which IP
addresses to at given times?
> What we'd like to accomplish is some sort of record-keeping in order
> to protect ourselves in the event that someone uses the connection to
> visit a child-porn site or the like, and the FBI comes back on us, the
> responsible owner of the satellite connection.
If the FBI comes back to you, they'll be asking about specific IP
addresses. If you're also NATting, my proposal above isn't much help, I
realize, but you haven't said anything about NAT.
> We don't wish to snoop users' content, but only to maintain a concise
> record of which MAC address (and thus, $user) connects to a web site,
> and when.
You're going to be able to track which IP address accessed which sites
(you could even set up your Linux gateway to provide that kind of
logging, for example), but to associate that back to a MAC address will
depend on your being able to keep a record of which IP addresses are
assigned to which MAC addresses by the DHCP server.
> And how might we keep a record on the Linux box of what MAC connects
> to what URL and the time and duration of each connection? ...
Does anyone know of a tool that can generate NetFlow (compatible) data
from a Linux gateway system? If so, that tool, with analysis from
flow-tools would likely help ... Again, based on IP addresses, though,
not MAC addresses ...
--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
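The correlation described in the reply above (proxy log keyed by IP address, joined to a record of which MAC held which IP and when), as an added example that is not part of any post in this thread. The "epoch ip mac" lease format and all sample data are constructed, and each lease is assumed to hold until the next one recorded for the same IP.

```python
import bisect
from collections import defaultdict

# Constructed sample data (not from the thread). Lease events use an assumed
# "epoch ip mac" form; a real AP's syslog lines would need their own parser.
LEASES = """\
1181746800 192.168.1.10 00:11:22:33:44:55
1181746900 192.168.1.11 66:77:88:99:aa:bb
1181750400 192.168.1.10 cc:dd:ee:ff:00:11
"""

# Squid native access.log: time elapsed_ms client result/status bytes method URL ...
ACCESS_LOG = """\
1181747000.123    250 192.168.1.10 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/192.0.2.1 text/html
1181747100.456   1200 192.168.1.11 TCP_MISS/200 900 GET http://example.net/a - DIRECT/192.0.2.2 text/html
1181751000.789     80 192.168.1.10 TCP_HIT/200 300 GET http://example.com/b - NONE/- text/html
1181740000.000     10 192.168.1.12 TCP_MISS/200 100 GET http://example.org/c - DIRECT/192.0.2.1 text/html
"""

def load_leases(text):
    """Return {ip: ([start_times], [macs])}, both lists sorted by start time."""
    events = defaultdict(list)
    for line in text.splitlines():
        start, ip, mac = line.split()
        events[ip].append((int(start), mac.lower()))
    table = {}
    for ip, evs in events.items():
        evs.sort()
        table[ip] = ([s for s, _ in evs], [m for _, m in evs])
    return table

def mac_at(table, ip, when):
    """MAC holding `ip` at time `when`, or None if no lease is on record."""
    starts, macs = table.get(ip, ([], []))
    i = bisect.bisect_right(starts, when) - 1  # latest lease starting <= when
    return macs[i] if i >= 0 else None

def attribute(access_text, table):
    """Yield (epoch, elapsed_ms, mac, url) per request; mac may be None."""
    for line in access_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip malformed or truncated lines
        ts, elapsed, ip, url = float(f[0]), int(f[1]), f[2], f[6]
        yield ts, elapsed, mac_at(table, ip, ts), url

RECORDS = list(attribute(ACCESS_LOG, load_leases(LEASES)))
```

The first and third requests come from the same IP but resolve to different MACs because the address was re-leased in between; the fourth has no lease on record and comes back with `None`, which is the gap to look for when checking that the AP's lease logging is complete.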
Re: wireless MAC record-keeping for URLs
IMHO, authentication is the best option. MAC & IP addresses can be
easily spoofed. But a user is always responsible for keeping his
username and password confidential. If he shares it with anybody, who
misuses it, it is his funeral.
I would have used something like squid + dansguardian, or better
still, SafeSquid, since it is a proxy with content filtering and also
allows creation of users from its GUI interface. No point in setting
up and configuring another user database for authentication, if this
is going to be a temp session.
Then I would use url blacklist to block categories like porn and
anonymous proxy, and to be double sure, I would use Keyword Filter to
analyze the websites being visited for unwanted keywords for porn or
anonymous proxies. This will narrow down the chances of users being
able to visit such sites.
Next I would configure a log analyzer like Sarg or Sawmill to generate
per user usage reports, so that I am ready with my reports, if the FBI
arrives.