wireless MAC record-keeping for URLs - Security


  1. wireless MAC record-keeping for URLs

    We've got a portable satellite Internet connection that we'd like to share
    wirelessly at several remote events this summer. All Internet traffic passes
    through a Linux box, so that we have the ability for monitoring and the use
    of netfilter/iptables:

    Access Point(AP) <-> Linux:eth1 <-> Linux:eth0 <-> satellite modem

    The AP will be allowed via MAC addresses only (ACL), so that we can keep a
    list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
    What we'd like to accomplish is some sort of record-keeping in order to
    protect ourselves in the event that someone uses the connection to visit a
    child-porn site or the like, and the FBI comes back on us, the responsible
    owner of the satellite connection.

    We don't wish to snoop users' content, but only to maintain a concise record
    of which MAC address (and thus, $user) connects to a web site, and when. The
    AP allows "URL redirection" if needed or desired, as well as remote SNMP
    traps and syslog functionality.

    Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
    And is there a pre-defined filter of some sort that can be applied to
    preemptively avoid any known child-porn sites, whatever they may be? And how
    might we keep a record on the Linux box of what MAC connects to what URL and
    the time and duration of each connection? Does netfilter/iptables serve any
    purpose here, and if so, what syntax should be used?

    Thanks for any suggestions and/or examples. Much of this is new to us, and
    we'd like to get it right the first time out.


  2. Re: wireless MAC record-keeping for URLs

    On 13 Jun, 16:59, "Patrick" wrote:
    > We've got a portable satellite Internet connection that we'd like to share
    > wirelessly at several remote events this summer.


    > The AP will be allowed via MAC addresses only (ACL), so that we can keep a
    > list of who belongs to what MAC; IP addresses will be DHCP-served by the AP.
    > What we'd like to accomplish is some sort of record-keeping in order to
    > protect ourselves in the event that someone uses the connection to visit a
    > child-porn site or the like, and the FBI comes back on us, the responsible
    > owner of the satellite connection.
    >


    > Does a transparent proxy seem reasonable? Is "squid" the tool for this task?
    > And is there a pre-defined filter of some sort that can be applied to
    > preemptively avoid any known child-porn sites, whatever they may be?


    No - despite what the FhesPbageby sales guy says. But DansGuardian
    might be a good start.

    You should also think about skipping MAC addresses (which are easily
    changed) and establish an authenticated session on the proxy. It's
    still not perfect but a lot better than host-based authentication.
    (hint: use the URL re-writer to only allow unmodified - but filtered -
    URLs from the user logged on from the IP address through - and do your
    logging in the re-writer).

    Not sure about the integration with DansGuardian, but the auth/log
    thing is maybe 100 lines of PHP/Perl/....

    C.
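
Added example, not part of the post above and not code from Squid or DansGuardian: a sketch of the rewriter-side decision the reply describes, letting a request through only when the client IP has a live login session and logging who fetched what. It assumes Squid 3.4+ helper syntax (`URL client_ip/fqdn user method ...` in, `ERR` for "leave unchanged", `OK status=302 url=...` to redirect); `LOGIN_URL`, `SESSION_TTL`, the `sessions` table and the log file path are hypothetical, and content filtering is left to the filter in front of it.

```python
import sys
import time

LOGIN_URL = "http://gateway.example/login"  # hypothetical login page
SESSION_TTL = 3600                          # assumed session lifetime, seconds

def decide(line, sessions, now, log):
    """Return the helper reply for one request line from Squid.

    Assumed input layout (Squid 3.4+ default extras, no channel-ID):
        URL client_ip/fqdn user method ...
    sessions: {client_ip: (username, login_epoch)}, maintained by the
    login page (not shown). log: callable taking one record string.
    """
    fields = line.split()
    if len(fields) < 2:
        return 'BH message="malformed request"'
    url, ip = fields[0], fields[1].split("/")[0]
    if url.startswith(LOGIN_URL):
        return "ERR"                        # login page is always reachable
    sess = sessions.get(ip)
    if sess is None or now - sess[1] > SESSION_TTL:
        sessions.pop(ip, None)              # expired or unknown: force login
        return 'OK status=302 url="%s"' % LOGIN_URL
    # Record time, user, IP and URL. The query string is dropped here as a
    # choice of this example, to keep the record to "who visited what, when".
    log("%d %s %s %s" % (now, sess[0], ip, url.split("?", 1)[0]))
    return "ERR"                            # pass the URL through unmodified

if __name__ == "__main__":
    sessions = {}                           # a real setup shares this with the login page
    with open("rewriter-access.log", "a") as fh:   # hypothetical log file
        for request in sys.stdin:
            reply = decide(request, sessions, time.time(),
                           lambda rec: fh.write(rec + "\n"))
            print(reply, flush=True)        # Squid expects unbuffered replies
```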


  3. Re: wireless MAC record-keeping for URLs

    In news:5daij8F32qb2qU1@mid.individual.net,
    Patrick wrote:

    > We've got a portable satellite Internet connection that we'd like to
    > share wirelessly at several remote events this summer. All Internet
    > traffic passes through a Linux box, so that we have the ability for
    > monitoring and the use of netfilter/iptables:

    ....
    > Does a transparent proxy seem reasonable? Is "squid" the tool for
    > this task? And is there a pre-defined filter of some sort that can be
    > applied to preemptively avoid any known child-porn sites, whatever
    > they may be? And how might we keep a record on the Linux box of what
    > MAC connects to what URL and the time and duration of each
    > connection? Does netfilter/iptables serve any purpose here, and if
    > so, what syntax should be used?


    http://www.cyberciti.biz/tips/linux-...uid-howto.html
    seems perfect, using squidguard and calamaris log analyzer.


  4. Re: wireless MAC record-keeping for URLs

    Patrick wrote:

    > The AP will be allowed via MAC addresses only (ACL), so that we can
    > keep a list of who belongs to what MAC; IP addresses will be
    > DHCP-served by the AP.


    Can the AP keep a log (syslog to the Linux system you described as acting
    as your router, perhaps?) of which MAC addresses it provided which IP
    addresses to at given times?

    > What we'd like to accomplish is some sort of record-keeping in order
    > to protect ourselves in the event that someone uses the connection to
    > visit a child-porn site or the like, and the FBI comes back on us, the
    > responsible owner of the satellite connection.


    If the FBI comes back to you, they'll be asking about specific IP
    addresses. If you're also NATting, my proposal above isn't much help, I
    realize, but you haven't said anything about NAT.

    > We don't wish to snoop users' content, but only to maintain a concise
    > record of which MAC address (and thus, $user) connects to a web site,
    > and when.


    You're going to be able to track which IP address accessed which sites
    (you could even set up your Linux gateway to provide that kind of
    logging, for example), but to associate that back to a MAC address will
    depend on your being able to keep a record of which IP addresses are
    assigned to which MAC addresses by the DHCP server.

    > And how might we keep a record on the Linux box of what MAC connects
    > to what URL and the time and duration of each connection? ...


    Does anyone know of a tool that can generate NetFlow (compatible) data
    from a Linux gateway system? If so, that tool, with analysis from
    flow-tools would likely help ... Again, based on IP addresses, though,
    not MAC addresses ...

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------
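
Added example, not part of the post above: one way to do the join this reply describes, mapping each proxy log entry back to the MAC that held the client IP at that moment. The lease records are a constructed, simplified format (real AP syslog output differs), the access lines are constructed in Squid's native access.log layout, and all function names are hypothetical.

```python
import bisect
from collections import defaultdict

# Constructed sample: AP lease events reduced to "epoch mac ip lease_seconds".
LEASES = """\
1181750000 00:11:22:aa:bb:01 192.168.1.23 600
1181750100 00:11:22:aa:bb:02 192.168.1.24 600
1181751000 00:11:22:aa:bb:03 192.168.1.23 600
"""

# Constructed lines in Squid's native access.log layout:
# time.ms elapsed client code/status bytes method URL user peer type
ACCESS = """\
1181750340.123    210 192.168.1.23 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/203.0.113.5 text/html
1181750700.500     95 192.168.1.23 TCP_MISS/200 900 GET http://example.net/a - DIRECT/203.0.113.9 text/html
1181751200.010    180 192.168.1.23 TCP_MISS/200 1200 GET http://example.com/b - DIRECT/203.0.113.7 text/html
"""

def load_leases(text):
    """Return {ip: sorted list of (start, end, mac)}."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        start, mac, ip, secs = line.split()
        by_ip[ip].append((int(start), int(start) + int(secs), mac.lower()))
    for spans in by_ip.values():
        spans.sort()
    return by_ip

def mac_at(by_ip, ip, when):
    """MAC that held `ip` at time `when`, or None if no lease covers it."""
    spans = by_ip.get(ip, [])
    # Index of the last lease that started at or before `when`.
    i = bisect.bisect_right(spans, (when, float("inf"), "")) - 1
    if i >= 0 and spans[i][0] <= when < spans[i][1]:
        return spans[i][2]
    return None

def attribute(access_text, by_ip):
    """Return [(epoch, mac_or_None, ip, url)] for each access.log line."""
    rows = []
    for line in access_text.splitlines():
        f = line.split()
        when, ip, url = float(f[0]), f[2], f[6]
        rows.append((int(when), mac_at(by_ip, ip, when), ip, url))
    return rows

if __name__ == "__main__":
    for row in attribute(ACCESS, load_leases(LEASES)):
        print(*row)
```

The same IP resolves to two different MACs in the sample because the lease was reissued, and the middle request falls in a gap with no lease, so it comes back unattributed (`None`) rather than being pinned on the previous holder.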

  5. Re: wireless MAC record-keeping for URLs

    IMHO, authentication is the best option. MAC & IP addresses can be
    easily spoofed. But a user is always responsible for keeping his
    username and password confidential. If he shares it with anybody, who
    misuses it, it is his funeral.

    I would have used something like squid + dansguardian, or better
    still, SafeSquid, since it is a proxy with content filtering and also
    allows creation of users from its GUI interface. No point in setting
    up and configuring another user database for authentication, if this
    is going to be a temp session.

    Then I would use a URL blacklist to block categories like porn and
    anonymous proxy, and to be double sure, I would use Keyword Filter to
    analyze the websites being visited for unwanted keywords for porn or
    anonymous proxies. This will narrow down the chances of users being
    able to visit such sites.

    Next I would configure a log analyzer like Sarg or Sawmill to generate
    per user usage reports, so that I am ready with my reports, if the FBI
    arrives.

