Networking Forums
Internet access control..
Geir Holmavatn
      02-06-2006, 04:39 PM
Hi,

We need to set up an Ubuntu box to act as an HTTP proxy and also control
internet access by MAC address.

Which tools / software exist that work with Ubuntu and enable us to use
some kind of database with MAC addresses mapped to computer names to control
internet access and log activity?

Thanks a lot for hints and solutions

regards

geir
prg
      02-06-2006, 05:25 PM

Geir Holmavatn wrote:
> Hi,
>
> We need to set up an Ubuntu box to act as an HTTP proxy and also control
> internet access by MAC address.


Why access control by MAC? MAC addresses are link-local addresses, so they
don't propagate beyond the local link (subnet).

> Which tools / software exist that work with Ubuntu and enable us to use
> some kind of database with MAC addresses mapped to computer names to control
> internet access and log activity?


Well, you might have some luck if you're using managed VLAN switches on
your network, which I assume you are not. Directory server?

Squid is quite capable but whether it (or whether any other proxy) will
satisfy your needs is doubtful. See here:
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.20

What are you trying to accomplish? What kind/level of access control
are you wanting? Why using MAC addresses? Why will Squid together
with netfilter firewall not meet your needs using IP addresses?

I guess I'm having trouble imagining why you want to do acls via MACs.

advise,
prg
Geir Holmavatn
      02-06-2006, 06:07 PM
"prg" wrote:
>


> Squid is quite capable but whether it (or whether any other proxy) will
> satisfy your needs is doubtful. See here:
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.20
>
> What are you trying to accomplish? What kind/level of access control
> are you wanting? Why using MAC addresses? Why will Squid together
> with netfilter firewall not meet your needs using IP addresses?
>
> I guess I'm having trouble imagining why you want to do acls via MACs.


As we have DHCP I thought I needed MAC to identify each computer?

This is internet access to a high school dorm. In case of students getting
too creative (hacking other sites etc.) we need an emergency way to find out
who the offender was by checking backlogs. How would you guys do this?

Also we don't want foreigners to plug their computers into this LAN. Is
logging on with username and password better?

Thanks again for suggestions and comments

regards

Geir

prg
      02-06-2006, 07:38 PM

Geir Holmavatn wrote:
> "prg" wrote:
> >

>
> > Squid is quite capable but whether it (or whether any other proxy) will
> > satisfy your needs is doubtful. See here:
> > http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.20
> >
> > What are you trying to accomplish? What kind/level of access control
> > are you wanting? Why using MAC addresses? Why will Squid together
> > with netfilter firewall not meet your needs using IP addresses?
> >
> > I guess I'm having trouble imagining why you want to do acls via MACs.

>
> As we have DHCP I thought I needed MAC to identify each computer?
>
> This is internet access to a high school dorm. In case of students getting
> too creative (hacking other sites etc.) we need an emergency way to find out
> who the offender was by checking backlogs. How would you guys do this?
>
> Also we don't want foreigners to plug their computers into this LAN. Is
> logging on with username and password better?
>
> Thanks again for suggestions and comments


You might want to look at these and see if they can be used or adapted
for your needs. These are for campuses where students and staff bring
along their own computers and must register them with the campus before
gaining network access. Also used to check for software (antivirus and
updates) on Windows boxes.

http://www.netreg.org/
http://www.usenix.org/publications/l...n/valian_html/
http://helpdesk.utmem.edu/netreg/linux.htm
http://www.cs.usfca.edu/~afedosov/netgreg/ << wireless connections

http://www.southwestern.edu/pipermail/netreg/
http://www.southwestern.edu/pipermai...er/001071.html
<< help?

If you allow something like this, then this may be the best way to go
as the MAC address is included as the clientID in the dhcp request.

If you provide the computers, just set up DHCP using the MACs. This
will provide a MAC/IP mapping. The registration of NetReg collects the
MAC in a similar fashion and does/can provide additional
authentication/authorization processes. I'm pretty sure that at least
some sites have added this capability.

Once you have MAC/IP maps you can use Squid and Netfilter as you
require. You could further refine authentication and/or authorization
via ldap or radius. Then you could ... well, make this more
complicated than needed ;-)

At the very least it should give you some ideas and maybe some
additional google terms to search for. It's been a year since I looked
at it.

Let us know if this works for your situation.

good luck,
prg
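Putting the MAC/IP-map advice above to use for Geir's "who was the offender" question: the script below is an added example, not code from this thread, from NetReg, Squid or ISC dhcpd. It joins a Squid access.log line to the records in dhcpd.leases to recover which MAC held the client IP at that instant, then looks that MAC up in the registration list. The registry entries, the lease records and the log lines are constructed sample data; the hostnames and addresses are hypothetical.

```python
"""Attribute a Squid access.log entry to a registered NIC via dhcpd.leases.

Added example for this thread (not NetReg, Squid or ISC dhcpd code).
All data below is constructed; hostnames and addresses are hypothetical.
"""
import calendar
import re
from datetime import datetime, timezone

# Registry: MAC -> owner label. Constructed sample data (hypothetical).
REGISTRY = {
    "00:11:22:33:44:55": "room-101-laptop",
    "00:11:22:33:44:66": "room-102-desktop",
}

# Constructed excerpt of /var/lib/dhcp/dhcpd.leases. dhcpd appends a new
# record each time a lease changes, so one IP can appear several times;
# timestamps are UTC ('<weekday> YYYY/MM/DD HH:MM:SS').
DHCPD_LEASES = """\
lease 10.0.0.20 {
  starts 1 2006/02/06 10:00:00;
  ends 1 2006/02/06 22:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.20 {
  starts 2 2006/02/07 08:00:00;
  ends 2 2006/02/07 20:00:00;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.0.0.21 {
  starts 2 2006/02/07 09:00:00;
  ends 2 2006/02/07 21:00:00;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
"""

# Constructed Squid native-format log lines:
# <unix time> <elapsed ms> <client ip> <code/status> <bytes> <method> <url> ...
ACCESS_LOG = """\
1139220000.123 245 10.0.0.20 TCP_MISS/200 1523 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1139302800.456 120 10.0.0.20 TCP_MISS/200 812 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1139306400.789 98 10.0.0.21 TCP_MISS/200 512 GET http://example.net/ - DIRECT/93.184.216.34 text/html
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
TIME_RE = re.compile(r"\b(starts|ends)\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")


def _dhcpd_time(text):
    """Convert a dhcpd.leases UTC timestamp to epoch seconds."""
    return calendar.timegm(datetime.strptime(text, "%Y/%m/%d %H:%M:%S").timetuple())


def parse_leases(text):
    """Return (ip, start, end, mac) tuples for every complete lease record."""
    leases = []
    for rec in LEASE_RE.finditer(text):
        body = rec.group("body")
        times = dict(TIME_RE.findall(body))
        mac = MAC_RE.search(body)
        if "starts" not in times or "ends" not in times or mac is None:
            continue  # abandoned or 'ends never' records carry no usable binding
        leases.append((rec.group("ip"), _dhcpd_time(times["starts"]),
                       _dhcpd_time(times["ends"]), mac.group(1).lower()))
    return leases


def parse_access_log(text):
    """Yield (epoch, client_ip, url) from Squid native log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7:
            yield float(parts[0]), parts[2], parts[6]


def mac_for(ip, when, leases):
    """MAC bound to `ip` at epoch `when`, or None. When records for the same
    IP overlap, the one with the latest start supersedes (dhcpd appends)."""
    live = [l for l in leases if l[0] == ip and l[1] <= when < l[2]]
    return max(live, key=lambda l: l[1])[3] if live else None


def attribute(access_log, leases_text, registry):
    """Join each proxy request to the NIC that held its source IP at the time."""
    leases = parse_leases(leases_text)
    report = []
    for when, ip, url in parse_access_log(access_log):
        mac = mac_for(ip, when, leases)
        if mac is None:
            owner = "NO LEASE"   # clock skew, static IP, or rotated lease file
        else:
            owner = registry.get(mac, "UNREGISTERED")
        report.append({
            "time": datetime.fromtimestamp(when, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "ip": ip, "mac": mac, "owner": owner, "url": url,
        })
    return report


if __name__ == "__main__":
    for row in attribute(ACCESS_LOG, DHCPD_LEASES, REGISTRY):
        print(f"{row['time']} {row['ip']:<10} {(row['mac'] or '-'):<17} "
              f"{row['owner']:<16} {row['url']}")
```

Two things decide whether this works on a real box. First, the join is only as good as the clocks: Squid logs epoch time and dhcpd writes UTC, so the proxy and the DHCP server must agree on the time, which is why the same machine doing both (as in the setup described here) is convenient. Second, dhcpd rewrites dhcpd.leases periodically and drops expired records, so the file has to be archived (a copy per day is enough) or the "NO LEASE" case becomes the common one when an incident is reported weeks later. The result names a NIC, not a person; a MAC address is set with one command on most systems, so the registry tells you which registered machine to ask about, nothing stronger.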
Geir Holmavatn
      02-09-2006, 08:06 PM
"prg" wrote:

> http://www.southwestern.edu/pipermail/netreg/
> http://www.southwestern.edu/pipermai...er/001071.html
> << help?
>
> If you allow something like this, then this may be the best way to go
> as the MAC address is included as the clientID in the dhcp request.
>
> If you provide the computers just set up dhcp using the MACs. This
> will provide a MAC/IP mapping. The registration of Netreg collects the
> MAC in a similar fashion and does/can provide additional
> authentication/authorization processes. I'm pretty sure that at least
> some sites have added this capability.
>
> Once you have MAC/IP maps you can use Squid and Netfilter as you
> require. You could further refine authentication and/or authorization
> via ldap or radius. Then you could ... well, make this more
> complicated than needed ;-)
>
> At the very least it should give you some ideas and maybe some
> additional google terms to search for. It's been a year since I looked
> at it.
>
> Let us know if this works for your situation.


Hi again,

Thanks a lot for your suggestion. NetReg looked interesting, albeit it has
its shortcomings, not being very bulletproof.

Before I test it further I just wonder if commercial solutions for such
software exist?

I plan to use this with an Ubuntu server.

regards

Geir

prg
      02-09-2006, 10:00 PM

Geir Holmavatn wrote:
> "prg" wrote:
>
> > http://www.southwestern.edu/pipermail/netreg/
> > http://www.southwestern.edu/pipermai...er/001071.html
> > << help?
> >
> > If you allow something like this, then this may be the best way to go
> > as the MAC address is included as the clientID in the dhcp request.
> >
> > If you provide the computers just set up dhcp using the MACs. This
> > will provide a MAC/IP mapping. The registration of Netreg collects the
> > MAC in a similar fashion and does/can provide additional
> > authentication/authorization processes. I'm pretty sure that at least
> > some sites have added this capability.
> >
> > Once you have MAC/IP maps you can use Squid and Netfilter as you
> > require. You could further refine authentication and/or authorization
> > via ldap or radius. Then you could ... well, make this more
> > complicated than needed ;-)
> >
> > At the very least it should give you some ideas and maybe some
> > additional google terms to search for. It's been a year since I looked
> > at it.
> >
> > Let us know if this works for your situation.

>
> Hi again,
>
> Thanks a lot for your suggestion. NetReg looked interesting, albeit it has
> its shortcomings, not being very bulletproof.
>
> Before I test it further I just wonder if commercial solutions for such
> software exist?
>
> I plan to use this with an Ubuntu server.


Well, I'm still not clear just what your primary, secondary, etc.
requirements are and at which points you need to "enforce" security
policy. Eg., are these student machines or do you own them? This
point is critical. Do you need now or maybe in the future to provide
for campus wireless access? Is controlling/monitoring web access your
_main_ concern along with ... what?

The problem you face is that educational institutions are viewed at two
levels: those with $ to spend like corporate and government profit
makers or those without that serve PR "community service" efforts.
Which are you? Do you have a local LUG that can help you review your needs
and possible solutions?

Another question is _where_ you need the bullet proofing and what kind
are you willing to spend $ for and/or in house effort on. Personally,
I don't believe in "bullet proof" security as an achievement one
actually ever attains :-) Is your available expertise to setup and
maintain a solution "limited"? Do you _need_ a shrink-wrap, commercial
solution due to practical constraints?

Afaik, any of the "portal" registration/login schemes rely on a backend
authentication and authorization service, similar to wireless WAP (ie.,
something similar to EAP). Eg., a radius server together with an ldap
server or, joy-oh-joy, Kerberos. Probably just an ldap server like
OpenLdap would be enough to start.

The restriction of Ubuntu leaves me in the dark beyond OSS software.
Not aware of any commercial solutions down that road. If you could
consider Suse, I would tell you to look in that direction for a $
solution from Novell via eDirectory, etc.

Sorry not to be able to point you any further than these generalities
without more info.

regards,
prg

Jan Sevelsted
      02-15-2006, 09:15 PM
On Thu, 09 Feb 2006 15:00:19 -0800, prg wrote:

>
> Geir Holmavatn wrote:
>> "prg" wrote:
>>
>> > http://www.southwestern.edu/pipermail/netreg/
>> > http://www.southwestern.edu/pipermai...er/001071.html
>> > << help?
>> >
>> > If you allow something like this, then this may be the best way to go
>> > as the MAC address is included as the clientID in the dhcp request.
>> >
>> > If you provide the computers just set up dhcp using the MACs. This
>> > will provide a MAC/IP mapping. The registration of Netreg collects
>> > the MAC in a similar fashion and does/can provide additional
>> > authentication/authorization processes. I'm pretty sure that at least
>> > some sites have added this capability.
>> >
>> > Once you have MAC/IP maps you can use Squid and Netfilter as you
>> > require. You could further refine authentication and/or authorization
>> > via ldap or radius. Then you could ... well, make this more
>> > complicated than needed ;-)
>> >
>> > At the very least it should give you some ideas and maybe some
>> > additional google terms to search for. It's been a year since I
>> > looked at it.
>> >
>> > Let us know if this works for your situation.

>>
>> Hi again,
>>
>> Thanks a lot for your suggestion. NetReg looked interesting, albeit it
>> has its shortcomings, not being very bulletproof.
>>
>> Before I test it further I just wonder if commercial solutions for
>> such software exist?
>>
>> I plan to use this with an Ubuntu server.

>
> Well, I'm still not clear just what your primary, secondary, etc.
> requirements are and at which points you need to "enforce" security
> policy. Eg., are these student machines or do you own them? This point
> is critical. Do you need now or maybe in the future to provide for campus
> wireless access? Is controlling/monitoring web access your _main_ concern
> along with ... what?
>
> Problem you face is that educational institutions are viewed at two
> levels: those with $ to spend like corporate and government profit makers
> or those without that serve PR "community service" efforts. Which are you?
> Do you have a local LUG that can help you review your needs and possible
> solutions?
>
> Another question is _where_ you need the bullet proofing and what kind are
> you willing to spend $ for and/or in house effort on. Personally, I don't
> believe in "bullet proof" security as an achievement one actually ever
> attains :-) Is your available expertise to setup and maintain a solution
> "limited"? Do you _need_ a shrink-wrap, commercial solution due to
> practical constraints?
>
> Afaik, any of the "portal" registration/login schemes rely on a backend
> authentication and authorization service, similar to wireless WAP (ie.,
> something similar to EAP). Eg., a radius server together with an ldap
> server or, joy-oh-joy, Kerberos. Probably just an ldap server like
> OpenLdap would be enough to start.
>
> The restriction of Ubuntu leaves me in the dark beyond OSS software. Not
> aware of any commercial solutions down that road. If you could consider
> Suse, I would tell you to look in that direction for a $ solution from
> Novell via eDirectory, etc.
>
> Sorry not to be able to point you any further than these generalities
> without more info.
>
> regards,
> prg


I'm having a similar task here. Provide a bunch of young people with
Internet access in a way so that if they clash with the rules, they can be
'relieved' of the possibilities of the big web.
This I intend to accomplish by using freesco v 0.34. It has some abilities
that enable me to do it easily.
Plan A:

1) Set up forwarding so that no-one in the subnet is allowed to go out.

2) Set up restrictions to allow specific NICs (MAC/IP combinations) to go
out. This calls for contacting the SysAdmin in order to get a working
connection.

3) Set up DHCP-service to provide static leases to each known
NIC.

4) In combination, 2 and 3 ought to cut out the industrious ones
bringing in another PC to circumvent restrictions - an unknown NIC does
get a DHCP-lease and can participate in game-parties etc. but is not
allowed to access the web.

5) Logging of DNS-lookups etc in order to catch the ones that just had to
try the forbidden fruit anyway. Result: Quarantined for one month (or what
the going rate will be).

Testing shows that this is possible with a system that can run from a
floppy. If the OP wants, more can be gleaned from www.freesco.org

HTH

Jan, OZ1DKE

Plan B will be made up if this doesn't work in case you were curious :-)
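Plan A, steps 1 to 5, carried over to an Ubuntu router as Geir asks in the follow-up: the script below is an added example, not freesco's code nor anything posted in this thread. It turns one registry of known NICs into (a) an iptables FORWARD chain with a default-deny policy, one ACCEPT per registered MAC/IP pair and a rate-limited LOG rule for everything else, and (b) a dnsmasq configuration that hands each registered NIC a fixed lease, still gives an unknown NIC a pool address (so it can join the LAN games but not forward out), and logs DHCP grants and every DNS query. Choosing dnsmasq for DHCP/DNS, the interface names, the address pool and the hostnames are all assumptions; the registry is constructed sample data. A quarantine list is how step 5's "relieved of the web for a month" is enforced without touching the registry.

```python
"""Generate a default-deny forwarding policy and static leases from a NIC registry.

Added example for this thread (not freesco or Ubuntu project code). Interface
names, addresses and hostnames are assumptions; dnsmasq stands in for the
DHCP/DNS service and iptables for the netfilter rules.
"""
import re

LAN_IF = "eth1"   # dorm-facing interface (assumption)
WAN_IF = "eth0"   # upstream interface (assumption)
POOL = ("10.0.0.100", "10.0.0.199")   # addresses for unregistered NICs (assumption)

# Registry of known NICs: MAC -> (fixed IP, hostname). Constructed sample data.
REGISTRY = {
    "00:11:22:33:44:55": ("10.0.0.20", "room-101-laptop"),
    "00:11:22:33:44:66": ("10.0.0.21", "room-102-desktop"),
    "00:11:22:33:44:77": ("10.0.0.22", "room-103-laptop"),
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_registry(registry):
    """Reject malformed MACs and IPs handed to two NICs; return the cleaned map."""
    clean, seen_ips = {}, {}
    for mac, (ip, host) in registry.items():
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC {mac!r} for {host}")
        if ip in seen_ips:
            raise ValueError(f"{ip} assigned to both {seen_ips[ip]} and {host}")
        seen_ips[ip] = host
        clean[mac] = (ip, host)
    return clean


def netfilter_rules(registry, quarantined=(), lan_if=LAN_IF, wan_if=WAN_IF):
    """Steps 1-2 and 5: default-deny FORWARD, one ACCEPT per registered MAC/IP
    pair, LOG for the rest. Quarantined MACs simply get no ACCEPT rule."""
    registry = check_registry(registry)
    quarantined = {m.lower() for m in quarantined}
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        # replies to connections already allowed out
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for mac, (ip, host) in sorted(registry.items(), key=lambda kv: kv[1][0]):
        if mac in quarantined:
            continue
        rules.append(f"# {host}")
        # both halves must match: a registered IP on the wrong NIC fails
        rules.append(f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {ip}/32 "
                     f"-m mac --mac-source {mac} -j ACCEPT")
    # unknown or quarantined NICs: rate-limited syslog line, then the DROP policy
    rules.append(f"iptables -A FORWARD -i {lan_if} -m limit --limit 10/min "
                 '-j LOG --log-prefix "FWD-DENY: "')
    return rules


def dnsmasq_config(registry, lan_if=LAN_IF, pool=POOL):
    """Steps 3-5: fixed lease per registered NIC so the MAC/IP pair stays valid;
    unknown NICs still get a pool address (LAN only); DHCP and DNS query logging."""
    registry = check_registry(registry)
    lines = [
        f"interface={lan_if}",
        "dhcp-authoritative",
        f"dhcp-range={pool[0]},{pool[1]},12h",
        "log-dhcp",                          # lease grants: MAC, IP, hostname
        "log-queries",                       # every DNS lookup with client IP
        "log-facility=/var/log/dnsmasq.log",
    ]
    for mac, (ip, host) in sorted(registry.items(), key=lambda kv: kv[1][0]):
        lines.append(f"dhcp-host={mac},{ip},{host},infinite")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("\n".join(netfilter_rules(REGISTRY, quarantined=["00:11:22:33:44:66"])))
    print()
    print(dnsmasq_config(REGISTRY), end="")
```

Run it, review the output, then feed the rule lines to a shell as root and put the second part in /etc/dnsmasq.d/. Keeping the quarantined MAC in the registry matters: its static lease survives, so its DNS and DHCP log trail keeps pointing at the same machine while it is cut off. The `-m mac --mac-source` match only sees frames arriving on the box, which is why the ACCEPT rules key on the LAN-facing input interface. The pair check defeats the "bring another PC" case but not a student who clones both the MAC and the IP of a registered machine; for that you need the switch-side view (port-to-MAC tables) that the earlier reply mentioned, or per-user authentication on top.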
Geir Holmavatn
      02-21-2006, 04:14 PM
"Jan Sevelsted" wrote:

> I'm having a similar task here. Provide a bunch of young people with
> Internet access in a way so that if they clash with the rules, they can be
> 'relieved' of the possibilities of the big web.
> This I intend to accomplish by using freesco v 0.34. It has some abilities
> that enables me to do it easily.
> Plan A:
>
> 1) Set up forwarding so that no-one in the subnet is allowed to go out.
>
> 2) Set up restrictions to allow specific NICs (MAC/IP combinations) to go
> out. This calls for contacting the SysAdmin in order to get a working
> connection.
>
> 3) Set up DHCP-service to provide static leases to each known
> NIC.
>
> 4) In combination, 2 and 3 ought to cut out the industrious ones
> bringing in another PC to circumvent restrictions - an unknown NIC does
> get a DHCP-lease and can participate in game-parties etc. but is not
> allowed to access the web.
>
> 5) Logging of DNS-lookups etc in order to catch the ones that just had to
> try the forbidden fruit anyway. Result: Quarantined for one month (or what
> the going rate will be).


Very interesting,

Would it be a problem if the MAC > IP lookup list grew to 300+ entries?

We have an Ubuntu box just acting as a firewall for this network now. Would
it be possible to implement something like the scenario above under Ubuntu
too? Which software would I then need?

Thanks again for opinions on these details

Geir

Jan Sevelsted
      02-24-2006, 07:16 PM
On Tue, 21 Feb 2006 18:14:22 +0100, Geir Holmavatn had the audacity to
write:

>
> Very interesting,
>
> Would it be a problem if the MAC > IP lookup list grew to 300+ entries?


I wouldn't know - here it is done by entering the known NICs into the
list of static DHCP leases - and AFAIK the possible size of that one is
equal to the size of your network range.

>
> We have an Ubuntu box just acting as a firewall for this network now.
> Would it be possible to implement something like the scenario above
> under Ubuntu too? Which software would I then need?


I would assume so, although I haven't bothered to look much into it as the
freesco solution fits the requirements here as a hand in a glove ;-)

The HW requirements of a Freesco setup are VERY slim - it runs on a 386
with down to 8 Mbytes of RAM and a floppy, NICs as you need (up to 10)
and the rest (serial and parallel ports as you might want - for modem
dial-in, printer serving etc.). This one is done on a Pentium 133 MHz with
64 MByte RAM and ~ 1 Gig of HD. Less can do, but that was what the
cupboard held :-)
It can serve your home pages (pun not intended), act as ftp-server, ntp
server and... Well, maybe you should go and have a look at
<http://www.freesco.org>

If this whets your appetite, and you would like to give it a try, you
could contact me via e-mail - I assume you can dig out the useful part
from the header...

>
> Thanks again for opinions on these details
>
> Geir


You're most welcome.

--
Jan, OZ1DKE.

Replying to this post from Google groups without proper quoting will
result in no follow-up on my part.

Archival or publication of this post on any part of thisishull.net is
without my consent and is in direct breach of the Data Protection Act.