Networking The Internet

Providing a Whitelisted Wireless Hotspot?

Ploxis writes "I volunteer some of my day managing a small network (and a ragtag band of computers) for a local nonprofit. I have been asked to set up a second, open, independent wireless network on site that will provide cost-free broadband Internet access to patrons. The catch is that they want to provide access only to a select group of about 25 websites while disallowing everything else. No objectionable sites, no mundane but non-relevant sites such as online banking or YouTube, and no other activities such as P2P or IM. They only want HTTP and HTTPS activity from a set of whitelisted websites." For the rest of Ploxis's question and his initial thoughts on making this happen, read on below.
"They'd also like any non-whitelisted URL to be redirected to a 'splash page,' which would just be some HTML providing a list of allowed sites by category. I'd host this page internally on the network. Their primary concerns are liability for access of illegal/objectionable materials and conserving their bandwidth, while still providing access to specific relevant tools online. My initial thought was simply an open wireless router, a set of remarkably restrictive firewall rules, and an in-house server as a custom DNS ... but that's pretty shaky (i.e. anyone specifying their own DNS can still get at whatever they want). I assume they'll need a router with some pretty significant traffic management capabilities as well, but that's not something I've investigated before. Anyone's experiences, recommendations, case studies, or maps of similar networks would be greatly appreciated."
  • by Anonymous Coward on Thursday August 21, 2008 @06:28PM (#24696907)

    You need a web proxy and a DNS proxy: The web proxy to restrict the URLs to those which are whitelisted and the DNS proxy to stop "clever" people from tunneling through DNS.

  • Re:Squid (Score:2, Interesting)

    by Anonymous Coward on Thursday August 21, 2008 @06:37PM (#24697021)

    Since there can be only one HTTPS site per IP address, that's not a problem. If one of the sites is an HTTPS site, just allow it in the firewall. It's on a different port, so the transparent proxy isn't going to see the connection. Make sure that the address in the firewall rule is kept up to date.

    (Yes, I know there is a TLS extension which allows multiple sites to share an IP address, but since that is not universally implemented, no HTTPS site owner uses it, as it would break too many clients.)

  • by mysidia ( 191772 ) on Thursday August 21, 2008 @06:40PM (#24697071)

    Of the allowed sites.

    Use any commercial router and access point, or even a WRT-54G. Drop the list of allowed IPs into an access list.

    Deny traffic for all other IPs.

    Use separate rules to deny traffic to ports other than 80 and 443.
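
    The firewall approach described in the two comments above (allow only whitelisted IPs on 80/443, deny the rest, and proxy DNS so clients cannot pick their own resolver), written out as an added example that is not from any commenter: a script that prints, for review, the iptables rules for a Linux router running the hotspot. The interface name, the splash-page server port, the on-router resolver and the whitelist file path are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) an iptables
# ruleset for a whitelist-only hotspot. Assumed placeholders: LAN_IF is the
# hotspot interface, SPLASH_PORT is a web server on the router that serves
# the splash page, a resolver listens on the router's port 53, and the
# whitelist file holds one allowed IPv4 address per line ('#' comments ok).
LAN_IF="${LAN_IF:-wlan0}"
SPLASH_PORT="${SPLASH_PORT:-8080}"

gen_rules() {
    wl="$1"
    ips=$(grep -Ev '^[[:space:]]*(#|$)' "$wl")
    echo "iptables -N HOTSPOT"
    echo "iptables -A FORWARD -i $LAN_IF -j HOTSPOT"
    # 1. DNS: send every query to the router's own resolver, whatever server
    #    the client configured, so a hand-picked DNS server bypasses nothing.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports 53"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j REDIRECT --to-ports 53"
    # 2. Whitelisted hosts: exempt from the splash redirect, allowed on 80/443.
    for ip in $ips; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $ip -p tcp --dport 80 -j ACCEPT"
        echo "iptables -A HOTSPOT -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # 3. Any other HTTP lands on the local splash page listing allowed sites.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SPLASH_PORT"
    # 4. The router itself only answers DHCP, DNS and the splash page.
    echo "iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $SPLASH_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j DROP"
    # 5. Everything else forwarded from the hotspot (HTTPS to other hosts,
    #    P2P, IM, other ports) is dropped.
    echo "iptables -A HOTSPOT -j DROP"
}

# Usage after review: gen_rules /etc/hotspot/allowed_ips.txt | sh
```

    HTTPS to a non-whitelisted host is dropped rather than redirected, since a redirect would only produce certificate errors; and because the list is by IP, it has to be refreshed whenever a whitelisted site changes address.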

  • Re:Squid (Score:3, Interesting)

    by networkBoy ( 774728 ) on Friday August 22, 2008 @01:24AM (#24701153) Journal

    Sure that looks like a better solution, but squid over a linux router is easier and "good enough".
    My caveat is that we have a strict usage policy and if you are caught circumventing my "good enough" solution you are not going to like the written warning. If you want general internet access you are expected to use your notebook and WiFi connection, and not connect to my lab network.
    -nB

  • Dans Guardian (Score:2, Interesting)

    by PhilipJLewis ( 104782 ) on Friday August 22, 2008 @04:51AM (#24702323)

    Set up a transparent proxy and use dansguardian [dansguardian.org]. I've set this up and had it running for several months. It *easily* supports whitelisted/blacklisted sites, domains (using regular expressions even), and mime types. It can also block objectionable content based on keyword groups and ratings etc. Very good indeed.

  • Mikrotik RouterOS (Score:2, Interesting)

    by the right sock ( 160156 ) on Friday August 22, 2008 @10:40AM (#24705553)

    Simplest, quickest way to do it, and does everything you're looking to do.

    They put a relatively decent shell interface on top of linux that hides a lot of the complexity, and also have a good GUI management utility (I don't use it myself, but it can do everything the shell can).

    It'll run on most hardware, including x86. You'd have to buy a license, $45, but it's worth the time saved figuring out how to get all the different parts tied in together.

    And there is an active community forum with helpful people in case you run into trouble.
