J
johnsuth
This system seems to work, but I will be grateful for your observations
and suggestions.
My Security Primer for school classroom.
Classroom internet access is for academic research, not entertainment and definitely not titillation.
HIERARCHY OF HARDWARE
WAN termination (campus boundary)
NAT router
Non-secure network
Bastion (multi-homed or spider PC router)
Secure classroom network(s) with no domain name service.
Win clients and IBM fileserver.
NAT ROUTER
Block of static IP addresses is reserved for Bastion non-secure gateway.
Routing table is unaware of secure networks.
BASTION SOFTWARE
NIC protocol is TCP/IP only.
TCP notebook defines gateways, and routes through them to LANs.
IP forwarding is off.
IBM firewall rules permit access to proxy.
Squid provides transparent HTTP and passive FTP proxy, ACL, cache, and DNS client.
IBM FIREWALL RULES
Deny through routing (redundant with IP forwarding off).
Deny fragmented packets.
Deny the usual suspects.
Permit requests to ISP DNS eq 53.
Permit requests to NIST servers eq 13.
Permit requests to http servers eq 80.
Permit requests to passive tcp servers eq 20, eq 21.
Permit pinging gateway by secure hosts eq 8.
SQUID ACL
Deny urlpath_regex -i "BlacklistFile" (file extensions & google search keys)
Allow dstdomain -i "WhitelistFile" (teacher approved domains)
Allow url_regex -i "UrlFile" (odds & ends)
Deny every dst
WIN CLIENTS
XP Home SP1.
NTFS.
Protocols TCP/IP, and Netbios for file & printer sharing.
Static IP address.
Students are Limited users (no password) with ACL restrictions.
Admin user has strong password.
Deinstalled Windows components include Windows Messenger, MSN Explorer.
Disabled services include Automatic updates, DHCP client, DNS client, ICF/ICS, IPSEC, Netmeeting, Portable media serial, Remote access, Remote desktop help, Routing and remote access, Secondary logon, SSDP, TCP/IP Netbios helper, Telephony, Wireless zero config.
Firefox proxy address is secure LAN gateway on Bastion.
and suggestions.
My Security Primer for school classroom.
Classroom internet access is for academic research, not entertainment and definitely not titillation.
HIERARCHY OF HARDWARE
WAN termination (campus boundary)
NAT router
Non-secure network
Bastion (multi-homed or spider PC router)
Secure classroom network(s) with no domain name service.
Win clients and IBM fileserver.
NAT ROUTER
Block of static IP addresses is reserved for Bastion non-secure gateway.
Routing table is unaware of secure networks.
BASTION SOFTWARE
NIC protocol is TCP/IP only.
TCP notebook defines gateways, and routes through them to LANs.
IP forwarding is off.
IBM firewall rules permit access to proxy.
Squid provides transparent HTTP and passive FTP proxy, ACL, cache, and DNS client.
IBM FIREWALL RULES
Deny through routing (redundant with IP forwarding off).
Deny fragmented packets.
Deny the usual suspects.
Permit requests to ISP DNS eq 53.
Permit requests to NIST servers eq 13.
Permit requests to http servers eq 80.
Permit requests to passive tcp servers eq 20, eq 21.
Permit pinging gateway by secure hosts eq 8.
SQUID ACL
Deny urlpath_regex -i "BlacklistFile" (file extensions & google search keys)
Allow dstdomain -i "WhitelistFile" (teacher approved domains)
Allow url_regex -i "UrlFile" (odds & ends)
Deny every dst
WIN CLIENTS
XP Home SP1.
NTFS.
Protocols TCP/IP, and Netbios for file & printer sharing.
Static IP address.
Students are Limited users (no password) with ACL restrictions.
Admin user has strong password.
Deinstalled Windows components include Windows Messenger, MSN Explorer.
Disabled services include Automatic updates, DHCP client, DNS client, ICF/ICS, IPSEC, Netmeeting, Portable media serial, Remote access, Remote desktop help, Routing and remote access, Secondary logon, SSDP, TCP/IP Netbios helper, Telephony, Wireless zero config.
Firefox proxy address is secure LAN gateway on Bastion.