
Pohrn control on home network

Discussion in 'Security and Privacy' started by alphaa10, 2010/03/13.

  1. 2010/03/13
    alphaa10 Inactive Thread Starter
    BLOCK POHRN ON A WIRELESS HOME NETWORK

    BACKGROUND
    I plan a home wireless network, N-class, and know visiting teenagers will be tempted on rare occasion to go places on the internet they should not. So, I need a way to prevent internet travel to pohrn palaces and other sites associated with malware.

    PROPOSED METHOD
    Generally, I am familiar with wireless setup, and plan to use WPA2 security to restrict the network to authorized users.

    Since my objective is to stop pohrn, I have a choice between a content-screening proxy like OpenDNS, through which all my router traffic would be directed, or a locally-resident program like NetNanny or CyberSitter.

    OpenDNS would be my first choice, since creating a control point is vastly simpler for the local network-- one proxy, one connection point. But OpenDNS seems a bit too loose to provide the fine-grained control I need to keep out cleverly-named websites (whose web page search descriptors draw Google searches like a magnet, no matter what the domain name).

    So, I am driven to consider a locally-installed control program like NetNanny or CyberSitter to seal the leaks more effectively. Generally speaking, both products do a fairly complete job and are frequently updated with new lists. The only drawback, at least theoretically, is local control programs impose a real-time burden on system processing times. RAM must be maxed and the CPU very capable to get a decent system response.

    That being the case, I plan to run a fairly powerful gateway computer just behind the broadband modem. The gateway will run all the time, and host the pohrn screening programs. A solid system (and CMOS screen) admin password will keep the screening from being too hackable.

    Out of the backplane of the gateway system (on a separate card), I plan to run a router to broadcast the wireless signal to all network machines.

    WHAT DO YOU THINK?
    Is this design practical? Will it work? Have you tried such a setup?

    Your suggestions could be valuable to others. Many home networks across this country and abroad must deal with the intrusiveness of malware, pohrn and cybercrime, and need help.

    One veteran already has commented that pohrn control is all but a "lost cause", and he seems to have a defensible point of view. But necessity is the mother of invention (and midwife to many hours of lost sleep).
     
  2. 2010/03/13
    TonyT SuperGeek Staff
    What operating system on the gateway? This matters a lot. There are free Linux distributions compiled solely for this type of use, with IPTables firewall and robust rules and configuration possible.
    http://www.livecdlist.com/purpose/firewall
    http://www.google.com/#q=linux+firewall+distributions&hl=en&sa=2&fp=f8bc9ba0718e9555

    Another option is to use a wifi router that has been modified with dd-wrt firmware, there are versions that have such filtering capabilities that would suit your needs. This is far cheaper than building a gateway computer.

    No matter the operating system on a gateway, a hosts file can be used to prohibit access to known malware & pron sites, but as your friend stated, it's a never ending battle that has no winners, at best a tie can be achieved.

    The best method of controlling this is education and agreed upon network policies/comp use. Inform anyone that uses the network that the lan is locked down and all usage is logged and filtered. This acts as a deterrent to begin with.

    Put a hub between the access point and the gateway and connect your comp to it by wire. Then run wireshark and demonstrate that ALL network traffic can be captured, show someone their captured email username/password. They will think you are a guru and they will be reluctant to use the network for anything dishonest or risky.
     
    Last edited: 2010/03/13


  4. 2010/03/14
    alphaa10 Inactive Thread Starter
    Thanks, Tony-- you understand the problem.

    The gateway runs XP Home, which is not perfect, but XP is widely supported by device OEMs (giving me more flexibility for solution), and at least I can password it, along with the CMOS.

    From your description, Linux is an interesting and capable option, but my main concern seems simpler-- effectively excluding pohrn sites without significant maintenance. Although I do plan to check out the Linux links you provide, to the best of my information, no OS or firewall list can spare me hours of tinkering to keep up with the ongoing struggle.

    The pohrn situation almost dictates a third-party, automatically-updated solution, since I cannot be always present to tweak against holes as they develop.

    Which brings NetNanny and CyberSitter into play. Although both of these products, by their multi-level screening, seem much more comprehensive and consistent than the OpenDNS approach, even they have some warts. For example, any really serious effort at screening with NN or CS requires some editing of white or black lists after a breach occurs.

    That said, my objective is to minimize my own editing, and in a toss-up between maintenance levels for OpenDNS versus NN and CS, OpenDNS probably loses.

    The reason I keep OpenDNS an option is all the facts are not in. Both NN and CS pose real questions about how they interdict-- they degrade system performance if installed locally, and that is my principal reason for the idea of a gateway, instead, as a control point. The hope is all local, user operations will run normally, while the gateway (where NN or CS reside) will function as a more or less transparent intercept point.

    The same performance consideration becomes all the more important if my users also plan to stream video over the network.

    Another question about how NN and CS will interdict is whether they will work when installed on a gateway intended as an internet proxy. Since you are an MS MVP, would the MS concept of a gateway offer an effective solution? That is, would browser requests from users on the (wireless) router subnet actually run through a NN or CS screening and review on the gateway machine? Or does MS mean, by "gateway", a much more general sense of internet access and protection?

    Again, the critical question is whether NN and CS will work for this design when installed on a gateway / proxy, rather than on local (user) machines.

    BTW, to prevent users from simply connecting their own machines via ethernet cable directly to the ISP-supplied modem (upstream of the gateway), I plan to replace the ISP's modem with a good, PCI-based internal broadband modem for N-level network traffic. The phone line goes in the gateway backplane and modem input port, and the traffic exits a separate network card to the router / access point. Such PCI modem cards are in common use everywhere, it seems, but the USA (ISPs love selling hardware).

    In any case, it is vital to use only a PCI, N-level modem without built-in ethernet output ports, to restrict traffic to pass through the gateway machine, and to the router.

    The more I ponder this "out loud", so to speak, the better the responses from experts like you have been. I hope you understand your helpful advice will be of value to others, including many families which elect to stimulate the local economy and acquire the services of a local computer expert.

    As mentioned, I'll look over the Linux options. I know far less than you about Linux general suitability, so forgive my presumptions about what Linux can and cannot do. In the next year, in fact, I plan to explore the robust authentication and security options of Novell / Suse and begin to install that for client / office situations. Already, it appears Linux has much better general security than any rival in the market.

    By no accident, NSA has its own (more secure) version of Linux, just as the PRC has Red Flag Linux for its own offices. Years ago, in fact, when Mr. Gates visited Beijing to sell Windows as the official interface of PRC government offices (promising to let the PRC look over Windows source code), they would have none of it, ironically enough for the PRC, on grounds that Windows was too insecure.


    ---- REFERENCE LINKS BELOW ----

    OpenDNS--
    Introduction-- https://www.opendns.com/start/
    Specifics-- http://www.opendns.com/solutions/overview/

    NetNanny--
    Introduction-- https://www.netnanny.com/alt_rotate
    Specifics-- https://www.netnanny.com/products/netnanny_home_suite/detail/technical#reports

    CyberSitter--
    Introduction-- http://www.cybersitter.com/cs10mainpage.html
    Specifics-- http://www.cybersitter.com/cs10mainpage.html
     
  5. 2010/03/14
    TonyT SuperGeek Staff
    To be honest, I am not certain that Windows XP can utilize 2 network cards and route Internet traffic from the access point. To my knowledge it can't.

    XP has Internet Connection Sharing and I believe that's the only way that Internet traffic can be routed in XP, unless a 3rd party software is used which has the capability of utilizing separate NICs.

    AFAIK, Windows XP can only use one single network connection at a time, or it can bridge 2 adapters into a virtual single connection, but it cannot route 2 separate connections. You'd need a server operating system to do that.

    I wouldn't go so far as to use an internal dsl modem. And I wouldn't go that far to restrict pron sites and known malware sites either. If someone wants to bypass a proxy or look at questionable content, they are going to do it no matter what steps you take to prevent it. That's why edu is the senior thing to do to prevent it.

    When my children were young I had similar concerns. My solution was to demonstrate to them that "Dad can see everything you do on your computers". I showed them how I can connect to their computers or sniff the network traffic. Every now and again I'd ask one of the kids, "hey, you changed your Instant Messenger password again" and read it to them. They realized that "Dad really does know what I do on the comp." I also taught them how malware gets onto a computer and showed them what to do to prevent it, showed them how to use search engines safely, showed them what to do if they had any doubts about what to click or if malware at a site is suspected. Sure, I cleaned up a lot of malware & viruses too, but never had to discipline them about pron. The child obsessed with pron has other issues that need addressing!

    What I would do:

    1. lock down router access using strong password.

    2. lock down my own comp & others on the lan using passwords.

    3. young children with their own computers would have limited user accounts, software cannot be installed via such accounts.

    4. use hosts files on their comps to restrict known malware/pron sites.

    5. use antimalware-antivirus on their comps.

    6. use a router that has robust filtering.

    7. use strong WPA2 encryption on access point.

    8. no way to avoid having to do regular updating/maintenance/intervention.

    Bottom line is that any child or teenager who would go so far as to try to reset the router, or who would make an effort to bypass proxies and restrictions on his family's network has deeper problems. A parent can be overly cautious too. No amount of restrictions will help this child.

    If I needed to use heavier filtering, I would use opendns over 3rd party apps like netnanny or proxies.
     
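TonyT's posts above mention both a hosts file and OpenDNS as ways to block known sites. The following is an added example, not code from the thread or from any of the products named, showing why the two differ in upkeep: a hosts file matches an exact name only, while a resolver-level filter can cover every name under a blocked domain. The hosts lines and domain names are constructed for illustration.

```python
# Added example (not from the forum thread): how a hosts-file blocklist
# decides whether a lookup is blocked, beside the domain-suffix matching a
# resolver-level filter (the OpenDNS-style approach) can apply instead.
# The sample hosts file and domain names below are constructed.

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
0.0.0.0     bad-site.example      # block: resolves to nowhere
0.0.0.0     tracker.example.net
127.0.0.1   ads.example.org
192.0.2.10  intranet.example      # real mapping, not a block
"""

# Addresses commonly used in hosts files to sink a name
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts_blocklist(text):
    """Return the set of hostnames a hosts file sinks to a blackhole address.

    Entries pointing at a real address (like intranet.example above) are
    mappings, not blocks, so they are left out. Comments and blank lines are
    skipped, and 'localhost' is never treated as a block."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in BLACKHOLE_ADDRS:
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def blocked_by_hosts(hostname, blocked):
    """A hosts file matches the exact name only: www.bad-site.example slips
    through unless it is listed on its own line, hence the constant editing."""
    return hostname.lower().rstrip(".") in blocked


def blocked_by_dns_filter(hostname, blocked):
    """A resolver-level filter can treat a blocked domain as covering every
    name beneath it, so one list entry catches all of its subdomains."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))
```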
  6. 2010/03/14
    Dennis L Inactive Alumni
    I practice / agree with TonyT's method.
    Over the years I have raised 7 children (oldest 29, youngest 16) and a school full of friends. For the past week I have had up to 7 computers accessing the home network / router 20+ hours a day. The main gathering area for family and friends is our very open family room ... which is where all of our desktops / router are located. All friends of our children know this is the only area of the house where they can surf / use their laptops. I run OpenDNS/network at the router and some "key explicit words" (of porne nature) filters at router level. After that it is the honor system/trust/respect of what our family expects of young adults / non-family users.
    Currently I have only my 16-year-old daughter living at home. I do not have any filters / porne tracking programs on her computer, it's just not necessary. When the boys were living here I ran Blue Coat K9 Web Protection, a commercial-grade product that is free for non-commercial use. It did not tax the system, with automatic filter and program updates. It had good security for bypass protection right down to running Safe-mode/network connection safeguards. All K9 users are "automatic watchmen", with links to objectionable subject matter automatically being passed on to K9 for possible inclusion in the master filter (based on material and how many users added the site to their local filter).
    As with many things in life, it all comes down to acceptable balance. Encourage the good and in most cases it will happen ... with a little nudge here and there.
     
    Last edited: 2010/03/14
  7. 2010/03/14
    alphaa10 Inactive Thread Starter
    I have used NN, but not OpenDNS-- can ODNS provide "heavier" filtering than a third-party app like NN or CS?

    My concern, again, was that to reach and maintain the appropriate level of filtering on a consistent basis, I would be required to do list editing with time I do not have.

    ODNS is a wonderful solution, if only it did automatically provide the level of filtering needed. One forum poster has commented ODNS is satisfactory, but did not comment on his threat environment.
     
  8. 2010/03/14
    alphaa10 Inactive Thread Starter
    THANKS TO DENNISL

    You are now the third person to suggest OpenDNS (TonyT, and another on a separate forum).

    I would have tried ODNS long ago, but wandering the ODNS forum, I found anecdotes which persuade me there are still plenty of holes to be addressed, despite efforts of (probably) hundreds of ODNS users.

    Of course, I am prepared to accept less than perfection, but need also to reduce my probable investment of time in tweaking ODNS.
     
