Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-20 Thread James B. Byrne

On Monday, September 18, 2017 1:04 PM, Nicolas Kovacs wrote:
>
> This year the school's director wants to completely block Internet
> access for all the student's personal devices.
>

The silent premise in this request is that all student Internet access
occurs through the school's gateway.  Which is of course false.

If the objective is to prevent misuse of school resources for
non-education purposes then the premise, while faulty, is fine.  If
the objective is to restrict students' Internet access in its entirety
then this is doomed to fail.

Have you clarified with the director that only access through your
gateway can be affected by this policy and that student devices with
cellular data plans will still have access?

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread Frank Cox
On Tue, 19 Sep 2017 13:05:24 -0700
Kenneth Porter wrote:

> > all it takes is one kid, who then shares his 'trick' with other kids, and
> > blam.
> 
> Hire that kid to be head of security. :D

Only if he has a degree in music composition.

-- 
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com


Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread m . roth
Kenneth Porter wrote:
> --On Tuesday, September 19, 2017 9:57 AM -0700 John R Pierce
>  wrote:
>
>> all it takes is one kid, who then shares his 'trick' with other kids,
>> and blam.
>
> Hire that kid to be head of security. :D
>

Um, let's step back a bit here: this is clearly not a large organization.
And only one person can use one MAC address. Anyone beyond the one kid
would have to find others. And, the instant that someone on staff can't
get on, they report it, and you, the admin, either force an expiration of
the lease, or block that IP with a temporary, runtime iptables -A INPUT -s
192.168.10.whatever -j DROP, and they're dead meat.

And then, teachers get to announce that whoever spoofed it will fail the
quarter if they do it again, and they will turn off their device NOW.

See? Simple.

 mark



Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread Kenneth Porter
--On Tuesday, September 19, 2017 9:57 AM -0700 John R Pierce
 wrote:

> all it takes is one kid, who then shares his 'trick' with other kids, and
> blam.

Hire that kid to be head of security. :D




Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread John R Pierce

On 9/19/2017 8:39 AM, m.r...@5-cent.us wrote:

> As a response to someone else's cmts, the set of kids who knows how
> they're being blocked is a small subset of all kids, and those who know
> that a MAC address can be forged is a small subset of the previous. And
> *then* they'd have to find out a valid MAC address.

all it takes is one kid, who then shares his 'trick' with other kids,
and blam.

> On top of that, it would seem to me that the ones for whom you have a
> registered MAC address is either hardwired, and so on, permanently, or the
> teachers and staff are in before the students, mostly, and so when a
> student tries to spoof the MAC, they get refused, since the real system
> already has the IP address.

that presumes all the reserved systems are on 24/7.


--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread m . roth
Chase, Brian E. wrote:
> The way to do this is with ACLs (Access Control Lists).
> IPtables can perform this function, or an internet gateway router can also
> be used.
> The ISR 4000 Series Cisco router family is where I would start, especially
> if you're in need of a blade server in the same chassis.
>
> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Nicolas
> Kovacs
> Sent: Monday, September 18, 2017 1:04 PM
> To: Centos Mailing List
> Subject: [CentOS] Block internet access for some users on the LAN ?
>
> Hi,
>
> In our local school we have two servers and roughly 80 clients. The
> network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by
> Dnsmasq.
>
> School PCs (teachers and management) are registered via MAC address and
> get an IP address in a specific range:

> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
>
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
>
> This year the school's director wants to completely block Internet access
> for all the student's personal devices.

If nixspam doesn't gag me again - tried to respond yesterday.

Put anyone whose MAC address isn't registered on a different subnet, like
192.168.11.x, and give your router no route to 9.0.9.9, only to the
internal.

As a response to someone else's cmts, the set of kids who knows how
they're being blocked is a small subset of all kids, and those who know
that a MAC address can be forged is a small subset of the previous. And
*then* they'd have to find out a valid MAC address.

On top of that, it would seem to me that the ones for whom you have a
registered MAC address is either hardwired, and so on, permanently, or the
teachers and staff are in before the students, mostly, and so when a
student tries to spoof the MAC, they get refused, since the real system
already has the IP address.

   mark



Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread Bill Gee
> School PCs (teachers and management) are registered via MAC address and get
> an IP address in a specific range:
>
> 192.168.10.2 - 192.168.10.50 - management + teachers
>
> 192.168.10.201 - 192.168.10.220 - computer room
>
> 192.168.10.246 - 192.168.10.247 - printers
>
> 192.168.10.251 - 192.168.10.253 - wireless access points
>
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
>
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
>
> This year the school's director wants to completely block Internet access
> for all the student's personal devices.
>
> The Linux server acts as a transparent gateway. Unfortunately with Squid I
> can only filter/block HTTP connections, but not HTTPS (well, I could, but
> this is way too complicated to setup).
>
> The firewall is managed by a simple Iptables script. Now I *think* the
> easiest way to block a certain IP range from Internet access would be
> through Iptables (correct me if I'm wrong). If this is the case, what would
> that look like?

It seems to me you could accomplish some of this by using 802.1x switch port 
security.  Set up an OpenRADIUS server, configure the network switch ports, 
then put a key on each workstation - especially those whose physical Ethernet 
jack could be unplugged by a student.  If someone does try to plug their 
device into the network, it not only won't get an address - it won't even get 
an open port!

Someone commented that using static IP addresses can be worked around pretty 
easily.  I agree ...  It is just a form of security by obscurity, and we all 
know that really means no security at all.  

There would be some effort to get the key onto the authorized workstations, 
but once there it would not need anything further.  It could also be 
incorporated into the base coreloads.  There is also some effort to reprogram 
the switch ports - also a one-time task.

The WiFi segment should be protected by a WPA2 password.

Bill Gee


Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-19 Thread Chase, Brian E.
The way to do this is with ACLs (Access Control Lists).
IPtables can perform this function, or an internet gateway router can also be
used.
The ISR 4000 Series Cisco router family is where I would start, especially if
you're in need of a blade server in the same chassis.



Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-18 Thread Leroy Tennison
While I agree with all this, keep in mind this is a school and the proposed 
solution may not be feasible financially or realistically (Can a student in the 
computer lab unplug an Ethernet connection and plug their device in?  Are the 
teachers' systems in the same room as students?)  If it's not then some less 
desirable but "better than nothing" solutions would be to get rid of DHCP and 
assign all static IPs (with just 80 systems this is possible though not 
desirable), change those IP ranges to just enough to meet the need for the 
specified systems and allow only IP addresses with a need for Internet access 
through the firewall.  Is monitoring for defined systems' IP addresses going 
offline possible?  A good analysis of needs may surface options.  Do the 
teachers need Internet access during school hours (it is possible via cron to 
have time-based firewall rules)?  What about the computer lab?  Without knowing 
the specifics these questions are unanswerable.  And we have to keep in mind 
"relative security" - if they have an "evil genius" student on their hands 
there will be a way around the best security which can be put in place.



Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-18 Thread Johnny Hughes
On 09/18/2017 12:23 PM, John R Pierce wrote:
> On 9/18/2017 10:03 AM, Nicolas Kovacs wrote:
>> This year the school's director wants to completely block Internet
>> access for all the student's personal devices.
> 
> MAC addresses can easily be forged, IP addresses can easily be changed,
> none of that is secure if it's on the same network segment.
> 
> The student's personal devices should be on a completely different
> 'guest' subnet, enforced by the wireless infrastructure, via use of a
> captive portal and/or WPA2-EAP authentication. Presumably most of
> the school's infrastructure is on ethernet? Those ethernet connections
> should be kept physically secure so no one unauthorized can plug/unplug
> anything into the ethernet.
> 
> THEN you'd use iptables to enforce access restrictions on this guest
> subnet.
> 

It would be extremely easy to, for example, try to get to the internet
and fail .. look at my IP address and get my default gateway from my
device (that I own) .. then try manually other network addresses until I
find one that works (with the same gateway).  That is, I can easily find
the other segments (like the printers) and take a free address in that
segment.  Since the whole network is flat, it will let me out then.

As John says .. if you want to isolate guest accounts, do it with a
completely different network segment that is isolated from things you
don't want them to access.  You can then setup rules unique to that
network segment that they can't forge (the gateway is the only way that
segment can get out and all the rules are the same for any IP that will
route from that segment).





Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-18 Thread Leroy Tennison
Iptables is a very reasonable way to do it: basically, you decide what devices 
should have Internet access, create accept rules for them and then have a 
default deny for everything else.

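The allow-then-default-deny layout Leroy describes, written out for the ranges in the original post as an added example (not the original poster's iptables script or anything posted in the thread); interface names eth0/eth1 and the APPLY toggle are assumptions. It also checks a single address against the policy, which the text does not show, and carries the flat-network caveat John and Johnny raise as a comment.

```sh
#!/bin/sh
# Added example, not the original poster's firewall script: a default-deny
# FORWARD policy for the 192.168.10.0/24 LAN described in the thread.
# Assumptions: the gateway's inside interface is eth1 and outside is eth0.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Registered ranges from the original post that keep Internet access.
# Printers and access points are left out on purpose: they have no need
# to reach the Internet. The iprange match handles ranges that are not
# CIDR-aligned, so the exact DHCP ranges can be used as-is.
ALLOWED_RANGES="192.168.10.2-192.168.10.50 192.168.10.201-192.168.10.220"

# Print the iptables commands that implement the policy, one per line,
# so the rule set can be reviewed before it is applied.
build_forward_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"   # default deny: covers the unregistered 100-200 range
    # Reply traffic for connections the allowed hosts opened.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for range in $ALLOWED_RANGES; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m iprange --src-range $range -j ACCEPT"
    done
    # Rate-limited log of what the default policy drops, so a personal device
    # that starts reaching for the Internet shows up in syslog.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY: '"
}

# Convert a dotted quad to an integer for range comparison (POSIX sh only).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit status 0 if the address falls inside an allowed range, 1 otherwise.
# Useful for checking a dnsmasq lease against the policy from a cron job.
ip_is_allowed() {
    ip=$(ip_to_int "$1")
    for range in $ALLOWED_RANGES; do
        lo=$(ip_to_int "${range%-*}")
        hi=$(ip_to_int "${range#*-}")
        if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Caveat raised in the thread: this only decides what the gateway forwards.
# On a flat segment a student who takes a free address inside an allowed
# range gets through, which is why a separate guest subnet is the stronger
# fix; these rules then apply to that subnet's traffic unchanged.
if [ "${APPLY:-0}" = 1 ]; then
    build_forward_rules | sh     # run as root to apply the rules
else
    build_forward_rules          # default: only print them for review
fi
```

Run it as-is to review the generated rules; `APPLY=1` as root applies them.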


Re: [CentOS] Block internet access for some users on the LAN ?

2017-09-18 Thread John R Pierce

On 9/18/2017 10:03 AM, Nicolas Kovacs wrote:

> This year the school's director wants to completely block Internet
> access for all the student's personal devices.

MAC addresses can easily be forged, IP addresses can easily be changed, 
none of that is secure if it's on the same network segment.

The student's personal devices should be on a completely different 
'guest' subnet, enforced by the wireless infrastructure, via use of a 
captive portal and/or WPA2-EAP authentication. Presumably most of 
the school's infrastructure is on ethernet? Those ethernet connections 
should be kept physically secure so no one unauthorized can plug/unplug 
anything into the ethernet.

THEN you'd use iptables to enforce access restrictions on this guest subnet.


--
john r pierce, recycling bits in santa cruz



[CentOS] Block internet access for some users on the LAN ?

2017-09-18 Thread Nicolas Kovacs
Hi,

In our local school we have two servers and roughly 80 clients. The
network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by Dnsmasq.

School PCs (teachers and management) are registered via MAC address and
get an IP address in a specific range:

192.168.10.2 - 192.168.10.50 - management + teachers

192.168.10.201 - 192.168.10.220 - computer room

192.168.10.246 - 192.168.10.247 - printers

192.168.10.251 - 192.168.10.253 - wireless access points

If a client (like a student's laptop, tablet or smartphone) is not
registered, it gets an IP address in the range between 192.168.10.100
and 192.168.10.200.

Up until recently I've been using a combination of Squid and Squidguard
to filter Internet access.

This year the school's director wants to completely block Internet
access for all the student's personal devices.

The Linux server acts as a transparent gateway. Unfortunately with Squid
I can only filter/block HTTP connections, but not HTTPS (well, I could,
but this is way too complicated to setup).

The firewall is managed by a simple Iptables script. Now I *think* the
easiest way to block a certain IP range from Internet access would be
through Iptables (correct me if I'm wrong). If this is the case, what
would that look like?

Any suggestions?

Niki Kovacs

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32