Prevent internet access if not going through proxy.
Hi everyone,
Although I did come up with an answer myself, I'd still like to see whether it would hold up in the real world.
All my PCs (4) have a fixed address. Well, based on their MAC address, they always get DHCP'd with the same address.
Now I like to tinker with computers and networks, so I'm planning to set up Squid as a proxy at home. I hope it will be educational to me as I've started an ICT job recently (we already have a good proxy here, so it's not for my job) and I'm eager to learn.
The PCs with a fixed address are allowed full internet access, no restrictions. If anything else gets an IP then it _has_ to go through the proxy. I know the PCs with a fixed address can be marked in Squid as 'full access' but that is not what I want.
If someone deletes the proxy's address from the web browser, what stops them from getting to the internet? An ACL on the router, right? I can block the DHCP range I give to clients but allow the fixed IPs + the computer running the proxy.
1) Since you already have static ARP (MAC bound to IP) you can allow them alone to access the net straight on ports 80 and 443 + allow the Squid system to access ports 80 and 443
2) Deny everything else. So automatically the extra clients have to use the proxy.
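The two rules above, as a FORWARD-chain policy on a Linux box acting as the home router. This is an added example, not code from the thread or from any poster: the fixed-address PCs and the Squid host may reach ports 80/443 directly, and anything else leaving the LAN is dropped, so a DHCP client can only get out via the proxy. The interface names, the proxy address and the four PC addresses are assumed for illustration; by default the script only prints the rules, and `--apply` runs them through iptables.

```bash
#!/bin/bash
# Added example (not from the thread): router-side policy implementing
#   1) fixed-address PCs + the Squid host may go straight out on 80/443
#   2) everything else from the LAN is dropped (so it must use the proxy)
# Interfaces and addresses below are assumed/constructed for illustration.
set -eu

IPT="${IPT:-echo}"                           # dry run by default; --apply switches to iptables
LAN_IF="${LAN_IF:-eth1}"                     # assumed LAN-facing interface of the router
WAN_IF="${WAN_IF:-eth0}"                     # assumed WAN-facing interface
PROXY_IP="${PROXY_IP:-192.168.1.10}"         # assumed address of the Squid host
FIXED_IPS="${FIXED_IPS:-192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14}"  # the four PCs
WEB_PORTS="80,443"

apply_rules() {
    # Replies belonging to connections that were already accepted may come back in.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: the proxy host and each fixed-address PC may reach the web directly.
    for src in $PROXY_IP $FIXED_IPS; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$src" -p tcp -m multiport --dports "$WEB_PORTS" -j ACCEPT
    done

    # Rule 2: anything else leaving the LAN is logged (rate-limited) and dropped.
    # A DHCP client that removes the proxy from its browser lands here.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# Dry-run helpers so the generated policy can be checked before it is applied:
# one stateful ACCEPT plus one ACCEPT per allowed host, and a final DROP.
count_accept_rules() { (IPT=echo; apply_rules) | grep -c -- '-j ACCEPT'; }
has_default_drop()   { (IPT=echo; apply_rules) | grep -q -- "-o $WAN_IF -j DROP"; }

if [ "${1:-}" = "--apply" ]; then IPT=iptables; fi
apply_rules
```

The match is on source IP, so it carries exactly the caveat raised later in the thread: a client that spoofs one of the allowed addresses gets past it, which is why the discussion moves on to VLANs and port security as the layer underneath. The rate-limited LOG line gives you a record of clients that tried to bypass the proxy.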
Thanks Harry, that would be a good second line of defense, but wouldn't spoofing the MAC address circumvent it?
Same deal with an IP address: it can also be spoofed (there goes my own idea out the window).
I had been thinking I might be able to use 2 subnets, when I realized that doesn't really hinder spoofing a lot. I realize the average user may not even know what spoofing is, but it would be good to know what can be done to prevent it.
Last edited by Jeroen1000; 11-18-2009 at 08:33 AM.
True, but if you want to stop spoofing with ARP attacks, then VLAN is the only way you can stop it. Still, somebody can do a getmac on a victim's computer, note down the MAC and spoof the same, disconnect the victim's computer and then use his computer with the spoofed MAC.
This is why you need a cam in your computer room, which records what people do, so if somebody is plugging his laptop into another person's port, then it gets recorded on the cam, and you can kick his ass for doing that.
So there is nothing really called super security; you just need to mitigate each risk with a solution. Still, everything is crackable....
Quote:
True, but if you want to stop spoofing with ARP attacks, then VLAN is the only way you can stop it. Still, somebody can do a getmac on a victim's computer, note down the MAC and spoof the same, disconnect the victim's computer and then use his computer with the spoofed MAC.
For clarification, do you mean physical access to a workstation is required to circumvent the VLAN protection (if VLAN assignment is based on physical ports and _not_ MAC-address-based assignment)?
Physical actions always have a higher threshold. In my situation I don't see anyone doing this nor spoofing the MAC.
Quote:
Originally Posted by harry_uk
This is why you need a cam in your computer room, which records what people do, so if somebody is plugging his laptop into another person's port, then it gets recorded on the cam, and you can kick his ass for doing that.
At work the server room is secured of course, and at home my switch is in the basement. But workstations will most likely always be vulnerable to a physical attack. Putting up cameras is one bridge too far I'm afraid (although privacy isn't what it used to be anymore).
So VLANs are a good idea for the workstations. But how am I going to deal with laptops? There is no physical way to bind them to a VLAN (they will of course be connecting wirelessly). Here MAC spoofing plays a far more dangerous role.
Perhaps the easiest way is to put them in a separate VLAN/subnet and never fully trust a laptop.
Last edited by Jeroen1000; 11-19-2009 at 04:33 AM.
Correct, the final thing you said is true: WiFi connections should never be given full access to the LAN. Even in our setup WiFi can access only the internet.
If somebody wants to access internal resources they must use a LAN port only.
This way, even if somebody cracks your WPA, they only get free WiFi, not straight access to my protected resources.
Also, even for your WPA you can push the key from the Windows server (GP) and change it once a week....
Quote:
For clarification, do you mean physical access to a workstation is required to circumvent the VLAN protection (if VLAN assignment is based on physical ports and _not_ MAC-address-based assignment)?
VLAN assignment should be based on physical port + MAC address.
In Cisco language I mean both port security as well as static ARP bound to the VLAN ID.
I have a similar question. I use a cable modem/wireless router (Linksys WCG200), and am looking for some foolproof way to keep my teenage son out of the sites I don't think he should be going to (porn, etc.). His laptop connects to the Linksys router, which is also the cable modem, so his connection goes straight out to the internet.
I can tell the Linksys router not to allow him to connect to the internet, and he can still connect to other PCs in my network, but that's an all-or-nothing proposition...either all internet or no internet.
My idea is to install Squid on a server in my network and configure the Linksys router to allow connections from the Squid server, but not from his laptop. Then configure his laptop to use the Squid server as a proxy.
I think this will force his connection to go as follows:
1) laptop wireless to Linksys router/cable modem;
2) Linksys router/cable modem to internet...fail
3) Linksys router to Squid proxy server...success
4) Squid proxy to Linksys router/cable modem to internet...success
Then I can use blacklists to block the sites I don't want him to access. If he turns off or disables the Squid server, or reconfigures his laptop to not use the proxy, the Linksys cable modem will not allow him to pass through to the internet. So as long as he doesn't hack the Squid server and disable or change the blacklist, it should be good.
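A minimal squid.conf for the setup described in this post, together with a small checker for the blacklist file. This is an added example, not configuration from the thread or from the Squid project: the domain blacklist is an `acl ... dstdomain` read from a file, and the deny line has to sit before the allow line because Squid acts on the first `http_access` line that matches. The LAN range and the blacklist path are assumed; the sample blacklist is constructed so the script runs on its own.

```bash
#!/bin/bash
# Added example (not from the thread): generate a minimal squid.conf with a
# domain blacklist, check the http_access ordering, and emulate Squid's
# dstdomain matching so you can see what a hostname would hit before a reload.
# The LAN range and blacklist path are assumed; the sample list is constructed.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"                         # assumed home LAN
BLOCKLIST="${BLOCKLIST:-/etc/squid/blocked_domains.txt}"     # assumed path on the Squid box

# Print the squid.conf. Squid stops at the first http_access line that matches,
# so 'deny blocked' must come before 'allow localnet'.
gen_squid_conf() {
    cat <<EOF
http_port 3128
acl localnet src $LAN_NET
acl Safe_ports port 80 443
acl blocked dstdomain "$BLOCKLIST"
http_access deny !Safe_ports
http_access deny blocked
http_access allow localnet
http_access deny all
EOF
}

# Sanity check on ordering: 'deny blocked' must appear before 'allow localnet'.
check_deny_before_allow() {
    gen_squid_conf | grep -n '^http_access' | awk -F: '
        /deny blocked/  { d = $1 }
        /allow localnet/ { a = $1 }
        END { exit !(d && a && d < a) }'
}

# Emulate dstdomain matching for one hostname against a blacklist file:
# ".example.com" matches example.com and every subdomain of it, while
# "example.com" (no leading dot) matches only that exact name.
# Prints "deny" or "allow".
classify_host() {
    host="$1"; list="$2"
    while read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ "${entry#.}" != "$entry" ]; then
            base="${entry#.}"
            if [ "$host" = "$base" ] || [ "${host%.$base}" != "$host" ]; then
                echo deny; return 0
            fi
        elif [ "$host" = "$entry" ]; then
            echo deny; return 0
        fi
    done < "$list"
    echo allow
}

# Constructed sample blacklist so the checker can be tried offline.
SAMPLE_LIST="$(mktemp)"
printf '%s\n' '# constructed sample blacklist' '.badsite.example' 'exact.example' > "$SAMPLE_LIST"

if [ "${1:-}" = "--print" ]; then gen_squid_conf; fi
```

Note that nothing in Squid itself forces the laptop through the proxy; that part is the router rule described in the post (allow the Squid server out, deny the laptop). Squid only decides what the laptop may fetch once it arrives via the proxy.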
Quote:
I have a similar question... and am looking for some foolproof way to keep my teenage son out of the sites I don't think he should be going to (porn, etc.). His laptop connects to the Linksys router, which is also the cable modem, so his connection goes straight out to the internet.
If your Linksys has that option (disallow from the internet, but still allow routing to the Squid box)...
Quote:
Then I can use blacklists to block the sites I don't want him to access.
If I were betting on the ingenuity of a bored teenage son (or otherwise motivated) against your ability to anticipate and blacklist all of the sites that said son, I'd still be betting on some hits for the son. Of course, you may well see some bad stuff first, and part of what happens depends on your reaction to that.
What about using OpenDNS's 'parental access controls' as a backup?
Quote:
If I were betting on the ingenuity of a bored teenage son (or otherwise motivated) against your ability to anticipate and blacklist all of the sites that said son, I'd still be betting on some hits for the son.
Of course. But until the student defeats the master, he must live under the master's rules.
Quote:
What about using OpenDNS's 'parental access controls' as a backup?
I tried using openDNS, and had problems with it. First, using my son's Vista laptop I couldn't even open the web page...it just took forever and a day to open a screen. It worked fine on my XP and Linux desktops. Second, he's smart enough to revert the DNS settings when I'm not looking. I had tried to link my Linksys router to openDNS, but that requires a static WAN IP address, and my ISP (Mediacom) was either unwilling or clueless as to how to do that, so they refused. Does openDNS allow you to slave your own DNS server to their master? If so, I could put BIND on my Squid server, configure my Linksys to use my DNS server (I think I can do that...), and get the best of both approaches.
Quote:
Does openDNS allow you to slave your own DNS server to their master?
Yes....just put their ip in as the source for your name resolutions and you are closely related to someone called Robert...
Quote:
I had tried to link my Linksys router to openDNS, but that requires a static WAN IP address, and my ISP (Mediacom) was either unwilling or clueless as to how to do that, so they refused
I didn't understand this at first, but you are probably right that you need a static ip, if you are to use the blocking facilities (I don't actually use the blocking bit). Most ISPs will give you a static IP, but you have to pay extra for it (why? what does that cost them per month?).
Quote:
If so, I could put BIND on my Squid server, configure my Linksys to use my DNS server (I think I can do that...), and get the best of both approaches.
But I wouldn't be using BIND (YMMV) for this; dnsmasq would be simpler and provides DHCP, and djbdns has proved less prone to, err, issues and is probably easier to set up (depending on whether you have to build your own... but it's certainly easier to configure if you have it in your repos, rather than having to build it from source yourself). And I like the idea of having name look-ups cached locally to your Squid server, from an efficiency point of view, too.
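A dnsmasq configuration along the lines suggested in this reply, as an added example that is not code from the thread or from the dnsmasq project: the Squid box forwards look-ups to OpenDNS and caches them locally, hands out DHCP to the LAN, tells clients to use the box itself for DNS, and pins the fixed-address PCs to their MACs the way the first post in the thread does. The OpenDNS resolver addresses are the public ones; the interface name, the box's address, the DHCP pool and the MAC/IP reservations are assumed or constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): dnsmasq.conf for the Squid box, forwarding
# to OpenDNS, caching locally, serving DHCP and reserving the fixed-address PCs.
# Interface, addresses and MACs are assumed/constructed for illustration.
set -eu

LAN_IF="${LAN_IF:-eth0}"                     # assumed LAN interface of the Squid/DNS box
SELF_IP="${SELF_IP:-192.168.1.10}"           # assumed address of the Squid/DNS box
OPENDNS="208.67.222.222 208.67.220.220"      # OpenDNS public resolvers
# Constructed MAC=IP reservations for the fixed-address PCs.
RESERVATIONS="00:11:22:33:44:01=192.168.1.11 00:11:22:33:44:02=192.168.1.12"

# Print the dnsmasq configuration.
gen_dnsmasq_conf() {
    echo "interface=$LAN_IF"
    echo "no-resolv"                 # never fall back to /etc/resolv.conf (the ISP's resolvers)
    for s in $OPENDNS; do echo "server=$s"; done
    echo "cache-size=1000"           # local cache next to Squid, as the reply suggests
    echo "dhcp-range=192.168.1.100,192.168.1.199,12h"  # pool for everything else
    echo "dhcp-option=option:dns-server,$SELF_IP"     # clients are told to resolve via this box
    for r in $RESERVATIONS; do echo "dhcp-host=${r%%=*},${r#*=}"; done
}

# Checks a practitioner would want before handing the file to dnsmasq:
# every upstream is OpenDNS, and no-resolv is set so nothing else is consulted.
count_upstreams() { gen_dnsmasq_conf | grep -c '^server='; }
has_no_resolv()   { gen_dnsmasq_conf | grep -q '^no-resolv$'; }

if [ "${1:-}" = "--print" ]; then gen_dnsmasq_conf; fi
```

This addresses the part of the earlier reply about slaving your own resolver to OpenDNS: the box forwards to them and caches locally, and DHCP clients are told to use it. It does not by itself stop the laptop from reverting its DNS settings by hand, which is the problem raised above; that still depends on what the Linksys lets past.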