security and a school computer lab
 

Not too sure if this is the right forum to as this but here goes. I have a Computer lab at my Church School and we are concerned about inapproiate web sights getting to the children screen. We don't want this to happen. I am probablly gonna use IPCop as a start but I want to be able to block out certain other things like IM programs. Also a request was made of me to find a program that will inabel the teacher to view whatever is on a students screen from the teachers desk. Now I know that some people wil chim in on it is wrong to block IM programs and spying on what is on a student screen is bad too, but this is what is requested.

All the PC in the classroom are Dell P4 with windows XP Pro installed the internet gateway is a Dell PowerEdge 2650 NO os is as yest installed.

Robert

Certainly not the right forum, no.

The only way I could see Linux fitting into this is by being used on the server, but even still that doesn't make this a Security question.

I think it's fine here, as it's about setting up a GNU/Linux firewall. I do, however, request that a separate thread be opened for the screen monitoring question. Furthermore, since it sounds like both teacher and students are running Windows, that question should probably go in General.

hewittrj, have you considered simply making a list of allowed websites for the children? Said approach would be the simplest (and quite likely the most effective too). Granted, it's not an option everyone finds attractive, but I still wanted to ask.

I agree with Win32. From a behavioral perspective, making your intentions known and clearly understood will get you better results than placing obvious barriers in front of them. If they are aware that you are deliberately blocking stuff from them, for some at least, it will become a challenge just to avoid your block. From experience, I think it is safe to say that this is a game that you would likely lose. Also, one of the absolute worst responses to "inappropriate content" that your organization could make would be to "make a big ordeal about it" as this would only enhance the experience and make for a more enticing game. Instead you would be better off to use it as an opportunity to teach and discuss about why it is inappropriate for a public setting like school or the work place. I don't mean to preach here, but on a talk radio station that I listen to in the mornings on the way to work, variations of this subject come up frequently. Far too often the school systems react in an insane and very non-adult manner and their response is usually far more controversial than the original offense.

If you do decide to go with filtering software, there are several options, both commercial and free. Typically these act as proxy servers, receiving the request, making a determination as to whether or not the site is allowed and then fulfill the request by relaying the data. The most common commercial one I am aware of is a programm called Bluecoat. In the free realm, a lot of people use Squid / Squidguard as a proxy, but I couldn't provide you with a lot of details on how to use it for content filtering. Here is a link to one that is a how-to implement content filtering site using squidguard, dansguardian, and Ubuntu Linux, from a reputable author.

Such a system would also contain logs that could be used to review a students activity in regards to where they have been. You might consider this as a compromise to the desire to have the children's monitors spied on. It would still achieve the same goal, but in a more subtle fashion. It would identify any violators, who could be dealt with, while not sending the undesirable message that "we are watching you because you can't be trusted"; a message that, if given, they will certainly live up to.

One simple thing you can do is use Open DNS. Register, and enable the family filtering.
I imagine you have a NAT router, and the computers use DHCP to get their IP address and the DNS address. You can put enter the IP addresses for OpenDNS in the routers config page so the computers use it instead of your ISP's name server.

Some ISP's offer a similar service for $1 or $2 a month.

Another option is a device such as an Astaro gateway. There will be an upfront charge for the device and a monthly charge.

If you will go for the home brew proxy server route, google for terms in the link provided in the last post. I've seen pages giving complete configurations for Dan's guardian & squid that is used in a school proxy. Such a system will not only block sites on a black list, but can also scan pages visited and block pages containing objectionable text. If you can identify a school that uses Dan's Guardian, contact the IT department at that school. They will probably be glad to offer advice.

Another thing that is important is the the kids are supervised when they are online.

In terms of effectiveness and maintenance using a blacklist is less optimal than using a whitelist. Using that instead will also help enforce the educating users and policy aspects (which I agree are important things to emphasize) from Noway2's post.

I don't disagree with this point. Using OpenDNS as well as white listing could provide redundancy, in case of a mistake or misspelling in the white list.

Is there such a thing as a white list download? It sounds like it could be a maintenance nightmare if not meant for younger children who only need to visit a handful of sites.

Good point. BTW what happens if OpenDNS fails to filter a site?


Heh, the phrase "maintenance nightmare" is exactly what I had in mind for describing a blacklist ;-p Whitelists must be tailored for a specific sites needs so I doubt there's any generic parental control type of whitelists for free D/L (there is a restricted search engine for little children though). A maintenance nightmare to me would be having to find out, not from the FQDN or URI, but by manually visiting a page to see if it would be fit for whatever place.

I think I will be usig IPCop as a firewall filter setup I need to start the server install for it but it still leaves out the monitoring. A blacklist is a nightmare but it my be the only way to go as the students use the computers for web research on various subjects. My only real concern is accidental access to pg-13; R; and X rated web sites, and the school has asked to block Myspace and Facebook. I am not too worried about IM as the grade level is 1st to 6th grade. As for the screen monitoring You could look at as security, I know of business that do this to their employees.


RObert