[fw-wiz] Content filtering - how to enforce at home

From: Wieslaw Lubas <wieslaw_lubas@xxxxx>
Date: Wed, 8 Sep 2010 21:18:41 +0200

Hi,

I am trying to attach small filtering "appliance" in home environment. From
user perspective it is a proxy server and firewall with IP address A on LAN
side. WAN side connected to DSL/cable modem (CPE). All traffic other than
restricted web categories shall be allowed. CPE DHCP turned off, allows
only "appliance" MAC address.

Scenario 1. Web proxy (A) enforced on workstation.

Scenario 2. CPE or firewall blocks 80&443 from sources different than "A".
"Appliance" is in transparent mode, because all workstation users can modify
proxy settings. Disadvantage - only ports 80 and 443 are filtered - filter
can be bypassed using Internet-based proxy.

Scenario 1a. Smart 7 years young hacker replaces "appliance" with some
non-filtering proxy, using the same IP. How to avoid this hack?

Scenario 2a. Smart 7 years young hacker clones "appliance" MAC and connects
dorectly to CPE.How to avoid this hack? 802.1x?

Scenario 2b. CPE is provider-managed - in my case cable modem acting as a
bridge. No mac filtering. Any connected DHCP client gets online. Anything
else than physical lock will help (connecting cable modem with "appliance",
setting up appliance as DHCP server, both boxes secured with key in
enclosure)?

Is there any software based solution that could do the job?

Specifically, tamper proof network driver acting as ICAP client (I could
install filter with ICAP server in remote location).

Wieslaw
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] Content filtering - how to enforce at home
  - From: Randall C Grimshaw
- Re: [fw-wiz] Content filtering - how to enforce at home
  - From: pkc_mls

Prev by Date: [fw-wiz] Getting windows user name?
Next by Date: Re: [fw-wiz] Getting windows user name?
Previous by thread: [fw-wiz] Getting windows user name?
Next by thread: Re: [fw-wiz] Content filtering - how to enforce at home
Index(es):
- Date
- Thread

Relevant Pages

Re: searching for hardware firewall with web history
... it is marketed as an appliance... ... >hardware in it and the OS is some sort of BSD derivate. ... >> indicate that Astaro is a software firewall. ... Wrong, marketing speech and technical ...
(comp.security.firewalls)
Re: Firewall for VMS / TRU64
... >}for up to 254 client computers. ... >}Think of a firewall also as a circuit breaker. ... >}the network is much better than having your computer do so. ... is that the appliance is dedicated to one specific type of task. ...
(comp.os.vms)
Re: ISA Server or Firewall Appliance?
... > is ISA server enough to use as a firewall (along with all of the other ... > Of course the ISA server would sit facing the internet, ... What you have to bear in mind here is that an appliance is, generally, a ... top of, with a proprietary operating system (typically based on freebsd, ...
(Focus-Microsoft)
RE: ISA Server or Firewall Appliance?
... I've been using ISA 2004 on a box that's been facing the internet since it's ... I've run other firewall "appliances" as well ... ISA Server or Firewall Appliance? ...
(Focus-Microsoft)
Re: Hardware vs Software Firewall - Pros and Cons?
... Now the problem is how to define a firewall appliance ... ... (Layer n refers to the OSI model). ... A more buzzworded firewall is a stateful packet filter with deep inspection. ...
(comp.security.firewalls)