Logging / Proxying Meetinghouse Traffic

#1

Post by sammythesm »

I'm a newly called STS. When I was called, the Stake President told me that one of his priorities would be making sure that people aren't using our building internet improperly (we have the most liberal filtering due to FHC). However, after becoming familiar with the church firewall, and searching this forum, it's clear that the church isn't able to log all traffic and report the logging to the STS - clearly this would be the preferred way.

So... I'm thinking of alternatives. Checking browser histories is just not possible or practical in our stake. With 14 units and 5 buildings, I'd be driving the better part of the week to regularly monitor usage. Plus, anyone with half a brain would know to clear the browser history and cache if they were breaking the rules.

This brought me to proxying. I don't want to set up browser settings pointing to a proxy, because those are too easily circumvented and do not capture 'guest' clients that come on and off the network (wireless).

So that leaves a transparent proxy. My thought is to obtain some low cost plug computer (i.e. fit2pc, GlobalScale Sheevaplugs, etc) set up with Squid and some Squid log analyzer/auto emailer as a transparent proxy between the Church firewall and the rest of the network. Ideally, I'd have the unit keep logs only and maybe even find a way to get the unit to email me an aggregate report automatically. I don't think it'll have a noticeable performance impact, especially if I'm only logging and not caching with the proxy.

The only drawback I can come up with here is that all devices would be NAT'ed behind the new proxy (would go ISP <-> Firewall <-> Proxy <-> Client), rather than NATing directly behind the firewall. This may cause some issues with any remote support software the church has installed (do they?) or with other client devices that need to communicate directly with the ASA/PIX/891 (i.e. wireless access points).

I read online that a non-NAT transparent proxy could be achieved by 'smart' switching - so that remains an attractive option - but I'm not familiar with the configuration procedure, so I would need more investigation there.

Anyone have other solutions that have worked for them? Am I trying/thinking too hard? Other ideas?

(p.s. - I did find this old thread but don't think it really had a resolution to the problem - and it's 3 years old.. thought maybe there might be some new insight...)
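The "aggregate report" step described in post #1, as an added example that is not part of the original thread: it assumes Squid writes its default native `access.log` format, the sample lines are constructed, and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit
# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1325376000.123    210 192.168.1.20 TCP_MISS/200 15320 GET http://example.org/index.html - DIRECT/93.184.216.34 text/html
1325376004.456     95 192.168.1.20 TCP_MISS/200 48211 GET http://example.org/img/logo.png - DIRECT/93.184.216.34 image/png
1325376010.789  30412 192.168.1.31 TCP_MISS/200 90233 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1325376011.000     12 192.168.1.31 TCP_DENIED/403 1450 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return one request as a dict, or None if the line is malformed."""
    fields = line.split()
    if len(fields) < 7 or not fields[4].isdigit():
        return None
    method, url = fields[5], fields[6]
    # For HTTPS tunnels Squid logs only "host:port", never the full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    if not host:
        return None
    return {"client": fields[2], "action": fields[3].split("/")[0],
            "bytes": int(fields[4]), "host": host.lower()}

def summarize(lines):
    """Aggregate requests, bytes, denials and hosts per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0, "hosts": Counter()})
    skipped = 0
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count, rather than silently drop, unparsable lines
            continue
        entry = stats[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["denied"] += rec["action"] == "TCP_DENIED"
        entry["hosts"][rec["host"]] += 1
    return dict(stats), skipped

def render_report(stats, skipped, top=3):
    """Build the plain-text body that a scheduled e-mail job could send."""
    rows = []
    for client, s in sorted(stats.items()):
        hosts = ", ".join(f"{h} ({n})" for h, n in s["hosts"].most_common(top))
        rows.append(f"{client}: {s['requests']} requests, {s['bytes']} bytes, "
                    f"{s['denied']} denied; top hosts: {hosts}")
    return "\n".join(rows + [f"unparsed lines: {skipped}"])
```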

#2

Post by Mikerowaved »

As far as remote support, the software the church uses has no problem with double (or even triple) NAT'ing, so I wouldn't worry about that.

However, you bring up a valid concern regarding wireless access points. The latest ones being offered are connected directly to the firewall, so they will bypass your proxy, and I suspect the WAPs will carry the bulk of the traffic you would like to keep a close watch over.

#3

Post by harddrive »

Transparent proxy is a good idea, but I would move the proxy server to between the firewall and the ISP. This way you would catch the wireless traffic.

Now the other issue that I see is making sure that all the traffic goes through the proxy. My thinking to make sure that happens is to set up the computer that will capture the data with 2 NICs in it. So the IP addresses for those NICs would have to be different. Unless you set something up that acts like a switch to capture the data.

I'm not familiar with the products you describe, but I do know that traffic will have to get to that server so that you can get the data you are looking for.

You can also wait until the church implements the log in procedure in 2012.

#4

Post by sammythesm »

Mikerowaved wrote:As far as remote support, the software the church uses has no problem with double (or even triple) NAT'ing, so I wouldn't worry about that.
Good to know!
Mikerowaved wrote:The latest ones being offered are connected directly to the firewall, so they will bypass your proxy, and I suspect the WAPs will carry the bulk of the traffic you would like to keep a close watch over.
Right. And I think they have to be directly connected to the FW so they can obtain their profile from the router. I don't have any 1041s installed to experiment with - can someone validate whether a 1041 AP will still function correctly if NAT'd? Perhaps if you initially plug it into the firewall (to get the profile installed), then move it behind the proxy/NAT? Or can the profile request/CDP (or whatever it's using to auto provision) traverse a NAT?

#5

Post by sammythesm »

harddrive wrote:Transparent proxy is a good idea, but I would move the proxy server to between the firewall and the ISP. This way you would catch the wireless traffic.
I think if you put the proxy in between the FW and ISP, you aren't going to see diddly. All traffic is sucked into the VPN tunnel between the FW and SLC, so there's no chance to log individual HTTP/S requests at that point because they've become encrypted.
harddrive wrote:You can also wait until the church implements the log in procedure in 2012.

Right - but as far as I understand (correct me if I'm wrong) they still haven't said they will provide any reporting to the local unit - still an aggregate thing at the data center.

#6

Post by johnshaw »

My own personal opinion is to let the Church handle the filtering. I don't get why going through this effort is necessary. The Church already does the filtering, and if a stake president doesn't trust that.... I just can't see any reason going through this effort is worth the complexity.

I'd stick to the policy, put everything behind the firewall.... let the church handle the filtering... isn't there enough to do already? :)

#7

Post by sammythesm »

I definitely agree. Not looking to replicate what the church is doing. Not looking to really filter anything. I just want to log so I can fulfill the request from my Stk Prez to have some local auditing capabilities.

#8

Post by nbflint »

I don't know about the other buildings in the stake but our building is set up ISP -> FW -> Router -> APs & Clients.

The router could easily be set up to use DNS from OpenDNS which provides reporting. I'm not a network guy, just a home user, so I don't know how this would affect the FW and traffic.


#9

Post by jdlessley »

sammythesm wrote:
harddrive wrote:Transparent proxy is a good idea, but I would move the proxy server to between the firewall and the ISP. This way you would catch the wireless traffic.
I think if you put the proxy in between the FW and ISP, you aren't going to see diddly. All traffic is sucked into the VPN tunnel between the FW and SLC, so there's no chance to log individual HTTP/S requests at that point because they've become encrypted.

The VPN tunnel is for remote communications between CHQ and the firewall/local network. Internet traffic does not go through the VPN. There is filtering through a third party service, Websense, but that is not VPN nor is it encrypted.

sammythesm wrote:
harddrive wrote:You can also wait until the church implements the log in procedure in 2012.
Right - but as far as I understand (correct me if I'm wrong) they still haven't said they will provide any reporting to the local unit - still an aggregate thing at the data center.

The wait is to see how the LDS Account logon is implemented. It could affect the location of the proxy server within or outside the local network. It could also negate its use altogether.

With LDS Account logon, CHQ should be able to identify inappropriate internet use and the user. No mention has been made as to how this would be implemented. It is possible that something like repeated blocks of inappropriate sites from one location will trigger some recording of the requested/attempted URL and the LDS Account owner. We can only speculate at this point. To me this would be far less than recording or logging all internet traffic for local leaders to call up for analysis of internet use.

#10

Post by danpass »

jdlessley wrote:With LDS Account logon, CHQ should be able to identify inappropriate internet use and the user. No mention has been made as to how this would be implemented. It is possible that something like repeated blocks of inappropriate sites from one location will trigger some recording of the requested/attempted URL and the LDS Account owner.

I recall that one of the reasons/benefits for switching to LDS Account authentication is to provide accountability for Meetinghouse Internet use. As you say, we don't have implementation details, but it does seem certain that inappropriate Internet use will be scanned for and presumably reported to the local steward over the LDS Account holder.