Monthly Archives: April 2012

Looking back on safe Internet use for 7 years

For 7 years we have had a nice safe internet environment at home.

The whole family have been using SunRay thin terminals that were protected by multiple layers.

  • First, the SunRay terminals are wired into a dedicated network that is not directly connected to the internet and which only supports SunRay clients. So, for example, you couldn't bring a laptop into their room and connect it to the internet via the network cable there.
  • The SunRays were connected to a Sun server running Ubuntu Linux. I didn't support Windows in their rooms at all. So no Windows virus problems, plus centralised management, configuration and logging meant I was in control of all the applications.
  • The Sun server was then connected via a second network to a dedicated firewall machine running IPCOP (a special version of Linux locked down for use as a firewall). This was set in a fairly restrictive mode in terms of what internet protocols were supported. This kept the already fairly secure Ubuntu further protected from attacks. It also allowed me to restrict in lots of ways what was available to us all on the Internet. For example, it included DansGuardian, a content filter that looks at every web page to check the address is not known to be porn etc. and looks at the content of every page to score it and decide if it is OK based on the words used in the page (and its URL).
  • The IPCOP firewall was then connected to a standard broadband router (via CAT5 rather than USB) and I locked that down as much as is possible with these fairly basic devices.
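
The two checks described for DansGuardian in the list above (address first, then a word score for the page and its URL) can be sketched as follows. This is an added example, not DansGuardian's code and not part of the original post; the host list, phrase weights, limit and function names are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# All values below are constructed for illustration; they are not
# DansGuardian's real lists, weights or limit.
BLOCKED_HOSTS = {"blocked.example"}
WEIGHTED_PHRASES = {
    "casino": 40, "poker": 30, "free spins": 50,   # push a page towards a block
    "homework": -20, "revision": -20,              # pull it back
}
SCORE_LIMIT = 100


def host_is_blocked(url):
    """Address check: match the host or any parent domain on the list."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def normalise(text):
    """Lower-case and collapse punctuation so 'Free-Spins!' reads 'free spins'."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def score(url, page_text):
    """Sum weight * occurrences over the words of the URL and the page."""
    words = normalise(url + " " + page_text)
    return sum(
        weight * len(re.findall(rf"\b{re.escape(phrase)}\b", words))
        for phrase, weight in WEIGHTED_PHRASES.items()
    )


def decide(url, page_text):
    """Return (allowed, reason); the address check runs before scoring."""
    if host_is_blocked(url):
        return False, "address on block list"
    total = score(url, page_text)
    if total >= SCORE_LIMIT:
        return False, f"content score {total} >= limit {SCORE_LIMIT}"
    return True, f"content score {total} < limit {SCORE_LIMIT}"


if __name__ == "__main__":
    print(decide("http://games.blocked.example/", "homework help"))
    print(decide("http://school.example/maths",
                 "Homework and revision notes. One poker probability question."))
    print(decide("http://promo.example/free-spins",
                 "Casino poker casino! Free spins at the casino"))
```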

Beyond the SunRays we have supported a variety of other devices

  • I added WiFi using a 3rd network adaptor in the IPCOP firewall connected to a separate WiFi Hub. This was set up with very tight restrictions. If you turned up with a laptop, then before you could use it I had to add its MAC address (the unique address that every network adaptor has) to both the WiFi Hub and the IPCOP firewall. That would give you access to the internet through the IPCOP firewall but no access at all to the Sun server.
  • For very privileged people (basically me only) I allowed a laptop to connect to the network printer via special routes from WiFi through the IPCOP machine.
  • The WiFi has in recent years also supported Android phones and Kindles.

Over the years this has kept all our data safe and it has resisted attempts by teenagers to get at content that I didn't want them to get to.

It has meant some inconveniences.

  • Many times I have had to specifically allow websites, or parts of them, that the firewall was blocking so that the boys could do homework or play games. It was a simple enough task.
  • Sharing files between laptops and the main system was designed to be inconvenient, because that was the easiest way to keep the boys from getting lots of virus-ridden files from friends. For our own sharing beyond the Sun server we simply used the internet, whether using email or Dropbox or similar. For many years I simply used software version control with the "code" hosted on the internet and synced to whichever machine I needed it on.
  • Video and sound support on the SunRays has been poor to non-existent. But we have always had a laptop or 2 around that can be used for this.
  • Flash has often not worked properly on the SunRays; again, if it is important then use a laptop.
  • It meant we were using OpenOffice rather than Microsoft Office, but I have always seen that as an advantage :-) (the only application where this has occasionally been a nuisance is PowerPoint, where OpenOffice Impress is not 100% compatible with animations and transitions).
  • In more recent years some internet things just haven't worked properly through the firewall as it was getting a bit old. That included iTunes.

Since the original purchase 7 years ago we have been able to use entirely legal software on the Sun server and all the SunRays, have it updated many times and all for zero cost.

Let me repeat that. Since buying the Sun server 7 years ago we have spent £0 on software despite many updates and a full set of applications. We have also had zero problems with viruses. Our downtime has been minimal with the server frequently running for months at a time between reboots.

Not only that but the SunRays had other advantages too.

  • They had no fans and so were silent. Handy when everyone had one in their bedroom.
  • Installation of a new application and making it available to everyone takes seconds (find it in the Ubuntu software centre and click install).
  • If they get turned off, knocked over or have cola poured over them you don't lose anything at all. Just take out your smartcard, put it in another machine and carry on from where you were (it helped that it was cheaper to buy a bundle of them rather than 5 individually).
  • If you want a change of scene then remove your smartcard and put it in any other machine to carry on exactly where you were.
  • Want some help with your homework then just take your smartcard to someone else and pop it in their SunRay to show them what you are doing.
  • When I wanted to run training courses I could set up a room with 15 workstations in a tiny fraction of the time it would take with individual PCs (I know, I have done it). My only restriction was due to the number of monitors I could borrow.

But now without our Sun server I am entering a Brave New World with all these levels of security lost :-(  More thoughts on that later.

The end of a SunRay era

For 7 years we have been running a Sun server with SunRay thin clients (see 42: SunRay Server installation).

However, this week the server failed in a major way (power on but nothing at all on the screen and no hard disk activity).

So it is being retired. To an extent we had been expecting to do this. We now have one son already away from home and using a Macbook when he is around. We hope another will go to university in October. Also I am using a laptop much of the time. So the server was no longer making economic sense simply in terms of electricity for only 2 or 3 users.

However, everything has been organised around that server in terms of shared storage, email, printing, … So a lot of reconfiguring is in progress. We are going to have a Linux file server (a simple Network Attached Storage box).

I am going to change the firewall to provide more WiFi integration and am thinking of going the whole hog and moving it to OpenBSD as the most secure firewall option there is.

I am also going to be shifting our main domain to Google for email (most users have been using Gmail to collect the mail from the server anyway).