Wednesday, 1 June 2011

Manage Family Web Access using CCProxy

After messing around with Norton Internet Security(TM), trying to use its "Parental Controls" and finding nothing but frustration with the limited functionality, I finally put procrastination aside and decided to try implementing a PROXY server to provide the level of control I was seeking.

The big limitation most products have is that while they may allow (some) site and time restrictions, most of them don't seem to combine both features very well (if at all).

After looking at a whole raft of applications (like Norton Internet Security, OpenDNS(TM), Net Nanny(TM) and the like) I decided I didn't want to spend the sort of money some of these products were asking, and most of the "free" ones just didn't cut it in terms of functionality and flexibility.
I started to focus on what proxy offerings were out there and, after trying a bunch of both paid and free ones, I finally settled on CCProxy(TM) (current version 7.2).

The key reasons I chose CCProxy over others I considered were:
  • It is a Windows based product
    (I could have gone the Linux route using squid, and I'm sure it would have done all I wanted; however, I'm not really a Linux guy but know my Windows and networking pretty well)
  • It will run on plain old XP - i.e. it doesn't need Windows Server or any "special build" to make it work
  • It will work on a single-homed machine - i.e. just a single network card
  • To achieve what I wanted, all I had to do was reconfigure the browsers on the clients I wanted to control.
  • It had a free and un-crippled trial offering so I could check it out properly before committing to buy it
  • The purchase price for 10-user home use was "very reasonable"
  • MOST IMPORTANTLY - I could configure it the way I wanted!
To set the scene:
Let me say up front that I have purposely chosen not to make this solution hack-proof and unable to be bypassed.
I had a fairly secure, working, home network, which I wanted to put a configurable filter in for individual devices.
I did not want to alter the network config any more than absolutely necessary.
I am also relying on my kids not reconfiguring their browsers to use the unfiltered route to the internet as I want them to learn self restraint by being made aware that there are appropriate times to conduct various internet activities.

OK, here's our setup and what I wanted to achieve:
We have a home Local Area Network (LAN) with an ADSL router providing Network Address Translation (NAT) fire-walling from the internet.
That then connects to a multi-switched network, one switch also providing b/g/n WiFi.
There are six client PCs, one printer, four netbooks, three iPods, an eReader and a Wii connecting to the network:
  • The Wii, iPods and eReader all use the WiFi.
  • The Netbooks can be cabled or WiFi.
  • The rest are all cabled.
Two of the cabled systems run XP Prof 24x7. One acts as a "data backup server" and hosts the CCTV security system (local and off-site access); the other has a dual function of being my primary workstation and acting as the "shared resources" server (shared data, individual home drives, printers, scanner and fax). Another two of the workstations are located in our "living" area for the kids to do their homework on (so we can monitor usage and homework progress).
It is these two PCs and the kids' two iPods which I have set out to manage, because despite reasonable self-control, both kids can "lose" an inordinate amount of time in their use of Facebook, Tumblr, Picnik etc.

First criterion - be a Windows based proxy
...for the reasons stated above.
It also needed to be able to run on an XP workstation (not a server, as I don't currently have a server running on anything but my testbed machine).
It should not be too resource intensive, because the CCTV software chews a vast amount of resources when running a large number of cameras.

Second criterion - MAC filtering
While the network is pretty tightly locked down with static IP addresses on all the cabled devices and individual internet security suites on each of the clients, it just wasn't going to be practical to assign static IP addresses to all the radio devices, because we wanted to use them in other DHCP (Dynamic Host Configuration Protocol) enabled environments such as McDonald's, the school network, coffee shops, etc.
DHCP allocates an IP address to a device from a range of possible addresses, so for the iPods and Netbooks we wanted to control, the first selection criterion was that Media Access Control (MAC) address filtering had to be possible, because that is a fixed address no matter what IP address the device has.

Third criterion - scheduled internet (web) access
We wanted to be able to completely deny all web access after certain times at night (e.g. 9~11pm) and not re-enable it before certain times in the morning (e.g. 5~7am).

Fourth criterion - different per-person schedules (i.e. per-device)
Because of age and work commitment differences we wanted to be able to allow more "social" web access time for one than the other, yet more "overall" web access time for the older one who now uses the web for a lot of legitimate research and resource acquisition.

Fifth criterion - constrained site access within the allowed web access window
Not too many products seemed to provide this!
So the objective here was to allow general web access from morning till night but, at certain times, preclude access to certain time-consuming sites such as Facebook(R), Tumblr(R), Picnik(R), Twitter(R) and the like.
To add complexity, we wanted the applications and the duration of those limited access times to also be tailored to the individual.

How CCProxy met ALL those criteria
I downloaded the trial (3-user limited) installer from the Youngzsoft(R) download site. (1.4MB)
On the P4 2.4GHz 2GB RAM XP Professional CCTV/Backup system, I set a System Restore Point then, following the ccproxy_quick_start.pdf, executed the CCProxy trial installer.
A couple of minutes later it was installed! That was all there was to it!
The installation relies on the installation machine having the correct default gateway defined for access to the internet.

From there I followed the clearly explained quick start guide, to set up my first user, a simple web filter and a schedule, before moving on to the slightly more complex task of defining a scheduled-web-filter then multiple scheduled-web-filters set within each other ... as I'll describe below.

I started by using my own workstation as the test target to make sure I could:
  • redirect my browser via the proxy
  • filter a particular web site, then multiple web sites
  • set a schedule when my web access was allowed/prohibited
I discovered that (unlike some other products) I could control each of the seven week-days differently and could have multiple segments throughout every day when access was/was-not limited by the proxy.

All I had to do on my workstation was go into my web browser (Firefox(TM) in this instance) and under
Tools-Options-Advanced-Network-Settings, select Manual Proxy Configuration: and enter the IP address of my system where I had installed CCProxy.
I also ticked the Use this proxy server for all protocols checkbox.
[Note: an Internet Explorer(TM) example is provided in the quick start guide]

One thing to remember when you are testing if it's all working: if you have allowed access to and accessed a web site, then closed the browser (or tab), reconfigured the proxy to prohibit that site and then retried accessing the site, it may appear that the proxy is not prohibiting access!
Clear the browser cache on your client and again try accessing the site, and you will get the proxy warning regarding time or site access restrictions.

With the simple stuff all working, I moved on to the more complex task of seeing if I could schedule not only overall web access times, but also when certain sites were blocked (or allowed).
That turned out to be as simple as going into the Edit option of a particular client (my workstation) and selecting not EITHER a Web Filter OR a Time Schedule but rather selecting BOTH, at which point the chosen Web Filter is applied according to the chosen Time Schedule (simple eh!)

OK so I created a Time Schedule called Time0500-1700_2000-2300 and set each day as shown here:

Using a Permit Category: Permit Only and an Auth Type: MAC address, I created an account which I called WebAllowed using the MAC address of my client.
I checked all the protocol boxes (www, Mail, Telnet etc.) and, under Time Schedule:, selected my already defined Time0500-1700_2000-2300 schedule.
This meant my workstation (based on its MAC address and regardless of its IP address) would be granted internet access for all selected protocols from 5am to 5pm then again from 8pm till 11pm every weekday; from 5am to 10am, midday to 2pm and 5pm to 11pm on Saturday; and from 5am to 11pm on Sunday.

Next I created a complementary Time Schedule to "fill in the gaps" of the first schedule:

  • Monday to Friday: applies 5pm to 8pm
  • Saturday: applies 10am to 12 and 2pm to 5pm
  • Sunday: no effect

I also created a HomeworkDeny Web Filter thus:

As you can see, I chose to forbid web sites using the Site Filter checkbox, then set "Forbidden Sites" filters for both un-secure (http) and secure (https) traffic (which uses port 443) for both Facebook and Tumblr.
You can't quite see it in the graphic, but to define the port you want to filter you specify a colon followed by the port number after the site address,
e.g. *.tumblr:443

Now the nifty bit.
You create a second account for the same device (using the same MAC address)
So again ...
Using a Permit Category: Permit Only and an Auth Type: MAC address, I created an account which I called WebRestricted, again using the MAC address of my client.
I again checked all the protocol boxes (www, Mail, Telnet etc.) and, under Time Schedule:, this time selected my already defined second (complementary) Time1700-2000 schedule.

This now means my workstation (based on its MAC address and regardless of its IP address) will still be granted internet access for all selected protocols from 5pm to 8pm every weekday; from 10am to midday and 2pm to 5pm on Saturday; with no access-control (by this schedule) on Sunday.

So when the two schedules are combined, the effect is that this one device (based on its MAC address) has web access all the way from 5am to 11pm every day.
But now ...
In this second account definition we also apply a Web Filter using the HomeworkDeny filter we defined previously. So, during the times specified in the schedule for this second account (for the one machine), the sites specified in the HomeworkDeny filter are prohibited, yet all other internet traffic to all other sites is still allowed during those times.

Web access only between A(5am) & D(11pm) and within that, 
restrict certain sites during period B(4pm) thru C(8pm)
A(5am)------ all web ---------B(4pm)---web without some sites---C(8pm)--------- all web ---------D(11pm)------- No Web ------->A 
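As an added illustration (not from the post and not CCProxy's own code), the following Python models the two-accounts-per-MAC arrangement described above so you can query any request against it and confirm the two schedules never overlap. The MAC address and the exact HomeworkDeny patterns are constructed, and treating the patterns as shell-style wildcards is an assumption about CCProxy's matching, not documented behaviour.

```python
from datetime import time
from fnmatch import fnmatch

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering

def seg(*ranges):  # (h1, m1, h2, m2) tuples -> [start, end) time windows
    return [(time(h1, m1), time(h2, m2)) for h1, m1, h2, m2 in ranges]

# Schedule Time0500-1700_2000-2300, transcribed day by day from the post.
TIME_MAIN = {d: seg((5, 0, 17, 0), (20, 0, 23, 0)) for d in range(MON, FRI + 1)}
TIME_MAIN[SAT] = seg((5, 0, 10, 0), (12, 0, 14, 0), (17, 0, 23, 0))
TIME_MAIN[SUN] = seg((5, 0, 23, 0))

# Complementary schedule Time1700-2000: fills the gaps in TIME_MAIN.
TIME_RESTRICTED = {d: seg((17, 0, 20, 0)) for d in range(MON, FRI + 1)}
TIME_RESTRICTED[SAT] = seg((10, 0, 12, 0), (14, 0, 17, 0))
TIME_RESTRICTED[SUN] = []

# HomeworkDeny filter as "host" or "host:port" patterns. The patterns are constructed;
# matching them as shell-style wildcards (fnmatch) is an assumption, not CCProxy's documented rule.
HOMEWORK_DENY = ["*.facebook.com", "*.facebook.com:443", "*.tumblr.com", "*.tumblr.com:443"]

KID_MAC = "00:11:22:33:44:55"  # constructed MAC address for one child's PC
ACCOUNTS = [  # two accounts bound to the same MAC, as the post sets them up
    {"name": "WebAllowed", "mac": KID_MAC, "schedule": TIME_MAIN, "forbidden": []},
    {"name": "WebRestricted", "mac": KID_MAC, "schedule": TIME_RESTRICTED, "forbidden": HOMEWORK_DENY},
]

def in_schedule(schedule, weekday, t):
    return any(start <= t < end for start, end in schedule[weekday])

def site_forbidden(patterns, host, port):
    host = host.lower()
    return any(fnmatch(host, p) or fnmatch(f"{host}:{port}", p) for p in patterns)

def evaluate(mac, weekday, t, host, port=80):
    """Decide one request -> ('allow' | 'site_blocked' | 'no_access', account name or None).
    The two schedules are disjoint, so exactly one account can cover any moment inside 5am-11pm."""
    for acct in ACCOUNTS:
        if acct["mac"].lower() == mac.lower() and in_schedule(acct["schedule"], weekday, t):
            if site_forbidden(acct["forbidden"], host, port):
                return "site_blocked", acct["name"]
            return "allow", acct["name"]
    return "no_access", None

def schedules_overlap(weekday):
    """Check before committing licences: if the two windows ever overlap, which account
    answers depends on CCProxy's internal ordering rather than on the plan above."""
    return any(a0 < b1 and b0 < a1
               for a0, a1 in TIME_MAIN[weekday] for b0, b1 in TIME_RESTRICTED[weekday])
```

Windows are half-open, so a request at exactly 5pm on a weekday already falls under WebRestricted, and times compare within a single day, so neither schedule may cross midnight.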

The catch with this approach is that it appears to consume TWO client licenses, so in our case we need a minimum of FOUR licenses per child (2 per iPod and two per desktop - per child), so there go eight licenses immediately. This means we are forced to buy the minimum paid license, which happens to be 10-user for US$70 (as at Jun 2011). Still, that is a one-off cost, so for the flexibility it's not bad.

Two other noteworthy points:
  1. To configure the iPod Safari browser to use the proxy: go into Settings, turn WiFi ON, scroll down to Proxy, select Manual, supply the IP address of the CCProxy installation and supply the port (which if using default settings will be 808).
  2. Because this is a fully-fledged proxy offering, web-caching can be enabled on the proxy installation; however, it does consume additional disk, memory and CPU resources, so that must be considered when deciding if there is value in avoiding repeated downloads of sites and potentially faster page delivery.
