Toger Blog

Home Network Plan

I have several daughters, the oldest of which is just becoming familiar with the Internet. Her grandparents also bought her a WiFi tablet for Christmas. I know that keeping an eye on her usage is the best approach, but I wanted technology to help backstop that. And, because it is interesting to do, I want to way overbuild the environment Just Because.

The technologies:

  • Squid
  • DansGuardian
  • ElasticSearch/LogStash/Kibana
  • Logstash-forwarder
  • Raspberry Pi
  • AWS

She is not sophisticated enough to actively undo any of the protections I might put in (yet!!). So for the meantime the config only has to be good enough, rather than something that would stop a determined attacker.

What I have done is set up a Raspberry Pi on the network that runs Squid+DansGuardian, and configured her devices to use it as their web proxy. Logstash-forwarder ships the Squid and DansGuardian logs to an EC2 t2.micro instance that parses/indexes them, and I’ve set up reports that show me what domains she’s connected to. Finally, I’ve configured the RouterBOARD 750GL to export NetFlow data to EC2 as well, so I can track what domains non-http/https traffic uses.

I am utilizing EC2 for log processing as my Pi just isn’t big enough to run squid/dansguardian plus an ELK stack. I might migrate to a SaaS solution at some point.

I expect to utilize the ElasticSearch function to spool daily logs out to S3 and on to Glacier. I don’t have a specific reason to do this as the logs aren’t really meaningful after a week or so, but it is just something to tool around with. The NetFlow logs could be useful at some point if there was a question about the accuracy of my ISP’s metering though.

Future enhancements will be to put the wireless devices / her network jacks into their own VLAN and either transparently proxy them or disallow unproxied content. Further would be to upgrade Squid to the version that can MitM SSL connections and add a trusted cert to her devices.

The layout so far:

I want to underscore that all this is ‘Because I Can’ / an interesting challenge, rather than because I strictly need it to provide all the protection from the darker places on the Internet. We keep an eye on what she does and restrict her Internet access to the ‘public’ portions of the house — no private Internet access.

NetFlow config on the 750GL:

/ip traffic-flow
set enabled=yes interfaces=<pppoe/outgoing interface>
/ip traffic-flow target
add address=<logstashhostIP:port> version=5
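The router sends those flows as NetFlow v5 datagrams, which the Logstash netflow codec decodes on the EC2 side. The following is an added example, not part of this post or of RouterOS/Logstash: a small Python decoder for the v5 wire format (24-byte header, 48-byte records, all big-endian) that also fabricates a datagram from constructed sample flows so it runs offline, then sums bytes per destination for everything the web proxy never sees (anything other than TCP/80 and TCP/443). The addresses, ports and byte counts are made up; the field names follow the v5 specification.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (big-endian), the format selected by "version=5" on the router.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

# Constructed sample flows (src, dst, proto, sport, dport, packets, octets); not real traffic.
SAMPLE_FLOWS = [
    ("192.168.1.20", "93.184.216.34", 6, 51000, 443, 40, 30000),    # HTTPS, also seen by Squid
    ("192.168.1.20", "93.184.216.34", 6, 51001, 80, 10, 6000),      # HTTP, also seen by Squid
    ("192.168.1.20", "8.8.8.8", 17, 50000, 53, 2, 180),             # DNS, never proxied
    ("192.168.1.20", "203.0.113.9", 17, 60000, 3478, 500, 420000),  # UDP/3478, never proxied
]


def build_v5_export(flows, sys_uptime=120000, unix_secs=1419978123, flow_sequence=0):
    """Pack flows into one NetFlow v5 datagram (used here only to fabricate test input)."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b""
    for src, dst, prot, sport, dport, pkts, octets in flows:
        records += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            1, 2, pkts, octets, sys_uptime - 5000, sys_uptime - 1000,
            sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)
    return header + records


def parse_v5_export(packet):
    """Decode one NetFlow v5 datagram into (header dict, list of record dicts).

    Rejects anything that is not v5 or whose length disagrees with the header's
    record count, so a truncated or foreign datagram cannot produce bogus flows.
    """
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(packet, 0)))
    if header["version"] != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % header["version"])
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(packet) != expected:
        raise ValueError("count=%d implies %d bytes, got %d" % (header["count"], expected, len(packet)))
    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return header, records


def non_web_destinations(records):
    """Octets per (dst, proto, dport) for flows the web proxy never sees."""
    totals = defaultdict(int)
    for rec in records:
        if rec["prot"] == 6 and rec["dstport"] in (80, 443):
            continue  # covered by the Squid logs already
        totals[(rec["dstaddr"], rec["prot"], rec["dstport"])] += rec["dOctets"]
    return dict(totals)


if __name__ == "__main__":
    hdr, recs = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    print("sequence %d, %d flows" % (hdr["flow_sequence"], hdr["count"]))
    for (dst, prot, dport), octets in sorted(non_web_destinations(recs).items()):
        print("%s proto=%d port=%d bytes=%d" % (dst, prot, dport, octets))
```

The length check is the part worth keeping: the export arrives over plain UDP, so anything on the LAN can send a datagram to that port, and the collector should refuse records that do not add up before indexing them.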

Logstash configuration on the remote end:

input {
  lumberjack {
    port => 5043
    type => "squid"
    ssl_certificate => "/home/ec2-user/logstash-forwarder/logstash-forwarder.crt"
    ssl_key => "/home/ec2-user/logstash-forwarder/logstash-forwarder.key"
  }

  udp {
    port => 1234
    # Give the flows their own type so the output below can route them to the netflow index.
    type => "netflow"
    codec => netflow {
      definitions => "/home/ec2-user/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml"
      versions => [5]
    }
  }
}

filter {
  if [type] == "squid" {
    # Pattern from https://gist.github.com/sakalajuraj/6339942 (Squid native access.log format)
    grok {
      match => [ "message", "%{NUMBER:timestamp}\s+%{NUMBER:request_msec:float} %{IPORHOST:src_ip} %{WORD:cache_result}/%{NUMBER:response_status:int} %{NUMBER:response_size:int} %{WORD:http_method} (%{URIPROTO:http_proto}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{URIPATHPARAM:uri_param})? %{USERNAME:cache_user} %{WORD:request_route}/(%{IPORHOST:forwarded_to}|-) %{GREEDYDATA:content_type}" ]
      add_tag => [ "squid" ]
    }

    # dst_host is normally a hostname; geoip only yields a location when it is a literal IP.
    geoip {
      source => "dst_host"
    }

    # Squid logs seconds.milliseconds since the epoch.
    date {
      match => [ "timestamp", "UNIX" ]
    }
  }
}

output {
  if [type] == "netflow" {
    elasticsearch_http {
      index => "logstash_netflow5-%{+YYYY.MM.dd}"
      host => "localhost"
      port => 9200
    }
  }

  if [type] == "squid" {
    elasticsearch_http {
      index => "logstash-%{+YYYY.MM.dd}"
      host => "localhost"
      port => 9200
    }
  }
}
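To see what that grok pattern actually pulls out of a Squid line, here is an added example (my code, not from the post, Squid or Logstash): the same pattern as a Python regex, applied to a few constructed access.log lines in Squid's native format, and rolled up per destination host into the kind of "what domains did she hit" report the post describes. The log lines, hosts and byte counts are made up; the field names are the ones from the grok pattern.

```python
import re
from collections import defaultdict

# Python equivalent of the grok pattern above (Squid native access.log format):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<timestamp>\d+(?:\.\d+)?)\s+"
    r"(?P<request_msec>\d+(?:\.\d+)?) "
    r"(?P<src_ip>\S+) "
    r"(?P<cache_result>\w+)/(?P<response_status>\d+) "
    r"(?P<response_size>\d+) "
    r"(?P<http_method>\w+) "
    r"(?:(?P<http_proto>[A-Za-z][A-Za-z0-9+.\-]*)://)?"   # absent for CONNECT requests
    r"(?P<dst_host>[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<uri_param>/\S*)? "
    r"(?P<cache_user>\S+) "
    r"(?P<request_route>\w+)/(?P<forwarded_to>\S+) "
    r"(?P<content_type>.*)$"
)

# Constructed sample lines (not a real log): plain GETs, a CONNECT tunnel, a denied request,
# and one line that does not parse at all (grok would tag it _grokparsefailure).
SAMPLE_LOG = [
    "1419978123.456    152 192.168.1.20 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1419978125.010     30 192.168.1.20 TCP_HIT/200 8120 GET http://www.example.com/style.css - NONE/- text/css",
    "1419978130.001   2000 192.168.1.20 TCP_MISS/200 12345 CONNECT www.example.org:443 - DIRECT/93.184.216.35 -",
    "1419978140.999      0 192.168.1.20 TCP_DENIED/403 3891 GET http://bad.example.net/ - NONE/- text/html",
    "garbled line that the grok filter would tag _grokparsefailure",
]


def parse_squid_line(line):
    """Return one line's fields, typed like the grok pattern does, or None if it does not match."""
    m = SQUID_NATIVE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["timestamp"] = float(rec["timestamp"])
    rec["request_msec"] = float(rec["request_msec"])
    rec["response_status"] = int(rec["response_status"])
    rec["response_size"] = int(rec["response_size"])
    rec["port"] = int(rec["port"]) if rec["port"] else None
    return rec


def domain_report(lines):
    """Requests, bytes and Squid ACL denials per destination host; unparsable lines are returned separately."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0})
    unparsed = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            unparsed.append(line)   # keep these visible; a silent drop hides a broken log format
            continue
        entry = report[rec["dst_host"]]
        entry["requests"] += 1
        entry["bytes"] += rec["response_size"]
        if rec["cache_result"] == "TCP_DENIED":
            entry["denied"] += 1
    return dict(report), unparsed


if __name__ == "__main__":
    report, unparsed = domain_report(SAMPLE_LOG)
    for host, stats in sorted(report.items()):
        print("%-20s %3d requests %8d bytes %d denied" % (host, stats["requests"], stats["bytes"], stats["denied"]))
    print("%d line(s) did not parse" % len(unparsed))
```

Note that for a CONNECT line only the host and port survive (no scheme, no path, and a "-" content type), which is exactly why the NetFlow side is still useful for anything tunnelled through the proxy.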

I followed http://dave.cheney.net/2012/09/08/an-introduction-to-cross-compilation-with-go to cross-compile logstash-forwarder for ARM.