Toger Blog

Home Network Plan

I have several daughters, the oldest of which is just becoming familiar with the Internet. Her grandparents also bought her a WiFi tablet for Christmas. I know that keeping an eye on her usage is the best approach, but I wanted technology to help backstop that. And, because it is interesting to do, I want to way overbuild the environment Just Because.

The technologies:

  • Squid
  • DansGuardian
  • ElasticSearch/LogStash/Kibana
  • Logstash-forwarder
  • Raspberry Pi
  • AWS

She is not sophisticated enough to actively undo any of the protections I might put in (yet!!). So for the mean time the config has to be just good enough rather then prevent a determined attacker.

What I have done is set up a Raspberry Pi on the network that runs Squid+DansGuardian, and configure her devices to utilize that for a web proxy. Logstash-forwarder forwards the logs for Squid and DansGuardian to a EC2 t2.micro instance that parses/indexes them, and I’ve set up reports that show me what domains she’s connected to. Finally, I’ve configured the RouterBOARD 750GL to utilize NetFlow logging to send NetFlow data to EC2 as well, so I can track what domains non-http/https traffic uses.

I am utilizing EC2 for log processing as my Pi just isn’t big enough to run squid/dansguardian plus an ELK stack. I might migrate to a SaaS solution at some point.

I expect to utilize the ElasticSearch function to spool daily logs out to S3 and on to Glacier. I don’t have a specific reason to do this as the logs aren’t really meaningful after a week or so, but it is just something to tool around with. The NetFlow logs could be useful at some point if there was a question about the accuracy of my ISP’s metering though.

Future enhancements will be to put the wireless devices / her network jacks into their own VLAN and either transparently proxy them or disallow unproxied content. Further would be to upgrade Squid to the version that can MitM SSL connections and add a trusted cert to her devices.

The layout so far: