Family Internet Safety using a Secure Home Internet Gateway: How to Make Your Home Safe for Kids and from Malware

By Supratim Sanyal
supratim [at] riseup [dot] net

1. Home Internet Gateway

Zentyal Screenshot

Verizon FiOS has long provided a standard DHCP-enabled RJ45 female connector as their service end-point in the basement of our house. The first thing that I have connected to the FiOS endpoint is the ETH1 ethernet port of an old Pentium-4 tower, happily and adequately running the Zentyal 3.5 open-source Small Office Server with 2GB of RAM. The other NIC of this server, ETH0, is connected to the rest of my home LAN (which I will document in a future note for my own sanity while debugging network problems). Zentyal 3.5 integrates Squid running in Transparent Proxy mode with the Dansguardian content filter and Ad-Zapper ad blocker, ClamAV anti-virus, the Suricata intrusion detection system (IDS) / intrusion prevention system (IPS) and more goodies. Along with the built-in firewall, this out-of-the-box configuration immediately filters out most of the unwanted and harmful stuff with little configuration needed, thanks to Zentyal 3.5's awesome browser-based UI and beautiful design and implementation.

The version number (Zentyal 3.5) is extremely important for using it as a home internet gateway, because Zentyal 4.0 onwards drops many of the modules included up to 3.5: the developers want to focus on its primary stated mission of a drop-in replacement for Microsoft's Small Business Server. From the press release announcing Zentyal 4.0: "In addition, a number of modules have been removed in order to focus on Zentyal Server’s goal: Offer a complete and easy-to-use Small Business Server, with native support for mixed IT environments. The dropped modules are: IPS, UPS management, Backup, Monitor, RADIUS, Webserver, Roundcube Webmail (replaced by SOGo Webmail) and IPsec (replaced by a new module supporting only L2TP). Also the Free Zentyal Account has been discontinued."

Advertisements are filtered out using the check-box in the HTTP Proxy settings page:

Zentyal Transparent Proxy with Ad Blocking

I also configured the proxy to enforce an Access Rule containing a Filter Profile "Home Filter", applied to all traffic all the time. Checking the "Filter Virus" check-box in the "Home Filter" settings results in incoming web content being virus-scanned. In addition, I set the page phrase threshold to "Permissive", since too many legitimate web sites were being blocked with tighter filters in effect.

Zentyal Transparent Proxy with Anti-Virus and Content Filtering

Note on auto-updating categorized blacklists: Zentyal's Gateway -> HTTP Proxy -> Filter Profiles page also allows using public blacklists to block categories of content. I use the Shallalist from http://www.shallalist.de.

Zentyal Domain categories

2. DNS-Level Protection

Zentyal comes with a caching DNS server that needs little configuration. I signed up for the free OpenDNS and SafeDNS services, then configured Zentyal to forward DNS requests to them. I chose OpenDNS and SafeDNS because (a) they offer enough granularity for me to choose categories of web-sites to allow and override miscategorized URLs to allow or deny them, and (b) they support ddclient, the standard dynamic DNS client script, which makes sure my configuration is in effect across IP address changes initiated by Verizon. I do not use Verizon's DNS servers at all.

Zentyal Caching DNS Server with forwarding to OpenDNS and SafeDNS

I have both OpenDNS and SafeDNS configured because OpenDNS is sometimes quite slow and, when used by itself, causes an occasional look-up timeout, resulting in family members complaining about their computers showing "Limited" network connections and similar symptoms.

OpenDNS IP addresses are 208.67.222.222 and 208.67.220.220. The free account offers enough functionality for my purpose, including some basic statistics. The service also allows limited customization of the page shown when a site is blocked, a feature that is unique to OpenDNS for free.

OpenDNS Free Safe DNS

SafeDNS IP addresses are 195.46.39.39 and 195.46.39.40. They offer features similar to OpenDNS's but are sparser in their presentation.

SafeDNS Free Safe DNS

The final two DNS IP addresses in my DNS Forwarding configuration are those for "OpenDNS Family Shield" - a different service from OpenDNS that is "Pre-configured to block adult content. Set it and forget it. Free." This is intended to be a backup DNS in case both OpenDNS and SafeDNS are not available. Other excellent free DNS services that offer family safety, but no control on what is blocked, include Norton Connectsafe 199.85.126.30 / 199.85.127.30 and Comodo SecureDNS 8.26.56.26 / 8.20.247.20.
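The forwarder fallback described above (a slow OpenDNS answer turning into a look-up timeout unless a second resolver is configured) can be checked from a script rather than waiting for complaints. The following Python is an added example, not part of the original post and not Zentyal's code: it builds a raw DNS A query, parses the reply, and tries each of the forwarders listed in this section in order with a short timeout, moving on to the next one when a forwarder does not answer in time. The order of the forwarder list, the two-second timeout, the fixed transaction id and the name queried are assumptions for illustration.

```python
import socket
import struct
import time

# Forwarders from this section, in the order this script tries them (the order is an assumption).
FORWARDERS = ["208.67.222.222", "195.46.39.39", "208.67.220.220", "195.46.39.40"]


def build_query(name, txid):
    """Build a minimal DNS query for an A record with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode, list of A-record IPs) from a DNS response packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips


def resolve_with_fallback(name, forwarders=FORWARDERS, timeout=2.0):
    """Query each forwarder in turn; return (server, seconds, rcode, ips) for the first
    one that answers within the timeout, or None when none of them does."""
    txid = 0x1234  # fixed for the example; a real resolver uses a random id per query
    query = build_query(name, txid)
    for server in forwarders:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
            rcode, ips = parse_response(data, txid)
            return server, time.monotonic() - start, rcode, ips
        except (socket.timeout, OSError, ValueError):
            continue  # this forwarder was slow or unreachable: try the next one
        finally:
            sock.close()
    return None


if __name__ == "__main__":
    print(resolve_with_fallback("example.com"))
```

Run it from a LAN client and the elapsed time shows which forwarder actually answered and how long it took; a result of None with the full list means every forwarder timed out, which is exactly the "Limited" connection symptom this section describes.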

Because I am not a FiOS fixed-IP subscriber, the Verizon-allocated IP address changes quite often. Fortunately both OpenDNS and SafeDNS can be updated using the standard Dynamic DNS protocol, which is implemented well by the ddclient Perl script for Linux. The relevant sections of my ddclient.conf look like:

# /etc/ddclient.conf

# Default global variables
pid=/var/run/ddclient.pid
ssl=yes
syslog=yes

##
## OpenDNS.com account-configuration
##
# discover the current public address via the web, then update over HTTPS
use=web, web=myip.dnsomatic.com
ssl=yes
server=updates.opendns.com
protocol=dyndns2
login=<your opendns login email address>
password=<your opendns password>
# each stanza ends with the name of the network it updates
<your opendns network name here>

# safedns
ssl=yes
protocol=dyndns2
server=www.safedns.com
use=web
web=http://www.safedns.com/nic/myip
login=<your safedns login email address>
password=<your safedns password>
<your safedns network name here>
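The ddclient stanzas above drive the dyndns2 update protocol that both OpenDNS and SafeDNS accept. The Python below is an added example, not ddclient's code and not something the post ships: it shows the request ddclient builds (a GET over HTTPS with HTTP Basic authentication, carrying the network name and the current address), the status words a dyndns2 server can answer with, the "what is my IP" extraction that the use=web setting performs, and the cache check that keeps an unchanged address from being re-sent on every run. The /nic/update path is the one dyndns2 servers use; the retry classification of each status word, the sample addresses and the sample responses are assumptions and constructed values, not anything the post states.

```python
import base64
import re
import urllib.parse
import urllib.request

# dyndns2 status words and whether a client should retry later (the retry flags are an assumption).
DYNDNS2_CODES = {
    "good": ("update accepted", False),
    "nochg": ("address already current", False),
    "badauth": ("login or password rejected", False),
    "notfqdn": ("hostname not fully qualified", False),
    "nohost": ("hostname not found in this account", False),
    "abuse": ("account blocked for abuse", False),
    "dnserr": ("server-side DNS error", True),
    "911": ("server maintenance or outage", True),
}


def build_update_request(server, hostname, myip, login, password, path="/nic/update"):
    """Build the dyndns2 update: GET https://server/nic/update?hostname=..&myip=.. with Basic auth.
    ssl=yes in ddclient.conf is what keeps the login and password off the wire in clear text."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": myip})
    url = f"https://{server}{path}?{query}"
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {token}", "User-Agent": "example-ddclient/0.1"}
    return url, headers


def parse_update_response(body):
    """Turn 'good 203.0.113.7', 'nochg 203.0.113.7' or 'badauth' into (code, ip, retry_later)."""
    parts = body.strip().split()
    if not parts or parts[0] not in DYNDNS2_CODES:
        raise ValueError(f"unexpected dyndns2 response: {body!r}")
    code = parts[0]
    ip = parts[1] if len(parts) > 1 else None
    return code, ip, DYNDNS2_CODES[code][1]


def extract_ip(page):
    """Pull the first IPv4 address out of a 'what is my IP' page (what use=web does)."""
    match = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", page)
    return match.group(1) if match else None


def should_update(current_ip, cached_ip, last_code=None):
    """ddclient-style cache check: send only when the address changed or the last attempt must be retried."""
    if current_ip is None:
        return False  # could not discover the address: do not send a bogus update
    if current_ip != cached_ip:
        return True
    return last_code is not None and DYNDNS2_CODES.get(last_code, ("", False))[1]


def send_update(url, headers, timeout=10):
    """Perform the update over HTTPS and return the parsed status (needs network access)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_update_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed walk-through; replace the placeholders with real account values.
    url, headers = build_update_request("updates.opendns.com", "<network name>",
                                        "203.0.113.7", "<login>", "<password>")
    print(url)
    print(parse_update_response("good 203.0.113.7"))
```

A "badauth" answer means the filtering profile is no longer following the home address, so it is worth having the script log that status at a level someone will see; "911" and "dnserr" are the server's problem and are the only ones worth retrying automatically.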


3. Browser-Level Protection

I used to install the Adblock Plus and WOT (Web of Trust) plugins on all non-mobile browsers in the house, but the need for them inside the house is no longer there. However, they are still installed on the portable laptops, since they are often taken with us on travel and connected to hotel and restaurant wireless networks. For the mobile devices, the news is not good: they still have to rely on filters in the wireless networks to weed out unwanted content before it reaches them. For enhanced safety, my AdTrap unit provides a globally accessible proxy feature called AdTrap Anywhere, which blocks ads but does little else. I could also open up the Zentyal transparent proxy to external access. Though this would take care of safety on other Wi-Fi networks, not much can be done when the mobile devices are on over-the-air cellular data connections.

4. Computer-Level Protection

The two must-have Microsoft tools that help in setting up a basic secure Windows installation are Microsoft Baseline Security Analyzer (MBSA) and the Enhanced Mitigation Experience Toolkit (EMET).

Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) runs a set of checks against Windows installed on local, or one or more remote, PCs and produces a report listing basic security loopholes. It surprised me with the number of vulnerabilities in an internet-facing Windows XP Professional 64 bit edition box that I thought I had tightened up pretty well.

Microsoft Enhanced Mitigation Experience Toolkit (EMET)

The Enhanced Mitigation Experience Toolkit (EMET) is a great tool that runs as a service and protects some of Microsoft's own as well as third-party executables by monitoring their characteristics at a deep operating system level. Every Windows system should have this running. It is capable of protecting the monitored executables from present and future viruses. Configuring EMET manually is tricky; I just stick with whatever the wizard identified, and set it to Maximum Protection.

I maintain the following software on all computers in the household, as far as the operating systems permit. Obviously, this is not possible on the older hardware, for example the Washington Bangla Radio stream server that runs 24x7 on a Pentium-III/Windows 2000 HP notebook.

Ad-Aware Free Antivirus+

Antivirus: Ad-Aware Free

Firewall: Comodo Firewall Free

Antimalware, on-demand: SuperAntiSpyware and Malwarebytes Anti-Malware

Anti-rootkit: Rootkits are the most dangerous of infections. They tap into low-level operating system functions to hide malware and viruses, making them almost undetectable. Kaspersky Lab has developed the great free tool TDSSKiller, which can quickly detect and remove both known and unknown rootkits.

Secunia PSI

To check and update installed software to current versions, I visit the website of Secunia PSI (Personal Software Inspector) roughly once a month. This is an online service, and it gets the job done pretty well, downloading newer versions of most installed software by itself.

McAfee's Site Advisor is a great browser plugin that flags unsafe web sites. I use it in conjunction with Adblock Plus and WOT.

5. Bandwidth Monitoring

I installed the "bandwidthd" tool on the Zentyal server that creates neat graphs on bandwidth usage of all traffic going in and out on daily, weekly, monthly and yearly scales. It appears we use around 65GB of incoming data and 10GB of outgoing data every week.
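bandwidthd and iptraf both build on the per-interface byte counters the kernel exposes in /proc/net/dev, so the weekly figures above can be cross-checked without either tool. The Python below is an added example, not part of the post and not bandwidthd's code: it parses two snapshots of /proc/net/dev, computes the bytes that crossed the WAN interface (ETH1 in this setup) between them, and projects that to a weekly total in the same units the post reports. The two snapshot texts are constructed sample data and not real captures; the one-hour interval between them and the handling of a 32-bit counter wrap (relevant on an older 32-bit kernel such as this Pentium-4 box might run) are assumptions.

```python
WEEK_SECONDS = 7 * 24 * 3600

# Constructed sample snapshots in /proc/net/dev format, one hour apart (not real captures).
SAMPLE_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10000     100    0    0    0     0          0         0    10000     100    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  1000000   20000    0    0    0     0       0          0
  eth1: 8000000   60000    0    0    0     0          0         0  2000000   30000    0    0    0     0       0          0
"""
SAMPLE_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     120    0    0    0     0          0         0    12000     120    0    0    0     0       0          0
  eth0: 6000000   50000    0    0    0     0          0         0  1500000   25000    0    0    0     0       0          0
  eth1: 508000000  400000    0    0    0     0          0         0  52000000   90000    0    0    0     0       0          0
"""
SAMPLE_INTERVAL = 3600  # seconds between the two constructed snapshots (assumed)


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from the text of /proc/net/dev."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        iface, rest = line.split(":", 1)  # older kernels print no space after the colon
        fields = rest.split()
        if len(fields) < 16:
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))  # rx bytes, tx bytes
    return counters


def _delta(before, after, width_bits=32):
    """Counter difference, allowing for one wrap of a fixed-width counter (assumed 32-bit)."""
    return after - before if after >= before else after - before + (1 << width_bits)


def usage_delta(before, after, iface):
    """Bytes received and sent on iface between two parsed snapshots."""
    rx0, tx0 = before[iface]
    rx1, tx1 = after[iface]
    return _delta(rx0, rx1), _delta(tx0, tx1)


def project_weekly_gb(rx_bytes, tx_bytes, interval_seconds):
    """Scale a measured interval up to a week and express it in gigabytes."""
    scale = WEEK_SECONDS / interval_seconds
    return rx_bytes * scale / 1e9, tx_bytes * scale / 1e9


def snapshot(path="/proc/net/dev"):
    """Read the live counters on a Linux host (not used by the constructed sample)."""
    with open(path) as handle:
        return parse_proc_net_dev(handle.read())


if __name__ == "__main__":
    before = parse_proc_net_dev(SAMPLE_BEFORE)
    after = parse_proc_net_dev(SAMPLE_AFTER)
    rx, tx = usage_delta(before, after, "eth1")
    print("eth1 weekly projection (GB in, GB out):", project_weekly_gb(rx, tx, SAMPLE_INTERVAL))
```

On the gateway itself, ETH1 is the side to measure: ETH0 carries LAN-internal traffic as well, so its counters overstate what actually crosses the FiOS link.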

bandwidthd screen shot

The other tool I use frequently to watch what's going on is the little "iptraf" utility that shows network activity as it is happening.

iptraf screen shot

6. Testing

So how do you know your anti-malware filter is working? Just try to visit the WICAR malware filter test site. It tries to break in through your browser via a known exploit and launch the Windows calculator. If it succeeds, you are not safe!

Tenable Nessus - "The global standard in detecting and assessing network data."

For penetration testing, I use Tenable's Nessus: it runs on the same box as Zentyal, has a great web-browser interface, sends the automated weekly e-mails I configured, and is free for personal home use. The free Metasploit Community Edition penetration tester is also great.

7. Essential Tools

Not directly to do with security or tackling virus / malware, I nevertheless find these little programs handy and much used.

Glary Utilities - free system utilities to clean, repair and maintain Windows installations

Glary Utilities from Glarysoft: A fantastic collection of general-purpose utilities to keep a Windows PC streamlined and optimized. Includes tools for everything from registry cleaning and defragmentation to managing restore points. This replaces a bunch of stand-alone utilities from various sources.

Minitoolbox by Farbar from Bleeping Computer

MiniToolbox by Farbar from Bleeping Computer is a neat set of radio-button driven actions that repair and report on various aspects of a Windows PC, typically by opening up results in a text file in Notepad!

Finally, Microsoft's Sysinternals Suite includes a set of nifty command-line utilities that let you do all sorts of fun stuff, or help out in arcane situations such as zeroing out all unused space on a partition so that your G4L or Clonezilla image is much smaller than it would otherwise be.

8. What Others Say

Real experts out there have their own sets of favorite multi-layered protection software installed on their computers. I have not had the time to check out all the permutations, but here is what some of them use.

- "Currently my home system is running the following freeware: Zone Alarm (3rd most popular firewall among MakeUseOf readers), WinPatrol (system monitor), Avira AntiVir Personal – Free Antivirus, ThreatFire 3 (blocks zero-day attacks heuristically), SnoopFree Privacy Shield (anti-keylogger) and Spyware Terminator (spyware protection/removal). This is my minimum safety configuration; depending on circumstances, in addition, I will also use Sandboxie (a free sand box application)." - Bill Mullins, http://www.makeuseof.com/tag/spyware-terminator-%E2%80%93-free-real-time-spyware-protection

9. Links

Zentyal 3.5 Download: http://download.zentyal.com

Squid: http://www.squid-cache.org

Dansguardian: http://www.dansguardian.org

ClamAV: http://www.clamav.net

OpenDNS: http://www.opendns.com

SafeDNS: http://www.safedns.com

Norton Connectsafe: https://dns.norton.com/configureRouter.html

Comodo Secure DNS: http://www.comodo.com/secure-dns

Adblock Plus: https://adblockplus.org

WOT: https://www.mywot.com

Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa

Enhanced Mitigation Experience Toolkit (EMET): http://www.microsoft.com/emet

Ad-Aware Free Antivirus: http://www.lavasoft.com/products/ad_aware_free.php

Comodo Firewall: https://personalfirewall.comodo.com

Super Antispyware: http://www.superantispyware.com

Malwarebytes Anti-Malware: https://www.malwarebytes.org

TDSSKiller: http://usa.kaspersky.com/downloads/TDSSKiller

Secunia Software Inspector: http://secunia.com/software_inspector

McAfee Site Advisor: http://www.siteadvisor.com

Bandwidthd: http://sourceforge.net/projects/bandwidthd

iptraf: http://iptraf.seul.org

WICAR Browser Exploit Test: http://malware.wicar.org

Metasploit Community Edition Penetration Tester: http://www.metasploit.com

Tenable Nessus: http://www.tenable.com/products/nessus

Glary Utilities: http://www.glarysoft.com

MiniToolbox: http://www.bleepingcomputer.com/download/minitoolbox/

Sysinternals Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062

G4L: http://sourceforge.net/projects/g4l

Clonezilla: http://clonezilla.org