[K12OSN] Best solution for Internet access, control, and caching?

Timothy Legge timlegge at gmail.com
Wed Dec 17 00:11:15 UTC 2008


On Tue, Dec 16, 2008 at 3:49 PM, Joseph Bishay <joseph.bishay at gmail.com> wrote:
> network?  My setup is as follows:
>
> 1) cablemodem -> switch
> 2) Switch has LTSP internet NIC plugged into it
> 3) same switch has the windows computers that need internet access
> plugged directly into it.
>
> so would the squid machine go between the cablemodem and the switch?

Hi

I would replace the switch with a router (a cheap Linksys).  I don't
really trust that the newer cablemodem/router combinations are very
secure.  It will stop the bulk of silly attacks.  I would place the
squid machine in-line so that all internet access has to flow through
that device.  In your example, between the switch and cablemodem makes
sense.

My setup is as follows:

CableModem -> Router -> IPCop Firewall -> Switch

Into the switch I have two LTSP servers' public network connections
(firewall rules applied).  Currently all our Windows and Apple
computers are in the private network of the LTSP servers with IP
forwarding.  I currently run DansGuardian with Squid and Squid Guard
on the LTSP server and all internet access flows through that.

I am rethinking that after realizing that DansGuardian with virus
scanning enabled put an unacceptable load on an LTSP server equipped
with a Quad core Xeon and 8 GB of RAM.  Disabling the virus scanning
reduced the load significantly.

If I were to redesign and have the hardware I would do:

CableModem -> Router -> IPCop Firewall -> Switch
     -> Router[0] -> LTSP Server[0]
     -> Router[1] -> LTSP Server[1]

The placement of Router[0] and Router[1] serves to separate LTSP
servers if they have different uses and security needs (which mine
do).  Of course, a small firewall would replace a number of
components.

If the system was sufficiently powered, I would run DansGuardian on
IPCop or place it between the IPCop firewall and the switch.  Given
the performance hit I saw, I probably would not run DansGuardian on
the terminal server.

If you are able to use the separate machine you may be able to enforce
the proxy use via iptables.  The only other thing I have been doing
lately is using OpenDNS.org for the DNS.  It allows you to set up web
filtering as well, which is nice because it adds another level of
filtering without an impact on your servers.

Tim
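The "enforce the proxy use via iptables" and "OpenDNS for the DNS" points above, as an added example that is not from the post or from any project named in it: an iptables rule set for an in-line Squid box sitting between the switch and the cable modem, which redirects plain HTTP into Squid, forces every LAN host onto the filtering resolver, and drops direct outbound traffic that would bypass either. All interface names, the LAN range, the Squid port (assumed to run in intercept/transparent mode) and the resolver address are assumptions; the script prints the rules for review and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not in the thread):
#   LAN_IF faces the switch, WAN_IF faces the cable modem,
#   Squid listens on SQUID_PORT in intercept (transparent) mode,
#   DNS_SERVER is the resolver every LAN host is forced to use (OpenDNS here).
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
DNS_SERVER=${DNS_SERVER:-208.67.222.222}

# Print the rule set rather than applying it, so it can be reviewed first.
emit_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -F
iptables -F FORWARD
# Let the box route for the LAN.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# Plain HTTP from the LAN is silently redirected into Squid.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# All DNS is forced to the filtering resolver, whatever the client configured.
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $DNS_SERVER
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $DNS_SERVER
# Return traffic for connections that were already allowed.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TLS cannot be redirected without breaking it, so direct 443 is dropped and
# browsers are configured to use the proxy explicitly on port $SQUID_PORT.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j DROP
# Allow the forced DNS, then log and drop anything else leaving the LAN directly.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix "proxy-bypass: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# Number of rules that close a bypass path; used as a sanity check on the output.
count_drop_rules() {
    emit_rules | grep -c -- '-j DROP$'
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_rules | sh        # run as root to install the rules
else
    emit_rules
fi
```

The "proxy-bypass:" log lines in the kernel log show which LAN hosts are trying to go around the proxy, which is the check to watch after turning this on.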
