Thursday, April 26, 2007

Service Outage and Public Wireless

There was a service outage yesterday at two of our branch libraries--Standish and Oscoda--due to a break in the fiber optic line that Merit uses to connect to the Internet. This was repaired and the branches reconnected by 4:45 P.M. EST.

Meanwhile, I finally received some feedback from a patron (in person) about our public wireless system. She, and at least four others, could not get on-line. After walking her through the sign-up process (which you'd think would be simple), I wrote step-by-step instructions that should make things clearer. This document is currently available at East Tawas Library; simply ask the librarian for the instructions. The same document will be made available on the Technology wiki.

I also want to remind people who plan to use our service that we are not responsible for the security of your personal data. This is a publicly accessible service. It is not recommended for online banking or other transactions in which personal information, including credit card and social security numbers, is transmitted.

The same is true of any hotspot, especially ones that are free, totally open and unmonitored. This is one of the reasons why we opted to maintain a hotspot system that allows a measure of accountability. One kind of attack is setting up a fake hotspot that captures personal information from anyone who connects to it. I suggest you read this article at PC World and remember: use at your own risk.

Sunday, April 22, 2007

Content Filtering Server Problems

On Sunday, I found that the caching software had failed. After numerous attempts to repair the problem, I resorted to a full re-installation from the ground up.

Originally, I was going to switch it over to Xubuntu, but I ran into problems getting iptables to work properly. Since I was on a time crunch, I decided to reinstall Mandriva 2006.

The installation and updates went smoothly, and very soon everything was back up and running. The tweaks--log file rotation, UPS, sensors daemon (monitors temperatures, etc.)--will come back on this week.

Originally, I was going to migrate the WifiDog software over to the server, but instead I'm going to need more time and some more research. I'm not going to stick with Mandriva, but will instead switch over to Ubuntu Server Edition. It has a few advantages over Mandriva: no extraneous software, fewer system resources, and the fact that I already use its lightweight desktop version, Xubuntu, on my ThinkPad.

Friday, April 20, 2007

Content Filtering Server Status

After a few network connectivity issues with the server yesterday, things are back up and running perfectly.

I was surprised that few, if any, patrons reported problems. On the other hand, we've had beautiful weather here.

Tuesday, April 17, 2007

Small Update on Content Filtering

While reviewing and compiling notes on the firewall policies for some yet-to-be-deployed equipment, it occurred to me that there was a potential security flaw in our content filtering and caching server.

Before, if you sent an e-mail or visited a web site from a public access computer, the remote site saw the IP address of the server, not the IP address of the client computer that made the request.

As of today, this has been changed for two important reasons:

1. Some sites may require the actual IP address of the computer being used to access the site.

2. If someone is using a public access computer to commit a crime, the trail won't dead-end at the content filtering server.

The second reason is especially important: with the client address visible, a potential culprit can be traced to a specific computer without logging into the server, going through its log files, and possibly changing how things are logged for the duration of an investigation and changing them back afterwards.

How does this affect a patron's privacy? Very little. Instead of every request appearing to come from the caching server, a remote site now sees the address of a specific public access computer; it still does not learn who was using that computer.
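For anyone still running the older arrangement, where a remote site's logs show only the proxy's address, the dead-end is resolved by correlating the site's timestamp with the proxy's own access log. The following is an added example, not code from this blog: it assumes Squid-style native access.log lines (the page does not name the caching software) and uses constructed log entries and addresses.

```shell
#!/bin/sh
# Constructed Squid-style access.log lines (native format: unix time, elapsed ms,
# client IP, result/status, bytes, method, URL, user, hierarchy/peer, type).
# The caching software on this page is not named; Squid's format is assumed.
SAMPLE_LOG='1177000000.412    87 192.168.1.21 TCP_MISS/200 5120 GET http://www.example.com/login - DIRECT/93.184.216.34 text/html
1177000003.901   120 192.168.1.23 TCP_MISS/200 2210 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1177000061.118    45 192.168.1.22 TCP_HIT/200 5120 GET http://www.example.com/login - NONE/- text/html
1177000124.733    90 192.168.1.21 TCP_MISS/302 320 POST http://www.example.com/post - DIRECT/93.184.216.34 text/html'

# find_client LOGFILE HOST EPOCH [WINDOW]
# Prints the distinct client IPs that requested HOST within +/- WINDOW seconds
# (default 60) of EPOCH: the host and time are what a remote site's log or an
# abuse complaint usually supplies when all it ever saw was the proxy's address.
find_client() {
    logfile=$1; host=$2; when=$3; window=${4:-60}
    awk -v host="$host" -v when="$when" -v window="$window" '
        {
            t = $1 + 0                    # request time as a number
            url = $7
            sub("^[a-z]+://", "", url)    # strip the scheme
            split(url, parts, "/")        # parts[1] is host[:port]
            h = parts[1]
            sub(/:.*/, "", h)             # drop any port
            if (h == host && t >= when - window && t <= when + window)
                seen[$3] = 1              # $3 is the client address
        }
        END { for (ip in seen) print ip }' "$logfile" | sort
}

# Usage: www.example.com reports abuse at 1177000100 by its clock; allow 60 s
# of skew between its clock and ours.  A wide window can return more than one
# machine; tighten it (or add the URL path) until one candidate remains.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "candidates within 60 s:"; find_client "$tmp" www.example.com 1177000100 60
    echo "candidates within 30 s:"; find_client "$tmp" www.example.com 1177000100 30
    rm -f "$tmp"
}

case "${1:-}" in run) main ;; esac
```

The 60-second window returns two workstations from the sample log and the 30-second window only one, which is the real cost of the old setup: the correlation depends on synchronized clocks and on the proxy log still being there, both of which the change described above makes unnecessary.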

Monday, April 09, 2007

Improving Security - Or "What To Do With Unused Computers?"

With the planned installation of public wireless hotspots, there is the potential for opening up our local LANs to a host of security problems. Though the computers themselves have their own firewalls, are regularly patched and have other safeguards, you want to keep them invisible and inaccessible to the public (and the Internet). Toward that end, I'm planning on beefing up network security by building VPNs -- Virtual Private Networks -- to bridge together our networks and keep certain applications accessible to us, but inaccessible to the public.

Basically, I'd need a computer with a pair of network cards that'll handle traffic and create "tunnels." A tunnel carries packets that are encrypted at one end, sent over an insecure medium (the Internet), decrypted at the other end and passed on to the receiving computer. In other words, a very powerful and flexible Internet router.

This is very handy when you have certain applications that you'd want to access remotely (like VNC and printer administration) but want to keep secure. Though you can buy commercial appliances, they can get expensive and use closed-source software, making changes and upgrades potentially problematic and expensive. On the other hand, I could build them in-house using open-source software and off-the-shelf hardware to keep costs low.

Currently, I have three older Pentium 4 PCs just lying around that can be pressed into service as either a Staff, PAC (Public Access Computer) or server machine.

Since they are just lying around, I've decided to take two of these Pentium 4s and build them up as prototype VPN/firewall servers. They are Dell Dimension 8100 desktop PCs with 1.8 GHz Pentium 4 processors, 256MB of RAM, 20GB hard disks and on-board NICs. They're running Ubuntu Server Edition 6.10--no GUI (Graphical User Interface), or other extraneous software--running OpenVPN, iptables, Shorewall and OpenSSH.

The "production" units will be smaller, rack-mountable, use a mini-ITX motherboard with a low-power processor, boot their operating system off a flash memory card, and have no moving parts. The connections will be site-to-site, with the headquarters unit being a bit more powerful to accommodate the other branches.
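A concrete form of the branch-side build described above, as an added example rather than the library's own configuration: a branch OpenVPN client config for the site-to-site link and iptables rules that let VNC (5900) and CUPS printer administration (631) answer only on the tunnel, never on the Internet-facing card. Hostnames, addresses, key paths and interface names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: branch end of a site-to-site OpenVPN tunnel plus the iptables
# policy that keeps staff-only services off the public interface.  Every
# address, hostname and path below is an assumption, not a real site value.
IPT=${IPT:-iptables}          # set IPT=echo to preview the rules without applying them
WAN=eth0                      # Internet-facing NIC
LAN=eth1                      # branch LAN NIC
TUN=tun0                      # OpenVPN tunnel interface
HQ_LAN=10.10.0.0/24           # assumed headquarters LAN
BRANCH_LAN=10.20.0.0/24       # assumed branch LAN
VPN_PORT=1194

# Branch OpenVPN config (default path /etc/openvpn/branch.conf).  TLS mode with
# per-site certificates so a branch key can be revoked on its own, and tls-auth
# so packets without the shared HMAC key are dropped before any TLS handshake.
# The headquarters side mirrors it with tls-server, dh, "ifconfig 10.8.0.1 10.8.0.2",
# "route 10.20.0.0 255.255.255.0" and "tls-auth ta.key 0".
write_branch_conf() {
    out=${1:-/etc/openvpn/branch.conf}
    cat > "$out" <<'EOF'
dev tun0
proto udp
remote hq.example.org 1194
ifconfig 10.8.0.2 10.8.0.1
route 10.10.0.0 255.255.255.0
tls-client
ns-cert-type server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/branch.crt
key /etc/openvpn/keys/branch.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
ping 10
ping-restart 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Firewall policy for the branch VPN/firewall box.  Rules are added before the
# default policies are flipped to DROP so an existing console session survives.
firewall_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # From the Internet only the tunnel endpoint and SSH are reachable
    $IPT -A INPUT -i $WAN -p udp --dport $VPN_PORT -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
    # VNC and CUPS administration answer only on the tunnel, never on $WAN
    $IPT -A INPUT -i $TUN -p tcp --dport 5900 -j ACCEPT
    $IPT -A INPUT -i $TUN -p tcp --dport 631 -j ACCEPT
    # Staff traffic between the two LANs flows only through the tunnel
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $TUN -o $LAN -s $HQ_LAN -d $BRANCH_LAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $TUN -s $BRANCH_LAN -d $HQ_LAN -j ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Usage (as root): "sh vpn-branch.sh apply"; "IPT=echo sh vpn-branch.sh apply"
# prints the rules instead of loading them.
case "${1:-}" in
    apply) write_branch_conf && firewall_rules ;;
esac
```

`ns-cert-type server` is the OpenVPN 2.0-era way of refusing to talk to a client certificate masquerading as the headquarters server; newer releases spell it `remote-cert-tls server`. Note that nothing here exposes 5900 or 631 on `eth0`, so a scan from the Internet sees only UDP 1194 and SSH, which is the "invisible and inaccessible to the public" goal of the post.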

For more information, check out:
OpenVPN
Ubuntu Server Edition 6.10