Good home firewall (monitoring) solution

scoop818

Hey all, I'm wondering if you can spout out some recommendations for me. Got a call from a mother desperate to block/limit her 15 year old son's internet access (gaming, Facebook etc). Getting more info from her I learn that this kid is smart, Verizon helped her set up parental controls on the router, he just hard reset the router. They put Net Nanny and a few other programs on his system, he just overrides the software.
I thought about OpenDNS, only to see on his PC that he set his DNS to Google's and has it password protected with an administrator account he claims to not remember the password to.

I'm thinking the solution has to be some kind of hardware appliance that can be set up to block and limit his activities. They said they have a $300 budget for an appliance. I only use Untangle, and those are usually on boxes that I build. Does anyone have any good experience with a router size box like (SonicWall, WatchGuard, etc)?
 
If he hard reset the router, what good will any appliance do you? You can set it up as much as you'd like, but he'll go ahead and reset it to defaults and all parental controls are now off.
 
I was thinking it would have to be put in some sort of locked cabinet. But it has to be something he can't penetrate, that's why I was thinking of some sort of appliance. Is there something without a hard reset button?
Just grasping at straws here
 
I don't think you'll find one without a reset button, but I'm definitely not the expert.
I usually use Zyxel USG stuff for edge antivirus, firewall, Web filter etc.
If you want to stick to OpenDNS, you can set firewall rules to only allow DNS traffic to OpenDNS servers.
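
A way to check whether such a rule is being tested or bypassed, as an added example that is not part of the original posts: it scans gateway firewall log lines for DNS traffic (ports 53 and 853) from the LAN to any resolver other than OpenDNS. The log lines are constructed in the style of Linux netfilter LOG output, and the `192.168.1.0/24` LAN range and function name are assumptions.

```python
import ipaddress
import re
from collections import Counter

# OpenDNS public resolvers; any other server on a DNS port counts as a bypass.
ALLOWED_RESOLVERS = {ipaddress.ip_address(a)
                     for a in ("208.67.222.222", "208.67.220.220")}
DNS_PORTS = {53, 853}                          # plain DNS and DNS-over-TLS
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN range
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in the style of netfilter LOG output.
SAMPLE_LOG = """\
Jan 10 22:01:03 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51514 DPT=53
Jan 10 22:01:04 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.10 DST=208.67.222.222 LEN=60 PROTO=UDP SPT=40022 DPT=53
Jan 10 22:01:09 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=51520 DPT=853
Jan 10 22:01:11 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51533 DPT=443
Jan 10 22:01:15 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51540 DPT=53
Jan 10 22:01:16 gw kernel: truncated line SRC=192.168.1.23
"""

def dns_bypass_attempts(log_text):
    """Count (client, resolver) pairs using a DNS port to a non-approved server."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue                      # skip lines missing a field
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except ValueError:
            continue                      # malformed address or port
        if f["PROTO"] not in ("UDP", "TCP") or port not in DNS_PORTS:
            continue                      # not DNS traffic
        if src in LAN and dst not in ALLOWED_RESOLVERS:
            hits[(str(src), str(dst))] += 1
    return hits

if __name__ == "__main__":
    for (client, resolver), n in dns_bypass_attempts(SAMPLE_LOG).most_common():
        print(f"{client} -> {resolver}: {n} DNS packet(s) outside OpenDNS")
```

DNS-over-HTTPS rides on port 443 and looks like ordinary web traffic here, so neither this check nor a port-based DNS rule sees it.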
 
This seems to be the "New Jersey" thread.

scoop818 - I believe there is a variety of parental control / content filtering software out there and I know it can be done on the SonicWALL. But tek9 brings up a good point that if the kid can hard reset an appliance, that isn't going to help much. What about convincing the mother to repurpose the PC with an Admin account that only she (and maybe you) have access to and simply making the son a user so that he can't override parental control / content filtering pages. If the son needs something installed, then he simply puts in a "support ticket" to mommy or you.
 
Yeah the administrator account was my first suggestion. According to the parents he somehow cracked the password, and locked them out.
The kid is smart, it seems like every solution they come up with he has an answer for it. Google is a wealth of information.
 
I'd find it hard to believe that if they used a good password, created a user account for him with no Administrator rights (seriously - a user account, not even power user account) and maybe even use group policy files to really lock down the computer (no access to run command, command prompt, etc.) that he'd be able to crack that. If he's able to crack an Admin account, reset appliances, bypass software then probably the only thing they can do is just provide him with no access to the Internet on devices. Let me know if you need help with any of the above.
 
pfSense on an older refurb computer, configured with Squid transparent proxy, SquidGuard filter, static IPs, logging, and custom service blocks. Password protect with VERY strong password, and lock it in a closet. If he wants to reset it, he will have to hack it first. If he reboots the box improperly, it will block internet completely, until someone rebuilds the SquidGuard database. I am currently using this setup in my home to control my son's surfing habits across all devices (and because it was fun to set up). Also makes it fairly easy to block a device completely, or limit bandwidth use. Big down-side though: it's not end-user configurable; it needs a tech to set up properly, and may require one if issues occur depending on EU's knowledge level. Also, after you add in config time, any solution like this may be more than $300 (but less than a base level SonicWall @ $700+ subscriptions and config), but it really is the only way to do it with any reliability that I know of.

Personally, I don't offer these types of solutions to Home users, as they will always end up too expensive for either them or you. Remember, once a system like this is in place, you own it, and they will always expect you to fix when it breaks, and break it will. Get a service contract started when installing (treat it like a business), or in a month she will be tired of fooling with it and go back to the standard non-existent solution, and be unhappy with you for providing a solution that doesn't work. OR, take the safe way out and simply say it's the parents' issue to police this stuff, and if they can't/won't, then the child does not need the device/s.

Windows security measures will never work for a kid like this, no matter how much you lock it down. He will simply download an offline password reset tool, and have full control back in under an hour. Maybe, if it was configured in a hardened Domain it might give him some trouble, but that is really cost prohibitive. Even then, sounds like he would become very proficient at reloading the machine from scratch very quickly if you did that, or learn to use a Linux Live disk to bypass all of it. No, you have to have a man-in-the-middle device to do any good at all.
 
If he's hard-resetting the router, unless it's a single-piece unit that also handles ISP authentication you're out of luck. If it's a common cable modem - router - internal setup, he'll just hook to the cable modem directly. If it's something using PPPoE for authentication still you can probably get something that if he resets it will effectively be a non-routing brick until it's properly set back up, but if it's a cable modem good luck.

Software on the PC might work (particularly some of the "deep freeze" public lab lockdown stuff), but depending on what he's doing he may just boot from a USB stick.

It's like any PC - hardware access makes it very hard to control.

Hm, thinking about it, might this be a situation where a WinTerm (equivalent) and a cloud-hosted desktop might be a viable option? Perfectly viable for research, papers, surfing, even some videos most likely but not for gaming, etc. and whoever controls the hosting account controls when that machine's allowed to be on.

Edit: Or just have the parents do the unthinkable: cut the cord, get tethering plans, and set up a router to act as a wifi client to a phone or hotspot. "There will be no Internet unless I'm home, because there IS no Internet unless I'm home."
 
Check with the ISP and see what parental controls they offer. I know ATT, Charter, Xfinity offer some type, but have never used them.
 
If someone explains that any password resets, browser history erases, or anything mysterious happens, illicit searches, etc., occur, his access will be forbidden/confiscated. Time to teach some young punks who is boss.....!
 
"Since you've shown that we can't have controlled Internet at home, we just won't have Internet at home. You can work on things at the library. Oh, and we've turned off all data access on your phone as well."
 
15 huh??? In three more years, he'll be on here and we'll be asking him questions :)
According to the mom, the kid has completed his high requirements and is currently taking classes at NJIT. His grades are slipping because he has become addicted to on-line games and plays late into the night. So they have been trying to figure out how to prevent him from access.

They have FIOS, apparently Verizon set up parental controls on the router and he just hard reset it.

Sadly, I may have to admit defeat to a kid 1/3 my age.

At this point it sounds like they have only two viable solutions.

1. Lock the Verizon router in a cabinet where he can't access it, maybe run ethernet to an access point so they can get signal.

or

2. Cut internet altogether
 
Even content filtering on UTM appliances like a SonicWall is not 100% because they just aren't effective at filtering HTTPS traffic which a lot of the larger sites on the internet use by default these days. Technology can't substitute for good parenting. Time to put the foot down. If the kid can't get his act together then time to take away privileges. If he needs the internet for 'classes' the parents should tell him to get his ass to the library and learn how to use an encyclopedia. In a situation like this it's doubtful they would be happy with anything you could provide because it sounds more like a human problem than a technology problem.
 
The better UTM appliances don't have a reset button...they run on a Linux operating system which is like an OS...settings are saved in it. You have to log into the web admin to change settings, or even reset to defaults.

But they're also not down in the 300 dollar range, would be difficult to get one under twice that. And then you'd toss in near or over another 1,000 bucks in setup and configuration within the first month...and probably have calls for more work at least once a month after that, to allow some new game through, lock down hours for it, etc. Setup for a business takes a while, but it's relatively easy, you have a short list of apps that doesn't change much. But for a home..with a new game every few weeks, troubleshooting games, locking down games, changing schedules of lock down hours....it's just not practical. And the kid will still probably learn to bypass the unit, (physically...remove his ethernet cable from it, plug directly into modem).

Nope...momma's gotta learn how to be a parent and control little johnny.
 
I guess you could lock the tower and router up in a cabinet, make sure keyboard/monitor etc devices don't have extra USB ports that can be used to boot from. I say lock the tower up too so he doesn't just get a cheap wifi adapter and start connecting to nearby neighbors.

Watch him pick up lockpicking next =P
 
Unplug the router when they don't want him to get on it. If he's smart enough to crack passwords and bypass DNS settings then he will figure out to bypass a UTM physically. Physically removing something critical to the internet is the only way to do this and even then you need to have the modem locked up securely. But beyond all that parental discipline is the answer. If he's on his Xbox all night, don't disable the internet just take his Xbox away.
 