Showing posts with label firewall. Show all posts

Thursday, March 5, 2009

To Cache or Not To Cache

Untangle server continues to run beautifully. It is amazing to me how slick the interface is. For me, the interface, with its virtual "rack", makes the whole package the perfect solution for those with limited knowledge in this area. Customization is easy and it is astounding how much power you get in the open source package. Add in the Commercial packages as needed and you have an easy to manage kick-butt gateway with options for any need. With my limited network administration background, the feature set combined with the interface and the availability of support was the clincher for me. See the screenshots here.

The one feature I do find missing, however, is a caching "rack". After doing some research on this recently, I have discovered that there is some disagreement among IT professionals as to the need for caching in the current online environment. Some argue that, since most pages are dynamically generated, caching does little good and may actually cause a bottleneck in your network. Others counter that educational institutions often visit the same sites over and over again so caching is still a benefit. If you have thoughts on this debate, please leave them in the comments.

Monday, February 23, 2009

Firewall Success

Hallelujah! I finally have a fully functional open source firewall that is now installed at the school. It took a few months but we have done it!

Those of you who have read this blog (sparse though it may be) have read my trials and tribulations with IPCop. For a novice such as me, I found it a bit cumbersome and difficult to troubleshoot. Remember, my MAIN job is being my school's Computer Teacher. This IT stuff is an undesirable necessity. Don't get me wrong, I love training teachers in the use of technology, but when it comes to dealing with servers, I lack enough knowledge to really be comfortable with these duties.

I had installed IPCop over the Christmas break because we could no longer afford the ongoing subscription costs to filter our web content. It worked well, though it was still a bit confusing for me. With IPCop, however, we were experiencing regular browser messages stating that Internet Explorer could not load the page. The choice of browser didn't make a difference, nor did upgrading switches. In addition, all the information I collected about IPCop indicated that, while I was using an older machine (760 MHz), my hardware was still plenty capable of handling its tasks on a 50 user network. I even tried shutting off intrusion detection and caching, but the problem continued.

Enter, Untangle! Untangle is extremely easy to use. While the base package is free to download and install, Untangle offers some educational modules we plan to explore in the near future. For now, I installed the base software "bare back" on a server and 4 modules to define the roles of the server. These modules are easily downloaded and installed from within the Firefox browser supplied with the software. (Nice touch!) Once installed, they appear in your virtual "rack" and can be customized by entering the Settings for that module. I set up the Web Filter, Protocol Control, Firewall and Attack Blocker modules and was easily able to enter settings according to our needs.

I did have one small glitch, however. The Untangle server is connected to a gigabit switch and other workstations could not PING the Untangle server initially. After some tinkering (and sweating), I was able to accomplish a connection by setting both NICs (inside and outside) to a speed of "10/100" instead of "Auto". Once that setting was changed, everything worked flawlessly.

I don't think IPCop failed me, however. First, the IPCop box was connected initially to a 10/100 switch before I swapped it out for a gigabit switch, thinking my issue was with network traffic limitations. This proved not to be the case. Also, I decided to use a completely different repurposed computer which had more RAM and processing power, though I doubt the IPCop box was hindered in any way running on the slower hardware. The best I can come up with is a NIC driver issue or a bad Ethernet cable. Nevertheless, the system is working beautifully now and I am not going to question it. It's done and I don't have to worry about it anymore.

Now, back to teaching!

Thursday, September 25, 2008

IPCop Clean Install

OK, so I screwed up. After some comments left on this blog by "Anonymous" discouraged me from running IPCop over VMWare on a Win2003 Server for a "live" environment, I decided to do a clean install of IPCop running native. So far, everything is going fine. I installed the URLFilter addon and set up Snort (intrusion detection) and have begun testing the new box in preparation for going "live". All went smoothly once I decided to switch the 320 GB HD out for an 80 GB one to avoid any 48-bit issues with drives over 136 GB. Besides, I don't need THAT much space. The only glitch is that I accidentally ran the install using IPCop 1.4.2 instead of 1.4.20, which are different animals. I suppose I could have downloaded the 1.4.20 ISO and done another install but, since I am a newbie with IPCop, I decided to run the approximately 18 patches in succession to get it up to 1.4.21. Once I figured out the system (and that I didn't have to expand the .tar files before uploading), everything went fine and I was able to see the changes as IPCop had grown since 2005. It was a bit tedious but a good learning experience. Thanks again, Anonymous!

Wednesday, September 17, 2008

IPCop Deputized

After much research and time, we have decided to try out the IPCop firewall with URL Filter for the school's needs. Our VERY limited budget made the decision even more difficult. So, we are currently testing it as a VMWare appliance on a Windows 2003 box. For the time being, we are directing 2 computers' traffic through it to test the waters. While IPCop is running in transparent mode, our LAN currently uses a Surfcontrol plugin on an ISA server and forcing the transparency to happen would require removing the MS Firewall client for all machines. A friend of mine will be scripting this so that all workstations will automatically run the uninstall.

One issue I am having is that I sometimes have to ping the IPCop box from the workstation in order to get internet access. For the testing phase, I am simply using IPCop as the gateway, but Linux seems to have an issue recognizing other nodes on the network unless they are pinged. I haven't been able to find out much about this by Googling it. I guess I'm not using the correct keywords. If anyone has any information on this, I would very much appreciate hearing about it. I suppose I could write a boot script but my guess is that there is an easier way. Anyone?? Does the fact that it is a VMWare appliance affect things? Thanks!!

Add your comments below.

Friday, May 9, 2008

Firewalls and Schools

I've been researching firewall/proxy software or a Linux-based system for a small school serving 300 students. It's been a bit frustrating that there seems to be very little information on this topic relating to schools. Since schools are required by CIPA/COPA/ERATE to put these safeguards in place, you would think that there would be more information on this topic.

I searched eschoolnews.com, which is constantly pushing their Resource Center, but the most recent article on the topic was from 1999. (Maybe when I get some more knowledge in this area, my blog can be a useful resource for someone facing similar issues.)

We will be replacing our current Windows 2000 Server (ISA 2004 firewall with SurfControl plugin for web content filtering) with a Linux box. So here is my question...

Will the firewall/proxy on Red Hat Linux (for example) with DansGuardian be an adequate replacement for the current server or is there something more robust we need to consider?

If anyone has an answer to this, please respond in the comments. Thanks!