When the Internet was first conceived, it was housed in academic institutions. It next grew into commercial institutions, where it achieved a wider audience but remained strictly in the realm of adults. Few controls were necessary other than those imposed by the institutions that provided network connectivity. This lack of censorship has often been credited for the explosive growth of the Internet; it is one of the few remaining frontiers where literally any business or venture can be conducted.
Government controls are not likely to be effective on the Internet. The total amount of daily network traffic has far surpassed the ability to effectively filter it. Attempts by any government to censor any type of content will simply result in the publisher of that content moving to a jurisdiction that is more conducive to the business at hand. The Internet has become the first truly global human resource. The only way such an enormous fount of information can possibly be controlled is by the individual user.
This paper presents the design of a software system being developed by DoBox Inc. to address these concerns in a home setting. The founders and principals of DoBox are technologists who have families of their own, and who want to provide their families access to the riches of the Internet at the earliest possible opportunity, while not exposing them to the dangers of the Internet.
DoBox has made a carefully studied decision to base the DoBox system on BSD operating systems and other open source software. This paper presents our research and reasoning behind these decisions.
Wide availability of broadband access in homes will provide many new opportunities in the entertainment and communications industries. Low cost voice and telephony, streaming audio and video, and network games will be commonplace in the very near future. What is needed for all of these to work, and to work well together, is a secure platform to deliver services into the home, and a simple way for customers to choose new services and add them to their existing selections.
Inside the home, the same need for control of content exists. Families must be able to plan and implement who is allowed to purchase and use services, and perhaps when and where these services can be employed.
While offering numerous opportunities for learning, education and entertainment, the Internet is replete with its own brand of thieves and evildoers.
Attacks on computers connected to the Internet range from simple probes by the idly curious, through hijackings for activities such as distributed denial of service attacks, to theft of important and highly personal information.
The insecure default configuration of most personal computers contributes to this weak security posture. Products for the PC market are developed seemingly without a thought given to security or the privacy of the users. Widely used Internet service companies change their information privacy policies at a whim; many do not even have an information privacy policy.
The design of the Internet contributes to this problem as well. Many of the basic protocols of the Internet were designed in an era when the Internet was much smaller and network connectivity was confined to research institutions. Many common Internet protocols exchange security related information such as usernames and passwords in clear text; capturing such information is often trivial.
Internet users who do not understand the consequences of their actions can often defeat even a careful security plan. An FTP server downloaded from the Internet and started to enable friends to share files can inadvertently disclose the contents of personal or work related information, or open the system to data destruction by a malicious intruder.
Parents justifiably feel uncomfortable providing unsupervised Internet access to children within the home. Parents and other guardians do not have the time to stay with the child during all Internet access, or do not have the ability to monitor multiple children using the Internet from different computers.
The Internet is rich in content, and there is much to be admired available via a web browser or FTP client. Not all of this content is suitable for children, but PC software vendors and Internet connectivity providers have not presented viable alternatives for parental use.
PC software vendors have tried; a few have even made significant sales in this market. These products have many failings, however. Most ``personal firewall'' products must be installed and configured on every PC in the house, an administrative task that even small companies are not willing to undertake. Many of these products rely on the integrity of the user to correctly function, allowing any user to modify the configuration. One popular PC firewall product can be defeated by simply removing its configuration file and rebooting the PC. Insecure products like this offer little assurance to the concerned parent.
A strong and pervasive Internet firewall is needed: one that cannot be simply or inadvertently disabled, and that protects all of the connected computers within the home. It must have a simple user interface so it can be administered by family members, and yet offer industrial strength (or better) security to protect the family.
Electronic mail and online chat sessions can be problematic as well. The greatest feature of the Internet is the ability to enable person to person communications with anyone anywhere in the world, but this is not suitable for all family members. A mechanism to protect family members from the dangers of communicating with strangers who might do them harm is required for safe Internet access.
Many families ``go online'' to share with family and friends located near and far. They wish to publish a family scrap book, picture album, or family history, share calendars, and exchange information.
Unfortunately, there are predators who use such family information to locate targets of interest: families that will be away from home, leaving the house vulnerable, or worse, young children that can be preyed upon. What is needed is a mechanism to share family information by invitation only, and to have the invitations securely enforced.
Family members themselves may need access to private information from outside the home. Parents may need to access information from the workplace, children from school, or any family member while traveling. Strong security and a reliable method of authenticating outside access allows the family to place confidential information in the family portal with the secure knowledge it cannot be compromised by uninvited intruders.
In assigning trust to remote users, great care must be taken not to allow the trust model to become a mechanism for attack. A family portal that trusts two other families with access to calendar information does not imply any trust between the other two families. Care must also be taken in what information is shared: allowing somebody to view the summer vacation pictures must not allow them to also view medical records or the family investment portfolio.
One of the failings of many of the Internet security products sold today is the assumption that the vendor can determine or dictate what family standards should be. Web ``nannies'' contain lists of URLs to be blocked, email servers block sites others have reported as producing spam or other unsuitable content, and chat servers offer restrictions to buddy lists but do not verify the identity of their users.
DoBox does not set policies for the family. We wish to provide, in terms familiar to all UNIX workstation users, ``mechanism, not policy.''
In a family setting, this means providing a simple, intuitive user interface that allows parents or other family leaders to define both a security plan and filtering rules that meet the needs of the family, and to enforce them continually.
In order to provide this mechanism, we have designed the DoBox residential gateway software system. Physically, a DoBox powered residential gateway is an unassuming device, designed to act as a smart network hub connecting the computers in the home to the broadband network connection. The power lies within the software, which includes:
The OpenBSD operating system. OpenBSD was chosen for its overall focus on security, and for the secure default configuration. Having the Apache web server, OpenSSL and OpenSSH integrated into the system made it simple to configure a base system that is fast, reliable, and secure.
A secure firewall. The DoBox Family Firewall® provides families the ability to define and implement security and content filtering based on their personal wants and needs. The Family Firewall is based on ipfilter and ipnat, with DoBox customizations to enable the home administrator to easily enable or disable services by name.
Pervasive use of transparent proxies. The Family Firewall software also employs transparent proxies to avoid configuring individual computers. Since the residential gateway is the router between the home network and the Internet, usage of the proxy is assured. Transparent proxies are used to monitor and enforce policies on many forms of Internet access, including web browsing, sending and receiving electronic mail, and participation in online chat sessions. The original model for the transparent proxy mechanism is transproxy in conjunction with ipnat.
A Family Portal where family members may publish information only to those persons that have been assigned a level of trust by the parents or guardians. This allows the family to share online resources like photos, songs, or schedules with trusted friends and family. The Family Portal and the DoBox administrative user interface are based on the Apache web server and the PHP4 language interpreter.
A secure electronic mail server. Providing secure and reliable access to electronic mail and enforcing policy rules about who is allowed to send and receive mail, and who they are allowed to communicate with. The secure email server is based on qmail, along with custom mail filters developed by DoBox using the qmail libraries.
Another facet of the DoBox system with much appeal is the Application Programming Interface, or API. The DoBox is essentially a small server located in the home. Because it is based on the well known BSD API, it is simple for software or service vendors to deliver server applications into the home. The residential gateway has direct access to the broadband Internet connection and the local area network in the home, the perfect location for deploying server applications.
Residential gateways will be equipped with fast processors and substantial storage capacity. This makes the gateway a capable platform for delivering multimedia content into the home via the Internet connection. A number of recent articles touting the ability of content providers to provide just-in-time or well-ahead-of-time multimedia streams to the home via broadband network connectivity have made this feature of great interest to customers.
The network-centric nature of the OpenBSD system also lends itself to updating and adding software to the DoBox system in the home. OpenBSD software is usually installed in the form of packages; OpenBSD includes a mechanism for signing packages and verifying the signature. We have added a format for X.509 digital signatures to this mechanism. We have also added a web interface that allows the user to check a server for available software updates or new applications, and to download, verify, and install packages.
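The verify-before-install step of the update flow just described, as an added example that is not DoBox's or OpenBSD's own code: in Go, a constructed self-signed certificate (the name is hypothetical) stands in for the update server's certificate pinned on the gateway, and a package is installed only if its detached X.509 signature verifies under that certificate; a package altered in transit, or signed with any other key, is refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSigner builds a constructed self-signed certificate that stands in for the
// update server's X.509 certificate pinned on the gateway (hypothetical name).
func newSigner() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "updates.dobox.invalid (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signPackage is the update server's side: a detached PKCS#1 v1.5 signature over the SHA-256 digest.
func signPackage(key *rsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyPackage is the gateway's side, run before anything is unpacked: the pinned
// certificate must be within its validity period and the package bytes must verify
// under its key. A package altered in transit or signed by another key is refused.
func verifyPackage(trusted *x509.Certificate, pkg, sig []byte) error {
	now := time.Now()
	if now.Before(trusted.NotBefore) || now.After(trusted.NotAfter) {
		return fmt.Errorf("trust anchor not valid at %v", now)
	}
	if err := trusted.CheckSignature(x509.SHA256WithRSA, pkg, sig); err != nil {
		return fmt.Errorf("package rejected: %w", err)
	}
	return nil
}

func main() {
	key, cert, _ := newSigner()
	pkg := []byte("constructed package payload") // stands in for a .tgz package file
	sig, _ := signPackage(key, pkg)
	fmt.Println("genuine:", verifyPackage(cert, pkg, sig))
	pkg[0] ^= 1 // one flipped bit: the download was altered in transit
	fmt.Println("tampered:", verifyPackage(cert, pkg, sig))
}
```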
The DoBox system version 1.0 is now in field trial. Future versions are being developed by an expanding team of dedicated programmers and architects, with feedback from the field trial. The capabilities of the base system are being extended, and additional applications being developed. Some of the applications under consideration at this time include:
A family directory server. This central repository for contact information will help the family gather, sort, and maintain contact information. Access to the directory from the Family Portal or via LDAP will enable family members to use the directory from home, work, school, or while traveling.
PDA synchronization. The ability to synchronize calendar and contact information, download notes and email, and generally support users of Palm and other PDA platforms will greatly enhance the usefulness of the DoBox as the virtual refrigerator door. As Palm platforms gain more advanced network capabilities, it will be necessary to extend the synchronization features to the Internet.
Integrated voice services. As telephone access moves from the traditional PSTN to broadband access channels, users gain the ability to automate processing of voice messages via the home server. Recording date and time of call, caller ID information, providing individual voice mail boxes, and web based message checking are all possibilities in this realm. The ability to record voice messages and forward them as email with voice attachments holds promise as well.
On-demand media access. Cable modem and DSL do not provide sufficient sustained bandwidth to stream broadcast quality image streams, but such a stream can be recorded to disk during non-peak hours and replayed when the family is ready to view it. As a secure platform, the DoBox system provides assurance to vendors that the users will be able to purchase and view downloaded media as provided in their sales contract.
Automatic data backup. Several vendors already provide backup services over the Internet. Integrating such a service into the DoBox system provides the user with peace of mind for disaster recovery. A simple web interface will allow even the novice user to configure and purchase the level of service that meets their own needs.
Enabling telecommuting. Inclusion of industry standard VPN protocols such as IPSec allows the DoBox to enable telecommuting from within the home environment. Firewall controls and VPN features will allow the telecommuter to create an end-to-end solution directly to one single workstation in the home in the case where two or more VPNs must be joined simultaneously.
Providing controls for smart appliances. Future generations of entertainment devices include support for networking and digital media streams. These appliances will communicate with each other and exchange media via a network protocol like Jini or Universal Plug and Play. Some sort of controls will be necessary to simplify configuration of these devices, and to provide parental controls on content and viewing location.
In addition to the DoBox, we have planned for computing appliances to support the vision of computing throughout the home.
Several companies have announced lightweight Internet appliances in the recent past, including the Netpliance I-Opener and the Gateway Instant AOL device. These low-end devices have two shortcomings: they are designed to use analog modems for Internet access, and they rely on a remote Internet Service Provider (ISP) for data storage.
With a powerful server like the DoBox residential gateway already running in the home, these problems are eliminated. Internet appliances can rely on the gateway for storage, and to share the computing load. High speed connections based on Ethernet or IEEE 802.11 wireless networks will allow the appliance to fully utilize the capabilities of the server and the broadband connection.
Future portable appliances - work pads - will ``cut the cord'' by using a wireless network to communicate with the DoBox or other personal server in the home. Since it is primarily a user interface device, the work pad can be designed with processors and memory sized according to the task, enabling long battery life.
The work pad is intended to be primarily a handheld device. Large versions roughly the size of a small tablet may feature a stylus interface and some form of handwriting for limited data entry, as well as a keyboard for extended data entry tasks. Smaller versions designed for enhanced portability may use a thumb-controlled pointing device or a stylus, and feature a detached infrared keyboard that can be employed when needed.
DoBox has experimented with a proof of concept work pad, based on a small ``handheld PC'' running the NetBSD hpcmips port and the X Window System. Wireless networking is provided by a Lucent Orinoco Silver PCCard connecting to a DoBox via another Orinoco card. Applications run on the DoBox to conserve memory in the work pad.
The goal of these thin client appliances is not to replace the desktop computer in the home, but rather to supplement it. They are designed to be small enough and inexpensive enough to locate several throughout the home. The work pad is intended to be portable enough to carry along to the back yard or throughout the home. A portable device of this sort could also serve as a super remote control for the home entertainment system, connecting stereo and television to the DoBox residential gateway to enable the playing of digital media.
Other wireless devices to be integrated into the home network include Personal Digital Assistants (PDAs), such as Palm devices and HandHeld PCs. This will alleviate the need to manually insert such devices into a docking cradle.
Obviously DoBox owes a lot to the BSD and Open Source communities. Much of the functionality of the DoBox and prototype work pad system is provided in OpenBSD, NetBSD, and other public software. We also use FreeBSD for certain services within our development organization, and plan to use FreeBSD for some of the online services we will offer in support of DoBox users. We have a policy to pick the best software available for a given task; each of these systems provides tremendous value to their users, whether they know they are using BSD or not.
Wes Peters is a System Architect at DoBox Inc. Wes holds a Bachelor of Science in Computer Science from Weber State University. While a senior at Weber State, he worked on celestial navigation (where's the bird?) and data downlink software for the NUSAT-1 satellite project. Following graduation, Wes worked for the United States Air Force for eight years on a variety of projects, receiving a thorough grounding in computer and data security.
Since 1990, Wes has worked in a number of design and development positions in the software industry. At Axent Technologies, he designed the first Internet security software product, Security Toolkit for UNIX. At Dayna Communications, now a division of Intel, he designed the software for the Internet Station dial-up router.
Wes has been a user of FreeBSD since version 1.0 and a committer on the FreeBSD project for three years. He has used NetBSD off and on since version 0.8, and OpenBSD since version 2.4. He co-writes the Daemon's Advocate column for Daemon News (http://www.daemonnews.org), a web magazine dedicated to BSD systems.
When not glued to a computer screen, Wes can be found sailing his J/22 dJinni on the Great Salt Lake. He is a member of USSailing and the Great Salt Lake Yacht Club, and races dJinni with more zeal than success. He maintains the dream of one day racing in the NOOD (National Offshore One-Design) regatta.