Well, here we are five months later and COVID-19 is still a thing. And like many parents we are facing the need to continue our daughter’s education at home. Our local school district has stated that all learning will be conducted online for at least the first nine weeks. And even if they allow for students to return, we will probably opt to keep her at home for a while longer until things are more stable.
Now, our daughter is seven and will be turning eight in a couple of months. So she’s at that age where she’s old enough to do some things independently. But, as most of us know, the Internet is not a safe place for a seven-year-old and we as parents need to exercise some level of control over the things they can access. And while the best solution is a set of eyes, we obviously can’t be everywhere at all times. So this is the solution I came up with.
Defense In Depth
My strategy for keeping my daughter safe relies on Defense in Depth. Basically it means there are multiple levels of control at various points, with the idea that most problems will be caught at some level. And it starts at the social level.
Her main computer that she uses for schoolwork is in the kitchen, in clear view of everyone. She also has a Kindle and a very old iPod. We also discussed with her what is appropriate on the Internet and what isn’t, and that you need to tell an adult if you see something that makes you feel unsafe or weird.
That’s the first level.
On Device Safety
The next level is on-device. We are using Apple’s Parental Controls to enforce time and usage limits on her computer, as well as Kaspersky Safe Kids. These are the first line of defense and are mostly about preventing excess usage. There was a while there where she was getting up early to watch videos on YouTube, so time limits keep her from doing that. We also want her to not be around screens for the few hours before bed.
I am not really sure how well Kaspersky is working, so the jury is still out on that. Hopefully I will have something more to report later. I also tried Qustodio. It did “work” but it works by MitM’ing her network connections (on the Mac). This actually broke a bunch of the stuff she needed for school like Google Classroom and a math game she plays, all of which had certificate pinning enabled. So that was a no-go.
On her Kindle, the browser is disabled and parental controls are turned on through our account. I generally allow her free range on books that are age appropriate or a little above. I think I have her age limit set at 11, since she is mature for her age and can handle some older stories like Harry Potter. The Kindle also has slightly longer time limits on it because I don’t mind her staying up a bit later to read.
Same with her iPod. The browser is disabled, but, truthfully, that thing is so old that it probably wouldn’t be any good even if it was.
Network Level Safety
The next layer is at the network level. And this is where pfSense, Unifi and NextDNS come in.
I created a separate wifi network for kids’ devices (mine is called Eclipse-Kids) in the Unifi admin, and I tagged it with a separate VLAN ID. Over in pfSense, I added the VLAN as a separate network for kids’ devices, along with a separate DHCP server for them. I also added some rules around it. Besides the obvious pass rules to the WAN and LAN interfaces, I added some time-limiting rules to fine-tune access control further. Namely, they shut off almost all Internet access at 9PM (internal traffic is still allowed). Internet traffic is allowed from midnight to 4am primarily to allow devices to do automated updates, then is disabled again until 7:15am to keep her from getting up early.
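Overlapping time windows that cross midnight are easy to get wrong, so here is an added example (not part of the original post and not pfSense configuration) that models the schedule above and prints when Internet access flips between pass and block. It assumes the times in the post are expressed as block windows over a default pass rule; the function and variable names are made up for illustration.

```python
from datetime import time

# Block windows for WAN traffic from the kids VLAN, using the times in the
# post. Modelling them as "block" windows over a default pass rule is an
# assumption; the post does not show the actual pfSense rules or schedules.
BLOCK_WINDOWS = [
    (time(21, 0), time(0, 0)),   # 9PM until midnight
    (time(4, 0), time(7, 15)),   # 4am until 7:15am
]

def _minutes(t):
    """Minutes since midnight."""
    return t.hour * 60 + t.minute

def in_window(now, start, end):
    """True if now is in [start, end); an end <= start wraps past midnight."""
    n, s, e = _minutes(now), _minutes(start), _minutes(end)
    if s < e:
        return s <= n < e
    return n >= s or n < e

def internet_allowed(now, windows=BLOCK_WINDOWS):
    """Internet traffic passes unless some block window covers this time."""
    return not any(in_window(now, s, e) for s, e in windows)

def daily_timeline(windows=BLOCK_WINDOWS):
    """Return [(HH:MM, 'pass' or 'block'), ...] for each state change in a day."""
    timeline, previous = [], None
    for minute in range(24 * 60):
        now = time(minute // 60, minute % 60)
        state = "pass" if internet_allowed(now, windows) else "block"
        if state != previous:
            timeline.append((f"{minute // 60:02d}:{minute % 60:02d}", state))
            previous = state
    return timeline

if __name__ == "__main__":
    for start, state in daily_timeline():
        print(start, state)
```

Comparing the printed timeline against what a device on the kids network actually experiences at the boundary times is a quick way to confirm the firewall schedules match the intent.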
And the final step is NextDNS. If you aren’t familiar with them, they are a DNS service that also has built-in blocking. You can select from a list of domains to block and add your own as well. They block ads, trackers, malware, etc., as well as adult content if you opt in to it. They also purport to be able to block adult content out of search engines and YouTube results.