Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau
ALCASAR is an open source Network Access Controller (N.A.C.).
Simple to deploy and manage, it controls, protects and attributes access on an Internet consultation network.

2 - Goals

Authenticating and controlling connections

ALCASAR forbids access to non-authenticated users (login + password). It acts as a lock on access to all Internet services.

Connection control makes it possible, for example, to define which users and/or user groups are authorized to connect. For each user and/or user group, it is possible to define a validity period for the connection, weekly connection time slots, as well as a maximum online time, connection speed or maximum amount of data that can be downloaded. To manage users, ALCASAR relies on an internal database, which can be combined with an external directory (LDAP or Active Directory ©).

Tracing and attributing while protecting privacy

ALCASAR allows those in charge of an organization to meet the requirements of access and use policies for Internet consultation networks. In France, it makes it possible to comply with legal obligations to trace and attribute connections.

These requirements consist of authenticating users of the consultation network when they decide to connect to the Internet and producing, for each of them, traces of all actions carried out (surfing, downloading, watching or listening to multimedia, mail, discussion, blog, secure connections, etc.). ALCASAR produces these logs in files that can easily be archived on external media so that they can be used in the context of a judicial inquiry. Within the framework of cyber-surveillance and to meet the requirements of the CNIL (French ICO), the generation of these logs is combined with the following mechanisms to ensure non-repudiation and guarantee privacy:

  • User authentication flows are encrypted. Users can change their password at any time. These passwords are stored encrypted in the internal database. Log files can be encrypted. These precautions help prevent accusations that another user or an administrator took, exploited or modified this data;

  • Direct consultation of nominative Internet activity is impossible. Traces of connections are intentionally scattered across many files whose domains are separated (authentications on one side, Internet activities on the other). Attributing connections is only possible after aggregating these files (this work is reserved for judicial authorities). The graphical management interface of ALCASAR shows only connection statistics and no nominative data related to activities carried out on the Internet;

  • ALCASAR protects against users who forget to log out. It automatically logs out users whose consultation equipment no longer responds (system shutdown, network failure, etc.). Furthermore, a plug-in automatically disconnects the user when the Windows session closes.

Securing the consultation network

ALCASAR integrates a firewall and a web antivirus to protect the consultation network's equipment from direct external threats. In addition, a specific module has been created to protect authenticated users from internal attackers attempting to spoof their sessions.

Security updates for consultation equipment (antivirus and patches) are possible and can be automated through declared URLs that can be reached directly without prior authentication (trusted sites).

The portal

The portal has been designed as a bastion in order to withstand different kinds of threat:

  • use and hardening of a recent, minimalist operating system (Mageia Linux);

  • protection of the portal against internal attacks (hardening and anti-bypass);

  • the free software components that make up ALCASAR are known to be hardened and secure;

  • for access to the graphical management console: encryption of all frames, authentication and accounting, and separation between backup functions, user management functions and administration functions (with administration profiles).

Users

To protect users, ALCASAR includes two filtering mechanisms:

  • the first one blocks access to websites whose content could be reprehensible. This mechanism is fully tunable (enable, disable, add or remove sites, etc.);


  • the second one blocks all traffic other than web traffic, so that only the required protocols are enabled (HTTPS, FTP flows, multimedia flows, etc.).

These two optional mechanisms were first developed for organisations that welcome young people.

 