Need tips on good security for an Internet cafe

Posted on 2006-04-03
Last Modified: 2010-03-18
A client is interested in having my company support an Internet cafe where kids could come and play Internet games like Warcraft.  W2K3 server + 10 PCs.  System is already basically in-place they say.  Machines have been locked down with something called "Smart Launch", a "Cafe Manager" software (that is a GUI for Group Policy).

What special needs would an Internet cafe have in comparison to any other small business?  Would you recommend hardware firewall like Watchguard or is that overkill?

Question by:supportoranges
    LVL 18

    Expert Comment

    ghost, true image or other enterprise solution for resetting systems at night.

    for security I would either use ISA server on a separate server, or build a custom linux firewall.  I would usually advocate for hardware firewall, higher end the better, but here I would strongly advocate either of the above.

    The reason is I have done a couple of internet cafes and my approach is fairly straightforward:
    Proxy all web and ssl web.
    leave the games on running via NAT unproxied because it will kill the game.
    restrict anything that isn't the game or web/https
    LVL 1

    Author Comment

    thank you for your quick response.  if you don't mind i'll dig into this the rest of the day and assign points tomorrow.  your response is very helpful.
    LVL 18

    Expert Comment

    this should say:
    leave the games on running via NAT unproxied because it will kill the game, if proxied or otherwise interfered with, limited filtered, etc.
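
Added example, not part of the thread: a sketch of the "custom linux firewall" option that applies the three rules above (web and HTTPS only through a proxy, the game through plain NAT, everything else dropped). The interface names, LAN subnet, a Squid-style proxy and a DNS forwarder running on the firewall itself (ports 3128 and 53), and TCP 3724 as the game port are assumptions to adjust for the site.

```shell
#!/bin/sh
# Added example (not from the thread). All values below are assumptions.
LAN_IF=eth1                 # cafe PCs
WAN_IF=eth0                 # Internet uplink
LAN_NET=192.168.10.0/24     # constructed sample subnet
PROXY_PORT=3128             # proxy on this box; clients use it for HTTP and HTTPS (CONNECT)
GAME_TCP_PORTS="3724"       # assumed game port; confirm with the game publisher

# Print the policy in iptables-restore format so it can be reviewed before loading.
emit_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Game traffic is the only thing forwarded (NAT, no proxy, no inspection).
    for p in $GAME_TCP_PORTS; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $p -j ACCEPT"
    done
    # No FORWARD rule exists for 80/443, so direct web access that bypasses
    # the proxy falls through to the DROP policy and is logged first.
    echo "-A FORWARD -i $LAN_IF -j LOG --log-prefix \"cafe-drop: \""
    echo "COMMIT"
}

# Default is a dry run that prints the rules; --apply loads them (needs root).
if [ "${1:-}" = "--apply" ]; then
    emit_rules | iptables-restore
else
    emit_rules
fi
```

The LOG rule makes proxy-bypass attempts and unexpected client traffic visible in the kernel log, which is where a cafe PC that has been turned into a zombie would first show up.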
    LVL 1

    Author Comment

    when i recommended ISA on a separate machine, the client downplayed his need for security because it's just a teeny-weeny business that nobody would ever bother to hack (ha ha).

    i may be better off with Watchguard Firewall because I am familiar with it and setting up ISA on separate box could take longer.  If you pay Watchguard $400/yr I think you get pretty good support from them.

    I'd have a learning curve on the ISA and I'm trying to weigh cost/benefit.  ISA seems nice from the point of view of content filtering (filtering out bad web sites).  Do you know if it has a list of bad sites like SonicWall?
    LVL 18

    Expert Comment

    all major content filters are compatible with ISA, you subscribe to them, otherwise you can manually feed in a white/black list.

    the main issue is not hacking per se, but legitimate users (who have paid) coming in and turning the systems into zombies after hours or something, which is mostly fixed by re-cloning daily.

    Also they might bring in a computer or laptop and plug it in without permission.

    If you can get watchguard or other box to do proxy, you are good to go.  I am unaware of them supporting proxies anymore
    LVL 18

    Expert Comment

    how many screens of WOW is he thinking?
    how many screens of web only/ less intensive stuff?

    Is it in a place where people will actually use a web kiosk, or is this from what I assume from your post, a hardcore gaming cafe?
    LVL 1

    Author Comment

    Environment:  W2K3 SP1 on non-Raided Dell machine (SATA only).  10 clients running XPProSP2.  SmartLaunch deployed throughout.  Some virtual CD mount software from  

    Plan is that kids can play games from CDs which are virtually mounted (don't ask) or go on line to browse or play Internet games.    

    He has SmartLaunch deployed which keeps track of kids' 'accounts' so that's pretty important!  SmartLaunch also locks down the machines fairly well it seems but doesn't do any content

    I get your point on the proxy (central point of control).  I will remember that.  

    I guess without the web proxy things can get out-of-control.

    Although I do realize that firewalling is important, I worry sometimes that I'm overselling technology.  I've been in situations with ZoneAlarm where everyone is griping about
    popups and inconvenience.  Home users don't understand the need to know what they are allowing/denying.  

    Small businesses expect things just 'to work' once they are 'set up' and don't realize security is an ongoing process.  I am less expert on firewalling in comparison to O/S, programming, apps, hardware, etc. so that is why all of the questions about firewall.  

    NetNanny is the only time I got into content filtering and it was a disaster because the second time the customer had to tweak a setting it was too much.  There is so little patience anymore.

    The customer we are discussing now has decided to make the PDC a file server for saved games.  This is already a problem as I know when I did an FTP server that everyone said
    don't put customer data there.  They did anyway.  Now it looks like I'm facing the same thing.  People don't appreciate the concept of isolation.

    I really do appreciate your specific recommendations.  I esp. like the one about reimaging nightly.  

    ISA is sounding like the way to go but I have no idea how long it would take for me to deploy, what the learning curve is, etc.  This is one of those gigs where the client
    stands over your shoulder so that he 'can learn'.  So in his eyes I may look stupid if I don't hit a key every four seconds.  Real world consideration.  If I had the place
    to myself I could get the job done and charge him  a flat rate of what 5 hours?  Hidden costs include building out a w2k box for it, etc.

    Thank you for the reminder about subscriptions.  These clients get awfully sore if you don't tell them all the costs up front.

    Not sure what WOW means.  

    LVL 18

    Accepted Solution

    WOW; world of warcraft.

    it's funny, just last year I talked a guy out of buying a supposedly lucrative gaming hall.  He was a non-techie, and if he had made the purchase, the owner (a grand techie, of course) was moving to Hawaii! (I'm in NY)
    I told him that the owner or operator of a gaming site MUST be very technical, in fact I can't see anybody doing it without devotion of all their time and high technical skill to survive.  It is a little like buying a small restaurant and you can't cook, and don't know much about food or business.  You will have to hire someone to run the whole thing and take most of the profits.

    also it was supposedly lucrative because it was almost entirely cash.
    LVL 1

    Author Comment

    Thank you.  I was looking at WOW for the first time yesterday.  OK, cool.

    Your last post is very comforting.  Someone has to RUN THE THING on a day-to-day.  The owners want to hear that 'after the initial setup' the thing will run by itself.

    Oh maybe just a few tweaks here and there but nothing major.  Yeah, right.

    I had to call MS the other day for something annoying me in Outlook and it was basically 2 hours.  i didn't mind but the customer then rants about costs.

    Never mind that the customer runs his own business on a single loaded PC (read single-point-of-failure).  They don't even want to pay to back it up. ("Why can't
    you just use a diskette?!?!")

    So thank you for putting this in perspective.  I'll just sit back and wait now as his IT friends in the city start to refuse to come up to the burbs to get rid of spyware.

    Thank you so much!
