[TriLUG] MAC-based web blocking
Brian Henning
lugmail at cheetah.dynip.com
Mon Sep 11 22:31:04 EDT 2006
Aaron wrote:
> So I'm like 5 days late in replying to this... but do you think they're
> not also resourceful enough to change their MAC addresses?
Honestly, yes. I don't think they're that resourceful. If they are, the
log files will tell tales. The person in question isn't an idiot, but was
amazed by the operation of iptraf, so I suspect his knowledge only goes so
far.
> You could do
> it by switch port if you're feeling particularly script-happy (and have
> basic managed switches), but what keeps them from plugging into a new
> switch port? If you're feeling like doing it right, use a managed
> switch and 802.1x to lock them into a separate VLAN, from which
> controlling access is a simple matter of only allowing http through
> squid from the subnet associated with that VLAN. Anything else just
> helps you sleep better at night, thinking you've actually achieved some
> controls they can't get around. But perhaps sleep or plausible
> deniability is all you're really after.
Pretty much. No managed switches to play with. All I have to be able to do
is say to $boss, "yep, his access is controlled." If said employee proves
resourceful (and insubordinate) enough to circumvent the MAC filter, then
clearly more drastic measures will be required (and I suspect they'll be
more of an HR matter than an IT matter--but that's just speculation).
Personally I like to think $employee will behave himself. Time will tell.
(man, I'm feeling more BOFHish every day..)
Thanks for the input, though!
Cheers,
~B
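An added example, not part of the original thread or either poster's setup: the "log files will tell tales" approach in working form. It assumes the gateway logs every outbound web SYN with a plain iptables LOG rule placed before the MAC-match DROP (something like `iptables -A FORWARD -p tcp --syn -m multiport --dports 80,443 -j LOG --log-prefix "WEBLOG "` followed by `iptables -A FORWARD -m mac --mac-source 00:aa:bb:cc:dd:ee -p tcp -m multiport --dports 80,443 -j DROP`; both rule lines and the MAC are hypothetical). The LOG rule must not itself be restricted to the blocked MAC, because a host that changes its MAC would then vanish from the log entirely. The script reads kernel LOG lines, pulls the source MAC out of the 14-octet `MAC=` field, and reports two things: how often the blocked MAC still tried, and any IP seen with more than one source MAC, which is the signature of someone swapping addresses. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical MAC of the workstation the filter applies to.
BLOCKED_MAC = "00:aa:bb:cc:dd:ee"

# Constructed kernel LOG lines in the format iptables emits with --log-prefix "WEBLOG ".
# The MAC= field is dst MAC (6 octets) : src MAC (6 octets) : ethertype (2 octets).
SAMPLE_LOG = [
    "Sep 11 22:31:04 gw kernel: WEBLOG IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 11 22:35:10 gw kernel: WEBLOG IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ef:08:00 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40113 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 11 22:36:00 gw kernel: WEBLOG IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:de:ad:be:ef:01:08:00 SRC=192.168.1.60 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 11 22:37:00 gw kernel: WEBLOG IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:de:ad:be:ef:01:08:00 SRC=192.168.1.60 DST=198.51.100.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4714 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# 14 colon-separated octets = 41 characters; SRC follows after one space, DPT later on the line.
LOG_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-fA-F:]{41}) SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)"
)


def src_mac(mac_field):
    """Return the source MAC from an iptables LOG MAC= field, or None if malformed."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[6:12])


def analyse(lines, blocked_mac, web_ports=(80, 443)):
    """Count web attempts from the blocked MAC and find IPs that appeared with several MACs."""
    macs_by_ip = defaultdict(set)
    blocked_hits = 0
    blocked_mac = blocked_mac.lower()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if int(m["dpt"]) not in web_ports:
            continue  # only web traffic is subject to the filter
        mac = src_mac(m["mac"])
        if mac is None:
            continue
        macs_by_ip[m["src"]].add(mac)
        if mac == blocked_mac:
            blocked_hits += 1
    # An IP that shows up behind more than one MAC is the tell-tale of a changed address.
    changed = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return blocked_hits, changed


if __name__ == "__main__":
    hits, changed = analyse(SAMPLE_LOG, BLOCKED_MAC)
    print(f"web attempts from blocked MAC {BLOCKED_MAC}: {hits}")
    for ip, macs in changed.items():
        print(f"{ip} seen with multiple MACs: {', '.join(macs)}")
```

On the constructed log, 192.168.1.50 shows up first as the blocked MAC and then as a neighbouring address, which is exactly the circumvention the thread speculates about; the SSH line is ignored because the filter only concerns web ports. Note that `-m mac` matches only on the inbound interface (PREROUTING, INPUT and FORWARD), and a static IP or a different DHCP lease would defeat the IP-based correlation, so this is evidence for the HR conversation rather than a control.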