[TriLUG] MAC-based web blocking

Shawn William Taylor STaylor at torexretailna.com
Tue Sep 12 08:33:07 EDT 2006


Why don't you use an IP rule based on their DNS entry?
They shouldn't be able to figure that out.

Unless they monitor this list!

:)

shawn

"Aaron S. Joyner" <aaron at joyner.ws> 
Sent by: trilug-bounces at trilug.org
09/11/2006 08:09 PM
Please respond to
Triangle Linux Users Group discussion list <trilug at trilug.org>


To
Triangle Linux Users Group discussion list <trilug at trilug.org>
cc

Subject
Re: [TriLUG] MAC-based web blocking

Brian Henning wrote:

> The reason I don't want to use IP-based rules is that our problem 
> users are probably resourceful enough to try resetting their IPs.
>
> But yeah, I was already on that track; glad to have some encouraging 
> suggestions. :-)
>
> Thanks!
> ~B

So I'm like 5 days late in replying to this... but do you think they're 
not also resourceful enough to change their MAC addresses?  You could do 
it by switch port if you're feeling particularly script-happy (and have 
basic managed switches), but what keeps them from plugging into a new 
switch port?  If you're feeling like doing it right, use a managed 
switch and 802.1x to lock them into a separate VLAN, from which 
controlling access is a simple matter of only allowing http through 
squid from the subnet associated with that VLAN.  Anything else just 
helps you sleep better at night, thinking you've actually achieved some 
controls they can't get around.  But perhaps sleep or plausible 
deniability is all you're really after.

Aaron S. Joyner
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
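The "separate VLAN, only HTTP through squid" design Aaron sketches above, written out as an added example (it is not from any poster on this thread): a squid.conf fragment plus an iptables-restore fragment for the gateway that routes the restricted VLAN. The subnet 192.0.2.0/24, the proxy port 3128, and the assumption that squid runs on the same gateway box are all placeholders.

```conf
# --- /etc/squid/squid.conf (fragment) ---
# Hosts that 802.1x places on the restricted VLAN land in this subnet
# (assumed value); the ACL keys on VLAN membership, not on a MAC or an
# IP the user picked for themselves.
acl restricted_vlan src 192.0.2.0/24
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Restricted hosts may only use plain web ports, and CONNECT only to 443.
http_access deny restricted_vlan !Safe_ports
http_access deny restricted_vlan CONNECT !SSL_ports
http_access allow restricted_vlan
http_access deny all

# --- /etc/iptables/rules.v4 (fragment, iptables-restore format) ---
# Without these rules the proxy is optional: a restricted host could
# simply bypass it and talk to the Internet directly.
*filter
# Restricted hosts may reach the proxy on the gateway itself ...
-A INPUT -s 192.0.2.0/24 -p tcp --dport 3128 -j ACCEPT
# ... and nothing else is forwarded for them.
-A FORWARD -s 192.0.2.0/24 -j DROP
COMMIT
```

Because the control is attached to the VLAN that the switch assigns after 802.1x authentication, changing a MAC or IP on the client does not move it out of the subnet the rules match; squid's access.log also gives you a per-request record for the restricted hosts, which MAC-based filtering alone never would.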