Suresh Ramasubramanian spewed into the ether:
>Actually, as (say) napster uses specific ports it's a good idea
Until you meet something like napster over HTTP, or free nap.
Napster and all IM clients can tunnel over HTTP, so that is not the
best way to block them.
>In squid, it's (fairly) simple -
>acl banned [string] (say mp3)
Best way.
>As several people will tell you, this will work for net.newbies.
>There are several (not so clever) ways to get past this.
Hmmm, over a NAT+MASQ network, dual homed gateway with properly
configured ipchains rules when the only way to go out is through squid
(as a transparent proxy, or not)?
>Only cure is, when the network gets bogged down because of an mp3 download
>
> 1. if you use ipchains for NAT cut off the guy's connection
> 2. go to the guy's terminal and yell at him (or have yr boss do it)
> 3. remove napster / messenger from the machine
> 4. set a policy allowing only administrator to install stuff
> [4 assumes that this is Win\NT workstation on the desktop]
Basically, this is a people problem. It cannot be solved by
technological means. 1 seems a bit too harsh, 4 is easily worked
around; 2 and 3 are of course the only good solutions (people wause, non tech ones).
This topic has been discussed to death on securityfocus, and exactly the same
conclusions have been reached.
Devdas Bhagat
--
"Security is mostly a superstition. It does not exist in nature...
Life is either a daring adventure or nothing."
-- Helen Keller