On Fri, Feb 10, 2012 at 10:43, Ben Scott <[email protected]> wrote:
> On Fri, Feb 10, 2012 at 1:03 PM, Kurt Buff <[email protected]> wrote:
>> I would think that this would be easier at the firewall - you could
>> just deny port 443 to www.google.com
>
> That's tough with distributed destinations like Google, though.
> ("Cloud".) There's a lot of IP addresses, not every client will get
> the same IP address, and they change a lot.
>
> That's a good thought, though. An HTTP proxy should do the job
> nicely. You'd want to configure it to deny URLs containing bare IP
> addresses to make sure nobody's getting around things that way.

That's perhaps reasonable - a combination of www.google.com and bare IP addresses.

>> Using only whitelisting for port 443 (or any other port,
>> including 80), for the student's subnet seems to be the safest thing.
>> I know it's politically difficult, but life would be easier in the
>> long run.
>
> I don't think that's feasible for a general use network. Students
> often use the web as a research tool. Now you're talking about
> whitelisting every possible website they might visit -- and checking
> the whitelisted sites regularly to make sure they haven't changed.
>
> If students only have a very narrow selection of websites they need,
> that would work, but I don't think that's a realistic scenario
> anymore.

Perhaps just 443 - that would probably help a great deal.

Kurt
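
The proxy rule discussed in the thread above (deny HTTPS to www.google.com, plus any request whose target is a bare IP address), as an added Python sketch that is not part of the original messages. The function names and the BLOCKED_HTTPS_HOSTS set are hypothetical; a real proxy would express the same checks in its own ACL syntax.

```python
import ipaddress

# Constructed policy for this sketch: the one hostname named in the thread.
BLOCKED_HTTPS_HOSTS = {"www.google.com"}


def split_authority(authority):
    """Split a CONNECT target ("host:port" or "[v6]:port") into (host, port)."""
    authority = authority.strip()
    if authority.startswith("["):  # bracketed IPv6 literal
        host, closed, rest = authority[1:].partition("]")
        if not closed or not rest.startswith(":"):
            raise ValueError("malformed authority")
        port = rest[1:]
    else:
        host, colon, port = authority.rpartition(":")
        if not colon:
            raise ValueError("missing port")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad host or port")
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.lower().rstrip("."), int(port)


def is_bare_ip(host):
    """True when the host is an address literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # No top-level domain is all digits, so a numeric final label
        # (for example a shortened IPv4 form) is treated as an address too.
        return host.rsplit(".", 1)[-1].isdigit()


def check_connect(authority):
    """Return (allowed, reason) for one CONNECT request; fails closed."""
    try:
        host, port = split_authority(authority)
    except ValueError as exc:
        return False, "malformed target: %s" % exc
    if is_bare_ip(host):
        return False, "bare IP address"
    if port == 443 and host in BLOCKED_HTTPS_HOSTS:
        return False, "blocked HTTPS host"
    return True, "allowed"
```

The hostname is normalised before comparison, so case differences and a trailing dot do not slip past the deny list, and anything that cannot be parsed is denied rather than passed through.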
