Brian Henning wrote:

The reason I don't want to use IP-based rules is that our problem users are probably resourceful enough to try resetting their IPs.

But yeah, I was already on that track; glad to have some encouraging suggestions. :-)

Thanks!
~B

So I'm like 5 days late in replying to this... but do you think they're not also resourceful enough to change their MAC addresses? You could do it by switch port if you're feeling particularly script-happy (and have basic managed switches), but what keeps them from plugging into a new switch port? If you're feeling like doing it right, use a managed switch and 802.1x to lock them into a separate VLAN, from which controlling access is a simple matter of only allowing http through squid from the subnet associated with that VLAN. Anything else just helps you sleep better at night, thinking you've actually achieved some controls they can't get around. But perhaps sleep or plausible deniability is all you're really after.

Aaron S. Joyner
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
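
The subnet-based control suggested in the reply above, sketched as a squid.conf fragment. This is an added example, not part of the original thread: the subnet 192.0.2.0/24, the ACL names and the MAC address are constructed placeholders, and it assumes 802.1x on the switch has already placed the users in the VLAN that owns that subnet and that the VLAN's gateway drops everything not addressed to the proxy.

```conf
# --- Weak form: keyed on an identifier the client chooses for itself ---
# Both the source IP and the MAC address can be changed from the workstation,
# so these rules only hold until the user changes them.
#
#   acl problem_users_ip  src 192.0.2.57
#   acl problem_users_mac arp 00:11:22:33:44:55
#   http_access deny problem_users_ip
#   http_access deny problem_users_mac

# --- Subnet form: keyed on where the network placed the client ---
# The switch, not the workstation, decides VLAN membership via 802.1x,
# so the source subnet reflects the authenticated identity.
# 192.0.2.0/24 is a constructed placeholder for the restricted VLAN's subnet.
acl restricted_vlan src 192.0.2.0/24

# Plain HTTP only: port 80, no CONNECT tunnels.
acl plain_http_port port 80
acl CONNECT method CONNECT

# Order matters: squid applies the first http_access line that matches.
http_access deny restricted_vlan CONNECT
http_access deny restricted_vlan !plain_http_port
http_access allow restricted_vlan

# Rules for other subnets would go here, above the final deny.
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before the running proxy is reloaded.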
