Aaron wrote:
> So I'm like 5 days late in replying to this... but do you think they're
> not also resourceful enough to change their MAC addresses?

Honestly, yes. I don't think they're that resourceful. If they are, the log files will tell tales. The person in question isn't an idiot, but was amazed by the operation of iptraf, so I suspect his knowledge only goes so far.

> You could do
> it by switch port if you're feeling particularly script-happy (and have
> basic managed switches), but what keeps them from plugging into a new
> switch port? If you're feeling like doing it right, use a managed
> switch and 802.1x to lock them into a separate VLAN, from which
> controlling access is a simple matter of only allowing http through
> squid from the subnet associated with that VLAN. Anything else just
> helps you sleep better at night, thinking you've actually achieved some
> controls they can't get around. But perhaps sleep or plausible
> deniability is all you're really after.

Pretty much. No managed switches to play with. All I have to be able to do is say to $boss, "yep, his access is controlled." If said employee proves resourceful (and insubordinate) enough to circumvent the MAC filter, then clearly more drastic measures will be required (and I suspect they'll be more of an HR matter than an IT matter--but that's just speculation).

Personally I like to think $employee will behave himself. Time will tell.

(man, I'm feeling more BOFHish every day..)

Thanks for the input, though!

Cheers,
~B

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
