[TriLUG] MAC-based web blocking
Brian Henning
brian at strutmasters.com
Tue Sep 12 08:38:04 EDT 2006
Heh. Yeah, except we don't currently do in-house DNS (though
eventually, if I ever have time for hobby projects like that, I would
love to set it up..)
~B
Shawn William Taylor wrote:
> Why don't you use an IP rule based on their DNS entry?
> They shouldn't be able to figure that out.
>
> Unless they monitor this list!
>
> :)
>
> shawn
>
> "Aaron S. Joyner" <aaron at joyner.ws>
> Sent by: trilug-bounces at trilug.org
> 09/11/2006 08:09 PM
> Please respond to: Triangle Linux Users Group discussion list <trilug at trilug.org>
> To: Triangle Linux Users Group discussion list <trilug at trilug.org>
> Subject: Re: [TriLUG] MAC-based web blocking
>
> Brian Henning wrote:
>
>> The reason I don't want to use IP-based rules is that our problem
>> users are probably resourceful enough to try resetting their IPs.
>>
>> But yeah, I was already on that track; glad to have some encouraging
>> suggestions. :-)
>>
>> Thanks!
>> ~B
>
> So I'm like 5 days late in replying to this... but do you think they're
> not also resourceful enough to change their MAC addresses? You could do
> it by switch port if you're feeling particularly script-happy (and have
> basic managed switches), but what keeps them from plugging into a new
> switch port? If you're feeling like doing it right, use a managed
> switch and 802.1x to lock them into a separate VLAN, from which
> controlling access is a simple matter of only allowing http through
> squid from the subnet associated with that VLAN. Anything else just
> helps you sleep better at night, thinking you've actually achieved some
> controls they can't get around. But perhaps sleep or plausible
> deniability is all you're really after.
>
> Aaron S. Joyner
--
----------------
Brian A. Henning
strutmasters.com
336.597.2397x238
----------------
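
The arrangement Aaron S. Joyner describes in the quoted reply (802.1x placing the users in a separate VLAN, with HTTP allowed only through squid from that VLAN's subnet), sketched as a squid.conf fragment. This is an added example, not part of the original thread; the subnets, port, MAC address and domain are constructed placeholders, and the commented-out `arp` rule is shown only for contrast with the MAC-based approach in the subject line.

```conf
# squid.conf fragment (constructed example, all values are placeholders)
#
# Assumptions:
#   - the switch's 802.1x policy assigns the restricted users to a VLAN
#     whose subnet is 192.0.2.0/24
#   - everyone else sits in 198.51.100.0/24
#   - the gateway forwards nothing from the restricted VLAN except TCP to
#     this proxy, so the proxy is that VLAN's only path to the web

http_port 3128

# MAC-based matching, for contrast. The "arp" ACL type matches the client's
# Ethernet address, works only for clients on the proxy's own segment, and
# stops matching as soon as the user changes the address on the NIC.
# acl problem_macs arp 00:00:5e:00:53:01
# http_access deny problem_macs

# Subnet-based matching tied to the VLAN. The user cannot choose the VLAN:
# the switch assigns it after 802.1x authentication, so re-addressing the
# host or moving to another switch port does not change which rule applies.
acl restricted_vlan src 192.0.2.0/24
acl general_lan     src 198.51.100.0/24

# Destinations the restricted VLAN may still reach (placeholder policy).
acl permitted_sites dstdomain .example.com

# Order matters: squid applies the first http_access line that matches.
http_access allow restricted_vlan permitted_sites
http_access deny  restricted_vlan
http_access allow general_lan
http_access deny  all
```

The src ACL is only as strong as the VLAN assignment behind it: if the gateway routes the restricted VLAN anywhere other than the proxy, the rules above can be bypassed without touching squid.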