[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Firewall Rules by MAC Address. IS it possible?
 Date:  Thu, 30 Sep 2010 21:39:27 -0400
On Thu, Sep 30, 2010 at 9:02 PM, Heinz Teichmann
<heinz dot teichmann at wanews dot com dot au> wrote:
> If it is such a big issue a proper proxy appliance would be the way to go?!?
> Or is it a cost issue? Most enterprises I worked for used proxies for that and it worked.
>

Yes that's the way to properly control such things, requiring using a
proxy with authentication for all users. But going on the theme of the
rest of this thread, you could say "but then he/she can just get
someone else's credentials!"

That's why you take the approach of not trying to come up with a
bulletproof technical solution to a people problem, which is
impossible - there are always going to be ways to get around
something. If you assign a DHCP reservation, let them know they are
not authorized for web access, and the person goes to the extent of
changing their IP and/or MAC to get around restrictions you have in
place, that's generally grounds for termination.