
Re: Limiting which users have Internet Access



Why not just set up a proxy for required internet access, block all 
outgoing ports from any internal machines, and require a 
username/password for proxy access (probably using the logon username 
and password).  Then, in each user's logon profile, set up the proxy for 
the users who have internet access, and don't set up the proxy for other 
users.  That way, even if the blocked users figure out that there's a 
proxy, they can't get out because they don't have authorization to use 
the proxy.

You could do without the logins and only set up the proxy in the 
profiles of the users who can use the internet, depending on your 
threshold of work involved (easier to set up no auth than auth) vs. need 
to keep people off of the internet (more secure to require login info to 
use proxy).

Squid can proxy http, https, ftp.  Any mail gateway oughtta be able to 
proxy email.  Both can auth against anything with a pam module.  There's 
not much else that typical users should need to get to on the internet, 
is there?  Proxies have a bit of an "antique" feel to them, but they 
sound like they'd really do what you want in this case...

--Danny
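The Squid side of the setup Danny describes, written out as an added example (not part of Danny's post, and not a configuration from the IPCop or Squid projects): every request must carry proxy credentials checked through PAM, and only the accounts listed in an allow-list file get out. The helper path, the PAM service name, the LAN range and the list file location are assumptions for the example; on older Squid releases the helper is named pam_auth rather than basic_pam_auth.

```conf
# squid.conf fragment: authenticated proxy, allow-list of internet users
# (example configuration, paths and addresses are assumptions)

http_port 3128

# Basic auth checked against PAM; the helper reads /etc/pam.d/squid,
# so the same usernames/passwords the users log on with can be reused.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Internet access
auth_param basic credentialsttl 2 hours

# Internal network (assumed range); nothing outside it may use the proxy.
acl localnet src 192.168.1.0/24

# Any request that presents valid credentials
acl authed proxy_auth REQUIRED

# Only these accounts are permitted out: one username per line
# in the file (assumed path).  Users absent from the file get a
# 403 even though their password is correct.
acl internet_users proxy_auth "/etc/squid/internet_users"

# Order matters: Squid stops at the first matching rule.
http_access deny !localnet
http_access deny !authed
http_access allow internet_users
http_access deny all
```

Two checks go with this. First, the proxy only enforces anything if the firewall drops direct outbound traffic from the desktops, so a rule permitting the LAN to reach port 3128 on the proxy host while dropping all other outbound connections is what makes the "no proxy in the profile" users actually blocked. Second, after the change, a line in access.log for a user who is not in the list should show a 403 (TCP_DENIED) rather than a 200; that is the quickest way to confirm the allow-list, rather than the browser settings, is doing the work.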

Glenn Tofte wrote:
> I am getting ready to deploy a Linux firewall/content filtering solution
> (IPCop w/ Dansguardian) but I have one final hurdle:  We have some users
> who are not allowed to have Internet access (the exception rather than
> the rule).
> 
> OUR ENVIRONMENT:
> 70 Windows 2000/XP desktops
> Windows 2000 Servers w/ Active Directory
> Currently we are using M$ ISA for Internet accountability, which checks
> against Active Directory to see if the user is a member of the Internet
> Users Group before allowing access.
> 
> WE HAVE TRIED:
> With IPCop I can block by IP address, but not by user.  This doesn't (by
> itself) help since the computers are shared between
> Internet/Non-Internet users.
> 
> One thought that I had was to give the non-Internet users a null gateway
> so they can access local resources, but not Internet resources.  We have
> been trying to use "netsh" to toggle the gateway settings on the network
> interfaces, but have not had much success.
> 
> Does anyone have any other ideas?

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.