> > > [ {Jackboots on} Touch playboy.com and die ]
> > > [ Use someone else's IP.. Hee Hee.. ]
> > > [ But I filter on MAC addresses ]
> > > [ MAC addresses can be spoofed ]
> >
> >The only way to have accountability is with authentication-dependent
> >service access. No (secure) password, no service. Think Kerberos, or
> >something similar.
> >
>
> I second that suggestion. Anything less can be trivial to spoof.
>
Not in this case I don't. Keeping IP or MAC based logs is one
thing, but I think if your company tells you you need to put in that
level of secure authentication to go *out* just to keep people from
getting to playboy.com, I think you should get a new job. Fast. If
your users are so determined to screw around at work that they'll be
forging MAC addresses and spoofing packets just so they can get to
some porno sites to waste huge amounts of time at work your company is
*doomed*. If they weren't going to waste huge amounts of time, why
are you doing so trying to prevent it? Ditto if your managers think
it's worth you spending so much time to prevent it. Sure, it's
possible, sure, it's an interesting technical exercise, but I doubt
it's cost effective, and I doubt you'll be getting much respect from
the rest of the company that your time is well spent helping people be
productive. Solve it in HR. Concentrate your efforts on stuff that
really matters, and make sure you only leave jackboot marks on your
users for stuff that's really important. Otherwise you'll get no
respect and you won't have universal participation in the rest of your
security plans.

I can see an exception to that in an educational site, but
those are pretty different. My solution in that case is make sure the
users don't have root-level (i.e. have root or DOS/Windows) access on
the net. Then you can simply use ident for connection logging/access
until they break root or bring in a laptop, at which point
playboy.com is the least of my concerns.
-Bob
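An added example, not code from anyone in this thread, of what "IP or MAC based logs" can and cannot establish about accountability: it attributes outbound accesses to a MAC through constructed DHCP-lease-style records and flags the cases where that attribution is ambiguous (no lease covering the time, several MACs claiming one IP, or one MAC leased on two IPs at once, which is what a cloned address looks like in the logs). All records, addresses and hostnames are constructed sample data.

```python
from datetime import datetime

# Constructed sample data: (mac, ip, lease_start, lease_end)
LEASES = [
    ("00:11:22:33:44:01", "10.0.0.5", "2024-01-01 09:00", "2024-01-01 12:00"),
    ("00:11:22:33:44:02", "10.0.0.6", "2024-01-01 09:00", "2024-01-01 12:00"),
    # the same MAC appears on a second IP while its first lease is still active
    ("00:11:22:33:44:01", "10.0.0.7", "2024-01-01 10:00", "2024-01-01 12:00"),
]

# Constructed outbound-access records keyed only by source IP:
# (timestamp, source ip, destination host)
ACCESSES = [
    ("2024-01-01 09:30", "10.0.0.5", "playboy.com"),
    ("2024-01-01 10:30", "10.0.0.7", "playboy.com"),
    ("2024-01-01 11:00", "10.0.0.6", "example.org"),
    ("2024-01-01 13:00", "10.0.0.6", "example.org"),  # no lease covers this time
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def attribute(accesses=ACCESSES, leases=LEASES):
    """Return one (ts, ip, host, macs, verdict) tuple per access record.

    verdict is one of: attributed, unattributed, conflict, mac-duplicated.
    """
    leases = [(m, ip, _t(a), _t(b)) for m, ip, a, b in leases]
    out = []
    for ts, ip, host in accesses:
        when = _t(ts)
        # every MAC that held this IP at the moment of the access
        macs = sorted({m for m, lip, a, b in leases if lip == ip and a <= when <= b})
        if not macs:
            verdict = "unattributed"   # nothing ties the IP to a machine at this time
        elif len(macs) > 1:
            verdict = "conflict"       # several MACs claim the same IP at once
        else:
            mac = macs[0]
            # Is this MAC simultaneously leased on another IP?  Then the MAC is not
            # a reliable identity either: it was cloned, or the lease log is stale.
            elsewhere = {lip for m, lip, a, b in leases
                         if m == mac and lip != ip and a <= when <= b}
            verdict = "mac-duplicated" if elsewhere else "attributed"
        out.append((ts, ip, host, macs, verdict))
    return out
```

Only the rows marked "attributed" name a single machine, and even those name a machine, not a person; that gap is what the authentication-based access suggested earlier in the thread closes.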