[ale] Blocking Internet access for certain users
Joe Steele
joe at madewell.com
Tue Oct 28 14:43:20 EST 2003
On Tuesday, October 28, 2003 12:18 PM, Dow Hurst wrote:
>
> If the IP spaces for each building are separate then you can allow http
> packets to one range and not to another, even if all traffic goes thru
> one interface.
> Dow
>
The trouble with using a single interface is that you are granting
outbound access based on source addresses, which are spoofable. All a
person would need to do is configure their box with the IP address
and/or MAC address of some "privileged" computer on the LAN which is
not powered up (maybe the laptop of somebody who travels a lot). It's
even easier if they are allowed to use an unassigned address on the
"privileged" subnet.
Use of a separate interface makes it easy to catch such attempts.
--Joe
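As an added illustration (not code from the original thread), here is a small Python model of the two designs contrasted above: a source-address-only rule with everything on one interface, versus per-interface rules with an ingress anti-spoofing check. The topology (10.1.0.0/24 on eth1 for the building that may browse, 10.2.0.0/24 on eth2 for the one that may not) and the sample packets are constructed assumptions; the model covers IP addresses only, not MAC-level matching. On a real firewall the second design corresponds to matching on the ingress interface as well as the source prefix, which is what lets the mismatch be logged instead of silently accepted.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): each building has its
# own subnet, and in the separate-interface design each subnet arrives on its
# own firewall interface.
PRIVILEGED_NET = ipaddress.ip_network("10.1.0.0/24")  # building allowed out to the web
RESTRICTED_NET = ipaddress.ip_network("10.2.0.0/24")  # building that is not
IFACE_FOR_NET = {PRIVILEGED_NET: "eth1", RESTRICTED_NET: "eth2"}

# Constructed sample packets as the firewall would see them on ingress.
SAMPLE_PACKETS = [
    {"desc": "privileged host, own address",          "iface": "eth1", "src": "10.1.0.20",  "dport": 80},
    {"desc": "restricted host, own address",          "iface": "eth2", "src": "10.2.0.20",  "dport": 80},
    {"desc": "restricted host using a privileged IP", "iface": "eth2", "src": "10.1.0.20",  "dport": 80},
    {"desc": "restricted host, unassigned priv. IP",  "iface": "eth2", "src": "10.1.0.250", "dport": 80},
    {"desc": "privileged host, non-HTTP port",        "iface": "eth1", "src": "10.1.0.20",  "dport": 25},
]


def single_interface_policy(pkt):
    """Source-address-only rule: all LAN traffic shares one interface, so the
    only thing the firewall can key on is the (spoofable) source address."""
    src = ipaddress.ip_address(pkt["src"])
    return "ACCEPT" if pkt["dport"] == 80 and src in PRIVILEGED_NET else "DROP"


def separate_interface_policy(pkt):
    """Per-interface rule with an ingress check: a source address must arrive
    on the interface its subnet is attached to, otherwise drop and log it."""
    src = ipaddress.ip_address(pkt["src"])
    for net, iface in IFACE_FOR_NET.items():
        if src in net:
            if pkt["iface"] != iface:
                return "DROP+LOG"  # address does not belong on this interface
            if net == PRIVILEGED_NET and pkt["dport"] == 80:
                return "ACCEPT"
            return "DROP"
    return "DROP+LOG"  # source not in any known subnet


def compare(packets):
    """Verdict of both designs for each packet: (description, single, separate)."""
    return [(p["desc"], single_interface_policy(p), separate_interface_policy(p))
            for p in packets]


def spoof_attempts(packets):
    """Packets the separate-interface design flags as address/interface mismatches."""
    return [p["desc"] for p in packets if separate_interface_policy(p) == "DROP+LOG"]


if __name__ == "__main__":
    for desc, single, separate in compare(SAMPLE_PACKETS):
        print(f"{desc:40s} single={single:8s} separate={separate}")
```

Running it shows the two borrowed-address packets accepted by the single-interface rule and flagged by the per-interface one; the legitimate packets get the same verdict under both designs.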