On Fri, Mar 28, 2008 at 12:55:27PM +0000, mbm wrote:
> On Fri, 28 Mar 2008 12:41:43 +0000 Chris G cl@isbd.net allegedly wrote:
> > Is this something best done through groups?
> > Assuming you have a router of some sort between the LAN and the internet this sounds to me like it should be done in the router's firewall setup. Certainly both of my routers would allow this to be done very easily using the Web configuration utilities.
> Yes and no. (Here I'm assuming that by "accessing the net" Peter means "accessing the web").
> Any decent security policy will limit outbound web connections from a LAN to the internal proxy (or firewall). All clients should be configured to use that proxy, and only that proxy (just as all clients should be configured to send outbound mail to the local mail server, and only that mail server is allowed to make outbound SMTP connections).
> So there shouldn't need to be any change to the router ACLs; it should already default deny outbound connections from clients :-)
> This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
... but surely (at least on a small setup) it's *far* easier to do the settings all in one place (the router) rather than configuring each PC.
I'm thinking here of a small LAN (like a small office or SoHo LAN) where users may well have full (i.e. admin) access to their own PCs. The 'secure' place to configure their access to the outside world is on the firewall (be it a router or separate box) between them and the outside world.
Come to think of it, that's certainly the way it's done at my place of work, which is a moderate sized office with, maybe, 100 users or so. It's the (separate, in this case) firewall box which controls who can do what, and how, to the outside world.
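To make the two positions in this thread concrete, here is an added example ruleset (my own, not posted by mbm, Chris G or anyone on the list) that enforces mbm's "proxy only" egress policy and also does the per-PC denial on the firewall box, as Chris G prefers, rather than on each client. It is written for nftables and assumes: the firewall has a LAN interface `lan0` and an internet interface `wan0`; the web proxy runs on the firewall itself and listens on TCP 3128; the LAN uses the documentation range 192.0.2.0/24 with the mail server at 192.0.2.25; and the PCs to be cut off are 192.0.2.51 and 192.0.2.52. All of those names and addresses are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Interface names,
# addresses and the proxy port are assumptions, see the lead-in above.
flush ruleset

table inet egress {
    # PCs whose users are not allowed to reach the web (assumed addresses)
    set blocked_clients {
        type ipv4_addr
        elements = { 192.0.2.51, 192.0.2.52 }
    }

    # Traffic addressed to the firewall box itself, i.e. clients -> proxy
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept

        # Per-PC deny, enforced here rather than on the PC, so a user with
        # admin rights on their own machine cannot undo it
        iifname "lan0" ip saddr @blocked_clients tcp dport 3128 \
            log prefix "proxy-deny: " drop

        # Every other LAN client may use the proxy (and only the proxy)
        iifname "lan0" tcp dport 3128 accept
    }

    # Traffic routed from the LAN to the internet
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Only the mail server may make outbound SMTP connections
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.25 tcp dport 25 accept

        # Default deny: no direct web (or anything else) from client PCs.
        # Logged so that misconfigured clients show up in the firewall log.
        iifname "lan0" oifname "wan0" log prefix "egress-deny: " drop
    }
}
```

Because the proxy process lives on the firewall, its own fetches leave through the output hook, which this ruleset does not filter; if the proxy were a separate LAN host, the forward chain would need an accept for that host on TCP 80 and 443 instead, and the per-PC denial would have to move to the proxy, exactly as mbm describes. Check the result with `nft list ruleset` and watch for `egress-deny:` entries in the kernel log: a client that logs there is one that has not been pointed at the proxy.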