What is the simplest way to prevent one of the accounts on one of the PCs on the LAN from accessing the net? It does not have to be super secure, just require a modicum of knowledge to bypass, which the users will not have. Famous last words.
The account should have access to the LAN, however, for network printers. If it's more convenient, it would also be OK to block all accounts.
Is this something best done through groups?
Al
On Fri, Mar 28, 2008 at 12:18:41PM +0000, Peter Alcibiades wrote:
What is the simplest way to prevent one of the accounts on one of the PCs on the LAN from accessing the net? It does not have to be super secure, just require a modicum of knowledge to bypass, which the users will not have. Famous last words.
The account should have access to the LAN, however, for network printers. If it's more convenient, it would also be OK to block all accounts.
Is this something best done through groups?
Assuming you have a router of some sort between the LAN and the internet this sounds to me like it should be done in the router's firewall setup. Certainly both of my routers would allow this to be done very easily using the Web configuration utilities.
On Fri, 28 Mar 2008 12:41:43 +0000 Chris G cl@isbd.net allegedly wrote:
Is this something best done through groups?
Assuming you have a router of some sort between the LAN and the internet this sounds to me like it should be done in the router's firewall setup. Certainly both of my routers would allow this to be done very easily using the Web configuration utilities.
Yes and no. (Here I'm assuming that by "accessing the net" Peter means "accessing the web").
Any decent security policy will limit outbound web connection from a lan to the internal proxy (or firewall). All clients should be configured to use that proxy, and only that proxy (just as all clients should be configured to send outbound mail to the local mail server and only that mail server is allowed to make outbound SMTP connections).
So there shouldn't need to be any change to the router ACLs, it should already default deny outbound connections from clients :-)
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
Mick
---------------------------------------------------------------------
This is a Microsoft free zone. Please do not send me Microsoft Word Documents. For some reasons, see:
http://www.gnu.org/philosophy/no-word-attachments.html
http://www.goldmark.org/netrants/no-word/attach.html
---------------------------------------------------------------------
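The policy Mick describes (router denies everything outbound from the LAN by default, only the proxy may open web connections and only the mail server may send SMTP out, so the blocked client is denied simply by never being granted an exception) as a Linux router script. This is an added example, not code from the thread or from any of its participants; the interface names and addresses are assumed placeholders, and DRY_RUN=1 prints the iptables commands for review instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux router enforcing "default deny
# outbound from the LAN, except from the proxy (and the mail server)".
# Interfaces and addresses below are assumed placeholders.
LAN_IF="eth1"             # router interface facing the LAN
WAN_IF="eth0"             # router interface facing the internet
LAN_NET="192.168.1.0/24"  # the LAN
PROXY_IP="192.168.1.2"    # internal web proxy (squid or similar)
MAIL_IP="192.168.1.3"     # local mail server, the only host allowed to send SMTP out

# DRY_RUN=1 (the default) prints the iptables commands instead of executing
# them, so the ruleset can be reviewed before it is applied as root.
DRY_RUN="${DRY_RUN:-1}"

fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_router_policy() {
    # Clean FORWARD chain, dropping by default: a new or reconfigured client
    # gains no internet access until someone adds an ACCEPT for it.
    fw -F FORWARD
    fw -P FORWARD DROP

    # Return traffic for connections the allowed hosts opened.
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the proxy may open web connections to the outside ...
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_IP" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # ... and only the mail server may open outbound SMTP.
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_IP" -p tcp --dport 25 -j ACCEPT

    # Everything else from the LAN towards the internet: log it (rate limited,
    # so attempts from the blocked client show up in the router's syslog
    # without flooding it), then REJECT rather than DROP so that the client's
    # browser fails at once instead of hanging until a timeout.
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "lan-egress-denied: "
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -j REJECT --reject-with icmp-admin-prohibited
}

# Review helper: would the generated ruleset let this LAN host open its own
# connection to the outside? Prints "yes" only if an ACCEPT rule names the
# host as source; any other host falls through to the REJECT.
host_may_egress() {
    if apply_router_policy | grep -q -- "-s $1 .* -j ACCEPT"; then
        echo yes
    else
        echo no
    fi
}

apply_router_policy
```

LAN-to-LAN traffic (the network printers) never crosses the router's FORWARD chain, so it is unaffected; the per-client deny for web browsing is then enforced by the proxy's own ACLs, since the router only ever sees the proxy as the source.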
On Fri, Mar 28, 2008 at 12:55:27PM +0000, mbm wrote:
On Fri, 28 Mar 2008 12:41:43 +0000 Chris G cl@isbd.net allegedly wrote:
Is this something best done through groups?
Assuming you have a router of some sort between the LAN and the internet this sounds to me like it should be done in the router's firewall setup. Certainly both of my routers would allow this to be done very easily using the Web configuration utilities.
Yes and no. (Here I'm assuming that by "accessing the net" Peter means "accessing the web").
Any decent security policy will limit outbound web connection from a lan to the internal proxy (or firewall). All clients should be configured to use that proxy, and only that proxy (just as all clients should be configured to send outbound mail to the local mail server and only that mail server is allowed to make outbound SMTP connections).
So there shouldn't need to be any change to the router ACLs, it should already default deny outbound connections from clients :-)
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
... but surely (at least on a small setup) it's *far* easier to do the settings all in one place (the router) rather than configuring each PC.
I'm thinking here of a small LAN (like a small office or SoHo LAN) where users may well have full (i.e. admin) access to their own PCs. The 'secure' place to configure their access to the outside world is on the firewall (be it a router or separate box) between them and the outside world.
Come to think of it that's certainly the way it's done at my place of work which is a moderate sized office with, maybe, 100 users or so. It's the (separate in this case) firewall box which controls who can do what and how to the outside world.
On Fri, 28 Mar 2008 13:05:01 +0000 Chris G cl@isbd.net allegedly wrote:
On Fri, Mar 28, 2008 at 12:55:27PM +0000, mbm wrote:
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
... but surely (at least on a small setup) it's *far* easier to do the settings all in one place (the router) rather than configuring each PC.
I'm thinking here of a small LAN (like a small office or SoHo LAN) where users may well have full (i.e. admin) access to their own PCs. The 'secure' place to configure their access to the outside world is on the firewall (be it a router or separate box) between them and the outside world.
Ummm - that's what I said.
The router denies all outbound access except from one point - the proxy.
Mick
On Fri, Mar 28, 2008 at 01:12:44PM +0000, mbm wrote:
On Fri, 28 Mar 2008 13:05:01 +0000 Chris G cl@isbd.net allegedly wrote:
On Fri, Mar 28, 2008 at 12:55:27PM +0000, mbm wrote:
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
... but surely (at least on a small setup) it's *far* easier to do the settings all in one place (the router) rather than configuring each PC.
I'm thinking here of a small LAN (like a small office or SoHo LAN) where users may well have full (i.e. admin) access to their own PCs. The 'secure' place to configure their access to the outside world is on the firewall (be it a router or separate box) between them and the outside world.
Ummm - that's what I said.
... and it's what I thought I originally said too! :-)
The router denies all outbound access except from one point - the proxy.
None of the places I know about have a proxy as such. It's surely not normal to have one on a small home/SoHo LAN, you just tell all systems (probably automatically) what their default route is and that's it.
We don't have one at work either.
Peter, what OS / browser are they running? It's more specific than just "an account on one machine". I take it other accounts need full access too.
Chris, I run squid on my home LAN to block adverts / see the URLs the kiddies visit. The server is also my media server and (when I get around to it) my SIP server too.
Subject: Re: [ALUG] blocking net but not lan on one pc
On Fri, Mar 28, 2008 at 01:12:44PM +0000, mbm wrote:
On Fri, 28 Mar 2008 13:05:01 +0000 Chris G cl@isbd.net allegedly wrote:
On Fri, Mar 28, 2008 at 12:55:27PM +0000, mbm wrote:
This leaves the proxy or firewall as the place to enforce the deny policy on the client(s) in question.
... but surely (at least on a small setup) it's *far* easier to do the settings all in one place (the router) rather than configuring each PC.
I'm thinking here of a small LAN (like a small office or SoHo LAN) where users may well have full (i.e. admin) access to their own PCs. The 'secure' place to configure their access to the outside world is on the firewall (be it a router or separate box) between them and the outside world.
Ummm - that's what I said.
... and it's what I thought I originally said too! :-)
The router denies all outbound access except from one point - the proxy.
None of the places I know about have a proxy as such. It's surely not normal to have one on a small home/SoHo LAN, you just tell all systems (probably automatically) what their default route is and that's it.
We don't have one at work either.
On Fri, Mar 28, 2008 at 02:22:44PM -0000, keith.jamieson@bt.com wrote:
Chris, I run squid on my home LAN to block adverts / see the URLs the kiddies visit. The server is also my media server and (when I get around to it) my SIP server too.
Yes, I know it's perfectly possible to run a proxy on a small LAN, even on a single box, but I don't think it's common practice, is it? Certainly it seemed unlikely that the OP was running one.
On Fri, 28 Mar 2008 13:53:06 +0000 Chris G cl@isbd.net allegedly wrote:
On Fri, Mar 28, 2008 at 01:12:44PM +0000, mbm wrote:
Ummm - that's what I said.
... and it's what I thought I originally said too! :-)
Yes, I agree. The only difference between us is that I would insert an application layer proxy between the router and the rest of the internal network. Routers are good at taking decisions based on packet contents. Decisions based on the contents higher up the stack are best left to devices which can intercept, and understand, the application layer protocols (so you leave mail routing decisions to mail servers, and web routing decisions to web proxies).
None of the places I know about have a proxy as such. It's surely not normal to have one on a small home/SoHo LAN, you just tell all systems (probably automatically) what their default route is and that's it.
Maybe not at home but....
We don't have one at work either.
I find that surprising. Certainly my experience is the opposite (my background is government). But even a relatively small network would benefit from the kind of defense in depth provided by:
packet filtering router - application proxy - client side AV and firewall.
If you don't have a proxy (or application layer firewall with proxy capability) how can you enforce a web usage AUP? And where would you put your web sheepdip?
Mick
On Fri, Mar 28, 2008 at 02:35:49PM +0000, mbm wrote:
On Fri, 28 Mar 2008 13:53:06 +0000 Chris G cl@isbd.net allegedly wrote:
None of the places I know about have a proxy as such. It's surely not normal to have one on a small home/SoHo LAN, you just tell all systems (probably automatically) what their default route is and that's it.
Maybe not at home but....
We don't have one at work either.
I find that surprising. Certainly my experience is the opposite (my background is government). But even a relatively small network would benefit from the kind of defense in depth provided by:
packet filtering router - application proxy - client side AV and firewall.
If you don't have a proxy (or application layer firewall with proxy capability) how can you enforce a web usage AUP? And where would you put your web sheepdip?
It's a (mostly) development office so there *aren't* any restrictions at all on web usage. One has to be moderately careful (for example) when doing Google searches that one doesn't drag up something a bit embarrassing by mistake. :-)
On Fri, Mar 28, 2008 at 12:18:41PM +0000, Peter Alcibiades wrote:
What is the simplest way to prevent one of the accounts on one of the PCs on the LAN from accessing the net? It does not have to be super secure, just require a modicum of knowledge to bypass, which the users will not have. Famous last words.
The account should have access to the LAN, however, for network printers. If it's more convenient, it would also be OK to block all accounts.
Is this something best done through groups?
Depending on what you really want and the circumstances of where this is, the easiest way is to not give the machine a default gateway so it can't route anything to the internet. This would affect all users, but you indicated this wasn't a problem?
Adam
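Adam's "no default gateway" approach on a Linux client, alongside a per-account variant that goes beyond the thread and answers the OP's original question of blocking only one account (via iptables' owner match on locally generated packets). This is an added example, not code from the thread or from any of its participants; the interface, subnet, gateway address and account name are assumed placeholders, and DRY_RUN=1 prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example, not from the thread: Adam's "no default gateway" approach on
# a Linux client, plus a per-account variant for the OP's original question.
# Interface, subnet, gateway and account name are assumed placeholders.
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
GATEWAY="192.168.1.1"     # the router, only needed to undo variant 1
BLOCKED_USER="kiosk"      # the one account that must not reach the internet

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant 1 (Adam): the whole machine. With no default route, packets for
# LAN_NET still use the on-link route (printers keep working) and anything
# else fails immediately with "Network is unreachable". Caveat: a DHCP
# client puts the gateway back at the next lease renewal, so the interface
# configuration (or the DHCP server's lease for this host) must omit it too.
block_whole_machine() {
    run ip route del default
}

# Variant 2 (generalisation of the OP's question): only one account. Packets
# generated locally by processes running as that uid and not addressed to
# the LAN are rejected in the OUTPUT chain; other accounts are untouched.
# REJECT rather than DROP so the browser reports an error at once.
block_one_account() {
    run iptables -A OUTPUT -o "$LAN_IF" ! -d "$LAN_NET" \
        -m owner --uid-owner "$BLOCKED_USER" -j REJECT
}

# Undo for both variants, so the change can be backed out without a reboot.
unblock() {
    run iptables -D OUTPUT -o "$LAN_IF" ! -d "$LAN_NET" \
        -m owner --uid-owner "$BLOCKED_USER" -j REJECT
    run ip route add default via "$GATEWAY" dev "$LAN_IF"
}

# Print both variants for review; in real use pick one of them.
block_whole_machine
block_one_account
```

Variant 2 is the one that matches the OP's "modicum of knowledge to bypass" requirement: it only holds while the account in question has no root access on that PC, which is the same assumption the thread makes about the user.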