
B
Premium,MVM
join:2000-10-28


edit:
March 28th, @11:53AM

reply to Greg_Z
Re: Preventing users on a Domain from installing apps??

Greg, you're giving misinformation out.

First, you may not like Cisco/Linksys gear, but repeatedly calling it "Consumer Grade" as if that means anything in particular is a pointless exercise in personal bias. Yes, its feature set is not as complete as an enterprise router or firewall and its build quality may suck. But in this case it's probably perfectly suitable.

Smoothwall, Monowall, or ClarkConnect? Seriously? You'd rather run one of those software apps on an old PC than use a Linksys appliance for a small business? OK... Again, that's your opinion.

But MAC filtering works the same no matter what equipment you do it on. If you set it up so that my PC's Ethernet card can't reach the Internet... it can't reach the Internet! (Unless I change/spoof the MAC address or change NIC cards.) There's no magic in doing it on a PIX.

In other words, how does "MAC scheming" NOT restrict users from downloading? If you block their Internet access (that is, ALL those "certain ports"), it's blocked.

To KoolMoe, it's possible, and unfortunately common, for a Domain User to have administrative rights over his or her given PC. They will have ordinary user rights to server-based and other domain resources, but can install apps and do other damage as if they were administrator...

Edit: Yes, proxying is a more controlled way to limit Internet access, but that has its limitations and may be something the OP isn't interested in doing at present.

-- B
--
In a realm outside causality and function


mboy
Premium
join:2001-04-13
Little Falls, NJ

Linksys as business Grade?

Cisco, of course, but not Linksys.

I would DEF not consider that Enterprise Class by any means.

MAYBE switches, but not routing!

I would look at Snapgear for inexpensive, yet powerful enterprise routing/firewalling.

B
Premium,MVM
join:2000-10-28

I can't imagine why. For a small business with a handful of servers and ordinary network architecture, there's nothing a Snapgear or Sonicwall (or software firewall distribution if you really like that sort of thing) can do that the OP's Linksys BEFSX41 can't, and with equal security.

I think for many IT people it's a matter of pride and of prejudice to disrespect and dismiss Linksys and Netgear out of hand, no puns intended. The things work.

-- B
--
In a realm outside causality and function


Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
·Vonage
·Insight Communicat..

reply to B
I would rather run monowall, Smoothwall, or Clark Connect on a machine, but not old. The packages out for them now, especially Clark Connect's latest release, are written for 2.4GHz machines with at least 1GB of RAM, and 200GB of drive space for user use. The three packages listed are more robust than a POS off-the-shelf Linksys router. And just because Cisco owns the company does not put those routers that you purchase at BB, or anywhere else, in the same league as the Enterprise equipment.

BosstonesOwn

join:2002-12-15
Everett, MA
clubs:
·Comcast Formerly ..

reply to B
While I agree with you, there are ways around the network restrictions. MAC address blocking is easy. Especially if they are installing wares. Sniff and look for a MAC going off the network for any data, clone all the MAC's bits except 1, and 9 outta 10 times you found a server or device group that is able to get out. Or simply just change the last bit and you're unblocked.

The only way is layers. One is to null gateway them: bad gateway, or have them use a fake gateway to a PC with no net connection, so they can't figure it out with sniffing. The proxy trick is null if they have decent tech skills. Even 0.0.0.0 proxies can be tunneled out of. But blocking all but certain ports is another layered approach that works in conjunction.

I personally null gateway the boxes anyway, especially if they are servers that don't need to go out to the Internet. Feed them bad DNS entries except for local server names. When I need to update them I use the management NIC. Enable it and let the box go do updates. Many of the people don't understand why my servers and workstations have 2 NICs. And I use the backup hot swap routers as management.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
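
The thread's point that MAC filtering holds only until someone changes or clones an address suggests a check on the defender's side: compare what the switch actually learns on each port with the inventory. The following is an added example, not code from any poster in this thread; the port names, MAC addresses and the `audit` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): the port -> MAC inventory
# recorded at deployment, and rows exported from a switch's MAC address table.
INVENTORY = {
    "Gi0/1": "00:1a:2b:3c:4d:01",
    "Gi0/2": "00:1a:2b:3c:4d:02",
    "Gi0/3": "00:1a:2b:3c:4d:03",
}
OBSERVED = [
    ("Gi0/1", "00:1A:2B:3C:4D:01"),   # matches inventory
    ("Gi0/2", "001a.2b3c.4d03"),      # presents the MAC assigned to Gi0/3
    ("Gi0/3", "00-1a-2b-3c-4d-03"),   # matches inventory
    ("Gi0/4", "02:1a:2b:3c:4d:07"),   # port nobody registered
]

def normalize(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def locally_administered(mac):
    """Bit 0x02 of the first octet marks a locally administered address."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit(inventory, observed):
    """Return (port, mac, reason) findings for MACs that break the inventory."""
    expected = {port: normalize(mac) for port, mac in inventory.items()}
    ports_by_mac = defaultdict(set)
    findings = []
    for port, raw in observed:
        mac = normalize(raw)
        ports_by_mac[mac].add(port)
        if port not in expected:
            findings.append((port, mac, "port not in inventory"))
        elif mac != expected[port]:
            findings.append((port, mac, "MAC differs from inventory"))
        if locally_administered(mac):
            findings.append((port, mac, "locally administered address"))
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:   # one address learned on several ports: possible clone
            findings.append((",".join(sorted(ports)), mac, "same MAC on multiple ports"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, OBSERVED):
        print(*finding, sep="  ")
```

Uplink and trunk ports legitimately learn many addresses, so leave them out of the observed rows before running a check like this.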
over 9 years online! © 1999-2008 dslreports.com.