  Greg_Z Premium join:2001-08-08 Springfield, IL | reply to slajoh01 Re: Preventing users on a Domain from installing apps??
You cannot do it with that router. You will have to use either Monowall, Smoothwall, or Clark Connect. The router that you have is only good for use in your home network, not a business network.
  EGeezer Spring is here Premium join:2002-08-04 Country!
Concur. With 80 client workstations on a W2K3 domain, use business-class equipment and applications. The SonicWalls, Ciscos and the open source apps you mention are more appropriate. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )
 B Premium,MVM join:2000-10-28
Sorry, but I think you guys are just wrong.
The BEFSX41 seems MORE than capable of providing this kind of restriction. There's an entire section on Internet Access Policies (by MAC address) as described in the spec sheet and linked user manual at »www.linksys.com/servlet/Satellit···76636538
-- B -- In a realm outside causality and function
Greg_Z Premium join:2001-08-08 Springfield, IL
MAC address policies on consumer-grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct proxies, and GPO on a workstation, to do it effectively.
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Netcong, NJ
said by Greg_Z: "MAC address policies on consumer-grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct proxies, and GPO on a workstation, to do it effectively."
Just curious, short of changing the MAC address, how do you bypass that?
  Greg_Z Premium join:2001-08-08 Springfield, IL
MAC scheming will not restrict users from downloading and doing other stuff. It will only restrict, at the router, the use of certain ports, or the connecting of equipment that is not listed in the MAC table. Also, the equipment described is nothing more than consumer grade. You need a product such as Smoothwall, Monowall, or Clark Connect if you want to restrict users.
 B Premium,MVM join:2000-10-28
edit: March 28th, @11:53AM
Greg, you're giving out misinformation.
First, you may not like Cisco/Linksys gear, but repeatedly calling it "consumer grade" as if that means anything in particular is a pointless exercise in personal bias. Yes, its feature set is not as complete as an enterprise router or firewall, and its build quality may suck. But in this case it's probably perfectly suitable.
Smoothwall, Monowall, or ClarkConnect? Seriously? You'd rather run one of those software apps on an old PC than use a Linksys appliance for a small business? OK... Again, that's your opinion.
But MAC filtering works the same no matter what equipment you do it on. If you set it up so that my PC's Ethernet card can't reach the Internet... it can't reach the Internet! (Unless I change/spoof the MAC address or change NICs.) There's no magic in doing it on a PIX.
In other words, how does "MAC scheming" NOT restrict users from downloading? If you block their Internet access (that is, ALL those "certain ports"), it's blocked.
To KoolMoe: it's possible, and unfortunately common, for a Domain User to have administrative rights over his or her given PC. They will have ordinary user rights to server-based and other domain resources, but can install apps and do other damage as if they were Administrator...
Edit: Yes, proxying is a more controlled way to limit Internet access, but that has its limitations and may be something the OP isn't interested in doing at present.
-- B -- In a realm outside causality and function
  mboy Premium join:2001-04-13 Little Falls, NJ
Linksys as business grade?
Cisco, of course, but not Linksys.
I would DEF not consider that enterprise class by any means.
MAYBE switches, but not routing!
I would look at SnapGear for inexpensive, yet powerful, enterprise routing/firewalling.
 B Premium,MVM join:2000-10-28
I can't imagine why. For a small business with a handful of servers and an ordinary network architecture, there's nothing a SnapGear or SonicWall (or a software firewall distribution, if you really like that sort of thing) can do that the OP's Linksys BEFSX41 can't, and with equal security.
I think for many IT people it's a matter of pride and of prejudice to disrespect and dismiss Linksys and Netgear out of hand, no puns intended. The things work.
-- B -- In a realm outside causality and function
  Greg_Z Premium join:2001-08-08 Springfield, IL
reply to B: I would rather run Monowall, Smoothwall, or Clark Connect on a machine, but not an old one. The packages out for them now, especially Clark Connect's latest release, are written for 2.4GHz machines with at least 1GB of RAM and 200GB of drive space for user use. The three packages listed are more robust than a POS off-the-shelf Linksys router. And just because Cisco owns the company does not put the routers that you purchase at BB, or anywhere else, in the same league as the enterprise equipment.
 BosstonesOwn
join:2002-12-15 Everett, MA
reply to B: While I agree with you, there are ways around the network restrictions. MAC address blocking is easy. Especially if they are installing wares. Sniff and look for a MAC going off the network for any data, clone all the MAC's bits except one, and 9 out of 10 times you've found a server or device group that is able to get out. Or simply change the last bit and you're unblocked.
The only way is layers: one is to null-gateway them (a bad gateway), or have them use a fake gateway to a PC with no net connection, so they can't figure it out with sniffing. The proxy trick is null if they have decent tech skills. Even 0.0.0.0 proxies can be tunneled out of. But blocking all but certain ports is another layered approach that works in conjunction.
I personally null-gateway the boxes anyway, especially if they are servers that don't need to go out to the Internet. Feed them bad DNS entries except for local server names. When I need to update them I use the management NIC. Enable it and let the box go do updates. Many people don't understand why my servers and workstations have 2 NICs. And I use the backup hot-swap routers as management. -- "It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
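The posts above argue about whether MAC filtering on the router is worth anything, and the last one spells out the bypass: sniff an allowed MAC and clone it. What neither side mentions is that a cloned MAC leaves two cheap traces in the ARP/neighbour table of any machine on the segment: the same hardware address answering for more than one IP, and an address with the "locally administered" bit set (bit 1 of the first octet, 0x02), which a vendor-burned NIC address normally does not have. The script below is an added example written for this page, not code from any poster or vendor; the ARP dump it parses is constructed to look like Windows `arp -a` output and is not real data.

```python
"""
Flag likely MAC cloning from an ARP / neighbour-table dump.

Two heuristics (added example, not from the original thread):
  1. one MAC bound to several IP addresses, and
  2. a MAC whose locally-administered (U/L) bit is set, i.e. the
     address was software-assigned rather than burned in by the vendor.
Broadcast and multicast addresses are skipped because they legitimately
appear for many IPs and have the I/G bit set.
"""
import re
from collections import defaultdict

# Constructed sample in the style of Windows `arp -a`; not real data.
# 00:0c:29:aa:bb:cc shows up on two IPs (a clone), 02:11:22:33:44:55
# has the U/L bit set (software-assigned MAC).
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-bf-12-34-56     dynamic
  192.168.1.20          00-0c-29-aa-bb-cc     dynamic
  192.168.1.21          00-0c-29-aa-bb-cc     dynamic
  192.168.1.30          02-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# IPv4 address followed by a MAC written with either '-' or ':' separators.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def parse_arp(text):
    """Return a list of (ip, mac) pairs, MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            entries.append((m.group(1), mac))
    return entries


def first_octet(mac):
    return int(mac.split(":")[0], 16)


def is_multicast(mac):
    """I/G bit (0x01) set: group address, includes broadcast ff:ff:ff:ff:ff:ff."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac):
    """U/L bit (0x02) set: address was assigned in software, not by the vendor."""
    return bool(first_octet(mac) & 0x02)


def find_suspicious(entries):
    """Map each suspicious MAC to the list of reasons it was flagged."""
    ips_by_mac = defaultdict(list)
    for ip, mac in entries:
        ips_by_mac[mac].append(ip)

    findings = {}
    for mac, ips in ips_by_mac.items():
        if is_multicast(mac):
            continue
        reasons = []
        if len(ips) > 1:
            reasons.append("same MAC on %d IPs: %s" % (len(ips), ", ".join(sorted(ips))))
        if is_locally_administered(mac):
            reasons.append("locally administered bit set (software-assigned MAC)")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in sorted(find_suspicious(parse_arp(SAMPLE_ARP)).items()):
        print(mac)
        for r in reasons:
            print("   ", r)
```

Run it against a real dump by piping `arp -a` (Windows) or `ip neigh` (Linux) into `parse_arp` instead of `SAMPLE_ARP`. Both signals have benign causes: a host with several IP aliases on one NIC will trip the first, and some virtualisation and bonding setups assign locally administered addresses on purpose, so treat a hit as something to look at on the switch port, not as proof of cloning. Neither heuristic catches an attacker who clones a MAC and takes over the same IP after the legitimate host goes quiet; that case shows up as the same MAC moving between switch ports rather than in the ARP table.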