On Fri, Feb 10, 2012 at 1:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I would think that this would be easier at the firewall - you could
> just deny port 443 to www.google.com

  That's tough with distributed destinations like Google, though.
("Cloud".)  There are a lot of IP addresses, not every client will get
the same IP address, and they change a lot.

  That's a good thought, though.  An HTTP proxy should do the job
nicely.  You'd want to configure it to deny URLs containing bare IP
addresses to make sure nobody's getting around things that way.

> Using only whitelisting for port 443 (or any other port,
> including 80), for the students' subnet seems to be the safest thing.
> I know it's politically difficult, but life would be easier in the
> long run.

  I don't think that's feasible for a general use network.  Students
often use the web as a research tool.  Now you're talking about
whitelisting every possible website they might visit -- and checking
the whitelisted sites regularly to make sure they haven't changed.

  If students only have a very narrow selection of websites they need,
that would work, but I don't think that's a realistic scenario
anymore.

-- Ben
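
The proxy rule suggested above (deny requests whose destination is a bare IP address), sketched as an added example that is not part of the original message or of any particular proxy product. The function names and the sample request lines are constructed for illustration; the example assumes a host is an address when it contains a colon (IPv6) or its last label is numeric, since no DNS top-level domain is numeric.

```python
import re
from urllib.parse import urlsplit

# A label that a client would read as a number: decimal/octal digits or 0x-hex.
_NUMERIC_LABEL = re.compile(r"0x[0-9a-f]*|[0-9]+", re.IGNORECASE)


def request_host(request_line: str) -> str:
    """Return the destination host of a proxy request line, or "" if unparsable.

    Handles the absolute-URI form (GET http://host/path HTTP/1.1) and the
    authority form CONNECT uses for port 443 (CONNECT host:443 HTTP/1.1).
    """
    parts = request_line.split()
    if len(parts) != 3:
        return ""
    target = parts[1]
    if "://" not in target:
        target = "//" + target  # let urlsplit parse a bare host:port
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".")  # a trailing dot does not change the destination


def is_bare_ip(host: str) -> bool:
    """True when the host is an address literal rather than a DNS name."""
    if ":" in host:  # port is already stripped, so a colon means IPv6
        return True
    last_label = host.rsplit(".", 1)[-1]
    return bool(_NUMERIC_LABEL.fullmatch(last_label))


def decide(request_line: str) -> str:
    """Proxy policy: deny unparsable requests and bare-IP destinations."""
    host = request_host(request_line)
    return "DENY" if not host or is_bare_ip(host) else "ALLOW"


# Constructed sample request lines (documentation address ranges only).
SAMPLE_REQUESTS = [
    "CONNECT www.google.com:443 HTTP/1.1",
    "CONNECT 203.0.113.10:443 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "GET http://3405803786/ HTTP/1.1",
    "GET http://10.0.0.1.example.org/page HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{decide(line):5}  {line}")
```

Name-based rules for specific sites (such as the www.google.com case discussed in the thread) would be evaluated after this check, on the host that `request_host` returns.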
