On Fri, Feb 10, 2012 at 1:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I would think that this would be easier at the firewall - you could
> just deny port 443 to www.google.com

That's tough with distributed destinations like Google, though. ("Cloud".) There's a lot of IP addresses, not every client will get the same IP address, and they change a lot.

That's a good thought, though. An HTTP proxy should do the job nicely. You'd want to configure it to deny URLs containing bare IP addresses to make sure nobody's getting around things that way.

> Using only whitelisting for port 443 (or any other port,
> including 80), for the student's subnet seems to be the safest thing.
> I know it's politically difficult, but life would be easier in the
> long run.

I don't think that's feasible for a general use network. Students often use the web as a research tool. Now you're talking about whitelisting every possible website they might visit -- and checking the whitelisted sites regularly to make sure they haven't changed. If students only have a very narrow selection of websites they need, that would work, but I don't think that's a realistic scenario anymore.

-- Ben
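The proxy rule described in the reply above (block the named host on port 443 and refuse any request whose host is a bare IP address), sketched as an added example that is not part of the original thread. The function names, the blocked-host set and the sample targets are assumptions made for illustration; the addresses come from documentation ranges.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy for this sketch: hostnames refused on port 443 only.
BLOCKED_HTTPS_HOSTS = {"www.google.com"}

# A label that is purely numeric (decimal, octal or 0x hex). No public DNS
# name consists only of such labels, so such a host is treated as an address.
NUMERIC_LABEL = re.compile(r"(0x[0-9a-f]+|[0-9]+)", re.IGNORECASE)


def target_host_port(method, target):
    """Return (host, port) from the target of a proxy request line."""
    if method.upper() == "CONNECT":
        parts = urlsplit("//" + target)  # CONNECT carries "host:port"
        default = 443
    else:
        parts = urlsplit(target)  # plain HTTP carries an absolute URL
        default = 443 if parts.scheme == "https" else 80
    host = (parts.hostname or "").rstrip(".")  # drop a trailing root dot
    return host, parts.port or default


def is_ip_literal(host):
    """True for IPv4/IPv6 literals and for all-numeric IPv4 spellings."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return all(NUMERIC_LABEL.fullmatch(label) for label in host.split("."))


def decide(method, target):
    """Return "deny" or "allow" for one proxied request."""
    try:
        host, port = target_host_port(method, target)
    except ValueError:  # unparsable host or port: fail closed
        return "deny"
    if not host or is_ip_literal(host):
        return "deny"
    if port == 443 and host in BLOCKED_HTTPS_HOSTS:
        return "deny"
    return "allow"
```

Matching on the hostname the client asks the proxy for is what makes this independent of which of the destination's many addresses a given client resolves.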