On Sat, 2002-03-16 at 16:18, David Talkington wrote:

> That's a help, but are you similarly able (administratively speaking)
> to restrict destination IPs on all other ports? Otherwise, any
> workstation could do the same thing on a different port, of course.
> Restricting 80 in this way would make web browsing awfully difficult,
Well, if the contents of your network are terribly secret (say... proprietary source code), then you can get draconian:

    Internet --- Firewall -- Proxies -- Firewall -- private net

The external firewall passes packets on approved ports to one of the proxy servers. It only accepts packets on its internal interface from the MAC addresses of the proxy servers. The internal firewall, likewise, only accepts packets from the proxy servers (notably, not from the other firewall). All access between the private net and the internet is strictly controlled, and only through the proxy servers.

> but it's the only way to stop it, unless all users are on rigidly
> controlled workstations with noexec home directories

... home directories, and any other dir they have write access to. That works, but only on UNIX.
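An added illustration (not part of the original post) of the two-firewall, proxy-only layout described above, written as a small packet-policy model: the outer firewall admits approved ports only towards a proxy and accepts frames on its inside interface only from proxy MACs, the inner firewall accepts only from proxies and lets workstations talk only to proxies. All addresses, MACs, interface names and the "approved ports" set are constructed; pairing each proxy IP with its MAC is my addition to the post's MAC-only rule.

```python
from dataclasses import dataclass

# Constructed sample topology (not from the post): two proxies on the segment
# between the firewalls, the outer firewall's MAC on that segment, and the
# ports the outer firewall is willing to forward.
PROXIES = {"10.1.0.10": "00:11:22:33:44:10",   # proxy ip -> proxy mac
           "10.1.0.11": "00:11:22:33:44:11"}
PROXY_MACS = set(PROXIES.values())
EXT_FW_MAC = "00:11:22:33:44:01"
APPROVED_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str      # "ext" (internet), "dmz" (proxy segment) or "priv"
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int


def from_proxy(p: Packet) -> bool:
    # Frame must carry a proxy MAC *and* the IP registered for that MAC, so a
    # forged source address with a different MAC is rejected.  MAC checks are
    # only meaningful on the directly attached segment; anything routed in
    # from further away has the router's MAC, not the original sender's.
    return p.src_mac in PROXY_MACS and PROXIES.get(p.src_ip) == p.src_mac


def external_fw(p: Packet) -> bool:
    """Outer firewall: 'ext' faces the internet, 'dmz' is its inside."""
    if p.iface == "ext":
        # Inbound: approved ports only, and only towards a proxy server.
        return p.dst_port in APPROVED_PORTS and p.dst_ip in PROXIES
    if p.iface == "dmz":
        return from_proxy(p)
    return False            # default deny on anything else


def internal_fw(p: Packet) -> bool:
    """Inner firewall: 'dmz' is the proxy segment, 'priv' the private net."""
    if p.iface == "dmz":
        # The outer firewall's own MAC is not a proxy MAC, so traffic it
        # forwarded straight through (bypassing a proxy) is dropped here.
        return from_proxy(p)
    if p.iface == "priv":
        # Outbound: workstations may only reach the proxies, on any port;
        # a direct connection to an internet host is dropped.
        return p.dst_ip in PROXIES
    return False
```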