Rajesh K. Bahl wrote:
Thanks, but there is another constraint: there is only one server running Linux, and all the "client PCs" are Windows boxes.
Also, on top of it, we need to prevent the users from "changing" their own IP addresses (which some "denied" users do to get access to the internet).
What to do in such a case?
Regards
Rajesh K. Bahl
1) Remove administrator access on the client systems so IP addresses are not changed.
2) Statically assign IP addresses in two ranges: one for open access, the other for virus update only. Either through manual IP config, or by configuring your DHCP server to serve the proper addresses by MAC address.
2a) (optional) Set up port restrictions on your network switches so that only your PCs can get on the network (restrict by MAC address). You need manageable switches for that.
3) ACLs in squid that match on the IP ranges you set up and restrict the two classes of clients in any way you want.

If you are unable to remove administrator access for some reason:
1) Break the network into two halves, either through separate network switches, or VLANs if you have manageable switches.
2) Run two squids, one connected to the open half of the network, the other on the restricted half. You can do this on one server either by having two network cards and binding each squid to the appropriate card, or by using VLAN trunking. Each squid has the appropriate restriction rules.
3) Physically secure your network jacks so the users don't replug themselves into the unrestricted network.

The first option is best, but for some reason you're letting users change their IP addresses, so there are some restrictions there we don't know about ;-)
--
Robert Borkowski
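As an added illustration of step 3 above (not part of Robert's message), here is a squid.conf fragment that splits clients into the two classes by source address range. The ranges 192.168.1.0/25 (open) and 192.168.1.128/25 (update-only), the proxy address 192.168.1.1 and the vendor domain `.av-vendor.example` are constructed placeholders; substitute your own.

```conf
# Bind squid to one interface so a second squid for the other half of the
# network (the "two squids" variant) can listen on the other card/VLAN.
http_port 192.168.1.1:3128

# Squid 2.x needs 'all' defined explicitly; Squid 3.2+ defines it built-in.
acl all src 0.0.0.0/0.0.0.0

# Client classes, matched by the statically assigned / DHCP-by-MAC ranges.
acl open_clients   src 192.168.1.0/25
acl update_clients src 192.168.1.128/25

# Destinations the restricted class is allowed to reach: AV update hosts only.
acl av_update dstdomain .av-vendor.example

# Evaluation is top-down; the first matching http_access line wins.
http_access allow open_clients              # unrestricted class: anything
http_access allow update_clients av_update  # restricted class: updates only
http_access deny  all                       # everything else, including
                                            # addresses outside both ranges

# These rules trust the source IP. They only hold if steps 1, 2 and 2a
# above stop a user from moving a PC into the open_clients range.
```

Reload squid after editing (`squid -k reconfigure`) and check the access.log for TCP_DENIED entries from the restricted range to confirm the split is in effect.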