[ale] Blocking Internet access for certain users

Joe Steele joe at madewell.com
Tue Oct 28 14:43:20 EST 2003


On Tuesday, October 28, 2003 12:18 PM, Dow Hurst wrote:
>
> If the IP spaces for each building are separate then you can allow http
> packets to one range and not to another, even if all traffic goes thru
> one interface.
> Dow
>

The trouble with using a single interface is that you are granting 
outbound access based on source addresses, which are spoofable.  All a 
person would need to do is configure their box with the IP address 
and/or MAC address of some "privileged" computer on the LAN which is 
not powered up (maybe the laptop of somebody who travels a lot).  It's 
even easier if they are allowed to use an unassigned address on the 
"privileged" subnet.

Use of a separate interface makes it easy to catch such attempts.

--Joe
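The contrast Joe draws, as an added example that is not part of the original thread: a small model of the two firewall designs, with one policy that keys only on the source address and one that also requires the privileged subnet to arrive on the interface it is physically wired to. The subnets (10.1.0.0/24 privileged, 10.2.0.0/24 not), interface names (eth1, eth2), and the iptables rules in the docstring are assumptions chosen for illustration, not configuration from anyone on the list.

```python
"""Added example, not from the original thread.  Assumed layout:

  privileged building   10.1.0.0/24  wired to eth1 (may browse the web)
  other building        10.2.0.0/24  wired to eth2 (no web access)

Equivalent iptables rules for the interface-bound policy (assumed names):

  iptables -P FORWARD DROP
  iptables -A FORWARD -i eth1 -s 10.1.0.0/24 -p tcp --dport 80 -j ACCEPT
  iptables -A FORWARD ! -i eth1 -s 10.1.0.0/24 -j LOG --log-prefix "SPOOF: "
  iptables -A FORWARD ! -i eth1 -s 10.1.0.0/24 -j DROP
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIV_NET = ip_network("10.1.0.0/24")   # assumed: privileged building's range
PRIV_IF = "eth1"                        # assumed: interface that range is wired to
OTHER_IF = "eth2"                       # assumed: the other building's interface


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as the packet claims it
    in_iface: str   # interface the packet actually arrived on
    dport: int      # destination TCP port


def single_interface_policy(pkt):
    """Everything shares one interface, so the only thing the rule can
    look at is the source address.  A spoofed source passes."""
    if ip_address(pkt.src) in PRIV_NET and pkt.dport == 80:
        return "ACCEPT"
    return "DROP"


def interface_bound_policy(pkt, log):
    """The privileged subnet is accepted only on the interface it is
    attached to.  A privileged source arriving on any other interface
    cannot be genuine: log it as a spoof attempt, then drop it."""
    src = ip_address(pkt.src)
    if src in PRIV_NET and pkt.in_iface != PRIV_IF:
        log.append(f"SPOOF: src={pkt.src} in={pkt.in_iface} dport={pkt.dport}")
        return "DROP"
    if src in PRIV_NET and pkt.dport == 80:
        return "ACCEPT"
    return "DROP"


def demo():
    """Constructed traffic: a genuine privileged host, and a host in the
    other building that has taken the address of a powered-off laptop."""
    genuine = Packet("10.1.0.20", PRIV_IF, 80)
    # On a single shared interface the spoofer's packet is indistinguishable.
    spoof_shared = Packet("10.1.0.20", PRIV_IF, 80)
    # With separate interfaces the spoofer can only enter via eth2.
    spoof_bound = Packet("10.1.0.20", OTHER_IF, 80)
    log = []
    return {
        "single_genuine": single_interface_policy(genuine),
        "single_spoofed": single_interface_policy(spoof_shared),
        "bound_genuine": interface_bound_policy(genuine, log),
        "bound_spoofed": interface_bound_policy(spoof_bound, log),
        "log": log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The interface check is the same idea as reverse-path filtering: a packet whose claimed source could not have come in on that interface is rejected, and the LOG rule is what makes the attempt visible rather than silently failing.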


