Archived from groups: comp.security.firewalls
X-No-Archive: Yes
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d6cef233836a3a2989c1d@news-server.columbus.rr.com...
> In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1
> @comcast.do.not.spam.me.net says...
>> X-No-Archive: Yes
>>
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
>> > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
>> > @comcast.do.not.spam.me.net says...
>> > > "Leythos" <void@nowhere.lan> wrote in message
>> > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
>> > >
>> > > sites (their
>> > > > business partners). They also setup two sets of rules, one for
>> > > > generic
>> > > > users - no access, and then one for managers - full access.
>> > >
>> > > The only way you could do that would be with
>> > > two different proxy servers, one filtered, and one
>> > > non-filtered. That is how my network is set up.
>> >
>> > Funny, the way I do it is with one Firewall appliance and different
>> > HTTP
>> > rules. Seems to me that it works well and without a problem for me. I
>> > don't have ANY proxy servers in our network, but, if you must know, the
>> > firewall has many proxy type services for use - and HTTP is one of
>> > them.
>> >
>> > I can also setup users without the proxy and limit what they can access
>> > based on their IP, Subnet, authentication, all the same without the
>> > proxy service of the firewall - the proxy service allows me to use a
>> > Web
>> > Blocker tool and content filters that remove malicious content from the
>> > http sessions.
>>
>> I don't see how you can authenticate users
>> authorized for full access, without using a
>> program like ProxyPro. To me, it would
>> seem easier to use ProxyPro, add the
>> users authorized for full access, and be
>> done with it.
>
> The firewall appliance allows me to create Users and groups and assign
> users to groups. I have the option of having MANY HTTP rules that can
> either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
> same time in the same firewall. In this case, if I want a User to have
> specific access from ANY location in the company, I setup a User in the
> firewall and put them in the unrestricted HTTP rule group and then, when
> at any workstation in the company, they can browse to the firewall
> authentication page, authenticate, and then get full HTTP access without
> any restrictions - when they close the HTTP authentication page it kicks
> them out of being authenticated as User X and they no longer have
> unrestricted access - they have whatever access any other user at that
> system would have.
>
>> Since AllegroSurf and ICS both
>> assign dynamic internal addresses to
>> PCs on the network, doing it by IP
>> does not work, and a lot of business
>> networks assign IP addresses
>> dynamically. That is the way that
>
> You seem to have missed DHCP Reservations - if you want to provide a
> group of systems (like Managers or Developers) with specific access by
> IP rules, you setup DHCP with reservations for their MAC and their IP is
> still DHCP assigned. I do this in most companies - especially for people
> that VPN in and then RD to their own desktop - this means I can create a
> rule that only allows them access by IP/Port to their specific
> workstation and I always know where it's going to be.
>
>> HTTP works. If you are using
>> static IPs in your network, then yes
>> you can block by IP. But for those networks
>> that are using dynamically assigned IPs
>> within the network, like mine, then my
>> solution is the only way you can do this.
>
> Wrong, see what I typed above. Reservations have long been a part of
> DHCP and it works perfectly for what it was designed for - to
> dynamically reassign the same IP to the same device. This works great
> since you can pass all your other settings via DHCP to the device and
> not have to manually change the device's settings.
>
>
>> If you are using DHCP, or any NAT
>> device that assigned IPs dynamically, then
>> you need a program like ProxyPro, that
>> supports authentication, if you want to
>> allow some users unfiltered internet access.
>> Virtually any NAT device, hardware or
>> software, is going to use DHCP and assign
>> addresses dynamically. The solution I refer
>> to is for the majority of networks that do this.
>
> But you don't want the NAT device assigning the IP, you want the
> domain's DHCP server doing it and only using the NAT device as the
> gateway router. In our case, we always disable DHCP on NAT devices (and
Well, AllegroSurf, which I use, has a DHCP server,
router, and NAT, all in one program. Just install,
configure, and you are done. AllegroSurf does have
one problem I have found. You cannot print to
any network printers. I think Microsoft must have
put something into XP and later versions of Windows
to keep third party NAT devices from connecting
to network printers. This is because Microsoft ICS
only allows up to 10 users, but with AllegroSurf,
you can buy licenses for a lot more users. I think
that MS might well have done this to force people
to pay Microsoft, if they want more than 10 users
at a time to have full access to the LAN.
AllegroSurf, WinGate, ProxyPro, SpoonProxy,
and other programs that have NAT built in can
be licensed for more users, and probably at
a cheaper rate than what Microsoft would charge
to hook more than 10 users to ICS. I think
Microsoft must see this as a threat, and has
made it to where some network functions
won't work in a third-party NAT solution.
> our firewall appliances have NAT with DHCP also). If you don't disable
> DHCP on the NAT device you may not be properly setup when you provide
> the domain/network's DHCP information - most OS based DHCP services
> provide far more information than you can setup on those simple NAT
> devices to be passed to the devices via DHCP.
>
>> If you're really serious about controlling
>> content, especially porn, you need a
>> software-based solution, as it can download
>> updates daily. CyBlock, CyberSitter, and
>> SurfControl are all good at this. They
>> can all be programmed to download updates
>> automatically. All you have to do in the
>> morning is just re-boot the machine the
>> software is running on for the changes to
>> take effect. ProxyPro will even support
>
> I control porn at the firewall, and I don't have to reboot anything for
> updates to work. In fact, I can select to enable/disable 14 categories
Well, most software based solutions do require
a reboot once a day. But software solutions can also
filter up to 67 categories of content. CyBlock can
filter up to 67 categories of content. It also has all
kinds of reporting, even down to an individual user
or IP address, something your hardware firewalls
have not learned yet. I am surprised you dont have
to reset your firewall everytime an update is
downloaded.
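The DHCP-reservation approach Leythos describes, worked through as an added example that is not part of the thread or of any product named in it: a Python script that renders ISC dhcpd host reservations for a constructed set of machines, checks that they do not collide with the dynamic pool, and emits the matching iptables rules for a Linux gateway so that the managers' reserved IPs browse directly while everyone else is forced through a filtering proxy. All MACs, addresses, hostnames, groups and the proxy address are constructed for the example.

```python
import ipaddress

# Constructed sample data: MACs, addresses, names and groups are made up.
SUBNET = ipaddress.ip_network("192.168.10.0/24")
DYNAMIC_RANGE = (ipaddress.ip_address("192.168.10.100"),
                 ipaddress.ip_address("192.168.10.200"))
FILTER_PROXY_IP, FILTER_PROXY_PORT = "192.168.10.5", 8080  # assumed proxy
RESERVATIONS = {  # MAC -> (hostname, fixed IP, group)
    "00:11:22:33:44:01": ("mgr-laptop", "192.168.10.21", "managers"),
    "00:11:22:33:44:02": ("dev-box", "192.168.10.22", "developers"),
}
POLICY = {"managers": "direct", "developers": "proxy"}  # group -> HTTP policy

def check_reservations(reservations=RESERVATIONS):
    """A reservation must lie inside the subnet, outside the dynamic pool
    (or the server may lease that address to someone else) and be unique."""
    seen = set()
    for mac, (_, ip, group) in reservations.items():
        addr = ipaddress.ip_address(ip)
        if addr not in SUBNET:
            raise ValueError(f"{mac}: {ip} is outside {SUBNET}")
        if DYNAMIC_RANGE[0] <= addr <= DYNAMIC_RANGE[1]:
            raise ValueError(f"{mac}: {ip} overlaps the dynamic pool")
        if addr in seen:
            raise ValueError(f"{mac}: {ip} is reserved twice")
        if group not in POLICY:
            raise ValueError(f"{mac}: unknown group {group}")
        seen.add(addr)
    return len(seen)

def dhcpd_host_blocks(reservations=RESERVATIONS):
    """ISC dhcpd 'host' stanzas: the same MAC always gets the same address."""
    return [f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
            for mac, (name, ip, _) in reservations.items()]

def http_rules(reservations=RESERVATIONS):
    """iptables rules: 'direct' hosts are exempted from the DNAT and allowed
    out on port 80; all other port-80 traffic is sent to the filtering proxy."""
    nat, fwd = [], []
    for _, (_, ip, group) in reservations.items():
        if POLICY[group] == "direct":
            nat.append(f"-t nat -A PREROUTING -s {ip} -p tcp --dport 80 -j ACCEPT")
            fwd.append(f"-A FORWARD -s {ip} -p tcp --dport 80 -j ACCEPT")
    nat.append(f"-t nat -A PREROUTING -p tcp --dport 80 -j DNAT "
               f"--to-destination {FILTER_PROXY_IP}:{FILTER_PROXY_PORT}")
    fwd.append(f"-A FORWARD -d {FILTER_PROXY_IP} -p tcp --dport {FILTER_PROXY_PORT} -j ACCEPT")
    fwd.append("-A FORWARD -p tcp --dport 80 -j DROP")
    return nat + fwd
```

Unreserved machines that still get a pool address simply fall into the proxy case, which is the point of keeping the reservations outside the dynamic range.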