On Sun, 12 Sep 2010 13:35:30 -0700 (PDT), devlin7 <it_at_wghs.school.nz>
wrote:
> Thanks, I figured as much. So I need a layer 7 firewall like NUFW or Palo
> Alto.
>
> Would a captive portal work?

Squid can be considered both of the above. http_access is a kind of
layer-7 firewall just for HTTP.

I was about to suggest a captive portal approach. This is done with Squid
by:

* implementing WPAD/PAC on the network for all the software which supports
it
* manual configuration to use the proxy for all software sitting around
the network long-term which can't do WPAD
* interception of the remaining dregs.

The first two are the primary access levels; they allow you to use
authentication on any requests received that way, thus assigning a much
higher level of trust and wider access.

The interception layer allows catching of all the broken clients and weird
traffic, suitable if you can design some cut-down level of access. Assuming
that the worst problem users will be coming in this way is not too far
short of reality.

Captive portals face a choice with this traffic: whether to bounce it to a
splash page explaining how to configure their browser properly or to let it
through silently with a lot of extra limits.

Amos
Received on Sun Sep 12 2010 - 23:01:37 MDT
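
The tiered setup described in the message above, sketched as a squid.conf fragment. This is an added example, not configuration from the original post: the port numbers, port names, helper and file paths, address range and the portal.example / wpad.example hostnames are all assumptions to be replaced locally.

```conf
# Added example (not from the original post). Paths, ports, names and
# hostnames below are assumptions; adjust for the local install.

# Tiers 1 and 2: explicit proxy port, reached via WPAD/PAC or manual settings.
http_port 3128 name=explicit
# Tier 3: port that receives traffic redirected by the firewall/router.
# ("intercept" is the Squid 3.1+ keyword; older releases use "transparent".)
http_port 3129 intercept name=caught

# Proxy authentication is only usable on the explicit port; intercepted
# requests cannot be challenged for proxy credentials.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Web proxy
acl authed proxy_auth REQUIRED

acl via_explicit myportname explicit
acl via_caught   myportname caught
acl localnet     src 10.0.0.0/8        # assumed internal range

# Cut-down access for intercepted clients: the setup page plus a short allow-list.
acl setup_sites dstdomain portal.example wpad.example
acl basic_sites dstdomain "/etc/squid/intercept_allowed.txt"

# Higher trust: explicitly configured clients that authenticate.
# via_explicit is tested before authed, so intercepted requests never
# reach the proxy_auth check.
http_access allow localnet via_explicit authed

# Lower trust: intercepted clients get the allow-list only.
http_access allow localnet via_caught setup_sites
http_access allow localnet via_caught basic_sites

# Everything else from the interception port is bounced to the splash page
# (deny_info keys on the last ACL of the matching deny line).
deny_info http://portal.example/proxy-setup.html via_caught
http_access deny via_caught

http_access deny all
```

To let intercepted traffic through silently with extra limits instead of bouncing it, drop the deny_info line and widen basic_sites.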