Using a proxy server to restrict access?

I'm wondering about the best way to restrict access to only certain sites when these sites utilize Akamai disk caches. Keeping track of those IPs seems futile. Would a proxy server help me out here?

Thanks,

Mark

Reply to
Mark Tunnell

You need a URL filtering device. A proxy passes HTTP unless you set up rules/filtering, which is essentially the same thing.

URL filters can be easy - they can sit on a SPAN port and listen to the headers promiscuously, and issue a TCP RST when an unwanted site is found. Typically these are not cheap since you're paying for the support of the databases.

You could build your own using `squid' and implement it transparently depending on your setup (have the router forward to the cache so no client side changes are needed). There are some open source 'redirectors' for filtering.

alan

Reply to
Alan Strassberg
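
Added example (not part of the thread or any poster's code): a sketch of the hostname-based allow/deny decision a filtering proxy makes, which is why the changing Akamai IPs stop mattering once filtering is done by name. The allowlist entries and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist. A leading dot means "this domain and its subdomains",
# the convention Squid uses for dstdomain ACLs.
ALLOWED = (".example.org", "intranet.example.com")


def requested_host(head: bytes):
    """Return the destination hostname named in an HTTP request head, or None."""
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":      # explicit proxy: HTTPS tunnel, host:port
        host = target
    elif "://" in target:                # explicit proxy: absolute-form URL
        host = urlsplit(target).netloc
    else:                                # intercepted traffic: rely on Host header
        host = ""
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
                break
    host = host.rsplit("@", 1)[-1]       # drop any userinfo
    if ":" in host and not host.endswith("]"):
        host = host.rsplit(":", 1)[0]    # drop the port
    return host.rstrip(".").lower() or None


def is_allowed(host, allowed=ALLOWED):
    """Default deny: only exact entries or dot-prefixed suffix matches pass."""
    if not host:
        return False
    for entry in allowed:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(head: bytes):
    host = requested_host(head)
    return host, is_allowed(host)
```

The Host header on intercepted traffic is supplied by the client, and intercepted HTTPS carries no readable HTTP headers at all, so a name-based filter of this kind is only as strong as the egress rules that force traffic through it.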

Hum. I have never heard of filters operating in this manner. In some ways it is trivial to do so. However I would be concerned that this would be suboptimal. But hey, whatever works for you. ;)

Indeed this will work. However, I like the idea of blocking outbound 80 and 443 directly and not using Squid in transparent proxy mode. It does help make it easier to find things that are not configured correctly and thus "blessed" by the IS department. Rather that is to say that transparent proxying lets things get access unnoticed which I do not like. Different ideas for different political problems.

Grant. . . .

Reply to
Taylor, Grant

Not suboptimal at all. I've run these with 50,000 users with no performance hit. The good part is these just hang on the wire, if they fail there's no network impact other than filtering not working.

Good luck blocking outbound 80 and 443. Do you realize any clever user can simply proxy to another anonymous server on the Internet and bypass this?

Your problem is an HR problem, not technology.

alan

Reply to
Alan Strassberg

Indeed.

Not if the network is a closed network with only explicitly allowed traffic, which is usually the case when I'm shutting down 80 and 443.

What problems are not usually caused by PHBs and their HR counterparts?

Grant. . . .

Reply to
Taylor, Grant
