From: Chris Higgins
Date: Mon 11 Jun 2001 - 13:31:58 IST
> Answers to your questions:
> 1. We are switching to DHCP for IP addressing from Static. Up until now,
> we manually added each individual address to the firewall access list to
> allow someone Internet access. With DHCP this can no longer happen. I
> basically need to be able to control who has Internet access and still have
> a dynamic IP address structure. I believe I need a proxy server.
Ok - so you want access control - your choice is IP based or userid/pass.
If you want to retain IP based access control, then the easiest way to
do it is have the DHCP server allocate the same IP address for specific
users - so that your machines and those who are to be granted access are
all given 'fixed' addresses via DHCP. Everyone else then gets an address
from a pool of addresses.
You could have 192.168.10.2->64 for fixed allocation, and then leave
192.168.10.65->254 for your pool of addresses for everyone else. If you
are using different blocks at different sites, then make it a rule that the
first X addresses in any address block are set aside for fixed use, and the
dynamic pool takes the rest.
Have your proxy then allow 192.168.10.2->64 and deny 192.168.10.65->254.
On the other hand - and working on the basis that all someone has to do to
circumvent your access control is change their IP address - you could move
to user/pass based authentication.
It may be too much effort for your users though...
I'm not going to get into an argument with anyone about the lack of
security with IP based access control - if your user base isn't IP
aware it might work for you.
> 2. Local caching point will be a side benefit, as I believe it can have a
> significant beneficial effect on the bandwidth, but my primary concern is
> to control who has Internet access.
How 'secure' do you want that control - proxy auth may be the way to do it.
> 3. I believe that NAT or masquerading is not the answer to my problem, am I
It's orthogonal to the issue you are trying to solve - you are only dealing
with the http / (occasional) ftp usage. Although there is no reason why you couldn't
implement this with MASQ & IPtables.
> 4. I would like the proxy to be totally transparent if possible. IP
> services required will mainly be HTTP traffic, but with the option of
> allowing FTP or other such services to certain users if required.
> 5. The network is quite complex with multiple sites involved, but at the
> moment they are all coming through the same firewall in HQ, I believe I
> will be able to get away with one proxy, or at least, this is what I would
Single proxy should do the job for now - you may (depending on traffic volumes)
want to add a second one later on and load balance between them (or have
You may also want to look at squid delay pools if all traffic is going to be
going through this point. http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8
> 6. Uptime is a business requirement during office hours, but not as
> essential during evenings or weekends. Certain downtime is acceptable, but
> the shorter the better.
> 7. At the moment there is no requirement for reporting or activity
> monitoring, but I believe that this will be a definite requirement in the
> near future, and thus I will be needing the ability to produce detailed
> logs without reinstalling a totally new product to achieve this.
Squid has some nice logging tools which generate some interesting / scary
usage reports. Loads of useful links on the Squid site. (
> Yes, I understand that most questions are answered by a multitude of other
> questions, I've no problem with that, as long as it helps the people in the
> know to provide a more useful answer to my problem. Thanks all.
--
** Chris Higgins                          e: chris.higgins at horizon.ie **
** Technical Business Development         tel: +353-1-6204916            **
** Horizon Technology Group               fax: +353-1-6204949            **
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:37 GMT
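The split the reply describes (fixed DHCP leases for permitted machines, a dynamic pool for everyone else, a Squid ACL that allows only the fixed range, the user/password alternative, and a delay pool), as an added configuration example that is not part of the original message. It assumes ISC dhcpd and Squid 2.5-or-later directive names; the MAC address, gateway address, auth helper path and delay rate are placeholders.

```conf
# --- /etc/dhcpd.conf (ISC dhcpd): reserve .2-.64 for named hosts, pool the rest ---
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;           # assumed gateway address
    range 192.168.10.65 192.168.10.254;    # dynamic pool: everyone else
}
host alice-pc {                            # one reservation per permitted machine
    hardware ethernet 00:00:00:00:00:01;   # placeholder MAC, replace with the real one
    fixed-address 192.168.10.2;            # lands inside the "allowed" range
}

# --- /etc/squid/squid.conf: IP-based control, as described in the reply ---
acl fixed_hosts src 192.168.10.2-192.168.10.64/255.255.255.255
acl dyn_pool    src 192.168.10.65-192.168.10.254/255.255.255.255
acl all         src 0.0.0.0/0.0.0.0

http_access allow fixed_hosts
http_access deny  dyn_pool
http_access deny  all                      # default-deny whatever is left

# --- Alternative: user/password authentication (survives an IP change) ---
# auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd   # assumed path
# auth_param basic realm Internet access
# acl authed proxy_auth REQUIRED
# http_access allow authed
# http_access deny all

# --- Delay pool: cap aggregate throughput when all sites share this one box ---
delay_pools 1
delay_class 1 1                            # class 1: one aggregate bucket for everyone
delay_parameters 1 64000/64000             # restore 64 KB/s into a 64 KB bucket (sample value)
delay_access 1 allow all
```

The delay pool directives only work when Squid was built with --enable-delay-pools; the auth block is commented out so the two access models are not mixed by accident.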