PeerGuardian is Phoenix Labs premier IP blocker for OS X. PeerGuardian integrates support for multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc), making it the safest and easiest way to protect your privacy on P2P. A PeerGuardian widget is included.
As the network administrator at the school I work for, I am running a Windows network domain with 2 Server 2008 domain controllers. Our gateway consists of a Sonicwall NSA 2400 firewall. Using the Reports feature on the Sonicwall, I can see which users, by their IP addresses, are using the most bandwidth. Streaming video is prohibited due to our terrible bandwidth (3.0 Mbps T1). I have blocked all known sites, but users still find ways around the filter. My question is, how can I quickly block a user from accessing the internet once they are identified other than to physically confiscate their machine? In an ideal scenario, staff should still be able to access our in-house Exchange server for communication purposes, just not the internet.
Students do not use email (at least they shouldn't be) so Exchange access for them is not a concern. Does anyone have any idea on how to achieve this?
Do you know if it is difficult or time-consuming to do that on the Sonicwall? I need to be able to cut them off immediately, if possible. It is an Active Directory environment, but many of the students' usernames are the same so that wouldn't work for me unless I give everyone a unique username, which I'd like to avoid if possible. I'm thinking that the firewall way may be the way to go, but have yet to find info on how to be able to quickly do this. Are you familiar with the NSA 2400, by any chance?
Thank you for the quick reply! Can't you add the IP to the ban/block list of Sonicwall?
Yes, all they would need to do is get assigned a new IP, but this would work for at least enough time for you to confiscate the machine, especially if the person does not have enough admin right to do renew the IP address manually. It would be quick and effective for the short term (since you would all ready have the IP, and as soon as you apply the block list the machine is blocked). Or are you wanting to simply block the machine permanently from the internet but not internal resources? I didn't read all the responses. But I've done something similar for a particular PC here that does not need internet access 90% of the time, but occasionally does.
I've got two batch files. 'internet on' and 'internet off' that I supplied to the person that is responsible for that PC. You would need psexec, but that's easy to get. Have at 'er if it works for you. ON @Echo Off cls @ECHO.
This will turn ON the internet on computer.domain.org @Echo. (155.155.155.236 Static) by restoring the gateway.
pause psexec computername netsh interface ipv4 set address 'Local Area Connection' static 155.155.155.236 255.255.254.0 155.155.155.1 @ECHO. Okay, computer.domain.org now has internet access, have a nice day. pause OFF @Echo Off cls @ECHO.
This will turn OFF the internet on computer.domain.org @ECHO. (155.155.155.236 Static) by setting the gateway to 0.0.0.0. pause psexec computername netsh interface ipv4 set address 'Local Area Connection' static 155.155.155.236 255.255.254.0 0.0.0.0 @ECHO. Okay, computer.domain.org no longer has internet access, have a nice day. pause I changed a bit of info to hide computer names and IP's. I also have a static assigned to that PC.
Now the end-user can just double click 'on' or 'off' to change that PC It works, and I'm sure there are better methods as well. I had to deal with this recently and took a different aproach: if i understand correctly, your offenders are emplyees not just students.
(if students are able to browse the web freely and hog resources away from employees on the same network, you need to look into doing something about that, especially since you are browsing on a T1) for employees, consider making a big HR/managers/supervisors big deal out of it. We had the same issues with people sitting on youtube for hours or running pandora 24/7. I sent a warning/policy reminder to everyone explaining that the web is for work only, and then spoke with the department heads about making a big deal out of abuses so this stops.
I stressed that point that even if we are ok with that person not having anything better to do, this is not allowed because of network resources and it affects everyone else trying to work. it only took a getting 2-3 guys in trouble and now even though youtube is open for every employee, they understand that it is ok to watch something work related for a bit. But nobody abuses that anymore. Since it was fair and clear, nobody hated me for it.
(well except for that one guy but who cares about him.) I am not saying don't do anything at all on the IT side, but I do believe this is a policy abuse first and foremost, and when employees realize that it can trigger a warning and a sit down with HR and their manager, it will make them think twice, respect policy more, and your IT life much easier. One device that can help big time is a NGFW, i recommend (and use) palo alto. It will do all your user specific policies, QOS, etc. Edited May 9, 2013 at 20:55 UTC. Wow, you all are great!
So many suggestions that I will have to do even more homework to figure out what is best for us (which is a good thing!). It's really frustrating when even the school staff is working against you even though they know that it is negatively impacting everyone else, including the students ability to research and learn. I will report back which avenue I took once I am successful as I know I'm not the only one facing this conundrum. Many thanks to all who chipped in with their time and expertise! With the content filtering you can block most sites by groups. Porn, Sports, Travel Etc.
You can block sites like Youtube or site like this. You can also block IP address at the firewall as a quick and dirty way to do it by finding out what IP address they are going to and create a rule to block that address. Thru the content filtering you can create a rule to block sites but in the rule you can say there will be access between 12pm and 1pm in this way if someone does need to stream a video for legit reasons they can do during the specified times and you can thru the rules and work with sever group policies to block groups of people but not others.
IE the principal, VP and yourself as a group who can have access while no one else can. I am not sure if this is available on your current security device however, this can be easily achieved with Identity-based Cyberoam Technology. Cyberoam is True AAA (Authentication, Authorization & Audit) appliance - where you integrate User-based policies (not IP addresses) in the entire feature set of the UTM appliance. The moment students log in - (whether their mobile devices, ipads or LAN via single sign-on or captive portal) - they are authenticated (due to tight integration with LDAP, Radius, AD etc). No matter where they login from - the same policies are applied to them. You dont need to physically control units or IP addresses, just create user access policies based on their role in the school/department by username (or you can put users in a group) We also have granular reporting (in-built on the appliance itself) available by usernames - so you know exactly who is doing what in your network. Check out - demo.cyberoam.com Click on NG Series.
Well, the verdict is in. Using the Sonicwall NSA 2400, I have set up an Access Object under Network named 'Bandwidth Hogs MAC'. Then I set up a firewall rule set to deny LAN-to-WAN access to anyone that has been added to the Bandwidth Hogs MAC access object. Using the Reports feature, once I identify a hog's IP address, I find their MAC address by checking the DHCP server's current address leases. I can then enter the offending MAC address and it goes into effect immediately. I know it takes a few steps to do this, but since I can do it all from my DHCP server, it only takes about a minute at most to both ID the scofflaw and add the entry. I just have to remember to remove the MAC at the end of the day.
Free Ip Blocker For Mac
It's a fairly simple solution that is free, which makes the boss happy. Thank you to everyone that offered their time and expertise!
Last Updated: 21 Sep 2015 Exposing your MAC address is of course not a security issue if you assume that you have full control of your network. Meaning security is in place and you trust people who manage your network. But of course this is not always the case. Mostly, people connect (mostly via wi-fi) to public spaces like coffee shops, hotels, airport or other networks that they do not control. Doing this exposes your MAC address and in turn can be used to identify your computer and the user.
You can change your MAC address. You should keep in mind that changing your MAC address is by no means enough to make you completely anonymous.
Check out the for tips on how to do this. While your MAC address is not permanently tied to your device's hardware, it will remain the same unless you change it yourself. As a result, it might allow someone to link your online activities, even if you take steps to keep them separate. If you sign into Facebook one day, for example, then return to the same network a week later to update your anonymous blog, anyone with access to the local network logs can easily learn that the same computer was used for both activities, even if you get a new IP address, use a different Web browser, clear your cookies, and sign in with a different username.