> As soon as someone can clearly define "misbehavin" we'll be on the
> fast track to a solution. Shucks, we can't even agree with our walls ...
> Kinda like a filtering router... programming the router ain't easy,
> but it's a lot easier than trying to get the policies written and
> approved!

Starting point for "misbehavin" profile:

1. User attempts to log into someone else's account in a critical
   system by guessing the password.
   Proactive rule - don't let him access someone else's account.
   Reactive rule - turn off his access to the system until the
   information security folks turn it back on.

2. User on critical system attempts to connect to a site on the
   Internet.
   Proactive rule - block connections from critical systems to the
   Internet, like a packet filtering router.
   Reactive rule - generate a report of the incident which will be
   automatically mailed to his supervisor.

3. Users on a given subnet attempt to access a sensitive system on a
   different subnet, to which none of those users are supposed to have
   access.
   Proactive rule - block their access to the sensitive system, like a
   packet filtering router.
   Reactive rule - introduce an additional authentication check which
   they must pass through to connect to any system off their own subnet.

4. User has an IP address which is outside the domain of IP addresses
   in use by legitimate users.
   Proactive rule - block access of all such addresses to everything on
   the network.
   Reactive rule - get the kid's mother on the phone and tell her what
   her son is up to.

Finally, may I politely inquire "What policy"?

Hog Farmer
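The four-rule profile above, encoded as a small event classifier that returns the proactive and reactive action for each event that trips a rule. This is an added example, not part of the original post; the address ranges, the three-failure threshold for "guessing", the event fields and the sample events are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address as ip, ip_network as net

# Constructed site layout; every address and threshold here is an assumption.
LEGIT = net("10.0.0.0/16")                         # addresses issued to legitimate users
CRITICAL = {ip("10.0.1.10")}                       # critical systems
SENSITIVE = {ip("10.0.2.20"): net("10.0.2.0/24")}  # sensitive host -> only subnet allowed in
GUESS_LIMIT = 3                                    # failed logins that count as "guessing"

# rule number -> (proactive action, reactive action), paraphrasing the post
ACTIONS = {
    1: ("deny login to the other account", "suspend actor until infosec re-enables"),
    2: ("block critical-to-Internet connection", "mail incident report to supervisor"),
    3: ("block cross-subnet access to sensitive host", "require extra auth off-subnet"),
    4: ("block address everywhere", "escalate to a human contact"),
}

def classify(events):
    """Return [(event index, rule, proactive, reactive)] for events that trip a rule."""
    hits, failures = [], Counter()
    for i, ev in enumerate(events):
        rule = None
        if ev["kind"] == "login_fail":
            # Rule 1: repeated failures on a critical host against someone else's account.
            if ev["actor"] != ev["account"] and ip(ev["host"]) in CRITICAL:
                failures[ev["actor"], ev["account"]] += 1
                if failures[ev["actor"], ev["account"]] == GUESS_LIMIT:
                    rule = 1
        else:
            src, dst = ip(ev["src"]), ip(ev["dst"])
            if src not in LEGIT:                        # Rule 4 first: unknown source
                rule = 4
            elif src in CRITICAL and dst not in LEGIT:  # Rule 2: critical -> Internet
                rule = 2
            elif dst in SENSITIVE and src not in SENSITIVE[dst]:  # Rule 3
                rule = 3
        if rule:
            hits.append((i, rule, *ACTIONS[rule]))
    return hits

# Constructed sample events (not real logs).
EVENTS = [
    {"kind": "login_fail", "actor": "bob", "account": "alice", "host": "10.0.1.10"},
    {"kind": "login_fail", "actor": "bob", "account": "bob", "host": "10.0.1.10"},
    {"kind": "login_fail", "actor": "bob", "account": "alice", "host": "10.0.1.10"},
    {"kind": "connect", "src": "10.0.1.10", "dst": "198.51.100.7"},
    {"kind": "login_fail", "actor": "bob", "account": "alice", "host": "10.0.1.10"},
    {"kind": "connect", "src": "10.0.3.5", "dst": "10.0.2.20"},
    {"kind": "connect", "src": "10.0.2.8", "dst": "10.0.2.20"},
    {"kind": "connect", "src": "192.0.2.44", "dst": "10.0.1.10"},
]
```

Rule 4 is evaluated before rules 2 and 3 so that an address outside the legitimate range is handled as an unknown source rather than as a misrouted insider.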