Re: Proxy 2.0 secure?

["Brian Steele" <steele_b () spiceisle com>]

> > > Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
> >
> >
> > And why is it bad?  Almost everyone I've spoken with suggest dynamic IP
> > allocation for the PCs on our LAN, and the use of WINS/DNS for name
> > resolving (MS's implementation of DNS uses WINS to determine the names
> > associated with each PC, so there's really no need for static
addressing).
> Just because you can't use tools that monitor and control network
> access on IP address basis.



That's like saying I should buy a donkey-cart instead of a car because I
can't use a donkey to pull a car.  I don't NEED tools on my network that
monitor and control access on a static IP basis. I don't WANT tools on my
network that rely on assigning static IP addresses to my PCs.


> ..and why is it good? Getting stuck with dirty hack like M$ DNS?
> WHY??? Why don't just use static addressing scheme?


MS-DNS and WINS works fine for us. There is no need to use a static
addressing scheme with this configuration.


> I don't see any problems with renumbering. I don't even see why dynamic
> DHCP makes it more easy.


Try reassigning IP addresses to 200 PCs.  Or 2000.  Remember, each PC at
least on my LAN MUST have a registered name, they are not referenced by IP
address, so your DNS config has to be updated as well.


And for your comments regarding single logon vs. multiple username/password
schemes...

> a) It fails completely on geterogenous environments (out of 'dose world)


This is more or less a question of how you configure your security
mechanisms in your "heterogenous" world, so your statement is incorrect.
For example, in our case users can use the same username/password to access
the VMS boxes as well as the NT boxes.  The VMS boxes were configured for
external authentication via PATHWORKS server, which in turn gets its
authentication information from the NT PDC for the domain.


> b) you can't use any standard tools that deal with IP addresses


See my donkey-cart argument above.


> c) i am sure it is mandatory not to perform sensitive operations
> on computer that does not conform security requirements - like some
> untrusted user's desktop machine. Should i tell why?


But how will you go about enforcing a rule like this?  Threatening users?  I
prefer to enforce security as transparently as possible, and NOT provide
users the OPTION of whether or not they want to follow company security
standards and guidelines.


> Enforce physical security. And - for me - better security is much more
> important than operation trasparency - i'd say non-transparent operations
> are better because they give users chance to THINK what are they doing.


LOL - since when do users THINK about security issues?


Brian Steele