Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: "Brian Steele" <steele_b () spiceisle com>
Date: Mon, 29 Jun 1998 13:03:11 -0400
Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
And why is it bad? Almost everyone I've spoken with suggests dynamic IP allocation for the PCs on our LAN, and the use of WINS/DNS for name resolving (MS's implementation of DNS uses WINS to determine the names associated with each PC, so there's really no need for static addressing).
Just because you can't use tools that monitor and control network access on IP address basis.
That's like saying I should buy a donkey-cart instead of a car because I can't use a donkey to pull a car. I don't NEED tools on my network that monitor and control access on a static IP basis. I don't WANT tools on my network that rely on assigning static IP addresses to my PCs.
..and why is it good? Getting stuck with dirty hack like M$ DNS? WHY??? Why don't just use static addressing scheme?
MS-DNS and WINS work fine for us. There is no need to use a static addressing scheme with this configuration.
I don't see any problems with renumbering. I don't even see why dynamic DHCP makes it more easy.
Try reassigning IP addresses to 200 PCs. Or 2000. Remember, each PC at least on my LAN MUST have a registered name, they are not referenced by IP address, so your DNS config has to be updated as well.
And for your comments regarding single logon vs. multiple username/password schemes...
a) It fails completely on heterogenous environments (out of 'dose world)
This is more or less a question of how you configure your security mechanisms in your "heterogenous" world, so your statement is incorrect. For example, in our case users can use the same username/password to access the VMS boxes as well as the NT boxes. The VMS boxes were configured for external authentication via PATHWORKS server, which in turn gets its authentication information from the NT PDC for the domain.
b) you can't use any standard tools that deal with IP addresses
See my donkey-cart argument above.
c) i am sure it is mandatory not to perform sensitive operations on computer that does not conform security requirements - like some untrusted user's desktop machine. Should i tell why?
But how will you go about enforcing a rule like this? Threatening users? I prefer to enforce security as transparently as possible, and NOT provide users the OPTION of whether or not they want to follow company security standards and guidelines.
Enforce physical security. And - for me - better security is much more important than operation transparency - i'd say non-transparent operations are better because they give users chance to THINK what are they doing.
LOL - since when do users THINK about security issues?
Brian Steele