Re: Proxy 2.0 secure?

[ark () eltex ru]

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Brian Steele" <steele_b () spiceisle com> said :

> > Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
>
>
> And why is it bad?  Almost everyone I've spoken with suggest dynamic IP
> allocation for the PCs on our LAN, and the use of WINS/DNS for name
> resolving (MS's implementation of DNS uses WINS to determine the names
> associated with each PC, so there's really no need for static addressing).

Just because you can't use tools that monitor and control network
access on IP address basis.

..and why is it good? Getting stuck with dirty hack like M$ DNS?
WHY??? Why don't just use static addressing scheme?

 
> > Use static DHCP and enforce it with switching hubs and tools like arpwatch.
> > That will provide much more control and monitoring features.
>
>
> A static addressing scheme will be a nightmare on our LAN, particularly as
> we're facing a potential IP renumbering exercise when our LAN is connected
> via TCP/IP to the other business units.

I don't see any problems with renumbering. I don't even see why dynamic
DHCP makes it more easy.
 
> > > Will I be able to move to another PC and continue to enjoy my
> > > privileged access to the Internet without any reconfiguration on the part
> of
> > > the PC or the server, while another user is only allowed HTTP access to
> > > certain sites from my PC, based on his authentication level under NT,
> again
> > > all transparently?
> >
> > Are you _sure_ you _need_ that?
> > Are you sure it is a good idea from the security viewpoint?
> > I'd better not to allow such things.
>
>
> I'm firmly on the side of the one username/ one password security scheme for
> an internal LAN - otherwise moronic users (and the level of "moronity" seems
> to rise the further you go up in management, which tend to have access to
> more confidential information than the rank and file) who are assigned
> multiple usernames/passwords would tend to write them down or otherwise take
> note of them to remember them - BIG security risk.

a) It fails completely on geterogenous environments (out of 'dose world)
b) you can't use any standard tools that deal with IP addresses
c) i am sure it is mandatory not to perform sensitive operations 
on computer that does not conform security requirements - like some
untrusted user's desktop machine. Should i tell why? 

Enforce physical security. And - for me - better security is much more
important than operation trasparency - i'd say non-transparent operations
are better because they give users chance to THINK what are they doing.

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNZfz/6H/mIJW9LeBAQEMDQQApiclC+KGmxf8miBQrgsvT16LKtg5trvZ
gq8jLo0G+Sw52egGxZyTJqGs0SYXsfaswdSUrw/vgU76lnCwmiSVzZOemUWyN0CQ
F3J3zpkTd/Q5MySQ92HH21eZ6JQqMfkhCVNeqw131Jp1XpVixKII/QPGL0Atd8i0
x/qoi763Kmg=
=62Ue
-----END PGP SIGNATURE-----