Firewall Wizards mailing list archives
Re: Firewalling at the domain users level instead of network level
From: Chuck Swiger <chuck () codefab com>
Date: Mon, 19 Jul 2004 14:15:35 -0400
On Jul 18, 2004, at 2:41 AM, Santos wrote:
I'm implementing a "Windows clients, Linux servers" kind of network. Some users may login at different machines, therefore, ip level is not enough. I wonder if it's possible to control the access at the "domain users" level instead of network or ip level.
It's possible, yes. Lots of bad ideas are possible, but should be adopted only where necessary. :-)
There are two major areas of concern. First, a good firewall is a self-contained unit which implements your security policy by deciding whether to pass or deny network traffic. If the firewall has to ask other machines on the network about information (such as looking up IP addresses in DNS to resolve hostnames, or looking up users from LDAP/Active Directory/whatever) in order to make decisions, it slows down and is vulnerable to the remote machines being down or providing wrong answers. This weakens your security.
The second concern is a matter of policy: why do you want your firewall to treat users differently? If it's a bad idea for person A to do some type of network connection, why should it be OK for person B to do so? If you restrict things so that only the services which you trust all users to do are permitted, your security is likely to be much improved compared to a policy based on an ever-growing pile of per-user rules and exceptions.
-- -Chuck _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Firewalling at the domain users level instead of network level Santos (Jul 19)
- Re: Firewalling at the domain users level instead of network level Luca Berra (Jul 19)
- Re: Firewalling at the domain users level instead of network level Devdas Bhagat (Jul 19)
- Re: Firewalling at the domain users level instead of network level Paul D. Robertson (Jul 19)
- Re: Firewalling at the domain users level instead of network level Chuck Swiger (Jul 19)
- Re: Firewalling at the domain users level instead of network level Paul D. Robertson (Jul 19)
- Re: Re: Firewalling at the domain users level instead of network level Steve Lam (Jul 20)
- Re: Firewalling at the domain users level instead of network level Chuck Swiger (Jul 20)
- Re: Firewalling at the domain users level instead of network level Paul D. Robertson (Jul 20)
- Re: Firewalling at the domain users level instead of network level Paul D. Robertson (Jul 19)
- <Possible follow-ups>
- RE: Firewalling at the domain users level instead of network level Melson, Paul (Jul 19)