Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: "Brian Steele" <steele_b () spiceisle com>
Date: Sat, 27 Jun 1998 11:00:03 -0400

Dynamic DHCP is _BAD_. I see no reason for anyone to use it.


And why is it bad?  Almost everyone I've spoken with suggests dynamic IP
allocation for the PCs on our LAN, and the use of WINS/DNS for name
resolving (MS's implementation of DNS uses WINS to determine the names
associated with each PC, so there's really no need for static addressing).


Use static DHCP and enforce it with switching hubs and tools like arpwatch.
That will provide much more control and monitoring features.


A static addressing scheme will be a nightmare on our LAN, particularly as
we're facing a potential IP renumbering exercise when our LAN is connected
via TCP/IP to the other business units.


Will I be able to move to another PC and continue to enjoy my
privileged access to the Internet without any reconfiguration on the part of
the PC or the server, while another user is only allowed HTTP access to
certain sites from my PC, based on his authentication level under NT, again
all transparently?

Are you _sure_ you _need_ that?
Are you sure it is a good idea from the security viewpoint?
I'd better not allow such things.


I'm firmly on the side of the one username/one password security scheme for
an internal LAN - otherwise moronic users (and the level of "moronity" seems
to rise the further you go up in management, which tend to have access to
more confidential information than the rank and file) who are assigned
multiple usernames/passwords would tend to write them down or otherwise take
note of them to remember them - BIG security risk.

Brian Steele



