Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?

From: "Rodney van den Oever" <roever () nse simac nl>
Date: Mon, 29 Jun 1998 07:55:04 +0200

Dynamic DHCP is _BAD_. I see no reason for anyone to use it.

And why is it bad?  Almost everyone I've spoken with suggest dynamic IP
allocation for the PCs on our LAN, and the use of WINS/DNS for name
resolving (MS's implementation of DNS uses WINS to determine the names
associated with each PC, so there's really no need for static addressing).


I agree with you here, authentication/authorization based on something
static, be it MAC-, IP-address or password is bad anyway.

A static addressing scheme will be a nightmare on our LAN, particularly as
we're facing a potential IP renumbering exercise when our LAN is connected
via TCP/IP to the other business units.


You probably need to use a firewall anyway, so NAT and/or proxies will solve
this one.

Will I be able to move to another PC and continue to enjoy my
privileged access to the Internet without any reconfiguration on the

part

of

the PC or the server, while another user is only allowed HTTP access to
certain sites from my PC, based on his authentication level under NT,

again

all transparently?


Just because the MS-Proxy supports this feature, doesn't mean its a
requirement for every other firewall. This feature requires that you
activate NT Challenge/Response authentication which locks out any Netscape
user unless you also allow basic authentication (which is not clear text,
but uuencoded and doesn't work transparently).

Are you _sure_ you _need_ that?
Are you sure it is a good idea from the security viewpoint?
I'd better not to allow such things.


I'm firmly on the side of the one username/ one password security scheme

for

an internal LAN - otherwise moronic users (and the level of "moronity"

seems

to rise the further you go up in management, which tend to have access to
more confidential information than the rank and file) who are assigned
multiple usernames/passwords would tend to write them down or otherwise

take

note of them to remember them - BIG security risk.


In this case users have use the same account for internal systems as for
access to the proxy. Some external website might convince users to type
their username and password one more time...

--
Rodney van den Oever / 0x06 3547CA1 / PGP Key ID 0x0A6CCE53
When asked by an anthropologist what the Indians called America
before the white man came, an Indian said simply "ours". - Vine Deloria, Jr.

Current thread:

Re: Proxy 2.0 secure?, (continued)
- - Re: Proxy 2.0 secure? Vanja Hrustic (Jun 26)
- Re: Proxy 2.0 secure? Brian Steele (Jun 25)
  - Re: Proxy 2.0 secure? tqbf (Jun 26)
  - Re: Proxy 2.0 secure? Kjell Wooding (Jun 26)
- Re: Proxy 2.0 secure? ark (Jun 26)
- RE: Proxy 2.0 secure? Choi, Byoung (Jun 26)
- Re: Proxy 2.0 secure? Gillian Steele (Jun 26)
  - Re: Proxy 2.0 secure? Ted Doty (Jun 29)
- Re: Proxy 2.0 secure? Brian Steele (Jun 26)
- Re: Proxy 2.0 secure? Brian Steele (Jun 28)
- Re: Proxy 2.0 secure? Rodney van den Oever (Jun 29)
- Re: Proxy 2.0 secure? Brian Steele (Jun 29)
- Re: Proxy 2.0 secure? ark (Jun 29)
- Re: Proxy 2.0 secure? John McDermott (Jun 29)
- Re: Proxy 2.0 secure? Brian Steele (Jun 29)
  - Re: Proxy 2.0 secure? NetSurfer (Jun 30)
- Re: Proxy 2.0 secure? John McDermott (Jun 29)
- Re: Proxy 2.0 secure? Brian Steele (Jun 29)
- Re: Proxy 2.0 secure? ark (Jun 29)
- Re: Proxy 2.0 secure? ark (Jun 29)
- RE: Proxy 2.0 secure? Choi, Byoung (Jun 29)

(Thread continues...)