Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: ark () eltex ru
Date: Mon, 29 Jun 1998 21:12:45 GMT

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Brian Steele" <steele_b () spiceisle com> said :

>> Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
>
> And why is it bad?  Almost everyone I've spoken with suggests dynamic IP
> allocation for the PCs on our LAN, and the use of WINS/DNS for name
> resolving (MS's implementation of DNS uses WINS to determine the names
> associated with each PC, so there's really no need for static
> addressing).
>
>> Just because you can't use tools that monitor and control network
>> access on an IP address basis.
>
> That's like saying I should buy a donkey-cart instead of a car because I
> can't use a donkey to pull a car.  I don't NEED tools on my network that
> monitor and control access on a static IP basis. I don't WANT tools on my
> network that rely on assigning static IP addresses to my PCs.

Hmm ok, that's your choice. If you want to limit yourself to m$-aware
thingies, then do. I just don't see what you get with that choice.
And.. that looks much more like my solution is a car and yours
is a car too but with some strange devices to attach a donkey to it.
I mean the matter of choice is not MS vs Others (excl. MS).
It is MS vs Others (incl. MS). Except some (imho nearly useless)
functionality lost.

>> I don't see any problems with renumbering. I don't even see why dynamic
>> DHCP makes it easier.
>
> Try reassigning IP addresses to 200 PCs.  Or 2000.  Remember, each PC at
> least on my LAN MUST have a registered name, they are not referenced by IP
> address, so your DNS config has to be updated as well.

~2 minutes to do search'n'replace in my DHCP configs, and nearly the same
amount of time to do the same for DNS. + 5 minutes to view _carefully_ if
everything goes the right way.

sed, awk, perl, vi, emacs, any tool of choice.

> And for your comments regarding single logon vs. multiple username/password
> schemes...
>
>> a) It fails completely in heterogeneous environments (out of 'dose world)
>
> This is more or less a question of how you configure your security
> mechanisms in your "heterogeneous" world, so your statement is incorrect.
> For example, in our case users can use the same username/password to access
> the VMS boxes as well as the NT boxes.  The VMS boxes were configured for
> external authentication via PATHWORKS server, which in turn gets its
> authentication information from the NT PDC for the domain.

Ok, I was incorrect. It will fail in a heterogeneous world, _except_ things
that do have MS-aware hooks on them. I think it's better not to rely on
MS hooks and just to use standard technologies.

>> c) I am sure it is mandatory not to perform sensitive operations
>> on a computer that does not conform to security requirements - like some
>> untrusted user's desktop machine. Should I tell why?
>
> But how will you go about enforcing a rule like this?  Threatening users?

Yess ;)) I like that (evil laughter) ;)

> I prefer to enforce security as transparently as possible, and NOT provide
> users the OPTION of whether or not they want to follow company security
> standards and guidelines.

You can't. That just means security can be bypassed more easily.

>> Enforce physical security. And - for me - better security is much more
>> important than operational transparency - I'd say non-transparent operations
>> are better because they give users a chance to THINK about what they are doing.
>
> LOL - since when do users THINK about security issues?
>
> Brian Steele



                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNZgDTaH/mIJW9LeBAQHFHAP/elcVJhWXCYjJQPjY/cz0SwWbd6+nWuGz
ePUm7m1FP8Fp3b9/cOuSzq1EkA6SadQCAs7455+/0d4RHW8Lh/VBwdGfFtiTG2WF
ys5lqdlCLqgSwwLUH8Yh1MMhgFJjwpy1hviqCANHI0J+DoIdILDMmdgeN0dpDnuY
SwhD66PO+64=
=r3lg
-----END PGP SIGNATURE-----
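The disagreement above turns on one point: with dynamic DHCP, an IP address in a firewall or proxy log does not identify a machine by itself, so IP-based monitoring only works if the log can be joined against the DHCP server's lease history. The following is an added example, not code from the thread or from either poster, showing that join: it parses ISC dhcpd.leases-style records (a constructed sample, UTC timestamps as dhcpd writes them) and attributes each line of a constructed, syslog-like firewall log to the MAC and hostname that held the source address at that instant. The firewall log format is an assumption; the interesting cases are an address handed to a second host later the same day and a log entry that falls in a gap between leases.

```python
"""Attribute firewall log entries to DHCP clients by lease time (added example)."""
import re
from datetime import datetime, timezone

# --- constructed sample data: ISC dhcpd.leases style records -----------------
LEASES = """\
lease 192.168.1.50 {
  starts 1 1998/06/29 08:00:00;
  ends 1 1998/06/29 12:00:00;
  hardware ethernet 00:00:c0:aa:bb:01;
  client-hostname "pc-alice";
}
lease 192.168.1.50 {
  starts 1 1998/06/29 12:30:00;
  ends 1 1998/06/29 20:00:00;
  hardware ethernet 00:00:c0:aa:bb:02;
  client-hostname "pc-bob";
}
lease 192.168.1.51 {
  starts 1 1998/06/29 08:00:00;
  ends 1 1998/06/29 20:00:00;
  hardware ethernet 00:00:c0:aa:bb:03;
  client-hostname "pc-carol";
}
"""

# --- constructed firewall log; the "ts ACTION src=... dst=..." layout is assumed
FIREWALL_LOG = """\
1998-06-29T09:15:00Z DENY src=192.168.1.50 dst=10.0.0.5 dpt=139
1998-06-29T13:45:00Z DENY src=192.168.1.50 dst=10.0.0.5 dpt=139
1998-06-29T12:10:00Z DENY src=192.168.1.50 dst=10.0.0.9 dpt=23
1998-06-29T10:00:00Z DENY src=192.168.1.77 dst=10.0.0.5 dpt=139
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"(starts|ends|hardware ethernet|client-hostname)\s+([^;]+);")
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)")


def _parse_lease_time(value):
    """'1 1998/06/29 08:00:00' -> aware datetime; the leading weekday is dropped."""
    _, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(
        tzinfo=timezone.utc)


def parse_leases(text):
    """Return one dict per lease block with ip, starts, ends, mac and host."""
    leases = []
    for m in LEASE_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group("body")))
        leases.append({
            "ip": m.group("ip"),
            "starts": _parse_lease_time(fields["starts"]),
            "ends": _parse_lease_time(fields["ends"]),
            "mac": fields.get("hardware ethernet", "").strip(),
            "host": fields.get("client-hostname", "").strip().strip('"'),
        })
    return leases


def holder_at(leases, ip, when):
    """Return the lease that covered (ip, when), or None if no lease did.

    The interval is half-open: a log line stamped exactly at 'ends' belongs to
    whoever gets the address next, not to the expiring lease.
    """
    for lease in leases:
        if lease["ip"] == ip and lease["starts"] <= when < lease["ends"]:
            return lease
    return None


def attribute_log(log_text, leases):
    """Return (line, hostname, mac) for each parsable log line; UNKNOWN if no lease matched."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not look like firewall records
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        lease = holder_at(leases, m.group("src"), when)
        results.append((line,
                        lease["host"] if lease else "UNKNOWN",
                        lease["mac"] if lease else "-"))
    return results


if __name__ == "__main__":
    for line, host, mac in attribute_log(FIREWALL_LOG, parse_leases(LEASES)):
        print(f"{host:<10} {mac:<18} {line}")
```

The two UNKNOWN results are the cases worth alerting on: an address used while no lease covered it means either a lease log gap or a host that configured itself statically outside the DHCP server's knowledge, which is exactly the blind spot the thread is arguing about.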


