Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: ark () eltex ru
Date: Mon, 29 Jun 1998 21:12:45 GMT
nuqneH,
"Brian Steele" <steele_b () spiceisle com> said:
Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
And why is it bad? Almost everyone I've spoken with suggests dynamic IP allocation for the PCs on our LAN, and the use of WINS/DNS for name resolving (MS's implementation of DNS uses WINS to determine the names associated with each PC, so there's really no need for static addressing).
Just because you can't use tools that monitor and control network access on IP address basis.
That's like saying I should buy a donkey-cart instead of a car because I can't use a donkey to pull a car. I don't NEED tools on my network that monitor and control access on a static IP basis. I don't WANT tools on my network that rely on assigning static IP addresses to my PCs.
Hmm ok, that's your choice. If you want to limit yourself to m$-aware thingies, then do. I just don't see what you get with that choice. And.. that looks much more like my solution is a car and yours one is a car too but with some strange devices to attach donkey to it. I mean the matter of choice is not MS vs Others (excl. MS). It is MS vs Others (incl MS). Except some (imho nearly useless) functionality lost.
I don't see any problems with renumbering. I don't even see why dynamic DHCP makes it more easy.
Try reassigning IP addresses to 200 PCs. Or 2000. Remember, each PC at least on my LAN MUST have a registered name, they are not referenced by IP address, so your DNS config has to be updated as well.
~2 minutes to do search'n'replace in my DHCP configs, and nearly the same amount of time to do the same for DNS. + 5 minutes to view _carefully_ if everything goes the right way. sed, awk, perl, vi, emacs, any tool of choice.
And for your comments regarding single logon vs. multiple username/password schemes...
a) It fails completely on heterogenous environments (out of 'dose world)
This is more or less a question of how you configure your security mechanisms in your "heterogenous" world, so your statement is incorrect. For example, in our case users can use the same username/password to access the VMS boxes as well as the NT boxes. The VMS boxes were configured for external authentication via PATHWORKS server, which in turn gets its authentication information from the NT PDC for the domain.
Ok, i was incorrect. It will fail in heterogenous world, _except_ things that do have MS-aware hooks on it. I think it's better not to rely on MS hooks and just to use standard technologies.
c) i am sure it is mandatory not to perform sensitive operations on computer that does not conform security requirements - like some untrusted user's desktop machine. Should i tell why?
But how will you go about enforcing a rule like this? Threatening users?
Yess ;)) I like that (evil laughter) ;)
I prefer to enforce security as transparently as possible, and NOT provide users the OPTION of whether or not they want to follow company security standards and guidelines.
You can't. That just means security can be bypassed more easily.
Enforce physical security. And - for me - better security is much more important than operation transparency - i'd say non-transparent operations are better because they give users chance to THINK what are they doing.
LOL - since when do users THINK about security issues?
Brian Steele
CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!