Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: John McDermott <jjm () jkintl com>
Date: Mon, 29 Jun 98 08:29:05
Brian, I don't know who you are quoting (I forget the orig poster, sorry), but my problem with dynamic DHCP is less with the dynamic-ness than the short leases. The issue is that if the leases are short (e.g. less than a few weeks even), it is virtually impossible to track down a misbehaving system because it is difficult to map between MAC and IP addresses. This problem can be alleviated with long leases: I suggest a year or so.

--- On Sat, 27 Jun 1998 11:00:03 -0400 Brian Steele <steele_b () spiceisle com> wrote:

Dynamic DHCP is _BAD_. I see no reason for anyone to use it.

And why is it bad? Almost everyone I've spoken with suggests dynamic IP allocation for the PCs on our LAN, and the use of WINS/DNS for name resolving (MS's implementation of DNS uses WINS to determine the names associated with each PC, so there's really no need for static addressing).

True, WINS and DNS interact fairly well now. That is not as much of an issue as being able to verify the proper MAC address for a particular IP address when troubleshooting. You could probably make up some scheme with a database package and all that, but it might be spoofable.
Use static DHCP and enforce it with switching hubs and tools like arpwatch. That will provide much more control and monitoring features.
This is a really good idea especially if you have folks coming and going who are not regular employees at a particular site. It is easy for such folks to mistakenly use an incorrect IP address, for instance.
A static addressing scheme will be a nightmare on our LAN, particularly as we're facing a potential IP renumbering exercise when our LAN is connected via TCP/IP to the other business units.
This is indeed a problem at many sites. How about placing a proxying firewall or NAT device between you and the other business unit when you do that? That will allow you to use private addresses internally which you can go to now. A class A (network 10.0.0.0) is really nice to use...
Will I be able to move to another PC and continue to enjoy my privileged access to the Internet without any reconfiguration on the part of the PC or the server, while another user is only allowed HTTP access to certain sites from my PC, based on his authentication level under NT, again all transparently?

Are you _sure_ you _need_ that? Are you sure it is a good idea from the security viewpoint? I'd better not to allow such things.

I'm firmly on the side of the one username/ one password security scheme for an internal LAN - otherwise moronic users (and the level of "moronity" seems to rise the further you go up in management, which tend to have access to more confidential information than the rank and file) who are assigned multiple usernames/passwords would tend to write them down or otherwise take note of them to remember them - BIG security risk.
This can cause a problem with either scheme. I agree a single password is best, and I have clearly *no idea* how you have configured your Internet access, but I do believe that with static addresses you can still achieve single password authentication one way or another. [That kinda depends on your firewall structure: I'm assuming for instance that you restrict who can do what on the Internet in some way and that is the big issue here.]
Brian Steele
--john
-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
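
Added example, not part of the original message: a small arpwatch-style audit that checks observed IP/MAC pairings against a static DHCP reservation table, the control suggested in the thread for tracing a misbehaving system. The reservation table, sample sightings, event labels and the `audit` function are all constructed for illustration; this is not arpwatch's own code or report format.

```python
# Added illustration: audit ARP sightings against static DHCP reservations.
# All addresses, names and event labels here are constructed, not arpwatch's.

RESERVATIONS = {  # static DHCP table: IP -> reserved MAC (constructed)
    "10.1.1.10": "00:a0:c9:11:22:33",
    "10.1.1.11": "00:a0:c9:44:55:66",
}

OBSERVATIONS = [  # constructed sightings: (unix time, IP, MAC)
    (1000, "10.1.1.10", "00:A0:C9:11:22:33"),  # owner, matches reservation
    (1010, "10.1.1.11", "00-a0-c9-44-55-66"),  # owner, different notation
    (1020, "10.1.1.12", "00:60:08:aa:bb:cc"),  # visitor on an unreserved IP
    (1030, "10.1.1.10", "00:60:08:aa:bb:cc"),  # visitor takes a reserved IP
    (1040, "10.1.1.10", "00:a0:c9:11:22:33"),  # owner answers again
]


def norm(mac):
    """Canonical lower-case, colon-separated MAC."""
    return mac.strip().lower().replace("-", ":")


def audit(observations, reservations):
    """Return (time, event, ip, mac) tuples for every suspicious sighting."""
    last_mac = {}   # ip -> MAC last seen answering for it
    ips_of = {}     # mac -> set of IPs it has claimed
    events = []
    for ts, ip, raw in sorted(observations):
        mac = norm(raw)
        expected = reservations.get(ip)
        if expected is None:
            if last_mac.get(ip) != mac:
                events.append((ts, "unreserved-ip", ip, mac))
        elif mac != norm(expected):
            events.append((ts, "reservation-mismatch", ip, mac))
        if ip in last_mac and last_mac[ip] != mac:
            events.append((ts, "changed-mac", ip, mac))
        claimed = ips_of.setdefault(mac, set())
        if claimed and ip not in claimed:
            events.append((ts, "mac-on-second-ip", ip, mac))
        claimed.add(ip)
        last_mac[ip] = mac
    return events


if __name__ == "__main__":
    for event in audit(OBSERVATIONS, RESERVATIONS):
        print(*event)
```

Because each reserved IP has exactly one expected MAC, every mismatch names the offending adapter directly, which is the MAC-to-IP mapping that short dynamic leases make hard to reconstruct.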