Firewall Wizards mailing list archives

Re: Trust an IP? (IPTables)


From: Daniel Linder <dan_linder () yahoo com>
Date: Wed, 30 Apr 2003 20:45:55 -0700 (PDT)


--- Chris de Vidal <cdevidal () yahoo com> wrote:
[snip -- Dan]
> Locking it to the MAC address might be even better,
> but perhaps even that can be spoofed.  That's why I'm
> asking the pros.

This will only work if the device on the outside is on the same switch
as the firewall.  If you are backing up over the Internet (or a router
hop away), then the MAC address that your firewall will see will be the
router's...

> So is it safe to trust an IP to connect to one port,
> ala the old r* tools?  If not, what is a good alternative?

If you trust that all the networking equipment between your backup
server and the client is secure then you are reasonably safe.

A better solution might be to set up some sort of authenticated VPN
connection between the client and backup server.  An IPSec/PPTP/L2TP
VPN would be a much more secure way to achieve this.

If you use the VPN solution, make sure to put some sort of firewalling
on the system which is inside the firewall -- if the client on the
outside would get compromised, then the VPN tunnel would be an open
route to your internal network.

Dan
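
The firewalling on the inside end of the VPN that the reply above recommends, as an added example that is not part of the original post or the poster's own rules: a shell function that prints an iptables-restore fragment confining everything arriving over the tunnel to one TCP port from one peer. The function name, the chain name VPN_IN and the sample address, interface and port are assumptions.

```shell
#!/bin/sh
# Added example: emits an iptables-restore fragment for the host inside the
# firewall that terminates the VPN. Name, chain and arguments are hypothetical.
# usage: tunnel_rules <client_tunnel_ip> <tunnel_iface> <tcp_port>
tunnel_rules() {
    client=$1 iface=$2 port=$3
    # Shape checks only, so a typo or stray shell text cannot widen a rule.
    case $client in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case $iface in *[!A-Za-z0-9_.-]*|'') return 1 ;; esac
    case $port in *[!0-9]*|'') return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # Tunnel traffic gets its own chain: one allowed service, the rest is
    # logged and dropped. FORWARD is closed so a compromised client cannot
    # use this host as a route into the internal network.
    cat <<EOF
*filter
:VPN_IN - [0:0]
-A INPUT -i $iface -j VPN_IN
-A FORWARD -i $iface -j DROP
-A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A VPN_IN -s $client -p tcp --dport $port -m state --state NEW -j ACCEPT
-A VPN_IN -j LOG --log-prefix "vpn-drop: "
-A VPN_IN -j DROP
COMMIT
EOF
}
```

Load the output with `iptables-restore --noflush` so existing rules are kept. Because the jump is appended, it only takes effect if no earlier INPUT rule already accepts the tunnel traffic.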
