
Re: [RRG] Renumbering... ACLs etc.



I wish I could agree not just with the "should" but with "we can persuade them to." I worked behind an actively managed and supervised firewall for a while. They had a quite strict security policy in place. Their policy was to block all inbound connections to their VPN device unless those connections, and the IP addresses for them, had been explicitly authorized. Yes, they know that IP addresses can be spoofed. But this sort of filtering made the barrier to penetrating the firewall significantly higher. (It meant I could not use the VPN, as they would not authorize any dynamic IP addresses.) Trying to tell them that their policy is wrong, and that they cannot do that, is not going to work. We have to provide them something else to get the same capability if we do not want them using locators for this.

Yours,
Joel

PS: The one we ought to be able to persuade folks to fix is the "trick" of tying software licenses to server IP addresses.

Tony Li wrote:
Hi Robin,


|OK - I understand that you are suggesting that the routers not
|filter by IP address at all, but by "something else".


Not exactly.  What I'm suggesting is that firewalls cannot reliably filter
on any remote information.  It will be spoofed unless it's strongly
authenticated, such as an IPsec tunnel.

They *can* reasonably filter on local information (e.g., destination IP
address, destination port, protocol, destination identifier, destination
locator).  These are under the control of the local administration and can
conceivably be well coordinated.

Tony


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

