Re: [fw-wiz] Trust an IP? (IPTables)

From: Daniel Linder (dan_linder_at_yahoo.com)
Date: 05/01/03

  • Next message: David Lang: "Re: [fw-wiz] Trust an IP? (IPTables)"
    To: chris@devidal.tv, firewall-wizards@honor.icsalabs.com
    Date: Wed, 30 Apr 2003 20:45:55 -0700 (PDT)
    

    --- Chris de Vidal <cdevidal@yahoo.com> wrote:
    [snip -- Dan]
    > Locking it to the MAC address might be even better,
    > but perhaps even that can be spoofed. That's why I'm
    > asking the pros.

    This will only work if the device on the outside is on the same switch
    as the firewall. If you are backing up over the Internet (or a router
    hop away), then the MAC address that your firewall will see will be the
    router's...

    > So is it safe to trust an IP to connect to one port,
    > ala the old r* tools? If not, what is a good alternative?

    If you trust that all the networking equipment between your backup
    server and the client is secure then you are reasonably safe.

    A better solution might be to set up some sort of authenticated VPN
    connection between the client and backup server. An IPSec/PPTP/L2TP
    VPN would be a much more secure way to achieve this.

    If you use the VPN solution, make sure to put some sort of firewalling
    on the system which is inside the firewall -- if the client on the
    outside would get compromised, then the VPN tunnel would be an open
    route to your internal network.

    Dan
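
The two options discussed in this message, written out as a ruleset for the host on the inside. This is an added example, not part of the original post. The addresses (192.0.2.10, 10.8.0.2), the MAC address, TCP port 10000 as the backup port, and the interface names eth0 and ppp0 are all assumptions chosen for illustration.

```iptables
# iptables-restore input for the inside host. All addresses, the port and
# the interface names are constructed placeholders.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Option 1: trust the source IP for one port only.
# This is only as strong as every network device on the path to 192.0.2.10.
-A INPUT -i eth0 -p tcp -s 192.0.2.10 --dport 10000 -m conntrack --ctstate NEW -j ACCEPT

# MAC pinning, left disabled: the mac match sees the layer-2 sender, so it
# identifies the peer only when the peer is on the same segment. One router
# hop away, --mac-source would have to be the router's MAC and would then
# match everything that router forwards.
# -A INPUT -i eth0 -p tcp -s 192.0.2.10 --dport 10000 -m mac --mac-source 00:00:5E:00:53:01 -m conntrack --ctstate NEW -j ACCEPT

# Option 2: authenticated VPN, with the tunnel itself still filtered.
# The tunnel peer gets the backup port and nothing else, so a compromised
# outside client does not gain an open route inward.
# (Rules admitting the VPN protocol itself depend on the VPN chosen and
# are not shown here.)
-A INPUT -i ppp0 -p tcp -s 10.8.0.2 --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ppp0 -j LOG --log-prefix "vpn-in-drop: "
-A INPUT -i ppp0 -j DROP

# Nothing arriving over the tunnel is routed on to the internal network;
# the FORWARD policy is already DROP, the LOG rule records attempts.
-A FORWARD -i ppp0 -j LOG --log-prefix "vpn-fwd-drop: "
-A FORWARD -i ppp0 -j DROP
COMMIT
```

The file can be syntax-checked without loading it by running `iptables-restore --test` with the file on standard input.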


