Re: [fw-wiz] Firewalling at the domain users level instead of network level

From: Chuck Swiger (chuck_at_codefab.com)
Date: 07/19/04

  • Next message: Devdas Bhagat: "Re: [fw-wiz] iso 17799"
    To: Santos <casd@netvisao.pt>
    Date: Mon, 19 Jul 2004 14:15:35 -0400

    On Jul 18, 2004, at 2:41 AM, Santos wrote:
    > I'm implementing a "Windows clients, Linux servers" kind of network.
    > Some users may login at different machines, therefore, ip level is not
    > enough. I wonder if it's possible to control the access at the "domain
    > users" level instead of network or ip level.

    It's possible, yes. Lots of bad ideas are possible, but should be
    adopted only where necessary. :-)

    There are two major areas of concern. First, a good firewall is a
    self-contained unit which implements your security policy by deciding
    whether to pass or deny network traffic. If the firewall has to ask
    other machines on the network about information (such as looking up IP
    addresses in DNS to resolve hostnames, or looking up users from
    LDAP/Active Directory/whatever) in order to make decisions, it slows
    down and is vulnerable to the remote machines being down or providing
    wrong answers. This weakens your security.

    The second concern is a matter of policy: why do you want your firewall
    to treat users differently? If it's a bad idea for person A to do some
    type of network connection, why should it be OK for person B to do so?
    If you restrict things so that only the services which you trust all
    users to do are permitted, your security is likely to be much improved
    compared to a policy based on an ever-growing pile of per-user rules
    and exceptions.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
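As an added illustration of the two concerns raised in the reply above (this is example code written for this page, not anything from Chuck Swiger's post or the firewall-wizards list), the toy policy engine below contrasts a self-contained, address-based ruleset with one that must ask a directory "which user is at this address?" before it can decide. All hosts, users, ports and the three directory behaviours are constructed for the example; the point is that the user-aware path has to fail closed when the directory is unreachable, and that a directory giving a wrong answer silently widens what the firewall permits.

```python
"""Constructed example: address-based vs user-based firewall decisions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    """The only facts a self-contained firewall needs: source and service."""
    src: str
    dst_port: int


# --- Self-contained policy -------------------------------------------------
# Only the services every user is trusted to use are permitted; nothing else.
# Constructed client network and ports.
NETWORK_RULES = [
    (ip_network("10.0.0.0/24"), 443, "allow"),  # HTTPS for all clients
    (ip_network("10.0.0.0/24"), 53, "allow"),   # DNS for all clients
]


def decide_network(flow: Flow) -> str:
    """Decide from the packet and the local table alone; default deny."""
    src = ip_address(flow.src)
    for net, port, action in NETWORK_RULES:
        if src in net and flow.dst_port == port:
            return action
    return "deny"


# --- User-level policy -----------------------------------------------------
# The decision now depends on a remote answer that may be missing or wrong.
DirectoryLookup = Callable[[str], Optional[str]]

# Constructed per-user rule pile; alice has the kind of exception the reply warns about.
USER_RULES = {
    "alice": {443, 53, 22},  # exception: alice may also use SSH
    "bob": {443, 53},
}


class DirectoryUnavailable(Exception):
    """Raised when the directory cannot be reached in time."""


def decide_user(flow: Flow, lookup: DirectoryLookup) -> str:
    """Map the source address to a user via the directory, then apply per-user rules.

    Fails closed: if the directory is down or knows no user at this address,
    the flow is denied even for services that everyone is otherwise allowed.
    """
    try:
        user = lookup(flow.src)
    except DirectoryUnavailable:
        return "deny"
    if user is None:
        return "deny"
    return "allow" if flow.dst_port in USER_RULES.get(user, set()) else "deny"


# Constructed directory behaviours used to exercise the user-level path.
def healthy_directory(src: str) -> Optional[str]:
    return {"10.0.0.5": "alice", "10.0.0.6": "bob"}.get(src)


def down_directory(src: str) -> Optional[str]:
    raise DirectoryUnavailable("directory unreachable")


def misanswering_directory(src: str) -> Optional[str]:
    # A misconfigured directory that reports the wrong user for every address.
    return "alice"


if __name__ == "__main__":
    ssh_from_bob = Flow("10.0.0.6", 22)
    https_from_alice = Flow("10.0.0.5", 443)
    print("network policy, HTTPS:", decide_network(https_from_alice))
    print("user policy, directory down, HTTPS:", decide_user(https_from_alice, down_directory))
    print("user policy, correct directory, bob->SSH:", decide_user(ssh_from_bob, healthy_directory))
    print("user policy, wrong directory, bob->SSH:", decide_user(ssh_from_bob, misanswering_directory))
```

Running the block shows the two failure modes side by side: with the directory down, even a universally permitted HTTPS flow is denied (availability cost of the dependency), and with the directory answering wrongly, a flow the per-user rules were meant to block is allowed (integrity cost). The address-based path has neither problem because it consults nothing but its own table.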
    
