Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?
From: SysAdm (wjones@sitesmith.com)
Date: 02/19/03
- Next message: wsbg: "Disabling GUID"
- Previous message: bobb: "Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?"
- In reply to: adeveloper: "Should a firewall ONLY allow access to an IP range - as well as blocking ports?"
- Next in thread: Dimitri Maziuk: "Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "SysAdm" <wjones@sitesmith.com> Date: Wed, 19 Feb 2003 19:12:53 +0000 (UTC)
"adeveloper" <adeveloper@test.com> wrote in message
news:b30ifg$p35$1@knossos.btinternet.com...
> Just to provide some more details that don't seem to have been clear from
> the last post (see below):
> We do have a firewall but it is set up to let all IPs access the open
> ports - we can and know how to restrict this to only allowed IPs but the
> question is should we. The decision I am considering is should we restrict
> access on ports we use to administer the server to an IP range only?
If the only people who need admin access to the servers have static IPs then
yes, you could create specific rules containing just the
allowed IPs. However, that's not how most places do it -- I couldn't even
begin to imagine the administrative nightmare that would ensue...
> Some people mentioned practical considerations like access the server when
> travelling from a DHCP allocated address which is an interesting point. I
> just want to know what most people do here.
Corporate firewalls (and many others) do not just have the ability to allow
access based on IP address. Take a VPN client. The user can be anywhere in the
world; all he has to do is connect to the web. Once connected, he can then
start his VPN client software which will connect to his company's VPN
gateway - he is then prompted to *authenticate* -- the authentication
mechanism can be 1 of several, but many like one-time-password solutions
such as SecurID tokens - this is because even if the SecurID token is stolen
by someone, it is useless without the user's own private code (which isn't on
the token). Once the user has been authenticated he is free to do whatever
he is allowed to do (determined by the firewall rulebase). Nowadays, VPN
technology has moved on; VPNs can be configured to dish out an IP address to
the remote user from the internal network - thus allowing the remote client
to browse the internal network (connect to drive maps etc.) just like he
would if he were at work.
So - there are your options.
SysAdm
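The two options SysAdm describes (admin ports allowed only from static IPs, versus a VPN gateway reachable from anywhere that hands authenticated users an internal address), modelled as a first-match rulebase. This is an added illustration, not code from the thread; the networks, ports and the `vpn_login` helper are constructed placeholders.

```python
"""Model of the two admin-access policies from the thread (constructed example)."""
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22, 3389}                 # ports used to administer the server
VPN_PORT = 1194                          # assumed port the VPN gateway listens on
VPN_POOL = ip_network("10.8.0.0/24")     # addresses handed to authenticated VPN clients
OFFICE = ip_network("203.0.113.0/29")    # static IPs of the admins (TEST-NET-3, placeholder)
ANY = ip_network("0.0.0.0/0")

# Rulebase: (source network, allowed destination ports, action); first match wins,
# implicit deny at the end, as in most firewall rulebases.
# Caveat: the VPN_POOL rule is only safe if the firewall binds it to the VPN interface
# (anti-spoofing), so an external packet claiming a pool address is dropped.
RULES = [
    (OFFICE, ADMIN_PORTS, "allow"),      # option 1: admin ports from static IPs only
    (VPN_POOL, ADMIN_PORTS, "allow"),    # option 2: admin ports from VPN-assigned addresses
    (ANY, {VPN_PORT}, "allow"),          # anyone may reach the VPN gateway to authenticate
    (ANY, {80, 443}, "allow"),           # public services stay open to all
]


def evaluate(src, dport, rules=RULES):
    """Return 'allow' or 'deny' for a packet from src to dport under the rulebase."""
    src = ip_address(src)
    for net, ports, action in rules:
        if src in net and dport in ports:
            return action
    return "deny"


def vpn_login(otp_ok, pool=VPN_POOL, index=10):
    """Hypothetical gateway: a valid one-time password earns an internal pool address."""
    return str(pool[index]) if otp_ok else None


def travelling_admin(dhcp_ip, otp_ok):
    """Admin on a DHCP address: direct admin access is denied by option 1, but after
    authenticating to the VPN the assigned internal address is allowed by option 2."""
    direct = evaluate(dhcp_ip, 22)
    assigned = vpn_login(otp_ok) if evaluate(dhcp_ip, VPN_PORT) == "allow" else None
    via_vpn = evaluate(assigned, 22) if assigned else "deny"
    return direct, via_vpn
```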