Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?

From: SysAdm (wjones@sitesmith.com)
Date: 02/19/03


From: "SysAdm" <wjones@sitesmith.com>
Date: Wed, 19 Feb 2003 19:12:53 +0000 (UTC)


"adeveloper" <adeveloper@test.com> wrote in message
news:b30ifg$p35$1@knossos.btinternet.com...
> Just to provide some more details that don't seem to have been clear from
> the last post (see below):
> We do have a firewall but it is set up to let all IPs access the open
> ports - we can and know how to restrict this to only allowed IPs but the
> question is should we. The decision I am considering is should we restrict
> access on ports we use to administer the server to an IP range only?

If the only people who need admin access to the servers have static IPs then
yes, you could create specific rules containing just the
allowed IPs. However, that's not how most places do it -- I couldn't even
begin to imagine the administrative nightmare that would ensue...

> Some people mentioned practical considerations like access the server when
> travelling from a DHCP allocated address which is an interesting point. I
> just want to know what most people do here.

Corporate firewalls (and many others) do not just have the ability to allow
access based on IP address. Take a VPN client. The user can be anywhere in the
world; all he has to do is connect to the web. Once connected, he can then
start his VPN client software, which will connect to his company's VPN
gateway - he is then prompted to *authenticate* -- the authentication
mechanism can be 1 of several, but many like one-time-password solutions
such as SecurID tokens - this is because even if the SecurID token is stolen
by someone, it is useless without the user's own private code (which isn't on
the token). Once the user has been authenticated he is free to do whatever
he is allowed to do (determined by the firewall rulebase). Nowadays, VPN
technology has moved on; VPNs can be configured to dish out an IP address to
the remote user from the internal network - thus allowing the remote client
to browse the internal network (connect to drive maps etc.) just like he
would if he were at work.

So - there are your options.

SysAdm
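
As an added illustration, not part of either poster's message, the following Python snippet models the two rulebases the thread is weighing: the current one, where every open port accepts any source address, and the restricted one, where the administration ports accept only the admins' static addresses while the public services stay open to everyone. All addresses and ports in it (198.51.100.0/28, 203.0.113.7, ports 22, 3389, 80 and 443) are constructed documentation-range values, not anything from the thread. The sample connection attempts include the travelling admin on a DHCP-assigned address raised in the question; the restricted rulebase denies that attempt, which is the lock-out the reply calls an administrative nightmare and the gap that the VPN-plus-authentication option is meant to close.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values (documentation ranges), not from the thread.
ADMIN_PORTS = frozenset({22, 3389})   # remote administration (SSH, RDP)
PUBLIC_PORTS = frozenset({80, 443})   # services the whole Internet may reach
ADMIN_SOURCES = ["198.51.100.0/28", "203.0.113.7/32"]  # admins' static IPs


@dataclass(frozen=True)
class Rule:
    src: str          # source network in CIDR notation
    ports: frozenset  # destination ports the rule applies to
    action: str       # "allow" or "deny"


def evaluate(rules, src_ip, dst_port):
    """Return the action of the first rule matching (src_ip, dst_port).

    Like most firewall rulebases this is first-match with an implicit
    final deny: anything no rule allows is dropped.
    """
    ip = ip_address(src_ip)
    for rule in rules:
        if ip in ip_network(rule.src) and dst_port in rule.ports:
            return rule.action
    return "deny"


# Rulebase as described in the question: every open port reachable from anywhere.
OPEN_TO_ALL = [
    Rule("0.0.0.0/0", ADMIN_PORTS | PUBLIC_PORTS, "allow"),
]

# Restricted rulebase: admin ports only from the static admin addresses,
# public ports still open to the world. Order matters: specific before general.
RESTRICTED = [Rule(net, ADMIN_PORTS, "allow") for net in ADMIN_SOURCES] + [
    Rule("0.0.0.0/0", PUBLIC_PORTS, "allow"),
]


def locked_out(rules, admin_sources):
    """Sources that can no longer reach any admin port under `rules`."""
    return [ip for ip in admin_sources
            if all(evaluate(rules, ip, p) == "deny" for p in ADMIN_PORTS)]


# Constructed connection attempts: (description, source IP, destination port).
ATTEMPTS = [
    ("admin from the office (static)", "198.51.100.5", 22),
    ("admin travelling on a DHCP address", "192.0.2.44", 22),
    ("anyone on the Internet, web", "192.0.2.44", 443),
    ("anyone on the Internet, RDP", "192.0.2.44", 3389),
]


def compare(attempts=ATTEMPTS):
    """Map each attempt to (action under OPEN_TO_ALL, action under RESTRICTED)."""
    return {
        desc: (evaluate(OPEN_TO_ALL, ip, port), evaluate(RESTRICTED, ip, port))
        for desc, ip, port in attempts
    }


if __name__ == "__main__":
    for desc, (before, after) in compare().items():
        print(f"{desc:40s} open-to-all={before:5s} restricted={after}")
    # The travelling admin is exactly the case an IP allowlist cannot cover.
    print("locked out of admin ports:",
          locked_out(RESTRICTED, ["198.51.100.5", "192.0.2.44"]))
```

On a real firewall the restricted form is the same idea expressed as ordered allow rules for the admin sources placed ahead of the catch-all, with the default deny doing the rest; the point the evaluator makes visible is that the allowlist protects the admin ports from the whole Internet, including the admin's own laptop whenever it is on an address that is not in the list.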


