Proxy 2.0 secure?

John McDermott jjm@jkintl.com
Mon, 29 Jun 98 08:29:05


Brain,

I don't know who you are quoting (I forget the orig poster, sorry), but my 
problem with dynamic DHCP is less with the dynamic-ness than the short 
leases. The issue is that if the leases are short (e.g. less than a few 
weeks even), it is virtually impossible to track down a misbehaving system 
because it is difficult to map between MAC and IP addresses. This problem 
can be alleviated with long leases: I suggest a year or so.

--- On Sat, 27 Jun 1998 11:00:03 -0400  Brian Steele 
<steele_b@spiceisle.com> wrote:

>>Dynamic DHCP is _BAD_. I see no reason for anyone to use it.
>
>
>And why is it bad?  Almost everyone I've spoken with suggest dynamic IP
>allocation for the PCs on our LAN, and the use of WINS/DNS for name
>resolving (MS's implementation of DNS uses WINS to determine the names
>associated with each PC, so there's really no need for static addressing).

True WINS and DNS interact farily well now. That is not as much of an issue 
as being able to verify the proper MAC address for a paritcular IP address 
when troubleshooting.  You could probably make up some scheme with a 
database package and all that, but it might be spoofable.

>
>
>>Use static DHCP and enforce it with switching hubs and tools like 
arpwatch.
>>That will provide much more control and monitoring features.

This is a really good idea especially if you have folks coming and going 
who are not regular employees at a particular site.  It is easy for such 
folks to mistakenly use an incorrect IP address, for instance.

>
>
>A static addressing scheme will be a nightmare on our LAN, particularly as
>we're facing a potential IP renumbering exercise when our LAN is connected
>via TCP/IP to the other business units.
>

This is indeed a problem at many sites.  How about placing a proxying 
firewall or NAT device between you and the other business unit when you do 
that.  That will allow you to use private addresses internally which you 
can go to now.  A class A (network 10.0.0.0) is really nice to use...

>
>>> Will I be able to move to another PC and continue to enjoy my
>>> privileged access to the Internet without any reconfiguration on the 
part
>of
>>> the PC or the server, while another user is only allowed HTTP access to
>>> certain sites from my PC, based on his authentication level under NT,
>again
>>> all transparently?
>>
>>Are you _sure_ you _need_ that?
>>Are you sure it is a good idea from the security viewpoint?
>>I'd better not to allow such things.
>
>
>I'm firmly on the side of the one username/ one password security scheme 
for
>an internal LAN - otherwise moronic users (and the level of "moronity" 
seems
>to rise the further you go up in management, which tend to have access to
>more confidential information than the rank and file) who are assigned
>multiple usernames/passwords would tend to write them down or otherwise 
take
>note of them to remember them - BIG security risk.

This can cause a problem with either scheme.  I agree a single password is 
best, and I have clearly *no idea* how you have configured your Internet 
access, but I do believe that with static addresses you can still achieve 
single password authentication one way or another.  [That kinda depends on 
your firewall structure:  I'm assuming for instance that you restrict who 
can do what on the Internet in some way and that is the big issue here.]

>
>Brian Steele
>

--john

>
>

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm@jkintl.com>
Writer and Computer Consultant
-------------------------------------