Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: "Brian Steele" <steele_b () spiceisle com>
Date: Mon, 29 Jun 1998 11:54:08 -0400

I don't know who you are quoting (I forget the orig poster, sorry), but my
problem with dynamic DHCP is less with the dynamic-ness than the short
leases. The issue is that if the leases are short (e.g. less than a few
weeks even), it is virtually impossible to track down a misbehaving system
because it is difficult to map between MAC and IP addresses. This problem
can be alleviated with long leases: I suggest a year or so.


Interesting idea.  My lease time is short.  VERY short.  But I haven't come
across a problem yet mapping between IP and MAC addresses.  See below...


True, WINS and DNS interact fairly well now. That is not as much of an issue
as being able to verify the proper MAC address for a particular IP address
when troubleshooting.  You could probably make up some scheme with a
database package and all that, but it might be spoofable.


We've got an asset database here that contains information about each PC,
including the MAC address for the NIC employed therein.  To determine which
MAC address belongs to which IP address, I could do a reverse-lookup on the
IP address to get the name assigned to that PC, then look up the information
in the database.


How about placing a proxying
firewall or NAT device between you and the other business unit when you do
that.  That will allow you to use private addresses internally which you
can go to now.  A class A (network 10.0.0.0) is really nice to use...


We are presently using private addresses internally.  So are some of the
other business units.  Problem is that there's a few places where the
address allocation overlaps.  We could perhaps use NAT between the business
units, but there's a performance hit using NAT, as well as configuration
issues (for example Netmeeting support).  I'd probably go for the
re-addressing route, and dynamic DHCP allows me to change all the PCs over
quite quickly, if ever it becomes necessary, with little cost to us.


Brian Steele
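
An added example, not part of the original post: the lookup described above (IP address to PC name to asset-database MAC), combined with the lease-time concern by asking which lease held the address at the time of interest. The lease records, the asset table and the function names are constructed for illustration, and the hostname stored with each lease stands in for the reverse DNS lookup.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed DHCP lease history: (grant time, lease seconds, IP, MAC seen, hostname).
LEASES = [
    ("1998-06-29 08:00:00", 3600, "10.1.2.30", "00:a0:c9:11:22:33", "pc-acct-07"),
    ("1998-06-29 09:05:00", 3600, "10.1.2.30", "00:60:08:aa:bb:cc", "pc-eng-12"),
    ("1998-06-29 09:10:00", 3600, "10.1.2.31", "00:a0:c9:11:22:33", "pc-acct-07"),
]

# Constructed asset database: hostname -> MAC recorded for that PC's NIC.
ASSETS = {
    "pc-acct-07": "00:a0:c9:11:22:33",
    "pc-eng-12": "00:60:08:de:ad:01",
}


def holder_at(ip, when, leases=LEASES):
    """Return (mac, hostname) for the lease covering `ip` at `when`, else None."""
    t = datetime.strptime(when, FMT)
    best = None
    for start, secs, lease_ip, mac, host in leases:
        begin = datetime.strptime(start, FMT)
        if lease_ip != ip or not (begin <= t < begin + timedelta(seconds=secs)):
            continue
        # With short leases an address changes hands often; keep the newest grant.
        if best is None or begin > best[0]:
            best = (begin, mac, host)
    return None if best is None else (best[1], best[2])


def check(ip, when, leases=LEASES, assets=ASSETS):
    """Compare the MAC seen on the lease with the asset record for that name."""
    held = holder_at(ip, when, leases)
    if held is None:
        return "no-lease"        # nobody held the address at that time
    mac, host = held
    expected = assets.get(host)
    if expected is None:
        return "unknown-host"    # name is not in the asset database
    # A mismatch means the name and the hardware disagree: a swapped NIC,
    # a stale record, or a client claiming someone else's name.
    return "match" if expected.lower() == mac.lower() else "mismatch"


if __name__ == "__main__":
    for ts in ("1998-06-29 08:30:00", "1998-06-29 09:02:00", "1998-06-29 09:30:00"):
        print(ts, holder_at("10.1.2.30", ts), check("10.1.2.30", ts))
```

The same IP address resolves to different machines depending on the timestamp, which is why lease history has to be kept for the name-based lookup to work after the fact.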


