Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: John McDermott <jjm () jkintl com>
Date: Mon, 29 Jun 98 10:19:34
Brian,
--- On Mon, 29 Jun 1998 11:54:08 -0400 Brian Steele <steele_b () spiceisle com> wrote:
<snip>
Interesting idea. My lease time is short. VERY short. But I haven't come across a problem yet mapping between IP and MAC addresses. See below...
<snip>
We've got an asset database here that contains information about each PC, including the MAC address for the NIC employed therein. To determine which MAC address belongs to which IP address, I could do a reverse-lookup on the IP address to get the name assigned to that PC, then look up the information in the database.
Here's the rub. Let's say we discover a problem with 10.1.1.1 an hour ago (two assumptions 1) you do logging, 2) your leases are less than 1 hour long), we go to the asset database, but it was generated for the current lessor of the address, not the one an hour ago. The consequence is that we look in the wrong place for the trouble. By the way, if the lease time is short, and the database gets the information, just out of curiosity, what tool are you using to extract that information? Do you pull it directly from your DHCP server (I gather it's MS), or do you snapshot the net at regular intervals?
How about placing a proxying firewall or NAT device between you and the other business unit when you do that. That will allow you to use private addresses internally which you can go to now. A class A (network 10.0.0.0) is really nice to use...
We are presently using private addresses internally. So are some of the other business units. Problem is that there's a few places where the address allocation overlaps. We could perhaps use NAT between the business units, but there's a performance hit using NAT, as well as configuration issues (for example Netmeeting support). I'd probably go for the re-addressing route, and dynamic DHCP allows me to change all the PCs over quite quickly, if ever it becomes necessary, with little cost to us.
I don't know about your level of trust with the other business units, but I'd sure like to have an internal firewall between me and any other business unit, personally. Such a firewall need not be slow, and that performance hit need not be much of a hit unless we're talking many tens of megabits of transfer between the units. This is why IPv6 is so nice... I thought the result of the discussion on this list was that there was a way to get Netmeeting through a firewall, albeit with less security than other protocols. Some security is better than none, IMHO.
Brian Steele
--john
-----------------End of Original Message-----------------
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
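The point-in-time problem raised in this message (a current snapshot names the present holder of 10.1.1.1, not the holder an hour ago), shown as an added example that is not part of the original message: resolving an IP to a MAC at the incident time from a retained DHCP lease history. The log format, MAC addresses and function names are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed lease history: (grant time, IP, MAC, lease length in seconds).
# In practice this would be appended from the DHCP server's own log.
LEASE_LOG = [
    ("1998-06-29 08:00:00", "10.1.1.1", "00:a0:c9:11:22:33", 1800),
    ("1998-06-29 08:30:00", "10.1.1.1", "00:a0:c9:11:22:33", 1800),  # renewal
    ("1998-06-29 09:10:00", "10.1.1.1", "00:60:08:aa:bb:cc", 1800),  # new holder
    ("1998-06-29 09:05:00", "10.1.1.2", "00:a0:c9:11:22:33", 1800),
]

def build_index(log):
    """Group grants per IP as (start, end, mac), sorted by start time."""
    index = {}
    for ts, ip, mac, secs in log:
        start = datetime.strptime(ts, FMT)
        index.setdefault(ip, []).append((start, start + timedelta(seconds=secs), mac))
    for grants in index.values():
        grants.sort()
    return index

def holder_at(index, ip, when):
    """MAC that held `ip` at time `when`, or None if no lease covered it."""
    grants = index.get(ip, [])
    t = datetime.strptime(when, FMT)
    # Latest grant that started at or before t; a later grant supersedes earlier ones.
    i = bisect_right([g[0] for g in grants], t) - 1
    if i < 0:
        return None
    _start, end, mac = grants[i]
    return mac if t < end else None

def current_holder(index, ip):
    """What a snapshot-style asset database would report: the latest grant."""
    grants = index.get(ip, [])
    return grants[-1][2] if grants else None

if __name__ == "__main__":
    idx = build_index(LEASE_LOG)
    incident = "1998-06-29 08:45:00"
    print("holder at incident:", holder_at(idx, "10.1.1.1", incident))
    print("holder in snapshot:", current_holder(idx, "10.1.1.1"))
```

With leases shorter than the investigation delay, the two answers differ, so the lookup has to key on the log timestamp as well as the address.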