Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: John McDermott <jjm () jkintl com>
Date: Mon, 29 Jun 98 10:19:34

Brian,

--- On Mon, 29 Jun 1998 11:54:08 -0400  Brian Steele 
<steele_b () spiceisle com> wrote:

<snip>

Interesting idea.  My lease time is short.  VERY short.  But I haven't come across a problem yet mapping between IP and MAC addresses.  See below...

<snip>


We've got an asset database here that contains information about each PC, including the MAC address for the NIC employed therein.  To determine which MAC address belongs to which IP address, I could do a reverse-lookup on the IP address to get the name assigned to that PC, then look up the information in the database.


Here's the rub.  Let's say we discover a problem with 10.1.1.1 an hour ago 
(two assumptions 1) you do logging, 2) your leases are less than 1 hour 
long), we go to the asset database, but it was generated for the current 
lessor of the address, not the one an hour ago.  The consequence is that we 
look in the wrong place for the trouble.

By the way, if the lease time is short, and the database gets the 
information, just out of curiosity, what tool are you using to extract that 
information?  Do you pull it directly from your DHCP server (I gather it's 
MS), or do you snapshot the net at regular intervals?


How about placing a proxying firewall or NAT device between you and the other business unit when you do that.  That will allow you to use private addresses internally which you can go to now.  A class A (network 10.0.0.0) is really nice to use...


We are presently using private addresses internally.  So are some of the other business units.  Problem is that there's a few places where the address allocation overlaps.  We could perhaps use NAT between the business units, but there's a performance hit using NAT, as well as configuration issues (for example Netmeeting support).  I'd probably go for the re-addressing route, and dynamic DHCP allows me to change all the PCs over quite quickly, if ever it becomes necessary, with little cost to us.

I don't know about your level of trust with the other business units, but 
I'd sure like to have an internal firewall between me and any other 
business unit, personally.  Such a firewall need not be slow, and that 
performance hit need not be much of a hit unless we're talking many tens of 
megabits of transfer between the units.

This is why IPv6 is so nice...

I thought the result of the discussion on this list was that there was a 
way to get Netmeeting through a firewall, albeit with less security than 
other protocols.  Some security is better than none, IMHO.



Brian Steele


--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
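The "rub" John raises above (looking up the current holder of 10.1.1.1 rather than the holder at the time of the incident) comes down to keeping a time-stamped lease history and querying it by (address, time) instead of by address alone. The following is an added example, not code from either poster; the lease rows, MAC addresses and PC names are constructed, and a real deployment would feed `parse_leases` from the DHCP server's audit log or periodic dumps of its lease table.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime  # expiry; a renewal by the same client appears as a new row


# Constructed sample lease history (hypothetical values, not from any real server).
# Short leases mean one address passes through several clients within an hour.
LEASE_ROWS = [
    ("10.1.1.1", "00:a0:c9:11:22:33", "1998-06-29 09:00", "1998-06-29 09:30"),
    ("10.1.1.1", "00:a0:c9:44:55:66", "1998-06-29 09:30", "1998-06-29 10:00"),
    ("10.1.1.1", "00:a0:c9:77:88:99", "1998-06-29 10:00", "1998-06-29 10:30"),
    ("10.1.1.2", "00:a0:c9:aa:bb:cc", "1998-06-29 09:00", "1998-06-29 10:30"),
]

# Constructed asset database: MAC of the PC's NIC -> PC name (hypothetical names).
ASSET_DB = {
    "00:a0:c9:11:22:33": "pc-accounting-07",
    "00:a0:c9:44:55:66": "pc-sales-12",
    "00:a0:c9:77:88:99": "pc-engineering-03",
    "00:a0:c9:aa:bb:cc": "pc-reception-01",
}


def parse_leases(rows) -> List[Lease]:
    """Normalise raw (ip, mac, start, end) rows into Lease records."""
    return [Lease(ip, mac.lower(), datetime.fromisoformat(s), datetime.fromisoformat(e))
            for ip, mac, s, e in rows]


def mac_at(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """MAC that held `ip` at `when` (start <= when < end); None if the log has a gap there."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.mac
    return None


def current_mac(leases: List[Lease], ip: str) -> Optional[str]:
    """The naive lookup: whoever holds the address in the most recent lease row."""
    matches = [lease for lease in leases if lease.ip == ip]
    return max(matches, key=lambda lease: lease.start).mac if matches else None


def attribute(leases: List[Lease], assets: dict, ip: str, when: datetime) -> Optional[Tuple[str, str]]:
    """Resolve an (ip, time) pair to (mac, asset name); None when no lease covers that instant."""
    mac = mac_at(leases, ip, when)
    return None if mac is None else (mac, assets.get(mac, "<not in asset DB>"))
```

Querying the history for the event time returns the PC that actually held the address, while `current_mac` returns the present lessee, which is the wrong machine once the lease has turned over.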


