Re: Is password good enough?
On Wed, 10 Apr 1996 09:17:14 -0700 (PDT) bmanning@ISI.EDU wrote:
>> Mariam Jazayeri asks:
>>
>> >I would like to know if this group feels password is sufficient for
>> >protecting sensitive information on Web inside the firewalls.
>> >I know most document servers provide password protection, but I'm not sure
>> You might consider additionally requiring connections to be from a specific
>> IP address. This will give you an additional layer of verification before
>> admitting a user.
> This approach is flawed, as the general direction of networking is to
> remove static IP address assignment in favor of dynamic IP allocation.
I'd have to still argue the worth of IP filtering. Suppose you have a client who needs access from a class C network. They come in via a SLIP account which assigns them a dynamic IP for the length of their session. I can define a filter (NCSA style) like:
<LIMIT GET>
order deny,allow
deny from all
allow from .random.isp.com
</LIMIT>
While of limited use against customers of the ISP, you still add an extra layer of defense between yourself and a vast majority of the net (approximately 99.99% even for a customer based on a class B network). As an additional security layer (not as a stand alone, since IP spoofing is fairly easy) I don't see why you'd term it flawed.
Sincerely,
Mark Davis
-------------------------------------
E-mail: markd@medusa.ed.atl.sita.int
SITA Global Telecommunications
SITAWeb Project
Systems Administrator/Security Coordinator
"Just another Perl hacker"
-------------------------------------
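
Added example, not part of the original message: a Python model of how the `order deny,allow` block quoted above decides a request when the allow rule is a domain suffix. The DNS tables are constructed sample data, the function names are hypothetical, and the forward-confirmation step is an assumption of this sketch that the message does not describe.

```python
# Constructed sample DNS data (documentation address ranges), not real hosts.
PTR = {  # reverse DNS: IP -> claimed hostname
    "192.0.2.17": "slip17.random.isp.com",
    "198.51.100.9": "host9.other.example",
    "203.0.113.5": "dial5.random.isp.com",  # claimed in a reverse zone only
    "203.0.113.8": "notrandom.isp.com",
}
A = {  # forward DNS: hostname -> addresses
    "slip17.random.isp.com": {"192.0.2.17"},
    "host9.other.example": {"198.51.100.9"},
    "notrandom.isp.com": {"203.0.113.8"},
}

def client_name(ip, confirm_forward=True):
    """Hostname used for matching, or None if absent or unconfirmed."""
    name = PTR.get(ip)
    if name and confirm_forward and ip not in A.get(name, set()):
        return None  # PTR name does not resolve back to this IP
    return name.lower().rstrip(".") if name else None

def matches(name, pattern):
    """'all' matches every client; '.domain' matches hosts under that domain."""
    if pattern == "all":
        return True
    if name is None:
        return False
    if pattern.startswith("."):
        return name.endswith(pattern.lower())
    return name == pattern.lower()

def allowed(ip, deny, allow, confirm_forward=True):
    """order deny,allow: deny rules first, then allow rules override."""
    name = client_name(ip, confirm_forward)
    verdict = True  # default when no rule matches
    if any(matches(name, p) for p in deny):
        verdict = False
    if any(matches(name, p) for p in allow):
        verdict = True
    return verdict

DENY, ALLOW = ["all"], [".random.isp.com"]  # the rule from the message

if __name__ == "__main__":
    for ip in sorted(PTR) + ["192.0.2.200"]:
        print(ip, PTR.get(ip), allowed(ip, DENY, ALLOW),
              allowed(ip, DENY, ALLOW, confirm_forward=False))
```

With `confirm_forward=False`, 203.0.113.5 is admitted on its reverse record alone, so a hostname rule is only as trustworthy as the lookup behind it and belongs alongside password authentication, not in place of it.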