
Re: Is password good enough?



On Wed, 10 Apr 1996 09:17:14 -0700 (PDT)  bmanning@ISI.EDU wrote:
 
>> Mariam Jazayeri asks:
>> 
>> >I would like to know if this group feels password is sufficient for
>> >protecting sensitive information on Web inside the firewalls. 
>> >I know most document servers provide password protection, but I'm not sure 
>>
>> You might consider additionally requiring connections to be from a specific
>> IP address. This will give you an additional layer of verification before
>> admitting a user.

>	This approach is flawed, as the general direction of networking is to
>	remove static IP address assignment in favor of dynamic IP allocation.

I'd have to still argue the worth of IP filtering. Suppose you have a client who needs access from a class C network. They come in via a SLIP account which assigns them a dynamic IP for the length of their session. I can define a filter (NCSA style) like:

<LIMIT GET>
order deny,allow
deny from all
allow from .random.isp.com
</LIMIT>

While of limited use against customers of the ISP, you still add an extra layer of defense between yourself and a vast majority of the net (approximately 99.99% even for a customer based on a class B network). As an additional security layer (not as a stand alone, since IP spoofing is fairly easy) I don't see why you'd term it flawed.

Sincerely,

Mark Davis
-------------------------------------
E-mail: markd@medusa.ed.atl.sita.int
SITA Global Telecommunications
SITAWeb Project
Systems Administrator/Security Coordinator
"Just another Perl hacker"
-------------------------------------
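
The following is an added example, not part of the original message: a small Python model of how a filter like the `<LIMIT GET>` block above is evaluated. The DNS tables are constructed sample data, the function names are hypothetical, and the forward-confirmation step is an assumption of this example (a domain rule depends on the reverse DNS name, which is set by whoever controls the address block).

```python
# Constructed DNS data so the example runs offline (documentation addresses).
PTR = {"192.0.2.17": "slip17.random.isp.com",
       "198.51.100.9": "dialup9.random.isp.com",  # PTR chosen by the address owner
       "203.0.113.5": "host5.elsewhere.example"}
A = {"slip17.random.isp.com": {"192.0.2.17"},
     "dialup9.random.isp.com": set(),             # forward lookup does not agree
     "host5.elsewhere.example": {"203.0.113.5"}}

CONFIG = """<LIMIT GET>
order deny,allow
deny from all
allow from .random.isp.com
</LIMIT>"""

def parse_limit(text):
    """Return (order, rules) from the directives inside a <LIMIT> block."""
    order, rules = ["deny", "allow"], []
    for line in text.splitlines():
        words = line.lower().split()
        if not words or words[0].startswith("<"):
            continue
        if words[0] == "order":
            order = words[1].split(",")
        elif words[0] in ("allow", "deny") and words[1] == "from":
            rules += [(words[0], spec) for spec in words[2:]]
    return order, rules

def client_host(ip, confirm=True):
    """Reverse-resolve ip; with confirm, require the name to map back to ip."""
    host = PTR.get(ip)
    if host and confirm and ip not in A.get(host, set()):
        return None
    return host

def matches(spec, host):
    """'all' matches everyone; a domain spec matches on a label boundary."""
    if spec == "all":
        return True
    suffix = spec if spec.startswith(".") else "." + spec
    return host is not None and ("." + host.lower()).endswith(suffix)

def allowed(ip, config=CONFIG, confirm=True):
    order, rules = parse_limit(config)
    host = client_host(ip, confirm)
    verdict = order[1] == "allow"   # the last-named phase is the default
    for phase in order:             # the later phase overrides the earlier
        for kind, spec in rules:
            if kind == phase and matches(spec, host):
                verdict = kind == "allow"
    return verdict
```

With `confirm=False` the address whose reverse name is not backed by a forward record is admitted; with the default it is refused, which is the check worth confirming on any server that accepts domain names in `allow from`.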