
Re: Restrictions group without ask for the password



On Fri, 12 Apr 1996, Adam Shostack wrote:

> Jorge Walters wrote:
> 
> | Hi, is it possible to have some pages with restriction to some netmask ?
> | 
> | I know that is possible but I want don't ask the user for password if it 
> | has the correct netmask.
> 
> 	I wouldn't bother.  If you're going to be using IP to handle
> your authentication, your authentication will be so weak as to be
> worthless.  The effort to set it up will be more than what's needed to
> break it.
> 

Most HTTP servers have the capability to restrict access by IP address.
Some have the capability to ask for a password but exempt certain IP
addresses from needing a password.

Usually this is trivial to set up -- check your server documentation.
You can also use TCP-wrappers as suggested by someone else.  

The level of security of such a system can be good or not so
good.  A common situation is the desire to limit access to certain documents
to a local subnet. If this subnet is linked via a router to the rest of
the world, it is likely possible to configure that router not to permit
any packets from outside your subnet to pass inside if those packets claim
to be coming from inside.  This is pretty good protection against 
IP spoofing.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
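
Added example (not part of the original message): a small Python model of the two checks described above, the router rule that rejects outside packets claiming an inside source address and the server rule that exempts the local subnet from the password prompt. The subnet 192.0.2.0/24, the interface names and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value: the "local subnet" that is exempt from passwords.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")

def router_permits(ingress_if, src):
    """Border-router rule: a packet arriving on the outside interface
    must not claim a source address that belongs to the inside subnet."""
    if ingress_if == "outside" and ipaddress.ip_address(src) in INSIDE_NET:
        return False
    return True

def server_decision(src, has_valid_password):
    """Server rule: no password prompt for the local subnet,
    password required from every other address."""
    if ipaddress.ip_address(src) in INSIDE_NET:
        return "allow-no-password"
    return "allow-with-password" if has_valid_password else "deny-401"

def end_to_end(ingress_if, src, has_valid_password=False, router_filter=True):
    """Apply the router rule (if enabled), then the server rule."""
    if router_filter and not router_permits(ingress_if, src):
        return "dropped-at-router"
    return server_decision(src, has_valid_password)

# Constructed sample traffic: (ingress interface, claimed source, password ok?)
SAMPLE_PACKETS = [
    ("inside",  "192.0.2.10",  False),  # genuine local client
    ("outside", "203.0.113.7", False),  # remote client, no password
    ("outside", "203.0.113.7", True),   # remote client, valid password
    ("outside", "192.0.2.10",  False),  # outside packet claiming an inside source
]

if __name__ == "__main__":
    for filt in (True, False):
        print("router filter", "on" if filt else "off")
        for iface, src, pw in SAMPLE_PACKETS:
            result = end_to_end(iface, src, pw, router_filter=filt)
            print(f"  {iface:8} {src:13} password={pw!s:5} -> {result}")
```

With the router rule off, the last sample packet reaches the server and is served without a password; with it on, the packet never arrives, which is the protection the message describes.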


