[1805] in WWW Security List Archive
Re: Is password good enough?
daemon@ATHENA.MIT.EDU (markd@ed.atl.sita.int)
Wed Apr 10 17:09:19 1996
From: markd@ed.atl.sita.int
Date: Wed, 10 Apr 96 13:41:57 PDT
To: bmanning@isi.edu
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 10 Apr 1996 09:17:14 -0700 (PDT) bmanning@ISI.EDU wrote:
>> Mariam Jazayeri asks:
>>
>> >I would like to know if this group feels password is sufficient for
>> >protecting sensitive information on Web inside the firewalls.
>> >I know most document servers provide password protection, but I'm not sure
>> You might consider additionally requiring connections to be from a specific
>> IP address. This will give you an additional layer of verification before
>> admitting a user.
> This approach is flawed, as the general direction of networking is to
> remove static IP address assignment in favor of dynamic IP allocation.
I'd have to still argue the worth of IP filtering. Suppose you have a client who needs access from a class C network. They come in via a SLIP account which assigns them a dynamic IP for the length of their session. I can define a filter (NCSA style) like:
<LIMIT GET>
order deny,allow
deny from all
allow from .random.isp.com
</LIMIT>
While of limited use against customers of the ISP, you still add an extra layer of defense between yourself and a vast majority of the net (approximately 99.99% even for a customer based on a class B network). As an additional security layer (not as a stand-alone, since IP spoofing is fairly easy) I don't see why you'd term it flawed.
Sincerely,
Mark Davis
-------------------------------------
E-mail: markd@medusa.ed.atl.sita.int
SITA Global Telecommunications
SITAWeb Project
Systems Administrator/Security Coordinator
"Just another Perl hacker"
-------------------------------------
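
The filter in the message above matches on the client's host name, so the server has to map the connecting address back to a name before the allow rule can apply. The following is an added example, not part of the original message and not NCSA httpd code: it models that evaluation in Python with constructed DNS tables. The forward-confirmation step and every host name and address other than `.random.isp.com` are assumptions made for illustration.

```python
# Added example: models the "order deny,allow" filter from the message above.
# Every address, host name and DNS table below is constructed sample data.
ALLOW_SUFFIX = ".random.isp.com"  # the page's "allow from" value

PTR = {  # reverse DNS: address -> name published by the address owner
    "192.0.2.10": "slip12.random.isp.com",
    "198.51.100.7": "slip99.random.isp.com",  # name its forward zone does not confirm
    "203.0.113.5": "notrandom.isp.com",
    "203.0.113.9": "random.isp.com.example.net",
}
A = {  # forward DNS: name -> addresses published by the domain owner
    "slip12.random.isp.com": {"192.0.2.10"},
    "slip99.random.isp.com": {"192.0.2.99"},
    "notrandom.isp.com": {"203.0.113.5"},
    "random.isp.com.example.net": {"203.0.113.9"},
}


def suffix_match(host, suffix):
    """True only if host ends with suffix on a DNS label boundary."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    if not host.endswith(suffix):
        return False
    rest = host[: len(host) - len(suffix)]
    return suffix.startswith(".") or rest == "" or rest.endswith(".")


def decide(client_ip, confirm_forward=True):
    """Evaluate: order deny,allow / deny from all / allow from ALLOW_SUFFIX."""
    allowed = False  # "deny from all" is evaluated first
    host = PTR.get(client_ip)  # no reverse name means the allow rule cannot match
    if host and suffix_match(host, ALLOW_SUFFIX):
        # Assumed hardening step: the name must resolve back to the same address.
        if not confirm_forward or client_ip in A.get(host, set()):
            allowed = True  # a matching allow overrides the earlier deny
    return allowed


if __name__ == "__main__":
    for ip in list(PTR) + ["192.0.2.200"]:
        print(ip, PTR.get(ip, "-"), "allow" if decide(ip) else "deny")
```

With `confirm_forward=False` the decision rests entirely on the reverse name, which is why a host-name rule like this works as one layer alongside password authentication rather than as a replacement for it.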