[1821] in WWW Security List Archive
Re: Restrictions group without ask for the password
daemon@ATHENA.MIT.EDU (John Franks)
Sat Apr 13 11:55:12 1996
Date: Sat, 13 Apr 1996 08:29:58 -0500 (CDT)
From: John Franks <john@math.nwu.edu>
To: Adam Shostack <adam@lighthouse.homeport.org>
cc: jwalters@conicyt.cl, www-security@ns2.rutgers.edu
In-Reply-To: <199604121746.MAA07775@homeport.org>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 12 Apr 1996, Adam Shostack wrote:
> Jorge Walters wrote:
>=20
> | Hi, is it posible to have some pages with restriction to some netmask ?
> |=20
> | I know that is posible but I want don=B4t ask the user for password if =
it=20
> | has the correct netmask.
>=20
> =09I wouldn't bother. If you're going to be using IP to handle
> your authentication, your authentication will be so weak as to be
> worthless. The effort to set it up will be more than whats needed to
> break it.
>=20
Most HTTP servers have the capability to restrict access by IP address.
Some have the capability to ask for a password but exempt certain IP
addresses from needing a password.
Usually this is trivial to set up -- check your server documentation.
You can also use TCP-wrappers as suggested by someone else. =20
The level of security security of such a system can be good or not so
good. A common situation is the desire to limit access to certain document=
s
to a local subnet. If this subnet is linked via a router to the rest of
the world, it is likely possible to configure that router not to permit
any packets from outside your subnet to pass inside if those packets claim
to be coming from inside. This is pretty good protection against=20
IP spoofing.
John Franks =09Dept of Math. Northwestern University
=09=09john@math.nwu.edu
