Date: Sat, 29 Jun 2002 14:48:40 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Joao Carlos <jcrr@ieee.org>
Cc: Luigi Rizzo <rizzo@icir.org>, Nielsen <nielsen@memberwebs.com>, Ken Ebling <kebling@us-it.net>, freebsd-hackers@freebsd.org
Subject: Re: ipfw/dummynet suggestion
Message-ID: <3D1E2B38.A70658EA@mindspring.com>
References: <000801c21f1c$029cefe0$0201a8c0@Ken> <3D1D4EB3.9410011@mindspring.com> <20020629170251.65DDB43E13@mx1.FreeBSD.org> <20020629110237.A73787@iguana.icir.org> <001f01c21f99$3c363cc0$1e6eb0c8@pchome>

Joao Carlos wrote:
> > several viruses do change the MAC address. The only real
> > security is to have one user per port and filter the ports.
> > Next step (but not as safe) is to wire down the arp table and only accept
> > things that are in there (will be easy to implement in the
> > new ipfw)
>
> I think it would be easier to deny all mac address in the ipfw rules except
> by those that you know, right?

Particularly, you should limit access to the antivirus server this way, so that if anyone does get a virus that does this, they are screwed for all time. NOT.

Seriously, I'm wondering what "security restrictions" are so onerous that users are willing to change their IP addresses to get around them, and why they are there in the first place?

I'm also wishing I had your posting in time to wave in the face of someone who once forced the implementation of a stupid access control model that required network identification of particular users, on the theory that users wouldn't do exactly what your users appear to be doing.

Finally, I'll suggest that if you truly want to implement this thing, that the "correct" way to do it is probably to use the per machine NT Domain Controller information via hacking up the code from the SAMBA project, so that you can *ask* the NT domain controller for the credentials associated with an IP address, since this access control model is why NT Domains were designed.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message