Re: [fw-wiz] Firewalling at the domain users level instead of network level
- To: email@example.com
- Subject: Re: [fw-wiz] Firewalling at the domain users level instead of network level
- From: Santos <firstname.lastname@example.org>
- Date: Wed, 21 Jul 2004 04:37:07 +0100
- Message-id: <40FDE4E3.email@example.com>
- In-reply-to: <A0F682D2-D9AF-11D8-8C40-003065ABFD92@codefab.com>
- References: <40FA1B9E.firstname.lastname@example.org> <A0F682D2-D9AF-11D8-8C40-003065ABFD92@codefab.com>
Chuck Swiger wrote:
On Jul 18, 2004, at 2:41 AM, Santos wrote:
I'm implementing a "Windows clients, Linux servers" kind of network.
Some users may login at different machines, therefore, ip level is
not enough. I wonder if it's possible to control the access at the
"domain users" level instead of network or ip level.
It's possible, yes. Lots of bad ideas are possible, but should be
adopted only where necessary. :-)
There are two major areas of concern. First, a good firewall is a
self-contained unit which implements your security policy by deciding
whether to pass or deny network traffic. If the firewall has to ask
other machines on the network about information (such as looking up IP
addresses in DNS to resolve hostnames, or looking up users from
LDAP/Active Directory/whatever) in order to make decisions, it slows
down and is vulnerable to the remote machines being down or providing
wrong answers. This weakens your security.
Yeah, i decided to go with samba/ntlm authentication, let's see how it
will work out, but something tells that i should pick LDAP in the future...
The second concern is a matter of policy: why do you want your
firewall to treat users differently? If it's a bad idea for person A
to do some type of network connection, why should it be OK for person
B to do so? If you restrict things so that only the services which
you trust all users to do are permitted, your security is likely to be
much improved compared to a policy based on an ever-growing pile of
per-user rules and exceptions.
Because the people that contracted me wanted so :) Some people should
be working on other stuff instead of traveling on the web.