Re: [fw-wiz] Firewalling at the domain users level instead of network level

[Santos <casd@netvisao.pt>]

Chuck Swiger wrote:

> On Jul 18, 2004, at 2:41 AM, Santos wrote:
>
> > I'm implementing a "Windows clients, Linux servers" kind of network. 
> > Some users may login at different machines, therefore, ip level is 
> > not enough. I wonder if it's possible to control the access at the 
> > "domain users" level instead of network or ip level.
>
>
> It's possible, yes.  Lots of bad ideas are possible, but should be 
> adopted only where necessary.  :-)
>
> There are two major areas of concern.  First, a good firewall is a 
> self-contained unit which implements your security policy by deciding 
> whether to pass or deny network traffic.  If the firewall has to ask 
> other machines on the network about information (such as looking up IP 
> addresses in DNS to resolve hostnames, or looking up users from 
> LDAP/Active Directory/whatever) in order to make decisions, it slows 
> down and is vulnerable to the remote machines being down or providing 
> wrong answers.  This weakens your security.

Yeah, i decided to go with samba/ntlm authentication, let's see how it
will work out, but something tells that i should pick LDAP in the future...

> The second concern is a matter of policy: why do you want your 
> firewall to treat users differently?  If it's a bad idea for person A 
> to do some type of network connection, why should it be OK for person 
> B to do so?  If you restrict things so that only the services which 
> you trust all users to do are permitted, your security is likely to be 
> much improved compared to a policy based on an ever-growing pile of 
> per-user rules and exceptions.
Because the people that contracted me wanted so :)  Some people should
be working on other stuff instead of traveling on the web.


Santos