Re: restrict implicit binding to interfaces



David Schwartz <davids@xxxxxxxxxxxxx> wrote:
On Oct 31, 10:39?am, Rick Jones <rick.jon...@xxxxxx> wrote:
One example of where a strong end system model might be useful would
be a DMZ system. You might not want a server bound to the "internal
IP" to receive traffic routed via the external interface. So, if the
strong end system model is active, it will only accept datagrams
destined to the internal IP on the "internal" interface.

Right, but then you'd be trusting the service to bind to the right
place. If you could trust the service to manage its own security,
why wouldn't you want it bound to the external interface?

Simplicity. If I have a strong end system model all I have to do is
tell the application on which IPs it should listen and I'm done. I
don't have to teach it anything further about the topology of my
internal networks.

There are of course other ways to arrive at the same end condition -
configure the server application to only accept connections from a
configured range of internal IP addresses, or set up firewall rules to
drop datagrams arriving on the external interface with the internal IP
as the destination - of course that last one is simply using the
firewall rules to make the system behave as if it were using the
strong end system model :)

Since a firewall is both necessary and sufficient, what does the
strong end system model add?

Firewalls may be sufficient, but IMO they are only necessary because
we either don't, won't or can't trust application/OS security.

rick jones
--
The computing industry isn't as much a game of "Follow The Leader" as
it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
- Rick Jones
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
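A small added illustration of the two models discussed above (example code, not part of the thread). It simulates how a datagram is accepted under the weak versus strong end system model for a constructed DMZ host, and generates the equivalent iptables rule Rick describes for a kernel that only implements the weak model; interface names and addresses are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed DMZ host: interface -> addresses configured on it.
# Addresses are RFC 5737 / RFC 1918 placeholders, not from the thread.
HOST_ADDRS: Dict[str, List[str]] = {
    "eth0": ["203.0.113.5"],  # external interface
    "eth1": ["10.0.0.5"],     # internal interface
}


def local_addresses(host: Dict[str, List[str]]):
    """All addresses configured on any interface of the host."""
    return {ipaddress.ip_address(a) for addrs in host.values() for a in addrs}


def accepts(host: Dict[str, List[str]], ingress_if: str, dst: str, model: str) -> bool:
    """True if a datagram arriving on ingress_if for dst would be delivered
    to a socket bound to dst under the given end system model.
    weak:   any locally configured address is accepted on any interface.
    strong: dst must be configured on the interface the datagram came in on."""
    dst_ip = ipaddress.ip_address(dst)
    if model == "weak":
        return dst_ip in local_addresses(host)
    if model == "strong":
        return dst_ip in {ipaddress.ip_address(a) for a in host.get(ingress_if, [])}
    raise ValueError(f"unknown model: {model}")


def firewall_rules_for_strong(host: Dict[str, List[str]], ext_if: str) -> List[str]:
    """Emulate the strong model on a weak-model kernel with firewall rules:
    drop datagrams arriving on the external interface whose destination is
    an address that belongs to one of the other interfaces."""
    rules = []
    for ifname, addrs in host.items():
        if ifname == ext_if:
            continue
        for a in addrs:
            rules.append(f"iptables -A INPUT -i {ext_if} -d {a} -j DROP")
    return rules


if __name__ == "__main__":
    for model in ("weak", "strong"):
        print(model, "model accepts internal IP via eth0:",
              accepts(HOST_ADDRS, "eth0", "10.0.0.5", model))
    print("\n".join(firewall_rules_for_strong(HOST_ADDRS, "eth0")))
```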