whwb@cgch.UUCP (Hans W. Barz) (10/27/87)
I am currently planning a bigger productive TCP/IP network. I am searching for a possibility inside TCP/IP to restrict the access to a part of a network. This means that I want to allow only certain IP addresses to get access to a machine or pass through a gateway. This is necessary, since some services at the port level are open, i.e. an intelligent programmer can connect to these ports and find out how he has to behave to get something out of the services behind that port. For Telnet and FTP this is obviously solved, since you have to enter a user plus a password. But we are thinking of program-to-program communication between ports, and the user should not always type user/password combinations. What we could do is check the incoming IP address in every server program behind a port. But is there no more general, more elegant approach incorporated in TCP/IP?

H.W.Barz
ST WRZ R-1032-5.58
CIBA-GEIGY
CH-4002 Basel
Tel. *41-61-374520
Electronic-Mail: cernvax!cgcha!whwb
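The per-server check described in this post, as an added Python example (not code from the thread or any of its posters); the allow-list ranges are constructed. It filters only on the source address the kernel reports for the connection, so it is a coarse filter and not authentication of the peer.

```python
import ipaddress
import socket

# Constructed allow-list: the networks permitted to reach this service.
ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),     # documentation range, RFC 5737
    ipaddress.ip_network("198.51.100.7/32"),  # one specific host
]


def is_allowed(peer_ip, allowlist=ALLOWLIST):
    """Return True if peer_ip falls inside any network on the allow-list.

    The address is whatever the IP header carried; nothing here verifies
    that the packet really came from that host.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed address string: refuse
    # A mismatched version (IPv6 address vs IPv4 network) simply fails the test.
    return any(addr in net for net in allowlist)


def serve(port, handler, allowlist=ALLOWLIST):
    """Accept TCP connections and hand only allowed peers to handler(conn)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, (peer_ip, peer_port) = srv.accept()
            with conn:
                if not is_allowed(peer_ip, allowlist):
                    # Log and drop: the peer gets no banner or protocol reply.
                    print(f"refused connection from {peer_ip}:{peer_port}")
                    continue
                handler(conn)
```

Call `serve(port, handler)` from a server program; `handler` receives the connected socket only for peers that pass `is_allowed`.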
estrin@OBERON.USC.EDU (Deborah L. Estrin) (10/31/87)
If you have a serious interest in security then simply checking the IP addresses is not adequate because it is very easy to spoof IP addresses. In addition, you might find it cumbersome to have a static list of individual IP addresses if the network is large and decentralized. I don't know of any other existing mechanisms in TCP/IP, but we are experimenting with something called Visa. If you are interested I can send you a paper describing the scheme. Its intent is to solve the exact problem that you describe, and I would be very interested in finding out if you think it would actually do so! In addition, please let us know if you discover other options as a result of your query.

Deborah Estrin
Computer Science Dept
University of Southern California
AI.CLIVE@MCC.COM (Clive Dawson) (11/03/87)
> If you have a serious interest in security then simply checking the IP addresses is not adequate because it is very easy to spoof IP addresses.

Is it really THAT easy to spoof IP addresses? I agree that it's easy for me to put a bogus IP address on an outbound packet. But how do I get the remote host to send packets back to me instead of to the host I'm spoofing? Perhaps an improvement to the described security mechanism would be to match the various addresses appearing in the packet (IP header, TCP or UDP header, etc.) to see if there are disagreements.

Clive
martillo@ATHENA.MIT.EDU (11/03/87)
I am interested in learning about Visa.
ron@TOPAZ.RUTGERS.EDU (Ron Natalie) (11/08/87)
CISCO and other IP gateways have access control lists that allow you to restrict which packets can go to which hosts passing through a gateway. We use this primarily to keep students on our public terminal servers off the ARPANET.