I wrote:
>Is easy also to make the first line in your firewall ACL "Deny incoming
><your ip addresses>". Belt and suspenders are good 8*).
Brent responded:
>Note that this only keeps the spoofers from masquerading as a machine with
>one of your IP addresses. If you trust things at other sites, with other
>IP addresses, the rule Padgett mentions doesn't keep the spoofers from
>masquerading as those trusted things at other sites.
If you are extending "trust" in the clear over the Internet to sites out
of your control, better keep your resume updated. I have three classes
of nets/subnets - "Internal" e.g. controlled, "Untrusted" e.g. anything
directly connected to the Internet, and "Limited Exposure" such as
dedicated PNS links or encrypted Internet connections to customers/
suppliers with whom we have a formal agreement and is limited to specific
nodes/subnets.
The conditions that Brent describes as necessary for such activity, I do not
consider acceptable (not saying such do not exist, just that I am actively
trying to eliminate them - not an easy task when the mergers seem to be
hitting daily and this is at a "guns and dogs" corp., must be a nightmare
in the commercial world).
Warmly,
Padgett
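To make the two rules concrete, here is an added example (not part of Padgett's post or any product he mentions) that models a packet filter with the "Deny incoming <your ip addresses>" rule as its first line and then shows Brent's caveat: a packet forging a trusted partner's address sails past that rule, and only a per-node check tied to the dedicated or encrypted link (the "Limited Exposure" class) catches it. The address ranges, interface names and sample packets are all constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Hypothetical address plan (constructed for this example).
# "Internal": nets under our control; a packet from these arriving on the
# Internet-facing interface can only be spoofed.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# "Limited Exposure": specific partner nodes trusted only over a dedicated or
# encrypted link. Maps partner host -> the ingress interface it must use.
PARTNER_NODES = {"203.0.113.10": "vpn0"}  # hypothetical partner host and link

INTERNET_IFACE = "internet0"  # the "Untrusted" class: directly on the Internet


def first_line_deny(pkt):
    """The rule from the post: drop anything entering from the Internet that
    claims one of our own addresses as its source."""
    src = ip_address(pkt["src"])
    return pkt["iface"] == INTERNET_IFACE and any(src in n for n in INTERNAL_NETS)


def partner_spoof(pkt):
    """Brent's caveat made into a check: a partner address is only believable
    when it arrives on the link that partner is contracted to use."""
    expected_iface = PARTNER_NODES.get(pkt["src"])
    return expected_iface is not None and pkt["iface"] != expected_iface


def first_rule_only(pkt):
    """Filter with nothing but the first-line deny rule."""
    return "DENY" if first_line_deny(pkt) else "PASS"


def classify(pkt):
    """Filter with the first-line rule plus the per-node partner check."""
    if first_line_deny(pkt):
        return "DENY: internal source address on Internet interface"
    if partner_spoof(pkt):
        return "DENY: partner address arrived outside its dedicated link"
    return "PASS"


# Constructed sample traffic, one packet per case the thread discusses.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3", "iface": "internet0"},       # spoofed internal host
    {"src": "203.0.113.10", "iface": "internet0"},   # spoofed partner, in the clear
    {"src": "203.0.113.10", "iface": "vpn0"},        # genuine partner on its link
    {"src": "198.51.100.7", "iface": "internet0"},   # ordinary untrusted host
]


def run_first_rule_only():
    return [first_rule_only(p) for p in SAMPLE_PACKETS]


def run_full():
    return [classify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE_PACKETS, run_first_rule_only(), run_full()):
        print(f"{p['src']:>14} via {p['iface']:<9} first rule: {a:<5} full: {b}")
```

The second packet is the point of Brent's reply: with only the first-line rule it passes, because the rule knows nothing about addresses that are not ours. Binding each partner node to its link is what turns "trust in the clear over the Internet" into the limited, enforceable kind the post describes.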