Date: Wed, 13 May 1998 10:55:26 -0700
Ken after Mike:
> > No one has mentioned this, but the way I understand it is that
> > specifying the @ will let any node on the network attempt to
> > connect to the HP3000. This can be VERY significant in terms
> > of security.
>
> Yup..... That's why we took the "@" sign out again shortly after
> putting it in. By using the right level of subnet masking we were
> able to specify the valid IP ranges for all our users without going
> to pages and pages of individual entries. It's a nice security
> "feature": If the user's IP address is not in the configured range,
> all they get in response from the 3000 is.....: silence.
The "@" sign in the router config in NMMGR and all the fancy subnet
masking there do not have any effect on who can send packets *to*
the 3000. It only controls whether the 3000 knows where to direct
*replies* to these packets. Removing the "@" sign (i.e. not having
a default gateway) will do nothing to protect the system from UDP
datagrams, broadcast messages of various types, pings o' death, short
shameful connections, etc.
G.
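
The distinction drawn in the reply above, as an added example that is not part of the original message: a simplified model of an IP host whose routing table is consulted only when sending, never when receiving. The `Host` class, the addresses and the gateway values are constructed for illustration and do not reproduce NMMGR or the HP3000 network stack.

```python
import ipaddress

class Host:
    """Simplified IP host: the routing table is used for outbound traffic only."""

    def __init__(self, routes, default_gateway=None):
        # routes: list of (CIDR, gateway) pairs, i.e. the configured "valid ranges"
        self.routes = [(ipaddress.ip_network(net), gw) for net, gw in routes]
        self.default_gateway = default_gateway  # the "@" entry, if configured
        self.received = []                      # every datagram that reached the host

    def next_hop(self, dst):
        """Longest-prefix match; None if nothing matches and there is no default."""
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, gw) for net, gw in self.routes if addr in net]
        if matches:
            return max(matches, key=lambda m: m[0])[1]
        return self.default_gateway

    def receive(self, src, payload):
        """Inbound path: the packet is accepted and processed whatever its source.
        The routing table matters only when a reply has to be sent."""
        self.received.append((src, payload))
        hop = self.next_hop(src)
        return {"processed": True, "reply_sent": hop is not None, "via": hop}

def demo():
    # Constructed configuration: one subnet route, with and without a default gateway.
    subnet = [("10.1.0.0/16", "10.1.0.1")]
    hosts = {
        "no_default": Host(subnet),
        "with_default": Host(subnet, default_gateway="10.1.0.254"),
    }
    results = {}
    for name, host in hosts.items():
        for src in ("10.1.5.20", "192.0.2.77"):  # in range / out of range
            results[(name, src)] = host.receive(src, b"one-way datagram")
    return results, hosts["no_default"].received

if __name__ == "__main__":
    results, seen = demo()
    for key, outcome in results.items():
        print(key, outcome)
    print("datagrams processed by the host without a default gateway:", len(seen))
```

Without the default gateway the out-of-range sender gets no reply, yet its datagram is still processed; keeping such traffic off the host takes a packet filter or firewall in front of it, not a routing change.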