tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Turner, John" <>
Subject [OFF-TOPIC] RE: limiting access by IP address
Date Wed, 08 Jan 2003 19:46:09 GMT

True, assuming that the transmission is occuring over a wire (or wireless),
that is, from a remote node/host.  An application local to the application
listening on a given port can easily spoof an IP address and do all sorts of
other protocol mischief, because there is no intervening network or router
that the receiver can use to assume implicit trust.  How would the receiving
port/application determine whether the communication actually originated on
a remote host or the local host itself?

In your scenario, assume a low-level, non-root sys-admin in the Information
Services department wishes to access an application that is restricted to an
IP address space dedicated to the accounting or human resources department.
With a little ingenuity, an IP address restriction is meaningless to an
internal intruder or attacker with access to the machine running the
application, even at the non-root level.

If you're going to be secure, you also have to consider internal/local
security.  The bad guy isn't always on the outside.


> -----Original Message-----
> From: Gary Gwin []
> Sent: Wednesday, January 08, 2003 1:35 PM
> To: Tomcat Users List
> Subject: Re: limiting access by IP address
> An IP address cannot be changed mid-stream and cannot be easily faked 
> (without the cooperation of the intervening network systems). 
> The Apache 
> distribution has long included mod_access for this purpose, and it is 
> widely used. With Apache, you can either specify to deny or 
> grant access 
> to an IP address using regular expression syntax. See the Apache 
> documentation for more information.
> Using IP addresses for access control is very useful within company 
> intranets (e.g. the engineering department has access but the 
> marketing 
> department does not). It can also provide pseudo-firewall 
> capabilities 
> to deny Internet access to bad guys, or only grant access to 
> users from 
> a specific company. When accompanied with user authentication, it 
> provides an extra measure of security (known as two-factor 
> authentication). Generally, authentication (or identification more 
> specifically) is a function of:
>     Something you know (a username and password)
>     Something you have (a smartcard or IP address)
>     Something you are (biometrics)
> Gary

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message