IP source address filtering » Computer internet security 
information computer networking security
 
 



IP source address filtering

Friday, August 17, 2007, 10:14
This news item was posted in Internet security category and has 0 Comments so far.

Currently, IP source address filtering is the major mechanism used to implement authentication and access management for cross-institutional resource access. It works as follows: the licensee institution provides the resource operator with a list of IP addresses that are authorized for access. The list can include some wildcarding to permit entire subnets or networks to have access, and occasionally incorporates exclusion lists (all hosts on a given net or subnet EXCEPT for the following specific hosts). There is general agreement that this approach is unsatisfactory for a number of reasons, and it is instructive to evaluate it against our seven functional requirements to see both where it works and where it falls short.

Feasibility and Deployment: This is relatively easy to deploy and manage from the perspective of both the institution and the resource operator. No special software is needed on the user side, and support on the resource operator side is not difficult. There is some maintenance involved in keeping the tables at the resource providers up to date, but this is not unmanageable. The licensee institution must analyze the access and use policies for the machines within the institution to make sure that machines that aren't access-limited to the institutional community are excluded where necessary. It must also educate members of the community that giving outsiders an account on a machine also gives them access to institutional resources that they may not be entitled to. There are some real dangers of access control breaches through the creation of proxies, either through ignorance of the implications or deliberately.
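The check a resource operator performs against the licensee's address list, including subnet entries and an exclusion list, written here as an added example (it is not code from the original post). The licensee name, the table layout, and the function names are assumptions, and the addresses are constructed from the reserved documentation ranges.

```python
import ipaddress

# Constructed licence table: documentation address ranges, hypothetical licensee.
LICENSEES = {
    "example-university": {
        # A whole subnet (the "wildcard" case) plus one individually listed host.
        "allow": ["192.0.2.0/24", "198.51.100.17"],
        # Hosts inside the allowed subnet that are NOT limited to the community,
        # e.g. public kiosks or machines with guest accounts.
        "except": ["192.0.2.200", "192.0.2.64/28"],
    },
}

def compile_table(table):
    """Parse the textual entries once into network objects."""
    compiled = {}
    for name, entry in table.items():
        allow = [ipaddress.ip_network(a, strict=True) for a in entry["allow"]]
        excluded = [ipaddress.ip_network(e, strict=True)
                    for e in entry.get("except", [])]
        compiled[name] = (allow, excluded)
    return compiled

def authorize(compiled, source_ip):
    """Return the licensee a source address maps to, or None to deny."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None  # malformed address: deny
    for name, (allow, excluded) in compiled.items():
        if any(addr in net for net in excluded):
            continue  # the exclusion list overrides the enclosing subnet
        if any(addr in net for net in allow):
            return name
    return None

TABLE = compile_table(LICENSEES)

# The decision depends only on the connection's source address. A request
# relayed by a proxy or shared account on 192.0.2.10 is authorized exactly
# like one from a community member at that host; the operator cannot tell
# them apart, which is why the institution has to maintain the "except" list.
if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200", "192.0.2.70", "203.0.113.5"):
        print(ip, "->", authorize(TABLE, ip))
```
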
