True, assuming that the transmission is occuring over a wire (or wireless), that is, from a remote node/host. An application local to the application listening on a given port can easily spoof an IP address and do all sorts of other protocol mischief, because there is no intervening network or router that the receiver can use to assume implicit trust. How would the receiving port/application determine whether the communication actually originated on a remote host or the local host itself?
In your scenario, assume a low-level, non-root sys-admin in the Information Services department wishes to access an application that is restricted to an IP address space dedicated to the accounting or human resources department. With a little ingenuity, an IP address restriction is meaningless to an internal intruder or attacker with access to the machine running the application, even at the non-root level. If you're going to be secure, you also have to consider internal/local security. The bad guy isn't always on the outside. John > -----Original Message----- > From: Gary Gwin [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 08, 2003 1:35 PM > To: Tomcat Users List > Subject: Re: limiting access by IP address > > > An IP address cannot be changed mid-stream and cannot be easily faked > (without the cooperation of the intervening network systems). > The Apache > distribution has long included mod_access for this purpose, and it is > widely used. With Apache, you can either specify to deny or > grant access > to an IP address using regular expression syntax. See the Apache > documentation for more information. > > Using IP addresses for access control is very useful within company > intranets (e.g. the engineering department has access but the > marketing > department does not). It can also provide pseudo-firewall > capabilities > to deny Internet access to bad guys, or only grant access to > users from > a specific company. When accompanied with user authentication, it > provides an extra measure of security (known as two-factor > authentication). Generally, authentication (or identification more > specifically) is a function of: > > Something you know (a username and password) > Something you have (a smartcard or IP address) > Something you are (biometrics) > > Gary > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
