undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointsbogantech1y ago0 comments

Firewalls exist, many network environments block everything not explicitly allowed.

Authentication is only part of the problem, networks are firewalled (with dedicated appliances) and segmented to prevent lateral movement in the event of a compromise

0 comments

4 comments · 1 top-level

klysm1y ago· 3 in thread

Isn’t that completely orthogonal? IP addresses aren’t authenticated, they can be spoofed

bogantechOP1y ago

It's not authentication. People aren't using static ips for authentication purposes

But if I have firewall policies that allow connections only to specific services I need a destination address and port (yes, some firewalls allow host names but there's drawbacks to that)

> IP addresses aren't authenticated, they can be spoofed

For anything bidirectional you'd need the client to have a route back to you for that address, which would require you compromising some routers and advertising it via BGP etc.

You can spoof addresses all you want but it will generally not do much for a stateful protocol

klysm1y ago

> People aren't using static ips for authentication purposes

Unfortunately they are! I’ve seen up whitelistijg used as the only means of authentication over the WAN several times

otabdeveloper41y ago

> People aren't using static ips for authentication purposes

Lol. Of course they do. In fact, it's the only viable way to authenticate servers in Current Year. Unlike ssh host keys, of which literally nobody on this planet takes seriously, or https certificates which is just make-work security theater.

j / k navigate · click thread line to collapse