| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Re: restrict users' internet access |
From: Chris

You're Welcome... I'm a network Geek at heart (and I admit to being a geek too). Btw, anyone who wants to see a variety of pictures of myself, my family, and my hobbies may check out http://gallery.k7sle.com

Ellen K. wrote:
> Thanks very much!
>
> (I love this place. :))
>
> On Tue, 29 Mar 2005 07:38:07 -0800, Chris wrote in
> message :
>
>>Thanks to Rich for the post re: private ip addressing. As for the IP
>>addresses I mentioned in the previous post, you do not *have* to use
>>those specific addresses. You can use any subnet ranges. The concept
>>behind it is that you would have all of your unrestricted internet users
>>on subnet A and the restricted users on subnet B.
>>
>>You would still want to use a proxy server because that will be the most
>>powerful, flexible, and easy-to-manage solution when compared to having
>>a network admin modify rules on the firewall (which often require a
>>reboot of the device to take effect) every few days as someone needs an
>>"exception" to the rules.
>>
>>What is a proxy server? In this case, think of it as a "liaison"
>>between you and the Internet. You ask this "liaison" for a web page and
>>the liaison gets it for you. If you configure him to do so, he will
>>write down in his little black book what URL you asked for and when,
>>too. If the URL you want is not allowed, he tells you so and waits for
>>your next request. Another way to think of it is when you vote for
>>corporate board members at a shareholders meeting. A lot of times, you
>>will get in the mail a form allowing someone to vote for you *by proxy*.
>>
>>http://dictionary.reference.com/search?q=proxy%20gateway
>>http://dictionary.reference.com/search?q=proxy%20server
>>http://dictionary.reference.com/search?q=proxy
>>
>>Adam's suggestion is also a very good one about configuring the DHCP
>>server to only allow "trusted" computers (based on MAC address) to get
>>an IP address. The caveat to this is if a client comes in for a
>>presentation and wants to use their own laptop, then there can be some
>>confusion/difficulties in getting the laptop MAC address information
>>from the client and into the server, then back out again after the fact.
>>I've experienced that one.
>>
>>/Chris
>>
>>Ellen K. wrote:
>>
>>>Wow, thanks for the very clear explanation. (Except I don't know what
>>>"private IP addressing" means.)
>>>
>>>So this does require a "proxy server". Is that software that we buy?
>>>Or does it mean how you configure that particular box? Or is it
>>>another type of device?
>>>
>>>There are only a couple of addresses we want to let the users get to, I
>>>wouldn't see a problem configuring rules for them.
>>>
>>>But I think it could be a big problem to start over with the IP
>>>addresses as you are suggesting... I know for example that a lot of our
>>>servers have addresses in the 10's, and some people program to those IP
>>>addresses.
>>>
>>>On Mon, 28 Mar 2005 08:03:17 -0800, Chris wrote in
>>>message :
>>>
>>>>Having managed a network behind a Pix 515 and a Pix 515e, I do know what
>>>>you are talking about. There is an easy solution to the internet
>>>>access, IF you want to block ALL internet access for those users. Let
>>>>me explain, with the following assumptions:
>>>>
>>>>1) You are using private IP addressing
>>>>2) Your managers are using a different IP subnet than the users who
>>>>should not have "unrestricted" access.
>>>>
>>>>Here is how I might try it (based on the assumptions and information I
>>>>have):
>>>>
>>>>Management all uses addresses in the 192.168.1.0/24 subnet (253 possible
>>>>addresses for use)
>>>>The "Users" (those with restricted internet access) are on 10.0.0.0/24.
>>>>
>>>>Have a proxy server at 192.168.1.2.
>>>>On the firewall, enable the filters (called Access Control Lists, or
>>>>ACLs) to PERMIT unrestricted access on the internal port I to the
>>>>external port E from the source address range of 192.168.1.0/24
>>>>(255.255.255.0).
>>>>Add ACL rules to the firewall that DENY any internet access from the IP
>>>>range 10.0.0.0/24 (255.255.255.0). Force their browsers to look to the
>>>>proxy on 192.168.1.2 for internet access. IF there is a specific site
>>>>that you don't mind them going to and you know the IP address, you CAN
>>>>create rules to permit that traffic as well, but a proxy server sounds
>>>>like a better solution for a large number of users, otherwise you will
>>>>be forever editing those ACLs.
>>>>
>>>>Does this help? If you want more info, please email me at
>>>>NOchris{at}SPk7sle.AMcom. Take out the capital letters from the email address.
>>>>
>>>>/Chris
>>>>
>>>>Ellen K. wrote:
>>>>
>>>>>OK, I'm starting to get it. So a "proxy server" can be all software?
>>>>>
>>>>>Well, the reason the two cases seemed similar to me is that they both
>>>>>require the firewall to know more than IP addresses. But it does seem
>>>>>like having to know who is trying to access you is harder than knowing
>>>>>whom to access.
>>>>>
>>>>>No idea whether pix provides a proxy and maybe the guy in charge of it
>>>>>doesn't know either, he was the one who said the internal IP addresses
>>>>>would have to be fixed. I do know that it lets you configure rules on
>>>>>a port-by-port basis which can be IP-address-based and/or time-based, I
>>>>>found that out when I was researching our FTP practices.
>>>>>
>>>>>On Sun, 27 Mar 2005 17:40:30 -0800, "Rich" wrote in message
>>>>>:
>>>>>
>>>>>>The proxy server is what enforces the rules on what can or can not be accessed. How you do this depends on the proxy server used. Whatever component knows about internal IP addresses would know about users instead.
>>>>>>
>>>>>>Using static IP for the proxy is more like the reverse of the pcaw issue. For pcaw you want to be able to access this machine from your client system. For the proxy, it doesn't want to access the internal machines. They access it. It would use this information to apply its machine access rules.
>>>>>>
>>>>>>I don't know pix other than that it is a firewall. Does it provide a proxy too?
>>>>>>
>>>>>>Rich
>>>>>>
>>>>>>"Ellen K." wrote in message news:cdme41h26mnfona6m5sttd6huae03q9mvr{at}4ax.com...
>>>>>>Where does the authentication happen then? Does the firewall have to
>>>>>>know who all the users are? Do you feel up to explaining in simple
>>>>>>terms what a proxy server is?
>>>>>>
>>>>>>Re the pcAW, it sounds similar to what you are saying about the other
>>>>>>question, i.e. if the firewall knows the machines by name, it doesn't
>>>>>>have to know their internal IP address. Is that correct? This
>>>>>>similarity leads me to question whether maybe our firewall -- or the
>>>>>>person in charge of it -- only knows how to deal with IP addresses. It
>>>>>>is a Pix firewall.
>>>>>>
>>>>>>On Sun, 27 Mar 2005 17:01:53 -0800, "Rich" wrote in message
>>>>>>:
>>>>>>
>>>>>>>I agree with the proxy though not the fixed address. Use proxy authentication so that the rules apply to users and not the computers.
>>>>>>>
>>>>>>>You shouldn't need a fixed internal IP for pcAW unless this is a pcAW restriction. As long as you have dynamic DNS or similar internal name resolution you should be able to use a dynamic address. Just refer to the machine by name instead of IP.
>>>>>>>
>>>>>>>Rich
>>>>>>>
>>>>>>>"Ellen K." wrote in message news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
>>>>>>>Not my area of responsibility but I always like to help if I can:
>>>>>>>We want to restrict the rank-and-file users to a few allowed sites like
>>>>>>>FedEx and UPS. In our morning briefing the other day it was stated that
>>>>>>>everyone would have to have fixed IP addresses to do this (that part I
>>>>>>>understand, since the restrictions are not to apply to everyone) and we
>>>>>>>would have to have a proxy server.
>>>>>>>
>>>>>>>I actually don't know what a proxy server even is, but the IT director
>>>>>>>said it's complicated. So first of all, is it true that we would need
>>>>>>>a proxy server? And secondly, if so, is it complicated?
>>>>>>>
>>>>>>>Alternatively, is there any other way to do it? We want to leave people
>>>>>>>like directors and IT with full internet access. Most boxes have no
>>>>>>>external IP address and a dynamic internal one. The only ones with
>>>>>>>fixed internal ones are people who pcAW in to their desktop, which for
>>>>>>>all I know might only be me because when they set up an additional
>>>>>>>desktop for me recently they left the internal address dynamic and I
>>>>>>>couldn't get to it.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
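Added example, not from the thread: a small Python model of the outbound ACL Chris describes (permit 192.168.1.0/24 to anywhere, optionally permit 10.0.0.0/24 to one known site address, deny the rest of 10.0.0.0/24, implicit deny at the end), evaluated first-match as a PIX would. It also shows why the proxy at 192.168.1.2 works (its own outbound traffic matches the management permit) and flags a per-site exception that is dead because it sits below the deny, which is the "forever editing those ACLs" problem. The site address 203.0.113.10 and the helper names are constructed for the example; nothing here is PIX configuration syntax.

```python
"""First-match ACL simulation of the subnet split described in the thread.

Constructed example; addresses outside the thread (203.0.113.10, 198.51.100.7)
are documentation ranges, not real sites.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source range the rule matches
    dst: ipaddress.IPv4Network    # destination range; 0.0.0.0/0 means "any"


ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT = ipaddress.ip_network("192.168.1.0/24")         # subnet A: unrestricted users
USERS = ipaddress.ip_network("10.0.0.0/24")            # subnet B: restricted users
ALLOWED_SITE = ipaddress.ip_network("203.0.113.10/32")  # constructed stand-in for a shipping site
PROXY_IP = "192.168.1.2"                               # proxy lives inside subnet A

# Outbound ACL on the internal interface, evaluated top to bottom, first match wins.
OUTBOUND_ACL = [
    Rule("permit", MGMT, ANY),            # managers (and the proxy itself) may go anywhere
    Rule("permit", USERS, ALLOWED_SITE),  # optional per-site exception for restricted users
    Rule("deny", USERS, ANY),             # every other direct flow from restricted users
]


def evaluate(acl, src_ip, dst_ip):
    """Return (action, index of matching rule); implicit deny -> ("deny", None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(acl):
        if src in rule.src and dst in rule.dst:
            return rule.action, i
    return "deny", None


def restricted_user_path(acl, user_ip, site_ip, proxy_ip=PROXY_IP):
    """Direct access from a restricted user vs. the proxy fetching on their behalf."""
    return {"direct": evaluate(acl, user_ip, site_ip)[0],
            "via_proxy": evaluate(acl, proxy_ip, site_ip)[0]}


def shadowed_rules(acl):
    """Indices of rules that can never match: an earlier rule covers their whole src/dst space."""
    dead = []
    for j, later in enumerate(acl):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst) for e in acl[:j]):
            dead.append(j)
    return dead
```

Putting the per-site exception below the deny (swap the last two rules) makes `shadowed_rules` report it, which is the check to run before assuming a newly added exception took effect.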
SOURCE: echomail via fidonet.ozzmosis.com