Authentication by IP is a bad idea, restricting who can connect in the
first place and proceed to authentication stage is a further line of

Having been an enterprise firewall admin in the midst of previously
established enterprise firewall admins, the "going wisdom" is that you
always set rules by IP rather than DNS.  When pressed for a reason,
especially given that Cisco PIX allow DNS rules, they always resorted
to the koan of "that's the way it's always been done - DNS can be
poisoned or the source of a DoS".  phbbbttt

My response: if someone is in the position to poison my DNS, they're
already in the position to spoof a trusted IP and likely a whole lot
more.  For that matter, they're likely already inside my network.  If
the allow/block is critical enough to require the *tiny* edge provided
by IP-based rules, then the client will be critical enough to have a
statically assigned IP.


RB

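The point RB argues about, whether a rule keyed on a DNS name is any safer or riskier than one keyed on an IP, comes down to one fact: a name-based rule is really a rule on whatever the resolver answers at evaluation time, while a literal-IP rule is fixed. The script below is an added example, not code from the original post or from any firewall vendor. It models both rule kinds against a constructed in-memory resolver (no real DNS or firewall is touched), shows how the effective allow set of a name-based rule moves when the resolver's answer changes, and includes the drift check a defender would run to notice that movement. All hostnames, addresses and function names (`effective_sources`, `is_allowed`, `resolution_drift`) are constructed for the example.

```python
"""Added example: name-based vs IP-based firewall rules under a changing resolver."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed rule set: each rule allows TCP/22 from a source that is
# either a literal IP/CIDR or a DNS name resolved at evaluation time.
RULES: List[dict] = [
    {"source": "192.0.2.10", "port": 22, "action": "allow"},          # literal IP
    {"source": "jump.example.test", "port": 22, "action": "allow"},   # DNS name
]

# Constructed resolver answers (what the firewall's lookups would return).
GOOD_RESOLVER: Dict[str, List[str]] = {"jump.example.test": ["192.0.2.20"]}
# The same name after a hypothetical cache change: it now points at an
# address the admin never intended to allow.
CHANGED_RESOLVER: Dict[str, List[str]] = {"jump.example.test": ["198.51.100.99"]}


def effective_sources(rules: List[dict], resolver: Dict[str, List[str]]) -> Set[str]:
    """Expand each rule's source to the set of networks it allows right now."""
    allowed: Set[str] = set()
    for rule in rules:
        src = rule["source"]
        try:
            # Literal IP/CIDR: fixed regardless of what DNS says.
            allowed.add(str(ipaddress.ip_network(src, strict=False)))
            continue
        except ValueError:
            pass
        # DNS name: the rule covers whatever the resolver answers today.
        for answer in resolver.get(src, []):
            allowed.add(str(ipaddress.ip_network(answer, strict=False)))
    return allowed


def is_allowed(src_ip: str, rules: List[dict], resolver: Dict[str, List[str]]) -> bool:
    """Decide whether a connection from src_ip matches any allow rule."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in effective_sources(rules, resolver))


def resolution_drift(pinned: Dict[str, List[str]],
                     resolver: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Defender's check: report names whose current answers differ from the pinned set.

    Returns {name: (expected_answers, observed_answers)} for every mismatch;
    an empty dict means every name-based rule still resolves as recorded.
    """
    drift: Dict[str, Tuple[List[str], List[str]]] = {}
    for name, expected in pinned.items():
        observed = sorted(resolver.get(name, []))
        if sorted(expected) != observed:
            drift[name] = (sorted(expected), observed)
    return drift


if __name__ == "__main__":
    print("effective allow set (good resolver):   ", effective_sources(RULES, GOOD_RESOLVER))
    print("effective allow set (changed resolver):", effective_sources(RULES, CHANGED_RESOLVER))
    print("drift report:", resolution_drift(GOOD_RESOLVER, CHANGED_RESOLVER))
```

Note that the literal-IP rule for 192.0.2.10 matches identically under both resolvers, while the name-based rule silently stops admitting 192.0.2.20 and starts admitting 198.51.100.99; the drift report is what turns that silent change into something an operator sees. Pinning the expected answers next to the rule, as `resolution_drift` does, is the same idea as RB's "statically assigned IP", applied as a monitoring check rather than as a rule-writing rule.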