[WEB4LIB] Firewalls and Web access

Leo Robert Klein leo at leoklein.com
Sun Aug 11 22:25:36 EDT 2002


on 8/11/02 6:23 PM, Bob Duncan at duncanr at mail.lafayette.edu wrote:

> Color me stupid, but I've just run into a situation that has me adrift in
> brain numbness.  Any assistance would be appreciated.
> 
> Our campus network folks just installed a new firewall, and now we have
> lost access to all our subscription resources which rely on authentication
> via IP-address recognition.  Apparently this is because the firewall is
> stopping most incoming traffic and its IP address is not within the range
> of addresses we supply vendors.
> 
> Our network folks are new at firewalls, and I am only familiar with the
> general concepts.  What are the options for restoring access to all of our
> Web-based resources?  Supplying the firewall address to vendors seems like
> less work than allowing inbound access for each vendor machine (which is
> also a bit of a moving target), but neither seems terribly palatable.  Is
> there a way that IP-address recognition can work without compromising
> campus security?  (And is this a typical configuration for a college campus?)

Bob,

Welcome to the wonderful world of firewalls.  Being on the receiving end of
this mysterious form of networking, I can well commiserate with you.

Tears aside, the important thing to establish is just what your IP range is
when internal users access remote sites.  Internally they can use whatever
number they want but the moment they go external they have to play by the
normal IP rules.  If they didn't, it's hard to imagine anything online
working whether subscription or not.

So once your users go outside your network, the firewall slaps on a "public"
IP number.  The range is something you'll have to get from the firewall
people themselves.  Sometimes this is an outside contractor and sometimes
you can get your old range back.  It depends.

When we went through this initiation rite about a year ago -- yes, right
before classes, how timely -- we found out that the firewall people had
given everyone a 128.*.*.* IP number when for donkey ages the world had
known us as 150.210.*.*.  Of course, we only found this out when reports
started coming in that no one could connect to our subscription databases --
on campus!

In any case, the firewall/switch people weren't wedded to one IP range over
the other -- in fact, they had simply given us what they thought was our
"default" IP range.  Once we got to the Right Person -- and that's the
hardest thing to find -- he switched us back to our old IP range after only
a moment or two of command-line wizardry.

LEO

---------------------------------------------------------------------------
Leo Robert Klein                                   Library Web Coordinator
home ::::::::::::::::::::::::::::::::::::::::::::::::: http://leoklein.com
office ::::::::::::::::::::::::::::::::::::: http://newman.baruch.cuny.edu
radio station :::::::::::::::::::::::::::::::::: http://patachon.com/radio
---------------------------------------------------------------------------
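
The check described in the message above (find out which public range the firewall assigns to outbound traffic and compare it with the range vendors have on file), as an added example that is not part of the original post. The function names and the sample addresses are constructed for illustration; only the `150.210.*.*` and `128.*.*.*` patterns come from the message.

```python
import ipaddress

def wildcard_to_network(pattern):
    """Turn '150.210.*.*' (or a CIDR string) into an ipaddress network."""
    pattern = pattern.strip()
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=True)
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed = [o for o in octets if o != "*"]
    # Only a trailing run of wildcards describes one contiguous range.
    if octets[:len(fixed)] != fixed:
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def audit_egress(registered, observed):
    """Classify each source address a remote site would see."""
    nets = [wildcard_to_network(p) for p in registered]
    report = {}
    for src in observed:
        addr = ipaddress.ip_address(src)
        if addr.is_private:
            # An internal address never reaches the vendor untranslated.
            report[src] = "private"
        elif any(addr in n for n in nets):
            report[src] = "registered"
        else:
            report[src] = "unregistered"
    return report

# Constructed sample data: the range on file with vendors, and source
# addresses as seen from outside the campus network.
REGISTERED_WITH_VENDORS = ["150.210.*.*"]
OBSERVED_SOURCES = ["150.210.14.7", "128.10.3.20", "10.1.2.3"]

if __name__ == "__main__":
    report = audit_egress(REGISTERED_WITH_VENDORS, OBSERVED_SOURCES)
    for src, status in report.items():
        print(f"{src:15} {status}")
```

Any address reported as `unregistered` is one that IP-based vendor authentication will reject until either the firewall's outbound range or the vendor's list is changed.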




