
I want to connect to my home install of phpmyadmin. I restricted the connection for this to my 2 IPs.

But I don't really understand this whole OSI layering. I do know that the IP is saved in the second layer, and I guess that the IP restriction will just look for this layer.

Is it possible to read out the password from the 7th layer, even if I have an IP restriction?

yonetpkbji

Harrys Kavan
  • Yes it's possible for a third party to sniff the password; further, if iptables stops doing its job at some point in the future or the client is compromised then the security is compromised. Further, sending queries over HTTP means that you are vulnerable to MITM. It might be safe for now, but this really demonstrates why defence in depth is a good idea. Use HTTPS – symcbean Feb 21 '13 at 11:04

2 Answers


The OSI layers are a model which was not meant for IP but for an older, competing protocol. IP does not fit well in that layer, especially when envisioning SSL (which must be both in layer 6 and layer 4, which is logically impossible). These layers are just confusing, so don't use them.

IP restrictions mean that your server will refuse to pursue connections which are tagged with the wrong IP address. This does not protect the data against eavesdroppers.

Let me take an analogy: suppose that your connections are good old letters, with a destination address, and a sender address. The envelopes are transparent. The equivalent of IP restrictions is when the recipient refuses to even open, let alone respond to, envelopes which are not tagged with a "known sender" address. But nobody guarantees that the sender address written on the envelope is genuine; sending a letter with a fake sender address is easy. Of course, if I, an attacker, send a letter with your address as alleged sender, I won't see the response (unless I plunder your mailbox). But the recipient may already have acted upon the letter contents, believing them to originate from you. Moreover, since the envelopes are transparent, every postman may read the contents of the letters.

For real protection, you need opaque letters, entrusted to armed conveyers in an armored vehicle. In the Internet world, this is called SSL (aka HTTPS in a Web context).

Tom Leek

Having an IP address based restriction will help to stop unauthorised users from connecting to the application; however, it doesn't protect information in transit from the authorised PCs to the server.

Say for example that one of the authorised systems uses a wireless network to access your server. Without SSL it might be possible for an attacker to sniff your password as it goes over the network and use that to get unauthorised access to your server.

So implementing SSL (and ensuring that you have a trusted certificate installed to help stop Man-In-The-Middle attacks) is a good additional security measure.

Rory McCune
    Not only would an attacker be able to read your messages, they may also be able to modify them. This could (for example) be catastrophic, as they could change a SELECT statement to return all of the data in the database (which they then read on the return journey), or change the statement to an UPDATE or DELETE. – Tinned_Tuna Feb 21 '13 at 11:56
  • thank you to rory, unfortunately i do not have enough reputation for giving you at least some more than words, but that's all i have right now^^ – Harrys Kavan Feb 21 '13 at 12:52
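As an added illustration of what both answers recommend (this is example configuration, not from either answer or from the phpMyAdmin project), here is an Apache 2.4 virtual host that keeps the IP restriction from the question and additionally forces HTTPS, so the login form is never sent in cleartext. The hostname, certificate paths, phpMyAdmin directory and the two client addresses (RFC 5737 documentation ranges) are placeholders to be replaced with your own.

```apache
# Cleartext listener: accept nothing, just send every client to HTTPS.
# A plain "Require ip" on port 80 alone would be the weak setup from the
# question: the source address is checked, but the password still crosses
# the network readable by anyone on the path.
<VirtualHost *:80>
    ServerName db.example.home
    Redirect permanent / https://db.example.home/
</VirtualHost>

<VirtualHost *:443>
    ServerName db.example.home

    # TLS protects the request body (the phpMyAdmin login form) in transit
    # and, with a certificate the browser trusts, lets the client detect a
    # man-in-the-middle instead of silently talking to an impostor.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/db.example.home.crt
    SSLCertificateKeyFile /etc/ssl/private/db.example.home.key

    # Tell browsers to refuse cleartext for this host in future visits.
    Header always set Strict-Transport-Security "max-age=31536000"

    Alias /phpmyadmin /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        # Network-layer control from the question: only these two client
        # addresses may reach the application at all. This is still worth
        # keeping (defence in depth); it just is not a substitute for TLS.
        Require ip 203.0.113.10 198.51.100.20
    </Directory>
</VirtualHost>
```

phpMyAdmin itself can enforce the same policy at the application level with `$cfg['ForceSSL'] = true;` in config.inc.php, which is a useful second line of defence if the web server configuration is ever changed.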