IP address and subnet mask restrictions, DNS-based restrictions, User time restrictions – HP Integrated Lights-Out 3 User Manual

Page 194


range can be specified to grant or deny access to a single address. Addresses that fall within the
low-to-high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addresses
that are granted or denied access. This format has capabilities similar to those of an IP address
range, but might be more native to your networking environment. An IP address and subnet mask
range is typically specified through a subnet address and an address bit mask that together identify
the addresses on the same logical network.

In binary terms, if the bits of the client machine address, ANDed with the bits of the subnet mask,
equal the subnet address in the restriction, the client machine meets the restriction.

DNS-based restrictions

DNS-based restrictions use the network name service to examine the logical name of the client
machine by looking up machine names assigned to the client IP addresses. DNS restrictions require
a functional name server. If the name service goes down or cannot be reached, DNS restrictions
cannot be matched and the client machine fails to meet the restriction.

DNS-based restrictions can limit access to a specific machine name or to machines that share a
common domain suffix. For example, the DNS restriction www.example.com matches only hosts that
are assigned the domain name www.example.com, whereas the DNS restriction *.example.com
matches any machine whose name lies within the example.com domain.

DNS restrictions can cause ambiguity because a host can be multi-homed. DNS restrictions do not
necessarily match one to one with a single system.

Using DNS-based restrictions can create security complications. Name service protocols are not
secure. Any individual who has malicious intent and access to the network can place a rogue DNS
service on the network and create a fake address restriction criterion. When implementing
DNS-based address restrictions, be sure to take organizational security policies into consideration.
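The three matching rules described above (IP address range, subnet address with bit mask, and DNS name or wildcard suffix) as an added Python example; this is not code from the HP manual or the iLO firmware. The reverse-lookup table and the resolver functions are constructed stand-ins for a real name service, and the DNS check shows the failure mode the text calls out: when the name service cannot be reached, the restriction is simply not met.

```python
import ipaddress

# Constructed reverse-lookup (PTR) table standing in for the name service.
# A real deployment would call socket.gethostbyaddr(), which raises an
# OSError subclass when the name server is down or unreachable.
FAKE_PTR_RECORDS = {
    "10.1.2.3": "ws17.corp.example.com",
    "10.1.2.4": "www.example.com",
}


def fake_resolver(client_ip):
    """Stand-in resolver: returns the name for an address or raises KeyError."""
    return FAKE_PTR_RECORDS[client_ip]


def unreachable_resolver(client_ip):
    """Stand-in for a name service that is down."""
    raise OSError("name service unreachable")


def matches_ip_range(client_ip, low, high):
    """Client meets the restriction if low <= address <= high (inclusive)."""
    c = ipaddress.IPv4Address(client_ip)
    return ipaddress.IPv4Address(low) <= c <= ipaddress.IPv4Address(high)


def matches_subnet_mask(client_ip, subnet, mask):
    """Client address ANDed with the mask must equal the subnet address."""
    c = int(ipaddress.IPv4Address(client_ip))
    m = int(ipaddress.IPv4Address(mask))
    s = int(ipaddress.IPv4Address(subnet))
    return (c & m) == (s & m)


def matches_dns(client_ip, pattern, resolver=fake_resolver):
    """Reverse-resolve the client and compare its name with the restriction.

    '*.example.com' matches any name ending in '.example.com'; any other
    pattern must equal the whole name. If the name service is unavailable
    (or holds no record for the address) the restriction cannot be matched.
    """
    try:
        name = resolver(client_ip)
    except (OSError, KeyError):
        return False
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern
```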

User time restrictions

Administrators can place a time restriction on directory user accounts (Figure 106). Time restrictions
limit the ability of the user to log in (authenticate) to the directory. Typically, time restrictions are
enforced using the time at the directory server. If the directory server is located in a different time
zone, or if a replica in a different time zone is accessed, time-zone information from the managed
object can be used to adjust for relative time.

The directory server evaluates user time restrictions, but the determination can be complicated by
time-zone changes or the authentication mechanism.

Figure 106 User time restrictions

[Figure: a user at a client workstation logs in through the LOM, which authenticates against the directory server. User time restrictions are enforced by the directory server.]

Directory services