On Fri, 29 Sep 2000, mouss wrote:
> one way would be to allocate IP addresses based on user identity. Yet there
> is no "standard" solution, but the worst here is that this assumes mono-user
> hosts.
This is an interesting idea. Are you aware of any implementations of this?
>
> a second way would be to implement user authentication in IP filtering
> engines. Once again, this is not an easy problem, which explains the fact
> that this is not widespread.
The same sort of authentication in switches would make life much easier.
I really need to spend more time examining this.
>
> a reasonable solution is to use a web proxy that supports authentication.
> squid is an example.
>
> you can install the proxy on a specific host and configure your gateway to
> refuse web access unless it comes from this host. (make sure the guys do not
> have accounts on this host and that the only way to get out of it is to be
> authenticated by the proxy). Then tell your users to use the proxy to go out.
>
> This works for protocols for which there is a proxy that implements
> authentication.
>
These all work for generic Unixes. It's possible to use a Trusted
System that extends its trust into the networking layer to do such things
as well. Data General Unix with the B2 feature set is the only product
I'm aware of that does this, but I'm sure it's possible elsewhere.
Basically, you could set MAC layer authentication for either source or
destination addresses and ports. I'm not sure if you can wildcard to just
ports.
If you used one of the same type of systems to do the normal
military-intelligence trusted multi-layer networking stuff, you could
extend it to other devices under the same control.
If the worry is stopping anyone from hopping through machines on the
network when they only have legitimate access to a single machine (such
as tech support dialed in to a server), it may be enough to set perms on
the socket code and provide trusted clients that restrict access
themselves.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
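The authenticating-proxy arrangement mouss sketches above (Squid on a dedicated host, gateway refusing direct web access from everyone else) as an added example; this is not code from the thread or from either poster. It assumes a modern Squid (3.x or later) with the bundled basic_ncsa_auth helper, a Linux/netfilter gateway, and the documentation addresses 192.0.2.10 (proxy host) and 192.0.2.0/24 (user LAN); paths and addresses are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the two halves of the
# "authenticate at the proxy, block everyone else at the gateway" setup:
#   1. a squid.conf fragment that refuses to relay unauthenticated requests,
#   2. netfilter rules that let only the proxy host reach web ports.
# Addresses, file paths and the auth helper location are assumptions.

PROXY_IP="${PROXY_IP:-192.0.2.10}"   # assumed: the dedicated proxy host
LAN="${LAN:-192.0.2.0/24}"           # assumed: the user LAN behind the gateway

# squid.conf fragment. The proxy_auth ACL with REQUIRED means any valid
# user from the password file; "deny !authenticated" makes Squid send the
# 407 challenge instead of relaying. http_access lines are evaluated in
# order, first match wins, so the deny-all must stay last.
squid_auth_conf() {
    cat <<EOF
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Authenticated web access
auth_param basic credentialsttl 2 hours
acl localnet src $LAN
acl authenticated proxy_auth REQUIRED
http_port 3128
http_access deny !authenticated
http_access allow localnet authenticated
http_access deny all
EOF
}

# Gateway rules: web traffic is forwarded only when it originates from the
# proxy host. Anything else on the LAN trying to go direct is logged (so the
# bypass attempt is visible) and then dropped. Printed, not applied, so the
# script is safe to run on any machine.
gateway_rules() {
    cat <<EOF
iptables -A FORWARD -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -s $LAN -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "direct-web-bypass: "
iptables -A FORWARD -s $LAN -p tcp -m multiport --dports 80,443 -j DROP
EOF
}

# Sanity check used before deploying: the fragment must end with deny all
# and contain exactly the three http_access decisions above.
count_access_lines() {
    squid_auth_conf | grep -c '^http_access'
}

last_access_line() {
    squid_auth_conf | grep '^http_access' | tail -n 1
}

if [ "${APPLY:-0}" = "1" ]; then
    # Assumed include directory; real deployments differ per distribution.
    squid_auth_conf > /etc/squid/conf.d/auth.conf
    gateway_rules | sh
else
    squid_auth_conf
    echo
    gateway_rules
fi
```

Run without arguments to review both fragments; set APPLY=1 on the proxy host and the gateway respectively once the paths match your system. Two caveats follow from the thread itself: the proxy host must not give users shell accounts, or the gateway rule becomes a stepping stone rather than a control, and basic authentication carries credentials in the clear on the LAN, so it only buys user attribution for HTTP, not protection for any other protocol.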