> -----Original Message-----
> From: Delmer Harris [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 30 September 2000 2:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: User level packet filtering
> 
> I can't stand it any more.  Why not use an authenticating proxy firewall
> instead of trying to contort a packet filter to make it work in higher
> layers of the ISO model?
> <flame suit on>

Ok, that's a good question. First of all, as has been mentioned, there are
some problems with full app proxies for certain protocols. But essentially,
I think that there's a lack of proxies that will do strong auth in a
cross-platform way.

I think that running IPSec internally as well as a remote access solution
has a lot of cool benefits.

o It authenticates user sessions - this gets rid of hijacking attacks. This
is still a problem with application-level gateways for most protocols.

o It can offer confidentiality, where required. Most ALGs don't - it's up to
the protocol being proxied to offer it (TLS, SSH etc etc)

o It can use strong authentication. Most ALGs don't. They use stupid things
like passwords or Windows credentials (which are as weak as passwords). Yes,
I know that some support SNK / KerbV etc. Sadly, most _clients_ don't. 8)

o It's cross-platform. I've seen IPSec clients for most of the major
platforms - *nix, windoze, Mac.

I don't actually see this as modifying a packet filter, anyway. You can use
IPSec as a circuit-level gateway to protect access to your egress network.
In other words, no ticket no ride - you don't auth, you can't get out of the
network. However, once your circuit is established, there may still be a
requirement for filtering. Your egress device can be a normal packet filter,
an SPF or a full ALG or some combo. You _could_ combine the filtering
features into the IPSec box. Personally I think that would reduce
functionality though.

I may yet be shown to be crazy, but the more I think about it, the more I
think that this is an architecture that has value. I don't think that we
need to cut code, either. I think we could build a system like this with
bits we have today.

(As for development - How about an egress IPSec gateway that applies a VLAN
'colour' to user packets for matching by devices further out? How about a
multi-NIC box that selects an exit NIC based on user class? What if we use
per-user NAT (for a cheap, nasty solution) to make it easy for traditional
firewalls to filter by IP address?)

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
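The "no ticket, no ride" egress design in the reply above, as an added example that is not part of the original thread and not Ben Nagy's code: a Linux egress gateway that forwards only packets decapsulated from an IPsec SA (so unauthenticated plaintext from the inside never leaves), logs what it refuses, and then gives each authenticated user's tunnel address its own public source address so an ordinary upstream packet filter can apply per-user policy by IP, which is the "per-user NAT" idea from the parenthetical. It assumes iptables with the xt_policy match; the interface names, the user-to-address map and the 203.0.113.x/10.8.0.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Egress gateway: IPsec as a circuit-level gateway, then per-user NAT so
# the next-hop packet filter can filter by source IP.
set -eu

INSIDE_IF="${INSIDE_IF:-eth0}"    # assumed: faces the internal network
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"  # assumed: faces the upstream filter / Internet
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the rules instead of applying them

# Constructed map of "<user tunnel inner address> <per-user public address>".
# In a real deployment this comes from the IPsec gateway's address pool.
USER_MAP='10.8.0.5 203.0.113.5
10.8.0.6 203.0.113.6'

# Print or execute one iptables invocation depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

base_policy() {
  # Default deny: nothing crosses the box unless a later rule says so.
  ipt -P FORWARD DROP
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

circuit_rules() {
  # "No ticket, no ride": forward inside->outside only if the packet arrived
  # inside an IPsec ESP SA. The policy match sees the decapsulated packet and
  # knows whether an SA protected it, which is the authentication decision.
  ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" \
      -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  # Plaintext from the inside is not forwarded; log it so unauthenticated
  # egress attempts are visible to whoever watches the gateway.
  ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" \
      -m policy --dir in --pol none -j LOG --log-prefix "egress-unauth: "
}

per_user_nat() {
  # Per-user NAT: each authenticated user's inner address gets its own public
  # source address, so a traditional firewall upstream can filter by IP
  # without knowing anything about IPsec.
  printf '%s\n' "$USER_MAP" | while read -r inner public; do
    [ -n "$inner" ] || continue
    ipt -t nat -A POSTROUTING -s "$inner/32" -o "$OUTSIDE_IF" \
        -j SNAT --to-source "$public"
  done
}

# Emit (or apply) the complete rule set in order.
egress_rules() {
  base_policy
  circuit_rules
  per_user_nat
}

if [ "${1:-}" = "--apply" ]; then
  DRY_RUN=0
fi
egress_rules
```

Run it without arguments to review the generated rules; `--apply` executes them on a host that has iptables and root. The filtering the reply says may still be needed after the circuit is up can be inserted as further FORWARD rules between the ESP accept and the log line, or left to the upstream device that now sees one public address per user.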