> -----Original Message-----
> From: Truman Boyes [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 3 October 2000 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: User level packet filtering
>
>
> On Tue, 3 Oct 2000, Ben Nagy wrote:
>
> > (As for development - How about an egress IPSec gateway that applies a VLAN
> > 'colour' to user packets for matching by devices further out? How about a
> > multi-NIC box that selects an exit NIC based on user class? What if we use
> > per-user NAT (for a cheap, nasty solution) to make it easy for traditional
> > firewalls to filter by IP address?)
>
[this level: truman]
> sure it can be cheap nasty solutions, but very feasible. it would not take
> too much to make a multi-NIC box first do authentication based on
> Kerberos, then depending if your password is valid, your IP address is
> then NAT'd to the src of an external nic. and if your session times out,
> your translation is removed from the table.
Yeah, I only call this "cheap and nasty" because using NAT often creates
some problems, so I'm a bit loath to use it to solve problems other than the
one it was meant for. Mind you, Cisco decided to base a whole firewall on
it, so what do I know. ;)
>
> i think i remember reading of a university that employed a BSD solution
> doing NAT, and authenticating ethernet ports with telnet. for example, you
> plug into an arbitrary port in the university, and get your address based
> on dhcp. you are now completely blocked from communicating with
> anyone. upon telnet'ing to a specific auth host, and putting in your
> password, your port is now free to connect all over.
That's cute. Exactly the same concept as the Lock and Key thing that Cisco
supports. Some vendors are now pushing "Directory Enabled Networks" that
extend this concept (which is what I alluded to earlier). It's the same
thing - get placed in a "holding" VLAN, auth to something (LDAPPY), then
have the _switch_ reconfigure the port on the fly, expire your holding lease
and give you a new DHCP address in your appropriate network. Devices can
then just filter by IP addresses. Uh, after VLAN wrangling anyway.
Things I don't like about it - it's based on VLANS and it means you need to
buy more hardware / software. In addition, you need to munge your auth model
into something supported by the DEN equipment. Shouldn't be hard in most
cases though. Also, DEN requires switch smartness (which the open method
above doesn't).
>
> the bsd box modified its ipf.rules and ipnat.rules tables on the fly, and
> loaded them into memory. they also constantly sent little heartbeats to
> your host, and when you were no longer reachable, your ip address was
> removed and the holes were closed back up.
Yeah, the "little heartbeats" are part of why I don't like this solution.
Also, in effect, you're basing the security on IP address. A combination of
a DoS and fragrouter would enable a dedicated attacker to get around the
system. Kerberos itself is vulnerable to password guessing attacks and (in
special circumstances) replays. My crazy idea solves these problems, of
course, since IPSec uses strong auth and the protocol protects against
replays. Unless you're braindead and decide to use shared secrets or manual
keying. Which you wouldn't. That would be braindead.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
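The telnet-authenticated BSD gateway Truman describes (blocked by default, hole and NAT translation opened after a valid password, heartbeats closing it again) modelled as a small state table. This is an added illustration, not code from the thread or from the university system; the credential store, the 30-second heartbeat timeout, the interface name `ext0` and the addresses are constructed values, and the filter's `is_allowed` check makes Ben's point visible: the only key the table can consult is the source IP.

```python
"""Model of a telnet-authenticated port gateway that regenerates ipf/ipnat rules."""
from __future__ import annotations
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 30  # seconds without a heartbeat reply before the hole closes (assumed)


@dataclass
class Session:
    user: str         # who authenticated from this address
    ext_ip: str       # external address the host is NAT'd to
    last_seen: float  # time of the last successful heartbeat


@dataclass
class AuthGateway:
    ext_pool: list[str]                      # free external addresses for NAT
    users: dict[str, str]                    # constructed stand-in for the auth host
    sessions: dict[str, Session] = field(default_factory=dict)  # keyed by source IP

    def authenticate(self, src_ip: str, user: str, password: str, now: float) -> bool:
        """Valid password: open a hole for src_ip and hand it an external address."""
        if self.users.get(user) != password or not self.ext_pool:
            return False
        self.sessions[src_ip] = Session(user, self.ext_pool.pop(0), now)
        return True

    def heartbeat(self, src_ip: str, reachable: bool, now: float) -> None:
        """Refresh the session on a reply; close it once the host has been silent too long."""
        s = self.sessions.get(src_ip)
        if s is None:
            return
        if reachable:
            s.last_seen = now
        elif now - s.last_seen > HEARTBEAT_TIMEOUT:
            self.close(src_ip)

    def close(self, src_ip: str) -> None:
        """Remove the translation and return the external address to the pool."""
        self.ext_pool.append(self.sessions.pop(src_ip).ext_ip)

    def is_allowed(self, src_ip: str) -> bool:
        # The filter can only consult the source address: the table binds the IP,
        # not the person who typed the password, which is the weakness Ben points out.
        return src_ip in self.sessions

    def render_rules(self) -> tuple[list[str], list[str]]:
        """Regenerate the ipf.rules / ipnat.rules text the box reloads after each change."""
        ipf = ["block in all"] + [f"pass in quick from {ip} to any" for ip in self.sessions]
        ipnat = [f"map ext0 {ip}/32 -> {s.ext_ip}/32" for ip, s in self.sessions.items()]
        return ipf, ipnat
```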