Thanks Adam: I agree. All the authentication mechanisms I've listed except for IPSec/VPN lack bi-directional authentication, making them susceptible to man-in-the-middle attacks, lack flow integrity, allowing them to be hijacked, and some even use cleartext passwords. Probably most important, none support privacy, which is a concern when some users deal with sensitive data.

SSL/TLS is good for a limited set of protocols like HTTP and FTP, but can't be used for a variety of protocols like NFS and POP. Is IPSec a viable solution for exclusive access to a secure Enterprise or Internet Data Center? I believe better authorization is becoming available; for instance, Lucent's router will enforce authorized access lists from a RADIUS user profile.

Eric Bomarsi

--- Adam Safier wrote:
> You left off token based authentication (SecurID, Cryptocard, etc.), one
> time passwords (S/key), PKI, smart cards as well as a proxy web server and
> various Single Sign On systems.
>
> At my prior company we had SecurID which works nicely. The problem with
> most authentication systems on clear connections is that once a user is
> authenticated the session could still be hijacked or sniffed. You really
> only have one A of AAA. We had a gateway that required logging into and then
> logged key strokes for selected systems but that isn't AAA either. Finally,
> we also used SSH for encrypted telnet to routers.
>
> VPN can be used for internal systems and gives you authentication, limited
> authorization and limited audit. The user LAN can be the equivalent of the
> Internet and the protected systems are your secured domain. You can use two
> factor authentication with it for stronger authentication.
>
> Tumbleweed and others make web based gateways that you set up to access
> specific applications and you can force user authentication over SSL. But
> they take a bit more setup.
>
> Good luck,
>
> Adam
>
> ----- Original Message -----
> From: "Eric E. Bomarsi" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 05, 2002 10:31 PM
> Subject: User AAA into a Secure Data Center
>
>
> > I am interested in hearing from people who have implemented user based
> > AAA for internal access to a secure data center or similar deployment.
> > I've listed the methods I am familiar with:
> >
> > 1) Dynamic ACLs (Cisco Lock-and-key, Checkpoint client/session auth).
> > Basically a one-time user authentication which opens a dynamic hole from
> > the user's machine.
> >
> > 2) Application Proxying
> > Firewall intercepts specific applications, authenticates user, then
> > stitches connection through to server. Limited to small set of apps like
> > FTP, HTTP(s), and telnet.
> >
> > 3) 802.1x
> > Very new, but recently made available on Microsoft O/S's for both WLAN
> > and LAN. Is anyone looking at this?
> >
> > 4) IPSec VPN
> > Very strong, offers privacy, but typically only used for external access.
> >
> > Others?
> >
> > Thanks
> > Eric Bomarsi
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
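For readers not familiar with item 1 of the list, Cisco lock-and-key, here is what that mechanism looks like in IOS configuration. This is an added illustration, not something posted in the thread; the interface, addresses, ACL number, list name, RADIUS server and timeouts are all assumptions chosen for the example.

```cisco
! Lock-and-key (dynamic ACL) on a router in front of a data center segment.
! Assumed topology: users on Ethernet0 (192.168.1.0/24), servers in 10.10.0.0/16.
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 key example-shared-secret
username fallback-admin password 0 example-fallback-password

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in

! Static entry: users must be able to reach the router itself to authenticate.
! Note this is telnet, so the login credentials cross the LAN in the clear.
access-list 101 permit tcp any host 192.168.1.1 eq telnet
! Dynamic entry: created per authenticated user, absolute lifetime 120 minutes.
! Until a user authenticates, nothing else from the user LAN reaches 10.10.0.0/16.
access-list 101 dynamic dc-access timeout 120 permit ip any 10.10.0.0 0.0.255.255

line vty 0 4
 login authentication default
 ! After a successful login, replace "any" with the caller's source address,
 ! insert the temporary entry, and drop the session. Idle timeout 10 minutes.
 autocommand access-enable host timeout 10
```

Once the user logs in, the router inserts a temporary permit keyed only to the source IP address that authenticated; you can inspect the active entries with `show access-lists 101` and remove one with `clear access-template`. That source-address keying is exactly the weakness discussed above: anything on the LAN that can spoof or take over that address inherits the hole for the lifetime of the entry, and the login exchange itself is cleartext telnet unless it is wrapped in SSH or a VPN.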
