On Thu, Nov 27, 2014 at 05:09:02PM +0100, Martin Hanson wrote:
> Hi
> 
> So I am looking into authpf and I am wondering about some real world
> applications.
> 
> I have a bunch of users, but I also have just a bunch of machines.
> 
> The machines cannot login via SSH and should not try to do so (via some
> script or otherwise). However, these machines need access 24/7.
> 
> So I was thinking about fixing rules to those machines before any
> anchors for users, but I cannot see how this provides any security at
> all - and bear with me if I am overlooking something.
> 
> If say machine 192.168.0.2 and 192.168.0.3 need unrestricted access to
> the net, then won't it be as easy as "Joe" changing his machine's IP
> address to 192.168.0.2 to gain access without authentication?

Here is a case where you trust the machines, but do not trust Joe.

Commonly, trusted servers are deployed on network segments that are
separate from untrusted users - via Ethernet segments or VLANs.  It is
also possible to use VPNs to provide functional separation of servers
from users, if separate Ethernet tiers are not possible.

> And what about other kinds of access? Now I get a brand new box in that
> needs a fresh installation of some Linux distribution that we install
> over HTTP. This new box doesn't come with an SSH console and the install
> disk doesn't provide a console with SSH during installation.

The provisioning, if performed on the untrusted network, would require
the distribution server to be accessible.  Simple enough with a pass
rule to your organization's deployment server.
 
> Then I am beginning to see signs of "network segmentation" in my head,
> but that kinda makes authpf more or less useless then - unless I need
> to grant different people different access on the same segment I can
> just segment the entire net.
> 
> Anyway, I hope I make sense! :)
> 
> How do you use authpf in real life?
> 
> Kind regards.

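Putting the reply's advice into a pf.conf fragment (an added example, not written by either participant): the trusted machines get a static pass rule bound to their own segment's interface, the deployment server gets a narrow HTTP pass rule, and everything else goes through the authpf anchor. Interface names and the deployment server address are assumed placeholders.

```pf
# Assumed interface names: adjust to the local layout
ext_if = "em0"   # uplink
srv_if = "em1"   # VLAN/segment holding the trusted machines
usr_if = "em2"   # segment holding untrusted users

# The two machines from the question; const so they cannot be changed at runtime
table <trusted_servers> const { 192.168.0.2, 192.168.0.3 }

# Placeholder address for the organization's deployment server
deploy_server = "10.0.0.10"

block all

# Trusted machines: match on the server interface, not just the address.
# A user on $usr_if who clones 192.168.0.2 does not hit this rule.
pass in on $srv_if from <trusted_servers>

# Unauthenticated hosts on the user segment may still fetch installs over HTTP
pass in on $usr_if proto tcp to $deploy_server port http

# Per-user rules from /etc/authpf/users/<user>/authpf.rules are loaded here
# only after the user has authenticated over SSH
anchor "authpf/*"

pass out on $ext_if
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.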