At 09:28 30/05/01 +0100, Trevor Oxborrow wrote:
>I have been setting up an "Authentication Gateway" using 
>ipchains and ncsa-auth in collusion with a local company. It is 
>not complete yet, but the project is well under way. It runs 
>standalone on a dual-homed Linux box. The user logs in to the 
>box, and in doing so, his profile script amends the ipchains 
>table to allow him/her access to anything on the "other" side. 
>On logout, the reverse happens.
>
>Regards, Trevor.

Sounds interesting. Unfortunately it's not really what I'm looking for - if
I've followed your description then it's no better than what I'm doing just
now.
There are a couple of things I'd be concerned about:
1) authenticating users separately from the proxy makes it more difficult
to implement per-user configurations for URL re-writing / access control.
2) modifying your firewall on the fly is going to make it impossible to
prove it is correct at any point in time
3) and debugging and proving firewalls is difficult at the best of times.
4) I believe ncsa-auth uses its own password file - so I couldn't use an
existing account.
5) The firewall user interface is the part of Linux which seems to keep
changing the most, and is largely incompatible with previous versions (ipfw
/ ipfwadmin / ipchains / iptables / ...). As a security device this box
should be kept up to date - but that could mean re-writing large parts of
the application software.
6) if it's done on a network router / server, it's still not transparent (as
per kerberos / NTLM / ident) in that they still have to perform an
additional logon to get access.
7) if it's done on a separate box it introduces another point of failure.
8) if, instead, it's run on the user's workstation, then like bad old NFS
you're granted access to a valued resource on the basis of the assertion that
the user and the device are behaving as you intended them to (vs booted
from floppy disk, changed root password ....) unless you're doing something
clever with VPN between the client and the authenticating router.

:(

Colin

--------------------------------------------------------------------
http://www.lug.org.uk                   http://www.linuxportal.co.uk
http://www.linuxjob.co.uk               http://www.linuxshop.co.uk
--------------------------------------------------------------------
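One way to address Colin's point 2 (a firewall edited piecemeal from each user's profile script cannot be proven correct at any moment) is to never edit rules incrementally at all: regenerate the whole chain from the current set of logged-in users, so the rule set is a pure function of a single input that can be reviewed or diffed. The script below is an added example, not code from either poster or from any real gateway. The chain name AUTHFWD, the protected network and the who(1)-style login lines are all constructed for illustration, and the script only emits the ipchains commands to stdout rather than running them, so it can be inspected first (or piped to sh on a box that actually has ipchains).

```shell
#!/bin/sh
# Added example: rebuild an ipchains forwarding chain from the set of
# currently logged-in users instead of patching it from profile scripts.
# Nothing here calls ipchains; the commands are printed for review.

CHAIN="${CHAIN:-AUTHFWD}"                  # hypothetical chain name
INNER_NET="${INNER_NET:-192.168.1.0/24}"   # the "other" side (constructed)

# Constructed sample in the layout of `who` output: user tty time (host).
# alice is logged in twice from the same host; the rule set must not
# depend on that, only on the distinct hosts.
SAMPLE_WHO='alice    pts/0   May 30 09:28 (10.0.0.11)
bob      pts/1   May 30 09:30 (10.0.0.12)
alice    pts/2   May 30 09:31 (10.0.0.11)'

# logged_in_hosts: distinct dotted-quad source hosts from who(1)-style lines.
logged_in_hosts() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9.][0-9.]*\)).*/\1/p' | sort -u
}

# render_rules: emit the complete chain for a host list. The chain is
# flushed first and ends in a logged DENY, so the output depends only on
# the input and there is no "previous state" to reason about.
render_rules() {
    hosts="$1"
    echo "ipchains -F $CHAIN"
    for h in $hosts; do
        echo "ipchains -A $CHAIN -s $h -d $INNER_NET -j ACCEPT"
    done
    echo "ipchains -A $CHAIN -j DENY -l"
}

# rule_count: number of ACCEPT rules in a rendered rule set.
rule_count() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Run with --demo to print the rule set for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    render_rules "$(logged_in_hosts "$SAMPLE_WHO")"
fi
```

Because the chain is regenerated in full, a periodic job (rather than a logout hook that may never run if a session dies) can re-run it against live `who` output and the result is always the rule set you would get for that login list; verifying the firewall reduces to verifying one small generator.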
