RE: can you internally proxy a request more than once?

2012-03-25 Thread Brian Julin
Phil Mayers wrote:
> I'm not entirely sure I buy that it ensures only the outer server is
> affected; once compromised, the outer server can be used to send
> arbitrary UDP packets to the inner server since the sockets are already
> open. But I guess the same could be said of any perimeter defenc

Re: can you internally proxy a request more than once?

2012-03-25 Thread Phil Mayers
On 03/24/2012 10:26 PM, Brian Julin wrote: Can you explain what threat model you think this addresses? It limits the exposed fuzzable surface. Any vulnerabilities present or introduced in the low level RADIUS packet processing compromise only the external server. The packets that reach the

RE: can you internally proxy a request more than once?

2012-03-24 Thread Brian Julin
Phil Mayers [p.may...@imperial.ac.uk] wrote
> I'm curious about what you mean here. I don't see the difference between
> a single server performing attribute filter & auth, versus two separate
> processes.
>
> Can you explain what threat model you think this addresses?

It limits the exposed fuzz

Re: can you internally proxy a request more than once?

2012-03-24 Thread Phil Mayers
On 03/23/2012 04:02 PM, Brian Julin wrote: Not sure, but you should consider running non-virtual instances (not that hard to do) and using privilege separation such that there is little potential for exposure of your internal authentication structure or internally-utilized crypto material to an e

Re: can you internally proxy a request more than once?

2012-03-24 Thread Phil Mayers
On 03/23/2012 02:12 PM, mark.le...@stfc.ac.uk wrote: isn’t possible, do I have any other options? Would a solution be to make the virtual servers listen on two different IP addresses, and configure the NAS to use a different RADIUS server IP address for each SSID? That is the common solution,

Re: can you internally proxy a request more than once?

2012-03-23 Thread Alan DeKok
mark.le...@stfc.ac.uk wrote:
> I may not have provided enough detail, but am I doing something that
> obviously won’t work? I don’t know if it’s possible to internally proxy
> a request more than once, e.g. to two different virtual servers.

It's not. It will likely work (eventually) in 3.0.

RE: can you internally proxy a request more than once?

2012-03-23 Thread Brian Julin
Not sure, but you should consider running non-virtual instances (not that hard to do) and using privilege separation such that there is little potential for exposure of your internal authentication structure or internally-utilized crypto material to an externally presented service. Also, it is po