At 05:33 PM 7/16/02, Williams, Larry wrote:
>I don't know enough to form an educated guess, and I would have to do 
>major research to make something like this work for me, but here's my 
>invention exchange.
>
>- You could use group membership to indicate who has returned their 
>forms.  When someone does return the form, you add their user ID to the 
>group that affords them Internet access.

Obviously, this principle would have to be applied at some level -- but it 
might not be so straightforward in a mixed-client environment (there's not 
necessarily any correlation between a Windows NT/2000 "group" and a UNIX 
group)... unless, possibly, everything was centrally managed from something 
like an LDAP or RADIUS server.

>- You could create a login script that first checks if the user belongs to 
>the Internet group and then issues an iptables command to grant access to 
>the user's current IP.
>- You could create a logout script that removes their IP when they leave.
>- If the logout script doesn't run, maybe when they drop the connection 
>(doesn't it run anyway?), a cron event could check for stale IPs and purge 
>any from iptables.

BAD idea.  Scenario:

Joe Q. User (who belongs to the 'Internet' group) logs in -- a rule is 
added to iptables to allow Internet access from his IP (say 192.168.100.1).

Jane A. Hacker (who is not in the 'Internet' group -- indeed, they wouldn't 
even need an account on the local domain!  The only access required would 
be physical access to the network.  Bring in a laptop with Linux installed 
and plug it into any convenient Ethernet jack...) performs a DoS attack 
(ping flood, exploit script, ARP spoofing, whatever) against Joe Q. User's 
machine.  Once Joe Q. User's machine is knocked off the (local) 'net, Jane 
A. Hacker instructs her computer to assume an IP address of 192.168.100.1 
(a MAC address takeover would also be likely).  Voila!  Jane A. Hacker now 
has Internet access through the company's pipe.  In addition, your script 
to check for 'stale IPs' wouldn't work, because that IP address is in use 
(by Jane A. Hacker's machine).  Also, if you logged IP address->username 
logins, anything that Jane A. Hacker does with that Internet access would 
be logged under Joe Q. User's name!

In theory, a good idea.  It would also work if you had a small, TRUSTED 
group of employees.  But unfortunately, one can never rule out the 
possibility of an insider attack... running a proxy server which requires 
authentication would be a superior method in this case (among other 
possibilities).

Just my thoughts...
- Peter Kristolaitis
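
As an added illustration of the stale-IP problem Peter describes (not code from either poster), the script below audits the per-IP grants against the MAC address recorded at login rather than merely checking whether the IP still answers. It assumes a hypothetical session store holding (user, IP, MAC-at-login), ARP output in the Linux `arp -an` format, and that the login script granted access with a per-IP ACCEPT rule in the FORWARD chain; the session records and ARP lines are constructed sample data, and the iptables commands are only generated, not executed.

```python
"""Audit IP-keyed Internet grants against the MAC seen at login (added example)."""
import re
from dataclasses import dataclass

# Matches one line of `arp -an` output, e.g.
# "? (192.168.100.1) at 00:11:22:33:44:55 [ether] on eth0".
# Lines with "<incomplete>" carry no MAC and therefore do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass
class Session:
    user: str
    ip: str
    mac_at_login: str  # hypothetical: recorded by the login script


# Constructed sample data: the current ARP table as seen by the gateway.
ARP_SAMPLE = """\
? (192.168.100.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.100.2) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.100.3) at <incomplete> on eth0
"""

# Constructed sample data: grants issued by the login script.
SESSIONS = [
    Session("joe", "192.168.100.1", "AA:BB:CC:DD:EE:01"),  # IP in use, but by a different MAC
    Session("ann", "192.168.100.2", "aa:bb:cc:dd:ee:02"),  # unchanged
    Session("bob", "192.168.100.3", "aa:bb:cc:dd:ee:03"),  # host gone, logout script never ran
]


def parse_arp_table(text):
    """Parse `arp -an` style output into a {ip: mac} dict (MACs lower-cased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def audit_sessions(sessions, arp_table):
    """Split sessions into (keep, revoke).

    A grant is revoked when the IP no longer has an ARP entry (stale) or when
    the MAC now answering for it differs from the one recorded at login.
    """
    keep, revoke = [], []
    for s in sessions:
        current = arp_table.get(s.ip)
        if current is None:
            revoke.append((s, "stale: no ARP entry"))
        elif current != s.mac_at_login.lower():
            revoke.append((s, f"mac changed: {s.mac_at_login.lower()} -> {current}"))
        else:
            keep.append(s)
    return keep, revoke


def iptables_revoke_commands(revoked):
    """Render (not run) the commands that would remove each revoked grant."""
    return [f"iptables -D FORWARD -s {s.ip} -j ACCEPT" for s, _ in revoked]


def run_audit():
    """Run the audit over the constructed sample data."""
    keep, revoke = audit_sessions(SESSIONS, parse_arp_table(ARP_SAMPLE))
    return keep, revoke, iptables_revoke_commands(revoke)


if __name__ == "__main__":
    keep, revoke, cmds = run_audit()
    for s in keep:
        print(f"keep   {s.user:4} {s.ip}")
    for s, why in revoke:
        print(f"revoke {s.user:4} {s.ip}  ({why})")
    print("\n".join(cmds))
```

Checking the MAC catches the simple case where only the IP was taken over, which a pure "is the IP still in use" check misses. It does not help when the MAC is cloned as well, which the message notes is likely, so it narrows the window rather than closing it; that limitation is exactly why the message's closing suggestion, an authenticating proxy that ties access to a credential rather than to a network address, is the stronger control.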
