On Sep 6, 2006, at 3:48 AM, Darren Reed wrote:

> Darren J Moffat wrote:
>
>> Darren Reed wrote:
>>
>>> Someone asked me today, will it be possible to use cards
>>> such as SecurID with IPFilter to authenticate network access.
>>>
>>> While my response is sure, we can do this, how would this
>>> fit in to the Solaris security model?
>>
>>
>> Before we go to the details of how to implement it I think we
>> first need to understand what authenticating network access means
>> in this context.
>>
>> What is the identity that is to be authenticated ?
>> user
>> ...
>
>
> At the higher level, the question for this comes from:
> "when can I use IPFilter to control remote access like Firewall-1?"
>
> I don't yet have any further specifics on the requirements but I
> have encouraged the requestor to participate in this discussion.
>
> From memory about Firewall-1 and its user authentication....
>
> In general it is a combination of user and host (often "*")
> that is authenticated using username/password (either from a
> private database, NIS or Microsoft or SecurID or...) so that
> the user can be given access to a remote service (Internet,
> web server, etc.) that is defined by an ACL entry in the
> firewall policy.
>
> What's different about 802.1x here is that it isn't necessarily
> access to the network itself that is being controlled but rather
> access to a particular service on the network where that service
> doesn't have the capability to enforce its own authentication
> checks. At least my understanding of 802.1x is that it is limited
> to authenticating access to the network, not so much access to
> devices on the network.
>
> Darren
Obviously I'm talking to someone who knows more than I do about IPFilter, but I thought it only checked link-layer stuff. Those things are inherently spoof-able, so its security value is in preventing "end-runs" around connection methods that have more specific security mechanisms. E.g. careful configuration of sshd only helps if you have XDMCP blocked.

This sounds more like a scenario where a user would run one program to "unlock" a service and then run the normal, unsecured service. E.g. "ipf-secureid-unlock <server>" followed by "X --query <server>" (and hope nobody sneaks in between the two).

No question there is a place for a setup like this, but I'd much rather use applications that have proper security built-in.

So, what does the user want again?

----------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu