Don't take the following as meaning there is no value to your approach. There is. It just has some issues from a strict security standpoint.
On Sep 6, 2006, at 12:47 PM, Dale Sears wrote:

>> So, what does the user want again?
>> ------------------------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US
>> Government.
>> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>>
>>
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss at opensolaris.org
>>
>
> The user (me) wants to have a set of rules in the firewall that are enabled
> only after the client (a user at some random IP address) has successfully
> used some form of two-factor authentication.

Ideally the authentication ought to be proof against MITM (man in the middle) attacks.

> It would be nice to be able to configure a dedicated host as a firewall
> with a defined set of interfaces as public/private or internal/external
> and allow authenticated IP addresses to send packets from one side
> to the other.
>
> This leaves the rules invulnerable to spoofing during the time when no IP
> addresses have been authenticated.

True. OTOH One Time Passwords aren't inherently proof against MITM. The OTP could be intercepted and used by a bad guy to open a different IP before or instead of the real user.

> Also, this arrangement provides a level of flexibility such that "authenticated"
> users can come in from various address spaces without a priori knowledge
> of where said users are going to be.

Yes, this is a good thing.
> The term "authenticated" can be debated, but it is meant here as:
>
> [i]Distinct from any user on the Internet simply because
> they were able to know something and have something
> at the right time.[/i]
>
> Often this has the desired effect of limiting a service from "any IP address"
> to "any IP address from which a user has authenticated"
>
> Authenticating an IP address is a means of raising the bar and making
> the attacker work a little harder, but it is understood that if the attacker is
> also at the right place and time (e.g. on a multi-user system which has been
> authenticated) then the service which was inaccessible can now be accessed.

I'd be more concerned about router cracks, or hidden NATs, or ARP spoofing. Just because Cisco has suppressed presentations at Defcon doesn't mean there wasn't anything to present, if you know what I mean.

> The attacker in this scenario is forced to attack clients which authenticate
> to the firewall because the firewall simply drops all packets from
> non-authenticated IP addresses.
>
> Some thought must also be given to how and when such rules are disabled.
> Various options might be available such as:
>
> 1. Strict time limit after initial authentication
> 2. Disable after specified time limit during which no traffic has
>    traversed the filter.
> 3. Enabled/Disabled at a given time of day (2PM to 4PM PST)
>
> I hope that clears up what I was thinking, but many words usually bring
> many troubles.
>
> Dale
>
> This message posted from opensolaris.org
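As an added illustration of the scheme Dale describes (this is example code written for this page, not anything posted in the thread or shipped with OpenSolaris), the following Python keeps a table of "authenticated" source addresses and implements his three disabling options: a strict lifetime after authentication, an idle timeout, and a daily time-of-day window. It renders the resulting rule set in IP Filter (ipf) syntax, since that is the OpenSolaris packet filter; the interface name `e1000g0`, the class and method names, and the sample addresses and times are all assumptions made for the example.

```python
"""Added example (not from the thread): a table of firewall rules that exist
only for IP addresses that have passed authentication, with the three expiry
options Dale lists.  Rule text is rendered in IP Filter (ipf) syntax because
the list is OpenSolaris; the interface name is an assumption."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List


class ExpiryPolicy:
    """How an authenticated rule is switched off again."""

    def active(self, entry, now: datetime) -> bool:
        raise NotImplementedError

    def finished(self, entry, now: datetime) -> bool:
        # By default an inactive rule is gone for good; TimeOfDay overrides.
        return not self.active(entry, now)


@dataclass(frozen=True)
class StrictLimit(ExpiryPolicy):
    """Option 1: fixed lifetime after the initial authentication."""
    ttl: timedelta

    def active(self, entry, now):
        return now < entry.authenticated_at + self.ttl


@dataclass(frozen=True)
class IdleLimit(ExpiryPolicy):
    """Option 2: disabled after `idle` with no traffic through the filter."""
    idle: timedelta

    def active(self, entry, now):
        return now < entry.last_seen + self.idle


@dataclass(frozen=True)
class TimeOfDay(ExpiryPolicy):
    """Option 3: enabled only inside a daily window, e.g. 14:00-16:00."""
    start: time
    end: time

    def active(self, entry, now):
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window wraps past midnight

    def finished(self, entry, now):
        return False   # the rule toggles daily; it is never expired by time


@dataclass
class Entry:
    ip: str
    authenticated_at: datetime
    last_seen: datetime
    policy: ExpiryPolicy


class AuthenticatedRules:
    """Rules exist only for addresses that authenticated; everything else is dropped."""

    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def authorize(self, ip: str, now: datetime, policy: ExpiryPolicy) -> str:
        # Validate and normalise first: only a real address may end up in a rule,
        # which also keeps attacker-supplied text out of the generated rule file.
        addr = str(ipaddress.ip_address(ip))
        self._entries[addr] = Entry(addr, now, now, policy)
        return addr

    def touch(self, ip: str, now: datetime) -> bool:
        """Record traffic from `ip`.  Only a currently active rule is refreshed,
        since packets from an expired address never traverse the filter."""
        entry = self._entries.get(str(ipaddress.ip_address(ip)))
        if entry is None or not entry.policy.active(entry, now):
            return False
        entry.last_seen = now
        return True

    def active_ips(self, now: datetime) -> List[str]:
        return sorted(ip for ip, e in self._entries.items() if e.policy.active(e, now))

    def expire(self, now: datetime) -> List[str]:
        """Drop entries whose policy says they are finished; return what was dropped."""
        dead = sorted(ip for ip, e in self._entries.items() if e.policy.finished(e, now))
        for ip in dead:
            del self._entries[ip]
        return dead

    def render_ipf(self, now: datetime, ext_if: str = "e1000g0") -> List[str]:
        """ipf rules for the current moment: one pass rule per active address,
        then a quick block so unauthenticated addresses are dropped."""
        rules = [f"pass in quick on {ext_if} from {ip} to any keep state"
                 for ip in self.active_ips(now)]
        rules.append(f"block in quick on {ext_if} all")
        return rules
```

Writing the rendered rules to a file and reloading them into the kernel is left to the caller. Note what the table does not do: it records only the address the authentication arrived from, so it does nothing about Henry's point above that an intercepted OTP could be presented from a different address; binding the authenticator to the client address would have to happen in the authentication step itself.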