At 08:38 29/09/00 -0400, Paul D. Robertson wrote:
>On Fri, 29 Sep 2000, mouss wrote:
>
> > one way would be to allocate IP addresses based on user identity. yet, there is no "standard" solution, but the worst here is that this assumes mono-user hosts.
>
>This is an interesting idea. Are you aware of any implementations of this?
I'm not sure whether Checkpoint's acquired MetaIP does this or not. According to their web site, there is a user-to-address correlation, but it is not clear if the correlation is "automatic" (ipaddr=function(uid)) or not (you have to ask their server to get the uid). Automatic is clearly better.

Also, Cisco's service selection gateway is a possible solution, but seems "reserved" for ISPs.

>The same sort of authentication in switches would make life much easier.
>I really need to spend more time examining this.
There are also other ways to do that:

1. Implement a simple authentication server and run it on the FW. Then users are asked to first telnet to this server, authenticate and keep the connection open until they finish surfing. The server then does ioctl calls to update the IP rules (this should work for all open source filters: ipfilter, ipfw, ipchains, iptables, ...). It adds a rule to allow the IP address of the authenticated user. When the user session with this server is closed, the rule is removed. This is a very simple mechanism, and is not hard to do. Would it be a good thing?

2. Modify current filters to manage "authenticated user sessions". That would be a form of keeping state. When a packet is received from a host, the filter checks the user sessions table. If none is found, a user process is signalled to ask the user to authenticate. This requires that a "facilitator" server is running on the client host. For unix, identd is a candidate (and though it's not foolproof, it is ok if the internal net is relatively trusted and the root password is not given to anyone). Other mechanisms are better but they are not widespread. Anyway, this seems to require more work than 1.

3. One could also code some server to modify DNS entries when users are authenticated, so that the hostname becomes username.mydomain. Then the FW would only need to do a DNS lookup instead of authenticating the user. This seems easier...

...

However, when authentication is desired, user level proxies are more natural to consider.

>[snip]
cheers,
mouss
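
Option 1 from mouss's list, written out as an added Python example (this is not code from the thread, from mouss, or from any product mentioned above). It assumes the iptables rule syntax `-I/-D FORWARD -s <ip> -j ACCEPT` for the "allow this address" rule, a constructed two-user password table, a one-line `user password` wire protocol on port 2323, and a 10-minute idle timeout; all of those are choices made for the example. The backend records every rule change, and in `dry_run` mode it never touches the real filter, so the session logic can be exercised on any machine. It also makes the thread's mono-user-host assumption explicit: one open rule per source IP, and a second login from a host that already has a rule is refused rather than silently shared.

```python
"""Toy 'authenticate, then open the filter for your IP' session server."""
import hashlib
import hmac
import socketserver
import subprocess
import threading
import time

def _hash_pw(salt: bytes, password: str) -> str:
    """Salted SHA-256 digest; a stand-in for a real password store (example only)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed demo accounts (assumption: a deployment would query an existing
# user database instead of a literal table like this).
_SALT_A, _SALT_B = b"salt-alice", b"salt-bob"
USERS = {
    "alice": (_SALT_A, _hash_pw(_SALT_A, "correct horse")),
    "bob": (_SALT_B, _hash_pw(_SALT_B, "battery staple")),
}

def check_password(user: str, password: str) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    entry = USERS.get(user)
    return entry is not None and hmac.compare_digest(_hash_pw(entry[0], password), entry[1])

class RuleBackend:
    """Builds (and optionally runs) the packet-filter command for one source address.
    Assumed syntax is iptables': -I/-D <chain> -s <ip> -j ACCEPT."""
    def __init__(self, chain: str = "FORWARD", dry_run: bool = True):
        self.chain, self.dry_run, self.executed = chain, dry_run, []

    def _run(self, action: str, ip: str) -> list:
        argv = ["iptables", action, self.chain, "-s", ip, "-j", "ACCEPT"]
        self.executed.append(argv)          # audit trail of every rule change
        if not self.dry_run:
            subprocess.run(argv, check=True)
        return argv

    def allow(self, ip: str) -> list:
        return self._run("-I", ip)

    def revoke(self, ip: str) -> list:
        return self._run("-D", ip)

class SessionTable:
    """Maps source IP -> (user, last activity). One rule per IP: the hole is per-host,
    so a second login from an already-open host is refused rather than shared."""
    def __init__(self, backend: RuleBackend, idle_timeout: float = 600.0):
        self.backend, self.idle_timeout = backend, idle_timeout
        self._sessions, self._lock = {}, threading.Lock()

    def login(self, ip: str, user: str, password: str) -> bool:
        with self._lock:
            if ip in self._sessions or not check_password(user, password):
                return False
            self.backend.allow(ip)
            self._sessions[ip] = (user, time.time())
            return True

    def touch(self, ip: str) -> None:
        with self._lock:
            if ip in self._sessions:
                self._sessions[ip] = (self._sessions[ip][0], time.time())

    def logout(self, ip: str) -> bool:
        with self._lock:
            if self._sessions.pop(ip, None) is None:
                return False
            self.backend.revoke(ip)
            return True

    def expire(self, now: float = None) -> list:
        """Revoke rules whose client went quiet; returns the IPs that were closed."""
        now = time.time() if now is None else now
        with self._lock:
            stale = [ip for ip, (_, seen) in self._sessions.items()
                     if now - seen > self.idle_timeout]
        for ip in stale:
            self.logout(ip)
        return stale

    def active(self) -> dict:
        with self._lock:
            return {ip: user for ip, (user, _) in self._sessions.items()}

class AuthHandler(socketserver.StreamRequestHandler):
    """Wire protocol: one line 'user password'; the rule lives until the socket closes."""
    table = None   # SessionTable, set by serve()

    def handle(self):
        ip = self.client_address[0]
        fields = self.rfile.readline().decode(errors="replace").split()
        if len(fields) != 2 or not self.table.login(ip, *fields):
            self.wfile.write(b"denied\n")
            return
        self.wfile.write(b"ok: access open for this host until you disconnect\n")
        try:
            while self.rfile.readline():     # any further input just refreshes the idle timer
                self.table.touch(ip)
        finally:
            self.table.logout(ip)            # EOF, reset or crash: the rule goes away

def serve(table: SessionTable, host: str = "0.0.0.0", port: int = 2323) -> None:
    AuthHandler.table = table
    def reaper():                            # closes sessions whose client vanished
        while True:
            time.sleep(30)
            table.expire()
    threading.Thread(target=reaper, daemon=True).start()
    with socketserver.ThreadingTCPServer((host, port), AuthHandler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve(SessionTable(RuleBackend(dry_run=True)))   # dry_run: log rules, change nothing
```

Run it with `dry_run=False` as root and the recorded `argv` lists become real rule changes; `backend.executed` is the log you would want to keep either way, since it says exactly which address was opened for whom and when it was closed. The telnet transport the thread proposes carries the password in the clear across the internal net, and the `finally` plus the idle reaper are what keep a half-closed connection from leaving the rule in place indefinitely.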
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]