I can't stand it any more. Why not use an authenticating proxy firewall
instead of trying to contort a packet filter to make it work in higher
layers of the ISO model? If you really want to control outbound access by
user (which is what happens at this site) then an authenticating proxy
firewall will do that without breaking a sweat. There is even at least one
firewall (NT-based, which is not necessarily a Good Thing(tm)) which will
do authentication based on a pre-existing Windows domain login. This is
not foolproof (if you leave your workstation unlocked I could use your
login and gain an access I might not have had on my own) but it is pretty
transparent.
<flame suit on>
Ben Nagy <[EMAIL PROTECTED]> on 09/28/2000 06:58:25 PM
To: "'Johannes Kloos'" <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
cc:
Subject: RE: User level packet filtering
> -----Original Message-----
> From: Johannes Kloos [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 29 September 2000 5:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: User level packet filtering
>
>
> On Thu, Sep 28, 2000 at 11:33:30PM +0500, Abdul Basit wrote:
> > Hey
> > Is it possible to do user based packet filtering in *nix ?
> > say i need to allow telnet access to all but i want to block port
> > 80(outbound) to some users
> > while allowing others ?
> >
> > something like packet filter first checks uid and
> > then apply the
> > existing rule ?
>
> netfilter (aka iptables) on linux includes "owner matching",
> so you may say:
>
> iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner luser -j REJECT
And is there a way to match arbitrary streams from the internal network to a
given uid?
As far as I can tell the uid matching only works for users actually working
on the firewall.
The payware solution I've seen that looks best is based on putting users in
certain VLANs based on their login. The firewall can then just work out
access-control based on IP address. That's good as far as it goes, but
involves some heavy investment in switches and access servers.
Cisco support a thing called "lock and key" which supports users "unlocking"
access lists for their IP address by telnetting to the access device and
authenticating. This is pretty brittle, though - it works on a time base
from there, so when the legit user walks away someone can quickly log in and
get elevated privilege.
Could we use IPSec - even with NULL encryption - to act as a de facto
circuit-level gateway? The IPSec SA would provide auth and integrity on a
per-user basis. If no encryption is required, which is likely in most LANs,
you wouldn't need a very beefy gateway to do the crypto for a fast ethernet
segment - especially with crypto offload NICs so cheap.
Of course this would mean that every user would need an IPSec client on
their desktop, but with Windoze carrying the flag and *nix only a quick
compile away this shouldn't be _too_ hard.
I know I'm kind of re-inventing the wheel - this is supposed to be what
SOCKS is for, right? But SOCKS doesn't look like it will ever be standard
issue on every desktop, and IPSec can easily be modified to use encryption
if your security model requires it.
Have I gone crazy again?
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
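A concrete version of the per-user egress policy discussed in the quoted exchange (telnet allowed for everyone, outbound port 80 refused for named users), added here as an example and not code from any poster. It assumes iptables with the owner match, root privileges when applying, and a hypothetical chain name USER_EGRESS; it also carries the caveat raised above that the owner match only classifies packets generated on the filtering host itself.

```shell
#!/bin/sh
# Added example, not from the thread: the policy Abdul asked for, written
# with the netfilter owner match from the reply. Caveat from the thread:
# -m owner only sees packets generated on this host, so it does nothing
# for traffic forwarded from other machines on the LAN.
# Assumes iptables with the owner match and root privileges when applying.

USER_CHAIN="USER_EGRESS"   # hypothetical chain name

# run: apply a rule, or just print it when DRY_RUN=1 so the policy can be
# reviewed (or checked in a test) without touching the kernel.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

# Refuse outbound TCP to PORT for processes owned by USER. A TCP reset
# gives the user's client an immediate error rather than a timeout.
deny_port_for_user() {
    run -A "$USER_CHAIN" -p tcp --dport "$2" -m owner --uid-owner "$1" \
        -j REJECT --reject-with tcp-reset
}

# Build the whole policy in a dedicated chain hooked from OUTPUT, so the
# per-user rules can be reloaded without disturbing other OUTPUT rules.
# Telnet (port 23) needs no rule: unmatched traffic falls through to the
# existing OUTPUT policy, which is the "allow to all" the question wants.
build_policy() {
    run -N "$USER_CHAIN" 2>/dev/null || true      # create if missing
    run -F "$USER_CHAIN"                          # drop stale rules
    run -D OUTPUT -j "$USER_CHAIN" 2>/dev/null || true
    run -I OUTPUT 1 -j "$USER_CHAIN"              # hook it exactly once
    for u in "$@"; do
        deny_port_for_user "$u" 80
    done
}

# Usage: DRY_RUN=1 sh egress.sh luser guest   (print)
#        sh egress.sh luser guest             (apply, as root)
if [ "$#" -gt 0 ]; then
    build_policy "$@"
fi
```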
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]