On Tue, 3 Oct 2000, Ben Nagy wrote:

> (As for development - How about an egress IPSec gateway that applies a VLAN
> 'colour' to user packets for matching by devices further out? How about a
> multi-NIC box that selects an exit NIC based on user class? What if we use
> per-user NAT (for a cheap, nasty solution) to make it easy for traditional
> firewalls to filter by IP address?)

sure, it can be a cheap, nasty solution, but it's very feasible. it would not take
too much to make a multi-NIC box first do authentication based on
Kerberos, then, depending on whether your password is valid, your IP address is
NAT'd to the src of an external nic. and if your session times out,
your translation is removed from the table.

i think i remember reading of a university that employed a BSD solution
doing NAT, and authenticating ethernet ports with telnet. for example, you
plug into an arbitrary port in the university, and get your address based
on dhcp. you are now completely blocked from communicating with
anyone. upon telnet'ing to a specific auth host, and putting in your
password, your port is now free to connect all over.

the bsd box modified its ipf.rules and ipnat.rules tables on the fly, and
loaded them into memory. they also constantly sent little heartbeats to
your host, and when you were no longer reachable, your ip address was
removed and the holes were closed back up.

.truman.
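The authenticate-then-NAT gateway described above, modelled as an added example (not code from this thread or from the BSD box it mentions): a binding exists only after a successful login, the filter is default-deny otherwise, and the binding is torn down when heartbeats stop. Interface names, addresses, the credential table and the ipf/ipnat-style rule wording are constructed placeholders.

```python
from dataclasses import dataclass

INT_IF, EXT_IF = "fxp0", "fxp1"     # assumed interface names
SESSION_TIMEOUT = 300               # seconds allowed without a heartbeat

# Constructed credential store; the real gateway would ask Kerberos.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
EXT_POOL = {"alice": "198.51.100.11", "bob": "198.51.100.12"}  # per-user src

@dataclass
class Session:
    user: str
    ext_ip: str
    last_seen: float

class Gateway:
    def __init__(self):
        self.sessions = {}  # internal IP -> Session (the NAT translation table)

    def login(self, int_ip, user, password, now):
        """Authenticate; only on success does int_ip get a translation."""
        if USERS.get(user) != password:
            return False
        self.sessions[int_ip] = Session(user, EXT_POOL[user], now)
        return True

    def heartbeat(self, int_ip, now):
        """Host answered a probe: refresh its last-seen time."""
        if int_ip in self.sessions:
            self.sessions[int_ip].last_seen = now

    def expire(self, now):
        """Drop translations whose host went silent; return the removed IPs."""
        stale = [ip for ip, s in self.sessions.items()
                 if now - s.last_seen > SESSION_TIMEOUT]
        for ip in stale:
            del self.sessions[ip]
        return stale

    def rules(self):
        """Render ipf/ipnat-style text: per-session holes, then default deny."""
        passes, ipnat = [], []
        for ip, s in sorted(self.sessions.items()):
            passes.append(f"pass in quick on {INT_IF} from {ip}/32 to any keep state")
            ipnat.append(f"map {EXT_IF} {ip}/32 -> {s.ext_ip}/32")
        ipf = passes + [f"block in quick on {INT_IF} all"]
        return "\n".join(ipf), "\n".join(ipnat)
```

Reloading the rendered text after every login and every expiry is what the "on the fly" behaviour in the thread amounts to; the expiry step is what stops the next DHCP client on the same port from inheriting a previous user's hole.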

