S:
        Thanks for your patience with me on this. :)

> > > In a typical setup, no sensitive information is stored on the firewall
> > > machine (or gateway, as we call it), so I'm afraid I don't understand
> > > your question.
> >
> >         My impression was that the NoCatAuth process verified this
> > login-password-MAC thing, and so would need to store....something?
>
> True, but in a typical setup, none of this information is ever sent to
> or stored on the gateway. That all happens over SSL to a (theoretically)
> secure box elsewhere on the Internet. A large part of the design of
> NoCatAuth is intended to preserve trust -- you don't give your password
> to a gateway you don't necessarily trust, and the gateway doesn't trust
> *you* to tell it who you think you are.

        Ah! This was one of my "other questions". :) There's another
box (say, a RADIUS server) that the user authenticates with, then?
Upon which...a go/no-go is delivered back to the gateway? I guess
I thought the gateway/firewall box *was* this authentication server.

> >         From my perspective, I see 'theft of service' as, well, the
> > point of any authentication scheme. Perhaps my perspective isn't
> > that aligned with NoCat's?
>
> I'm afraid I don't understand your question, then. In a nutshell,
> NoCatAuth severely limits a client's access to network services (in a
> customizable fashion) until authentication occurs. What would we need a
> TCP hack like LaBrea for?

        Well...not that I've done this...I was thinking that one way
of preventing a user from getting onto the WLAN in a useful way (say,
to attack another WLAN user that's behind the firewall) would be to
make LaBrea (on the gateway) consume all of the subnet address space.
Only after a user is authenticated would it "release" a specific IP
address from the tarpit, and give out that address to the user in a
DHCP lease. Again, just thinking out loud here: if the unused IP space
were tarpitted, it'd seem to me more difficult for someone to spoof their
way onto the WLAN and cause mischief.

-Scott


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

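The trust split described in the quoted reply (credentials go only to the auth box; the gateway gets a go/no-go it can verify without ever holding a password) is sketched below as an added example. It is not NoCatAuth's own code and not from this thread: NoCatAuth's real message format and signing scheme are not described here, so the permit is a JSON body plus an HMAC-SHA256 tag under a per-gateway key, the user record, MAC address, gateway name and key are all constructed, and the separate `now` and `seen` parameters exist only so the checks can be exercised offline. The point the code makes is that the gateway checks the tag, the expiry, the bound client MAC, the gateway name and a replay nonce, and nothing else; the password check lives entirely on the auth server.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed, hypothetical per-gateway key (an assumption; NoCatAuth's own
# scheme is not described in the thread). The auth server and the gateway
# both hold it; neither it nor any user password is ever sent by the client.
GATEWAY_KEY = b"example-per-gateway-verification-key"

PERMIT_LIFETIME = 600  # seconds a go/no-go stays valid (assumed value)


def _make_user(password: str):
    """Constructed user record: salted PBKDF2 hash, kept only on the auth box."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Auth-server-side user database (constructed sample data).
USERS = {"alice": _make_user("correct horse")}


def auth_server_login(username, password, client_mac, gateway_id,
                      key=GATEWAY_KEY, now=None):
    """Runs on the auth server ("secure box elsewhere", reached over SSL).

    Verifies the password and, on success, returns a signed permit bound to
    (user, client MAC, gateway) with an expiry and a replay nonce.
    Returns None on failure. The password never leaves this function.
    """
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(got, expected):
        return None
    now = int(time.time()) if now is None else now
    permit = {
        "user": username,
        "mac": client_mac.lower(),
        "gw": gateway_id,
        "exp": now + PERMIT_LIFETIME,
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(permit, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # The hex tag contains no '.', so the gateway can split on the last '.'.
    return body.decode() + "." + tag


def gateway_verify(token, client_mac, gateway_id, key=GATEWAY_KEY,
                   now=None, seen=None):
    """Runs on the gateway. Returns the permit dict if the go/no-go is
    authentic, unexpired, issued for this gateway and this client MAC, and
    (when a `seen` set is supplied) not a replay; otherwise None.

    No credential is checked here: the gateway trusts the auth server's
    signature, not the client's claim of who it is.
    """
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered permit
    try:
        permit = json.loads(body)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(permit.get("exp"), int) or permit["exp"] <= now:
        return None  # expired
    if permit.get("gw") != gateway_id:
        return None  # permit issued for some other gateway
    if permit.get("mac") != client_mac.lower():
        return None  # permit belongs to a different client
    if seen is not None:
        if permit.get("nonce") in seen:
            return None  # replayed permit
        seen.add(permit["nonce"])
    return permit


if __name__ == "__main__":
    mac, gw = "00:11:22:33:44:55", "gw-example"  # constructed
    tok = auth_server_login("alice", "correct horse", mac, gw)
    print("gateway decision:", gateway_verify(tok, mac, gw))
    print("wrong password:", auth_server_login("alice", "nope", mac, gw))
```

A forged permit (the client edits the user name in the body) fails the tag check, a permit captured from one client is useless from another MAC or at another gateway, and the nonce set stops the same permit being presented twice. What this sketch does not address is the gap Scott raises: nothing here stops an unauthenticated host from talking to other WLAN clients on the same subnet, since the permit only governs what the gateway forwards.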