We don't actually use the Linux Authentication Gateway as a
firewall - another hardware "appliance" does that. That other
machine may be a Linux firewall, or it may not. The point is to
keep separate functions on separate boxes.
31/05/01 15:57:02, Colin McKinnon <[EMAIL PROTECTED]> wrote:
>At 09:28 30/05/01 +0100, Trevor Oxborrow wrote:
>>I have been setting up an "Authentication Gateway" using
>>ipchains and ncsa-auth in collusion with a local company. It is
>>not complete yet, but the project is well under way. It runs
>>standalone on a dual-homed Linux box. The user logs in to the
>>box, and in doing so, his profile script amends the ipchains
>>table to allow him/her access to anything on the "other" side.
>>On logout, the reverse happens.
>>
>>Regards, Trevor.
>
>Sounds interesting. Unfortunately it's not really what I'm
>looking for - if I've followed your description then it's no
>better than what I'm doing just now.
>There are a couple of things I'd be concerned about:
>1) authenticating users separately from the proxy makes it more
>difficult to implement per-user configurations for URL re-writing
>/ access control.
>2) modifying your firewall on the fly is going to make it
>impossible to prove it is correct at any point in time
>3) and debugging and proving firewalls is difficult at the best
>of times.
>4) I believe ncsa-auth uses its own password file - so I couldn't
>use an existing account.
>5) The firewall user interface is the part of Linux which seems
>to keep changing the most, and is largely incompatible with
>previous versions (ipfw / ipfwadmin / ipchains / iptables / ...).
>As a security device this box should be kept up to date - but
>that could mean re-writing large parts of the application
>software.
>6) if it's done on a network router / server, it's still not
>transparent (as per kerberos / NTLM / ident) in that they still
>have to perform an additional logon to get access.
>7) if it's done on a separate box it introduces another point of
>failure.
>8) if, instead, it's run on the user's workstation, then like bad
>old NFS you're granted access to a valued resource on the basis
>of the assertion that the user and the device are behaving as you
>intended them to (vs booted from floppy disk, changed root
>password ....) unless you're doing something clever with VPN
>between the client and the authenticating router.
>
>:(
>
>Colin
>
Trevor Oxborrow
(Information Officer, Lomond and Argyll Primary Care NHS Trust)
(This email may have been received by you in error. If this is
the case, please delete it immediately and accept my apologies.
No use or reliance on the contents should be made by any party
not an intended recipient.)
--------------------------------------------------------------------
http://www.lug.org.uk http://www.linuxportal.co.uk
http://www.linuxjob.co.uk http://www.linuxshop.co.uk
--------------------------------------------------------------------
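Editor's added example, not Trevor's gateway script and not part of the thread: the login/logout hook Trevor describes, written so that it answers Colin's points 2 and 3. Rather than adding and deleting individual ipchains rules from a profile script (after which nobody can say what the live table should look like), the hooks only edit a session table, and the entire user chain is regenerated from that table every time. The rendered ruleset is then a pure function of the table, so it can be printed, diffed against what is loaded, and audited. The chain name "authgw", the session file path, the user names and addresses are all constructed for illustration; the one-time setup (`ipchains -N authgw` and a jump to it from the forward chain) is assumed to have been done at boot.

```shell
#!/bin/sh
# Added example: regenerate an ipchains chain from a session table
# instead of amending it rule by rule from login/logout scripts.
# Constructed names: chain "authgw", session file, user/IP values.

AUTHGW_CHAIN="${AUTHGW_CHAIN:-authgw}"
AUTHGW_SESSIONS="${AUTHGW_SESSIONS:-/tmp/authgw.sessions}"   # assumed path
AUTHGW_DRY_RUN="${AUTHGW_DRY_RUN:-1}"   # 1 = print commands; 0 = run them as root

# Record a login as one "user ip" line. The address is validated because it
# will be interpolated into a command line; reject anything but dotted digits.
authgw_login() {
    user="$1"; ip="$2"
    case "$ip" in
        *[!0-9.]*|"") echo "authgw: refusing address '$ip' for $user" >&2; return 1 ;;
    esac
    authgw_logout "$user"          # a re-login replaces any stale entry
    printf '%s %s\n' "$user" "$ip" >> "$AUTHGW_SESSIONS"
}

# Remove every session line belonging to the user.
authgw_logout() {
    user="$1"
    [ -f "$AUTHGW_SESSIONS" ] || return 0
    tmp="$AUTHGW_SESSIONS.tmp"
    awk -v u="$user" '$1 != u' "$AUTHGW_SESSIONS" > "$tmp" && mv "$tmp" "$AUTHGW_SESSIONS"
}

# Render the complete chain: flush, one ACCEPT per live session (sorted, so
# two renders of the same table are byte-identical), then a logged DENY.
authgw_render() {
    printf 'ipchains -F %s\n' "$AUTHGW_CHAIN"
    if [ -f "$AUTHGW_SESSIONS" ]; then
        sort "$AUTHGW_SESSIONS" | while read -r user ip; do
            printf 'ipchains -A %s -s %s -j ACCEPT\n' "$AUTHGW_CHAIN" "$ip"
        done
    fi
    printf 'ipchains -A %s -j DENY -l\n' "$AUTHGW_CHAIN"
}

# Load the rendered chain, or just show it in dry-run mode.
authgw_apply() {
    if [ "$AUTHGW_DRY_RUN" = 1 ]; then
        authgw_render
    else
        authgw_render | sh
    fi
}
```

From a profile script (assuming an ssh login) the hook is `authgw_login "$USER" "${SSH_CLIENT%% *}" && authgw_apply`, and from the logout script `authgw_logout "$USER" && authgw_apply`. Because the chain is always rebuilt from the table, a monitoring job can run `authgw_render` and compare it with the loaded rules to detect drift, which is the check Colin says an incrementally edited table cannot offer.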