Re: ipfw plus authentication (authpf is cool but....)
On Wednesday 05 April 2006 04:22, Mark Jayson Alvarez wrote:

> Hi Nikos
>
> Nikos Vassiliadis [EMAIL PROTECTED] wrote:
>
> > On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
> >
> > > Hi
> > >
> > > I am looking for ways to manage our LAN by having each user register their ip address, mac address, workstation os, etc. in our ldap directory. Now in our pcrouter, the user will first send his login credentials to the pcrouter, and then the pcrouter will check against ldap if this login is correct, and if it is, it will then do an ldapsearch/compare operation to see if the source address (ip/mac) of the user trying to gain network access indeed belongs to that user. Only then will the ipfw ruleset be changed to allow traffic originating from this source address...
> >
> > <snip>
> > Does it have to be LDAP and ipfw? There is authpf which..
> >
> > Of course this does not cover the IP|MAC address checking you mentioned, but I don't see how this enhances security. It will be easy for a user to change his IP|MAC address.
> > </snip>
>
> Our main problem is that in our company, each user has his own workstation (no one else uses it). However, due to poor implementation of our ip allocation strategy, any user can change his ip to whatever ip address he wants, thus it would be hard for us to really monitor who is doing this and who is doing that (it would be useless to see the ip address of the one who's eating up our bandwidth or doing p2p when we cannot determine which user this ip belongs to). This leads us to our decision to have every user assigned a static ip address and have him register his mac address, all stored in the ldap directory, and have him authenticate to the pc router first before being allowed to access any server.

All these are not problems with the solution I suggest below.

> Authpf is somewhat close to this idea but perhaps it was designed for an environment wherein users have no permanent workstation, or a user can come from any location, even outside the company (at home).
>
> I have created a draft of my proposed solution:
>
> First, the user will authenticate to a web based login form which is tied up against the ip[f|fw|tables] ruleset. When the user submits the form, the cgi will then verify if the user is really who he claims to be by doing an ldapbind using the credentials provided. Also, the script will check if the request is coming from an ip address that is assigned to that user, by comparing it to his ldap attributes (somewhat prevents users from using other users' ip addresses). If everything goes well, the script will happily change the router's firewall ruleset to allow the user to pass thru. (Note that in our setup, we have allocated a single class C ip block for all the staff (120); no need to have separate blocks since all policies apply to all.) Also, we have placed all the servers (mail, proxy, file, printer, im etc) in a different block to make sure that authentication will happen first before a user is allowed to access any of those servers.
>
> Next, we will also provide a logout form (the same as logging out from an ssh session in authpf) so that the ruleset can be reverted back when the user does not want to access any network server anymore. The problem with this is that users may be too lazy to log out of the network authentication.. In authpf, even if the user did not log out of his ssh session, when he turns off his computer the ssh session will automatically be terminated. I'm thinking perhaps I can have a nagios server constantly monitoring each user's network connectivity and then changing the firewall ruleset once the user's machine is unreachable...
>
> Another problem I am thinking of is that, when a user has already authenticated to the router and had his ip address verified and has been allowed in the firewall, another smart user might immediately change his ip/mac address to that of the authenticated user, thus making it hard to track his network activity again.. I'm still going to investigate if arpwatch can fill this need.
>
> What do you think???

I think all these can be addressed with mpd RADIUS... read below.

If it isn't too much trouble you can use PPPoE and/or PPTP with mpd RADIUS. You'll then have:

1) username/password authorization
2) dynamic or static IP address assignment from predefined ranges
3) accounting per username
4) traffic control per IP address (ipfw dummynet)*
5) other interesting RADIUS or PPP features. For example:
   a) idle-timeout (the user is not using the network and will be logged off).
   b) session-timeout (the user will have a forced log-out after, let's say, 10 hours).
   c) session control. You will know if the connection is up, no matter the traffic.

*) actually very few ipfw rules. Two rules per bandwidth category (384/128, 512/256 etc). I used ipfw tables for that. mpd can also do per-user ipfw-rules if you want that

Something
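As an added illustration of the design argued over in this thread (not code from either poster, and not a FreeBSD or mpd component): a small Python model of the login-form gateway. The directory records, user names, passwords, addresses and the ipfw table number are constructed assumptions; the ipfw commands are only generated as strings, never executed. It covers the ldapbind-plus-registered-address check, the logout form, the idle and session timeouts Nikos lists for mpd RADIUS, and the arpwatch-style revocation when the MAC seen behind an authenticated IP changes, which is the "smart user" case Mark raises.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed stand-in for the LDAP entries the thread describes: one static
# IP and one registered MAC per user. Plain-text passwords only to keep the
# example self-contained; a real directory would hold hashes.
DIRECTORY = {
    "alice": {"password": "correct horse", "ip": "192.0.2.10", "mac": "00:00:5e:00:53:01"},
    "bob":   {"password": "battery staple", "ip": "192.0.2.11", "mac": "00:00:5e:00:53:02"},
}

IPFW_TABLE = 1               # assumed table used by a rule like "allow ip from table(1) to any"
IDLE_TIMEOUT = 15 * 60       # seconds without traffic before the entry is pulled
SESSION_TIMEOUT = 10 * 3600  # forced logout after 10 hours, as in the RADIUS example


@dataclass
class Session:
    user: str
    ip: str
    mac: str
    started: float
    last_seen: float


class Gateway:
    """Tracks who is allowed through and which ipfw table changes that implies."""

    def __init__(self, directory=DIRECTORY, now=time.time):
        self.directory = directory
        self.now = now
        self.sessions = {}   # source IP -> Session
        self.commands = []   # ipfw commands the gateway would run (strings only)
        self.events = []     # (user, ip, event) audit trail for accounting

    def _bind(self, user, password):
        # Stand-in for the ldapbind step; constant-time compare avoids timing leaks.
        entry = self.directory.get(user)
        return entry is not None and hmac.compare_digest(
            entry["password"].encode(), password.encode())

    def login(self, user, password, src_ip, src_mac):
        if not self._bind(user, password):
            return "bad-credentials"
        entry = self.directory[user]
        # The ldapsearch/compare step: the request must come from the address
        # registered to this user, not merely from any address on the LAN.
        if src_ip != entry["ip"] or src_mac.lower() != entry["mac"]:
            return "address-mismatch"
        if src_ip in self.sessions:
            return "already-logged-in"
        t = self.now()
        self.sessions[src_ip] = Session(user, src_ip, entry["mac"], t, t)
        self.commands.append(f"ipfw table {IPFW_TABLE} add {src_ip}")
        self.events.append((user, src_ip, "login"))
        return "ok"

    def logout(self, src_ip, reason="logout"):
        """The logout form, and the common path for every forced logout."""
        s = self.sessions.pop(src_ip, None)
        if s is None:
            return False
        self.commands.append(f"ipfw table {IPFW_TABLE} delete {src_ip}")
        self.events.append((s.user, src_ip, reason))
        return True

    def observe(self, src_ip, src_mac):
        """Feed from an ARP monitor (arpwatch-style): a different MAC behind an
        authenticated IP revokes the session rather than being trusted."""
        s = self.sessions.get(src_ip)
        if s is None:
            return "unknown"
        if src_mac.lower() != s.mac:
            self.logout(src_ip, "mac-changed")
            return "revoked"
        s.last_seen = self.now()
        return "ok"

    def expire(self):
        """Periodic sweep standing in for the 'users forget to log out' fix."""
        t = self.now()
        for ip, s in list(self.sessions.items()):
            if t - s.started > SESSION_TIMEOUT:
                self.logout(ip, "session-timeout")
            elif t - s.last_seen > IDLE_TIMEOUT:
                self.logout(ip, "idle-timeout")
        return list(self.sessions)


def run_demo():
    """Walk through the cases the thread raises, using a fake clock."""
    clock = [0.0]
    gw = Gateway(now=lambda: clock[0])
    r1 = gw.login("alice", "correct horse", "192.0.2.10", "00:00:5e:00:53:01")
    r2 = gw.login("bob", "battery staple", "192.0.2.10", "00:00:5e:00:53:02")  # wrong IP for bob
    r3 = gw.login("bob", "wrong", "192.0.2.11", "00:00:5e:00:53:02")
    clock[0] += 5 * 60
    o1 = gw.observe("192.0.2.10", "00:00:5e:00:53:01")
    o2 = gw.observe("192.0.2.10", "00:00:5e:00:53:02")  # another MAC behind alice's IP
    r4 = gw.login("alice", "correct horse", "192.0.2.10", "00:00:5e:00:53:01")
    clock[0] += IDLE_TIMEOUT + 1
    remaining = gw.expire()
    return {"r1": r1, "r2": r2, "r3": r3, "o1": o1, "o2": o2, "r4": r4,
            "remaining": remaining, "commands": gw.commands, "events": gw.events}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The audit trail is what makes the accounting Mark wants possible: every table change is tied to a user name, not just an address, and a forced logout records why it happened.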
Re: ipfw plus authentication (authpf is cool but....)
Hi Nikos

Nikos Vassiliadis [EMAIL PROTECTED] wrote:

> On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
>
> > Hi
> >
> > I am looking for ways to manage our LAN by having each user register their ip address, mac address, workstation os, etc. in our ldap directory. Now in our pcrouter, the user will first send his login credentials to the pcrouter, and then the pcrouter will check against ldap if this login is correct, and if it is, it will then do an ldapsearch/compare operation to see if the source address (ip/mac) of the user trying to gain network access indeed belongs to that user. Only then will the ipfw ruleset be changed to allow traffic originating from this source address...
>
> <snip>
> Does it have to be LDAP and ipfw? There is authpf which..
>
> Of course this does not cover the IP|MAC address checking you mentioned, but I don't see how this enhances security. It will be easy for a user to change his IP|MAC address.
> </snip>

Our main problem is that in our company, each user has his own workstation (no one else uses it). However, due to poor implementation of our ip allocation strategy, any user can change his ip to whatever ip address he wants, thus it would be hard for us to really monitor who is doing this and who is doing that (it would be useless to see the ip address of the one who's eating up our bandwidth or doing p2p when we cannot determine which user this ip belongs to). This leads us to our decision to have every user assigned a static ip address and have him register his mac address, all stored in the ldap directory, and have him authenticate to the pc router first before being allowed to access any server.

Authpf is somewhat close to this idea but perhaps it was designed for an environment wherein users have no permanent workstation, or a user can come from any location, even outside the company (at home).

I have created a draft of my proposed solution:

First, the user will authenticate to a web based login form which is tied up against the ip[f|fw|tables] ruleset. When the user submits the form, the cgi will then verify if the user is really who he claims to be by doing an ldapbind using the credentials provided. Also, the script will check if the request is coming from an ip address that is assigned to that user, by comparing it to his ldap attributes (somewhat prevents users from using other users' ip addresses). If everything goes well, the script will happily change the router's firewall ruleset to allow the user to pass thru. (Note that in our setup, we have allocated a single class C ip block for all the staff (120); no need to have separate blocks since all policies apply to all.) Also, we have placed all the servers (mail, proxy, file, printer, im etc) in a different block to make sure that authentication will happen first before a user is allowed to access any of those servers.

Next, we will also provide a logout form (the same as logging out from an ssh session in authpf) so that the ruleset can be reverted back when the user does not want to access any network server anymore. The problem with this is that users may be too lazy to log out of the network authentication.. In authpf, even if the user did not log out of his ssh session, when he turns off his computer the ssh session will automatically be terminated. I'm thinking perhaps I can have a nagios server constantly monitoring each user's network connectivity and then changing the firewall ruleset once the user's machine is unreachable...

Another problem I am thinking of is that, when a user has already authenticated to the router and had his ip address verified and has been allowed in the firewall, another smart user might immediately change his ip/mac address to that of the authenticated user, thus making it hard to track his network activity again.. I'm still going to investigate if arpwatch can fill this need.

What do you think???

> HTH, Nikos

Anyone have gone with this solution before??

Thanks

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw plus authentication (authpf is cool but....)
Norberto Meijome [EMAIL PROTECTED] wrote:

> On Tue, 4 Apr 2006 18:22:42 -0700 (PDT) Mark Jayson Alvarez wrote:
>
> > Hi Nikos
> >
> > Nikos Vassiliadis wrote:
> >
> > > On Monday 03 April
>
> hi there, I mentioned DHCP registration - i found the link: http://www.netreg.org/ it may do what you need.

I have already looked into it, as well as the CMU version of netreg which is far more feature rich and mature: http://www.net.cmu.edu/netreg/ However, we are in the process of having a centralized LDAP directory of each piece of equipment (including ip, mac address, os, owner, property number etc.). Both implementations use a separate backend to store each machine's mac addresses. We don't want to have redundant data.

Also, during our discussion: another problem I am seeing with this kind of setup is that it doesn't prevent someone from using another user's network information. There's not that much authentication happening in the process of dhcp. The server only looks if the mac address is already registered (in my case, a simple ifconfig will allow me to change my mac address to that of a registered user). There are a couple of suggestions and workarounds to this however, and with these at hand, we're only left with that redundancy issue..

> > Our main problem is that in our company, each user has his own workstation (no one else uses it). However, due to poor implementation of our ip allocation strategy, any user can change his ip to whatever ip address he wants, thus it would be hard for us to really monitor who is doing this and who is doing that (it would be useless to see the ip address of the one who's eating up our bandwidth or doing p2p when we cannot determine which user this ip belongs to).
>
> have you considered changing the policy in this regard? do users need that much control over their own workstation?

According to the policy, the NMG is the only one responsible for software installation, removal, patching etc of each workstation.. However, the MIS has very little manpower; they cannot have full control over all of the users' workstations. That's why we have proposed another policy that the user will be held responsible for every outcome originating from his machine... be it p2p, or worm flooding.

> > This leads us to our decision to have every user assigned a static ip address and have him register his mac address, all stored in the ldap directory, and have him authenticate to the pc router first before being allowed to access any server. Authpf is somewhat close to this idea but perhaps it was designed for an environment wherein users have no permanent workstation, or a user can come from any location, even outside the company (at home). I have created a draft of my proposed solution: First, the user will authenticate to a web based login form which is tied up against the ip[f|fw|tables] ruleset.
>
> can you run iptables on BSD?
>
> > When the user submits the form, the cgi will then verify if the user is really who he claims to be by doing an ldapbind using the credentials provided. Also, the script will check if the request is coming from an ip address that is assigned to that user, by comparing it to his ldap attributes (somewhat prevents users from using other users' ip addresses). If everything goes well, the script will happily change the router's firewall ruleset to allow the user to pass thru. (Note that in our setup, we have allocated a single class C ip block for all the staff (120); no need to have separate blocks since all policies apply to all.) Also, we have placed all the servers (mail, proxy, file, printer, im etc) in a different block to make sure that authentication will happen first before a user is allowed to access any of those servers.
>
> and your pcrouter is the gateway between the users and the servers, right? and different physical segment too

Yup.. just to make sure that they will have to get authenticated first before using any network services.. If they are known, that is the time when monitoring and accounting will make sense (since it is useless to know the ip address of the one doing p2p when we can't find out the user whom this ip is registered to :-)

> > Next, we will also provide a logout form (the same as logging out from an ssh session in authpf) so that the ruleset can be reverted back when the user does not want to access any network server anymore. The problem with this is that users may be too lazy to log out of the network authentication.. In authpf, even if the user did not log out of his ssh session, when he turns off his computer the ssh session will automatically be terminated. I'm thinking perhaps I can have a nagios server constantly monitoring each user's network connectivity and then changing the firewall ruleset once the user's machine is unreachable...
>
> what if they leave their PC on overnight downloading / uploading files? what if they leave their PC on, but