Re: ipfw plus authentication (authpf is cool but....)
- From: Mark Jayson Alvarez <jay2xra@xxxxxxxxx>
- Date: Tue, 4 Apr 2006 18:22:42 -0700 (PDT)
Hi Nikos
Nikos Vassiliadis <nvass@xxxxxxxxxxxxxx> wrote: On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
Hi
I am looking for ways to manage our LAN by having each user register their
ipaddress, mac address, workstation os, etc. in our ldap directory. Now in
our pcrouter, the users will first send his login credentials to the
pcrouter, and then the pcrouter will check against ldap if this login is
correct, and if it is, then it will now do an ldapsearch/compare operation
to see if the source address (ip/mac) of the user trying to gain network
access is indeed belongs to that user. Only then, the ipfw ruleset will be
changed to allow traffic originating from this source address...
<snip>
Does it have to be LDAP and ipfw?
there is authpf which..
Ofcourse this does not cover the IP|MAC address checking you mentioned,
but I don't see how this enhances security. It will be easy for a user to
change his IP|MAC address.
</snip>
Our main problem is that in our company, each user has his own workstation(no one else uses it).. However, due to poor implementation of ip allocation strategy, any user can change his ip to whatever ip address he wants, thus it would be hard for us to really monitor who is doing this and who is doing that (because it would be useless to see the ip address of the one who's eating up or bandwidth or doing p2p when we cannot determine who is this user this ip belongs to. This leads us to our decision to have every user assigned a static ip address and have him register his mac address, all stored in ldap directory, and have him authenticate to the pc router first before being allowed to access any server. Authpf is somewhat close to this idea but perhaps it was designed for environment wherein users have no permanent workstation, or user can come from any location, even outside the company(at home)....
I have created a draft of my proposed solution:
First, user will authenticate to a web based login form which is tied up against the ip[f|fw|tables] ruleset.
When the user submits the form, the cgi will then verify if the user is really who he claims to be by doing an ldapbind using the credentials provided. Also, the script will check if the request is coming from an ip address that is assigned to that user, by comparing it to his ldap attributes (somewhat prevents users from using other user's ip address).
If everything goes well, the script will happily change the router's firewall ruleset to allow the user to pass thru. (note that in our setup, we have allocated a single class C ip block for all the staffs(120) (no need to have separate blocks since all policies applies to all). Also, we have placed all the servers (mail, proxy, file, printer, im etc) in a different block to make sure that authentication will happen first before a user is allowed to access any of those servers.
Next, we will also provide a logout form(the same as logging out from ssh session in authpf) so that the ruleset can be reverted back when the user does not want to access any network server anymore. The problem with this is that users may be too lazy to logout to the network authentication.. In authpf, even the user did not logout from his ssh session, when he turns off his computer, the ssh session will automatically be terminated. I'm thinking perhaps I can have a nagios server constantly monitoring each user's network connectivity and then changing the firewall ruleset once the user's machine is unreacheable...
Another problem I am thinking is that, when a user has already authenticated to the router and have his ip address verified and has been allowed in the firewall, another smart user might immediately change his ip/mac address to that of the authenticated user, and thus making it hard to track his network activity again.. I'm still going to investigate if arpwatch can fill this need....
What do you think???
HTH, Nikos
Anyone have gone with this solution before??_______________________________________________
Thanks
---------------------------------
Blab-away for as little as 1¢/min. Make PC-to-Phone Calls using Yahoo!
Messenger with Voice. _______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@xxxxxxxxxxx"
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: ipfw plus authentication (authpf is cool but....)
- From: Nikos Vassiliadis
- Re: ipfw plus authentication (authpf is cool but....)
- References:
- Re: ipfw plus authentication???
- From: Nikos Vassiliadis
- Re: ipfw plus authentication???
- Prev by Date: Re: software recommendation
- Next by Date: Re: How to examine FreeBSD source changes with CVS? - SOLVED
- Previous by thread: Re: ipfw plus authentication???
- Next by thread: Re: ipfw plus authentication (authpf is cool but....)
- Index(es):
Relevant Pages
|
