Re: [Nufw-users] Holly cow!! Why didn't anyone tell me nufw exists!!!
From: Mark Jayson R. Alvarez
Subject: Re: [Nufw-users] Holly cow!! Why didn't anyone tell me nufw exists!!!
Date: Thu, 6 Apr 2006 11:51:57 +0800
User-agent: KMail/1.8.2
Hi,
> Mark Jayson R. Alvarez wrote:
> > Hello!!
> >
> Greetings, Jayson,
>
> Yes, I think NuFW can help you solve your authentication problems quite
> simply.
> Most admins have this same problem: "how to make sure this user keeps
> on this IP?"
>
> We at NuFW believe this is a bad question. Keep in mind that IP/DHCP/Mac
> address were never designed to provide any kind of authentication. They
> are just technical addresses, used by computers so that "it works".
But in our company, each user uses only his own workstation and no one else's. We
are planning to have each workstation be registered in LDAP. Although
IP/Mac/DHCP weren't designed to provide any kind of authentication, in our
case, most of the monitoring tools that we are planning to deploy such as
flowtools, mrtg, arpwatch, nagios, snort etc. do their monitoring by looking
at the ip address. If only I could just do it by looking at the userid (like what nufw
does), then that would be no problem to us..
Also, we have a very poor lan infrastructure with unmanaged switches cascading
everywhere.. Everyone can change to whatever ip|[block] or mac he wants... We
have at most 120 users here. Almost 30-40 percent are technical. If somewhere
out there, a bad user spoofs our pcrouter's mac and ip address, he can easily
put the rest of the staff out of service or have their sessions hijacked..
Changing every cascading switch to managed switches and doing some mac/port
filtering or even 802.1x authentication is not an option. Those are very
expensive proposals to do.
That is why we have decided to put all the staffs in one block and the
internal servers in another block so that we can do authentication whenever a
user accesses a server(exactly how nufw does its thing). Right now each user
only needs access to: proxy server, file/printer server, email server, jabber
server.
> So, NuFW lets you require the user to provide credentials for each
> connection they try to open.
The problem with my proposed solution is that authentication happens only
once.. If a smart user tries to steal other user's ip after that user has
been authenticated to the router then there goes back our problem again. If
only I could tie up this authentication to some form of single-sign-on like
kerberos then that would be no problem.. But I know very little
programming.. I can only do some simple scripts.
Some suggested tools like arpwatch don't even help at all.. If the user
replaces both his ip and mac with those of an unknowing victim, then arpwatch
has no way of telling if something illegal has just happened.. The least it
could do is to see that the bad guy's ip/mac address has just become
unreachable in the process and hold him as a possible suspect if the victim
complains.
I know that NuFW has already solved this problem. Or has it?
> And we keep log of those. As time goes by,
> if you get to use NuFW, you will tend to not look at clients' IP
> addresses so much anymore.
As I have said, in our workplace, 1 user per 1 machine per 1 ip..
All we need is to quickly identify who is flooding the network, who is doing
p2p etc..
> Why bother, when you can get layer3 logs with
> userID included? :) (Demo at http://nulog-demo.inl.fr/ , click "user
> stats" and see IP filter logs containing userIDs, etc.).
Looks like NuFW has already solved the arp-poisoning related attacks in a poor
LAN infrastructure like in our workplace.. :-)
> I hope this helps,
> Have fun with NuFW.
> And have no hesitation if you have any problem installing/testing NuFW.
> This channel is designed for this kind of help
>
> Regards,
>
> Vincent
>
>
>
> _______________________________________________
> Nufw-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/nufw-users
--
Mark Jayson R. Alvarez email: address@hidden
Advanced Science and Technology Institute http://www.asti.dost.gov.ph
Voice: +63 2 4269766 Fax: +63 2 4269756