
Re: [Nufw-users] Holly cow!! Why didn't anyone tell me nufw exists!!!


From: Eric Leblond
Subject: Re: [Nufw-users] Holly cow!! Why didn't anyone tell me nufw exists!!!
Date: Thu, 06 Apr 2006 08:49:03 +0200
User-agent: Debian Thunderbird 1.0.7 (X11/20051017)

Mark Jayson R. Alvarez wrote:
> Hi,
> 
> 
>>Mark Jayson R. Alvarez wrote:
>>
>>>Hello!!
>>>
>>
>>Greetings, Jayson,
>>
>>Yes, I think NuFW can help you solve your authentication problems quite
>>simply.
>>Most admins have this same problem: "how to make sure this user keeps
>>on this IP?"
>>
>>We at NuFW believe this is a bad question. Keep in mind that IP/DHCP/MAC
>>addresses were never designed to provide any kind of authentication. They
>>are just technical addresses, used by computers so that "it works".
> 
> 
> But in our company, each user uses only his workstation and no one else. We 
> are planning to have each workstation registered in LDAP. Although 
> IP/MAC/DHCP weren't designed to provide any kind of authentication, in our 
> case most of the monitoring tools that we are planning to deploy, such as 
> flowtools, mrtg, arpwatch, nagios, snort etc., do their monitoring by looking 
> at IP address. If only I could do it by looking at user ID (like what NuFW 
> does), then that would be no problem for us..

Your IP=PC=User is enough for monitoring but not for security. In fact,
you just have one step to add: NuFW's SQL user-authenticated logging
gives you a link between IP and user if you need to study the reason for
a strange behaviour that is shown by monitoring.
You can even do better than that with some products. If snort detects an
attack, you will have all the IPv4 information, and thus by going to the
nulog interface you are able to strictly identify the user that has
launched the attack.


> Also, we have a very poor LAN infrastructure with unmanaged switches cascading 
> everywhere.. Everyone can change to whatever IP|[block] or MAC he wants... We 
> have at most 120 users here; almost 30-40 percent are technical. If somewhere 
> out there a bad user spoofs our pcrouter's MAC and IP address, he can easily 
> put the rest of the staff out of service or get their sessions hijacked.. 
> Changing every cascading switch to managed switches and doing some MAC/port 
> filtering or even 802.1x authentication is not an option. Those are very 
> expensive proposals.
> 
> That is why we have decided to put all the staff in one block and the 
> internal servers in another block so that we can do authentication whenever a 
> user accesses a server (exactly how NuFW does its thing).

Clearly a good choice!

> Right now each user
> only needs access to: proxy server, file/printer server, email server, jabber 
> server.
> 
> 
> 
> 
>>So, NuFW lets you require the user to provide credentials for each
>>connection they try to open.
> 
> The problem with my proposed solution is that authentication happens only 
> once.. If a smart user tries to steal another user's IP after that user has 
> been authenticated to the router, then there goes our problem again. If 
> only I could tie this authentication to some form of single sign-on like 
> Kerberos, then that would be no problem.. But I know very little 
> programming.. I can only do some simple scripts. 
> Some suggested tools like arpwatch don't even help at all.. If the user 
> replaces both his IP and MAC with those of an unknowing victim, then arpwatch 
> has no way of telling that something illegal has just happened. The least it 
> could do is to see that the bad guy's IP/MAC address has just become 
> unreachable in the process and hold him as a possible suspect if the victim 
> complains. 
> 
> I know that NuFW has already solved this problem. Or has it?

Yes, NuFW is not subject to IP-level attacks.

>>And we keep log of those. As time goes by, 
>>if you get to use NuFW, you will tend to not look at clients' IP
>>addresses so much anymore.
> 
> 
> As I have said, in our workplace, 1 user per 1 machine per 1 IP..

Forget this, as Vincent said: now you HAVE the users, forget the old dummy
association.

> All we need is to quickly identify who is flooding the network, who is doing 
> P2P, etc..
> 
> 
>>Why bother, when you can get layer3 logs with 
>>userID included? :) (Demo at http://nulog-demo.inl.fr/ , click "user
>>stats" and see IP filter logs containing userIDs, etc.).
> 
> 
> Looks like NuFW has already solved the ARP-poisoning-related attacks in a poor 
> LAN infrastructure like the one in our workplace.. :-)

:-)

Best regards,
--
Regit
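The two points made above, that an IP-keyed alert can be tied back to a user through the gateway's user-authenticated connection log, and that an IP alone is not an identity because another user may authenticate from the same address later, as an added example that is not part of the original message and not NuFW's or nulog's own code. The log line format, the sample log and the alert values are all constructed for this example; NuFW's real SQL schema is not reproduced here. The lookup is keyed on the full 5-tuple and the connection's open/close window, and it returns nothing for traffic no authenticated connection covers.

```python
"""Correlate an IP-keyed IDS alert with user-authenticated connection logs."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Union

# Constructed sample of a hypothetical "authenticated connection" log.
# The line format is invented for this example; it is NOT nulog's real
# SQL schema. One line per open/close event, carrying the user the gateway
# authenticated for that connection and the full 5-tuple. Note that "bob"
# later appears from the same IP as "jayson": the per-connection record
# names the real user, where a static IP->user table would not.
SAMPLE_LOG = """\
2006-04-05T09:00:12 open  user=jayson proto=tcp src=10.0.1.25:40112 dst=10.0.2.10:3128
2006-04-05T09:00:40 open  user=jayson proto=tcp src=10.0.1.25:40113 dst=10.0.2.11:143
2006-04-05T09:02:05 close user=jayson proto=tcp src=10.0.1.25:40112 dst=10.0.2.10:3128
2006-04-05T09:05:00 open  user=bob    proto=tcp src=10.0.1.25:51000 dst=10.0.2.12:22
2006-04-05T09:05:30 close user=bob    proto=tcp src=10.0.1.25:51000 dst=10.0.2.12:22
"""

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>open|close)\s+user=(?P<user>\S+)\s+proto=(?P<proto>\S+)"
    r"\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class AuthConn:
    user: str
    key: Key
    start: datetime
    end: Optional[datetime] = None  # None while the connection is still open


def parse_log(text: str) -> List[AuthConn]:
    """Turn open/close events into one record per authenticated connection."""
    conns: List[AuthConn] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        key: Key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["event"] == "open":
            conns.append(AuthConn(m["user"], key, ts))
            continue
        # A close belongs to the most recent still-open record with this 5-tuple;
        # source ports get reused, so the tuple alone is not a unique key.
        for c in reversed(conns):
            if c.key == key and c.end is None:
                c.end = ts
                break
        else:
            raise ValueError(f"close without matching open: {line!r}")
    return conns


def user_for_alert(conns: List[AuthConn], when: Union[str, datetime],
                   proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[str]:
    """Name the user the gateway authenticated for exactly this connection at `when`.

    Returns None when no authenticated connection covers the alert: that traffic
    was never authorised by the gateway, so these logs cannot attribute it.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    key: Key = (proto, src, sport, dst, dport)
    for c in conns:
        if c.key == key and c.start <= when and (c.end is None or when <= c.end):
            return c.user
    return None


def users_for_ip(conns: List[AuthConn], ip: str) -> List[str]:
    """Every user who authenticated from `ip`; more than one shows an IP is not an identity."""
    return sorted({c.user for c in conns if c.key[1] == ip})


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    # Alert on bob's SSH connection: a static IP->user table would blame jayson.
    print(user_for_alert(conns, "2006-04-05T09:05:10",
                         "tcp", "10.0.1.25", 51000, "10.0.2.12", 22))
    print(users_for_ip(conns, "10.0.1.25"))
```

The alert fields (timestamp, protocol, source and destination address/port) are what an IDS such as snort already records, so the same lookup applies to its output once the connection log is in hand; only the connection window and the full tuple make the attribution safe against the address reuse the thread is worried about.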
