"network wrapping" approach to user authentication, with single signon?
Hi everyone,
Unfortunately I don't know a thing about security; I'm asking
primarily for directions and keywords.
The problem: machines that have fixed general usernames and passwords,
and a *lot* of horribly-written code that depends on them. Yes, that
ugly.
The machines are accessed only from the intranet, thus the idea could
be: how can I enable access to a single port at TCP level, on a single
machine, using an external (LDAP?) authentication mechanism, and
enforce them - naturally - on the machine?
What do you suggest? What am I looking for? :)
Thank you
Re: "network wrapping" approach to user authentication, with single signon?
On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com> wrote:
> Hi everyone,
>
> Unfortunately I don't know a thing about security; I'm asking
> primarily for directions and keywords.
>
> The problem: machines that have fixed general usernames and passwords,
> and a *lot* of horribly-written code that depends on them. Yes, that
> ugly.
>
> The machines are accessed only from the intranet, thus the idea could
> be: how can I enable access to a single port at TCP level, on a single
> machine, using an external (LDAP?) authentication mechanism, and
> enforce them - naturally - on the machine?
>
What are you trying to do??? What services need to be accessible?
Are all needed services already available and you would like now to
secure them?? Need some more information...
> What do you suggest? What am I looking for? :)
>
In a very general sense, you should firewall all ports and services
that aren't needed (block everything) and then open the ports that are
required one-by-one. Search the web for instructions for the firewall
service you choose.
Re: "network wrapping" approach to user authentication, with single signon?
On Oct 6, 7:37 pm, saucily <MisterESa...@gmail.com> wrote:
> On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com>
> What are you trying to do??? What services need to be accessible?
> Are all needed services already available and you would like now to
> secure them?? Need some more information...
Yep, positive. Lots of different kinds of services (DB access, FTP,
SSH, telnet, custom stuff), now basically with a one-account-per-service
policy and - we think - rather weak passwords; I have to tighten
things, move to personal usernames/passwords, etc.
The problem is, disabling the current setup would require a lot of
customization and effort - it may not even be possible. Thus, I was
thinking about putting personal usernames + strong passwords at network
level, on every port, blocking everything except for people already
authorized (I suspect on a per-IP basis, since it would have to work
at TCP/IP level, without "sophisticated" commodities like cookies
etc.)
> > What do you suggest? What am I looking for? :)
> In a very general sense, you should firewall all ports and services
> that aren't needed (block everything) and then open the ports that are
> required one-by-one. Search the web for instructions for the firewall
> service you choose.
Good suggestion, plus a mechanism that enables permit rules on login.
Thanks for your suggestions
fmb
Re: "network wrapping" approach to user authentication, with single signon?
On Oct 8, 4:53 pm, fmb <forum.m...@gmail.com> wrote:
> On Oct 6, 7:37 pm, saucily <MisterESa...@gmail.com> wrote:
>
> > On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com>
> > What are you trying to do??? What services need to be accessible?
> > Are all needed services already available and you would like now to
> > secure them?? Need some more information...
>
> Yep, positive. Lots of different kinds of services (DB access, FTP,
> SSH, telnet, custom stuff), now basically with a one-account-per-service
> policy and - we think - rather weak passwords; I have to tighten
> things, move to personal usernames/passwords, etc.
>
> The problem is, disabling the current setup would require a lot of
> customization and effort - it may not even be possible. Thus, I was
> thinking about putting personal usernames + strong passwords at network
> level, on every port, blocking everything except for people already
> authorized (I suspect on a per-IP basis, since it would have to work
> at TCP/IP level, without "sophisticated" commodities like cookies
> etc.)
>
Well, if the ports are open and accepting their own authentication then
there's nothing you can do aside from firewalling. You could look
into wrapping the entire user session in IPsec and only allowing
network-level access to clients that are authenticated in that way.
Or possibly block all access except from localhost and use SSH tunnels
or something similar? Just some ideas, but I would really look into
fixing the "real problem" (i.e. weak usernames and passwords).
Cheers
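The measures discussed in this thread (a default-deny firewall with only the required ports opened, legacy services reachable only via localhost and an SSH tunnel, and fmb's "permit rules on login" that admit a client's IP once the person has authenticated) can be sketched as one nftables ruleset. The script below is an added example, not code posted by anyone in the thread; the table name "wrap", the set name "authed", the 8h entry timeout, the port numbers and the login-hook commands are assumptions, and the functions only generate the rule text so it can be reviewed before being loaded with `nft -f`.

```shell
#!/bin/sh
# Added example (not from the thread). Generates an nftables ruleset that
# implements the suggestions above:
#   - default deny on input; loopback and established traffic accepted
#   - SSH accepted only from the intranet range
#   - legacy services (fixed-account FTP/telnet/DB ports) reachable from
#     loopback, i.e. through an SSH tunnel, or from a client address that
#     was added to the "authed" set after the user logged in over SSH
# Table name "wrap", set name "authed", the 8h idle timeout and the port
# numbers in the usage lines are assumptions for this example.

# gen_ruleset <intranet-cidr> <ssh-port> "<legacy tcp ports>"
# Prints the ruleset; review it, then load with: nft -f rules.nft
gen_ruleset() {
    intranet="$1"
    sshport="$2"
    ports=$(printf '%s' "$3" | tr ' ' ',')
    cat <<EOF
table inet wrap {
    set authed {
        type ipv4_addr
        flags timeout
        timeout 8h
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $intranet tcp dport $sshport accept
        ip saddr @authed tcp dport { $ports } accept
    }
}
EOF
}

# login_permit <client-ip>: the command a login hook (PAM session script or
# sshd ForceCommand wrapper) runs to admit the authenticated client's address.
login_permit() {
    printf 'nft add element inet wrap authed { %s }\n' "$1"
}

# login_revoke <client-ip>: counterpart for logout (the set timeout also
# expires idle entries on its own).
login_revoke() {
    printf 'nft delete element inet wrap authed { %s }\n' "$1"
}

# tunnel_cmd <user> <host> <local-port> <remote-port>: client-side command
# to reach a loopback-only service through an SSH local port forward.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$3" "$4" "$1" "$2"
}

# Usage with constructed values: intranet 10.0.0.0/8, SSH on 22,
# legacy ports 21 (ftp), 23 (telnet) and 3306 (db).
gen_ruleset 10.0.0.0/8 22 "21 23 3306"
login_permit 10.1.2.3
tunnel_cmd alice db01 13306 3306
```

With this layout the legacy daemons keep their fixed accounts, but nobody reaches them without first authenticating to SSH (with a personal account, keys, or LDAP via PAM), and the per-IP allowance expires on its own. OpenBSD's authpf is an existing, supported implementation of the same permit-on-login idea for pf. The weakness the reply above points at remains: the shared passwords are still the credentials for anyone who does get an address admitted, so this is a containment measure, not a replacement for fixing them.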