"network wrapping" approach to user authentication, with single signon? - Security


Thread: "network wrapping" approach to user authentication, with single signon?

  1. "network wrapping" approach to user authentication, with single signon?

    hi everyone,

    unfortunately i don't know a thing about security, I'm asking
    primarily for directions and keywords,

    the problem: machines that have fixed general username and passwords.
    and a *lot* of horribly-written code that depends on them. yes, that
    ugly.


    the machines are accessed only by the intranet, thus the idea could
    be: how can i enable access to a single port at tcp level, on a single
    machine using an external (ldap?) authentication mechanism, and
    enforce them - naturally - on the machine?

    what do you suggest? what am I looking for?

    thank you



  2. Re: "network wrapping" approach to user authentication, with single signon?

    On Oct 4, 1:46 am, "forum.m...@gmail.com" wrote:
    > hi everyone,
    >
    > unfortunately i don't know a thing about security, I'm asking
    > primarily for directions and keywords,
    >
    > the problem: machines that have fixed general username and passwords.
    > and a *lot* of horribly-written code that depends on them. yes, that
    > ugly.
    >
    > the machines are accessed only by the intranet, thus the idea could
    > be: how can i enable access to a single port at tcp level, on a single
    > machine using an external (ldap?) authentication mechanism, and
    > enforce them - naturally - on the machine?
    >


    What are you trying to do??? What services need to be accessible?
    Are all needed services already available and you would like now to
    secure them?? Need some more information...

    > what do you suggest? what am I looking for?
    >


    In a very general sense, you should firewall all ports and services
    that aren't needed (block everything) and then open the ports that are
    required one-by-one. Search the web for instructions for the firewall
    service you choose.

  3. Re: "network wrapping" approach to user authentication, with single signon?

    On Oct 6, 7:37 pm, saucily wrote:
    > On Oct 4, 1:46 am, "forum.m...@gmail.com"


    > What are you trying to do??? What services need to be accessible?
    > Are all needed services already available and you would like now to
    > secure them?? Need some more information...


    yep, positive. lots of different kinds of services (db access, ftp,
    ssh, telnet, custom stuff) now basically with one-account-per-service
    policy and - we think - rather weak passwords; I have to tighten
    things, move to personal username/passwords, etc.

    the problem is, disabling the current setup would require a lot of
    customization and effort - it may not even be possible. thus, i was
    thinking about putting personal username+strong passwords at network
    level, on every port, blocking everything except for people already
    authorized (i suspect on a per-ip basis, since it would have to work
    at tcp/ip level, without "sophisticated" commodities like cookies
    etc)

    > > what do you suggest? what am I looking for?

    > In a very general sense, you should firewall all ports and services
    > that aren't needed (block everything) and then open the ports that are
    > required one-by-one. Search the web for instructions for the firewall
    > service you choose.


    good suggestion, plus a mechanism that enables permit rules on login.

    thanks for your suggestions
    fmb
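To make the "permit rules on login" idea concrete, here is an added example (not code from anyone in this thread): a small authenticate-then-permit table that verifies a user against a constructed, salted PBKDF2 credential store (standing in for the LDAP lookup fmb mentions), records the client's source IP with an expiry, and renders the current allow-list as a default-deny nftables rule set. The port list, table name and TTL are assumptions for illustration; note that a per-IP permit trusts the source address, so it is only as strong as the intranet it runs on.

```python
import hashlib
import hmac
import os

# Constructed illustration of an "authenticate, then permit the source IP"
# gateway in front of legacy services. Assumed values, not from the thread.
PERMIT_TTL = 8 * 3600                  # seconds a successful login stays valid
PROTECTED_PORTS = (21, 22, 23, 5432)   # ftp, ssh, telnet, db (assumed ports)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed user store; a real deployment would query LDAP here instead.
USERS = {"alice": make_user("correct horse battery staple")}


class PermitTable:
    def __init__(self):
        self._permits = {}  # source ip -> (user, expiry timestamp)

    def login(self, ip: str, user: str, password: str, now: float) -> bool:
        """Verify credentials; on success permit `ip` until now + PERMIT_TTL."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return False
        self._permits[ip] = (user, now + PERMIT_TTL)
        return True

    def permitted(self, ip: str, now: float) -> bool:
        entry = self._permits.get(ip)
        if entry is None:
            return False
        if entry[1] <= now:        # expired: drop it so the rule set shrinks
            del self._permits[ip]
            return False
        return True

    def nft_rules(self, now: float) -> str:
        """Default-deny input chain with one accept per currently permitted IP."""
        lines = ["table inet legacy {", "  chain input {",
                 "    type filter hook input priority 0; policy drop;",
                 "    ct state established,related accept",
                 "    iif lo accept"]
        ports = ", ".join(str(p) for p in PROTECTED_PORTS)
        for ip in sorted(ip for ip in list(self._permits) if self.permitted(ip, now)):
            lines.append(f"    ip saddr {ip} tcp dport {{ {ports} }} accept")
        lines += ["  }", "}"]
        return "\n".join(lines)
```

The rendered rule set is what a login hook would write to a file and load with `nft -f`; re-rendering after each login or expiry keeps the firewall in step with who is currently authenticated.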

  4. Re: "network wrapping" approach to user authentication, with single signon?

    On Oct 8, 4:53 pm, fmb wrote:
    > On Oct 6, 7:37 pm, saucily wrote:
    >
    > > On Oct 4, 1:46 am, "forum.m...@gmail.com"
    > > What are you trying to do??? What services need to be accessible?
    > > Are all needed services already available and you would like now to
    > > secure them?? Need some more information...

    >
    > yep, positive. lots of different kinds of services (db access, ftp,
    > ssh, telnet, custom stuff) now basically with one-account-per-service
    > policy and - we think - rather weak passwords; I have to tighten
    > things, move to personal username/passwords, etc.
    >
    > the problem is, disabling the current setup would require a lot of
    > customization and effort - it may not even be possible. thus, i was
    > thinking about putting personal username+strong passwords at network
    > level, on every port, blocking everything except for people already
    > authorized (i suspect on a per-ip basis, since it would have to work
    > at tcp/ip level, without "sophisticated" commodities like cookies
    > etc)
    >


    Well if the ports are open and accepting their own authentication then
    there's nothing you can do aside from firewalling. You could look
    into wrapping the entire user session in IPSec and only allowing
    network-level access to clients that are authenticated in that way.
    Or possibly block all access except from localhost and use SSH tunnels
    or something similar? Just some ideas, but I would really look into
    fixing the "real problem" (i.e. weak usernames and passwords)

    Cheers
