forum.mbox@gmail.com Guest
Posted: Sat Oct 04, 2008 6:46 am Post subject: "network wrapping" approach to user authentication, with sin |
hi everyone,
unfortunately I don't know a thing about security; I'm asking
primarily for directions and keywords.
The problem: machines that have fixed general usernames and passwords,
and a *lot* of horribly-written code that depends on them. Yes, that
ugly.
The machines are accessed only by the intranet, thus the idea could
be: how can I enable access to a single port at TCP level, on a single
machine, using an external (LDAP?) authentication mechanism, and
enforce them - naturally - on the machine?
What do you suggest? What am I looking for? :)
thank you
saucily Guest
Posted: Mon Oct 06, 2008 5:37 pm Post subject: Re: "network wrapping" approach to user authentication, with |
On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com>
wrote:
> hi everyone,
> unfortunately I don't know a thing about security; I'm asking
> primarily for directions and keywords.
> The problem: machines that have fixed general usernames and passwords,
> and a *lot* of horribly-written code that depends on them. Yes, that
> ugly.
> The machines are accessed only by the intranet, thus the idea could
> be: how can I enable access to a single port at TCP level, on a single
> machine, using an external (LDAP?) authentication mechanism, and
> enforce them - naturally - on the machine?

What are you trying to do??? What services need to be accessible?
Are all needed services already available and you would like now to
secure them?? Need some more information...

> What do you suggest? What am I looking for? :)

In a very general sense, you should firewall all ports and services
that aren't needed (block everything) and then open the ports that are
required one by one. Search the web for instructions for the firewall
service you choose.
fmb Guest
Posted: Wed Oct 08, 2008 2:53 pm Post subject: Re: "network wrapping" approach to user authentication, with |
On Oct 6, 7:37 pm, saucily <MisterESa...@gmail.com> wrote:
> On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com
> What are you trying to do??? What services need to be accessible?
> Are all needed services already available and you would like now to
> secure them?? Need some more information...

yep, positive. Lots of different kinds of services (db access, ftp,
ssh, telnet, custom stuff), now basically with a one-account-per-service
policy and - we think - rather weak passwords; I have to tighten
things, move to personal usernames/passwords, etc.
The problem is, disabling the current setup would require a lot of
customization and effort - it may not even be possible. Thus, I was
thinking about putting personal username + strong password at network
level, on every port, blocking everything except for people already
authorized (I suspect on a per-IP basis, since it would have to work
at TCP/IP level, without "sophisticated" commodities like cookies
etc.).

> What do you suggest? What am I looking for?
> In a very general sense, you should firewall all ports and services
> that aren't needed (block everything) and then open the ports that are
> required one by one. Search the web for instructions for the firewall
> service you choose.

Good suggestion, plus a mechanism that enables permit rules on login.
Thanks for your suggestions
fmb
saucily Guest
Posted: Thu Oct 09, 2008 12:24 am Post subject: Re: "network wrapping" approach to user authentication, with |
On Oct 8, 4:53 pm, fmb <forum.m...@gmail.com> wrote:
> On Oct 6, 7:37 pm, saucily <MisterESa...@gmail.com> wrote:
> On Oct 4, 1:46 am, "forum.m...@gmail.com" <forum.m...@gmail.com
> What are you trying to do??? What services need to be accessible?
> Are all needed services already available and you would like now to
> secure them?? Need some more information...
> yep, positive. Lots of different kinds of services (db access, ftp,
> ssh, telnet, custom stuff), now basically with a one-account-per-service
> policy and - we think - rather weak passwords; I have to tighten
> things, move to personal usernames/passwords, etc.
> The problem is, disabling the current setup would require a lot of
> customization and effort - it may not even be possible. Thus, I was
> thinking about putting personal username + strong password at network
> level, on every port, blocking everything except for people already
> authorized (I suspect on a per-IP basis, since it would have to work
> at TCP/IP level, without "sophisticated" commodities like cookies
> etc.).

Well, if the ports are open and accepting their own authentication then
there's nothing you can do aside from firewalling. You could look
into wrapping the entire user session in IPsec and only allowing
network-level access to clients that are authenticated in that way.
Or possibly block all access except from localhost and use SSH tunnels
or something similar? Just some ideas, but I would really look into
fixing the "real problem" (i.e. weak usernames and passwords).
Cheers
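The "permit rules on login" mechanism fmb asked for, combined with saucily's block-everything-then-open advice, as an added example that is not code from the thread: a POSIX sh hook meant to be run by the SSH login (grant) and logout (revoke) on the machine, which validates the client's source address and adds or removes per-user ACCEPT rules for the legacy service ports in an iptables chain. The chain name LOGIN_ALLOW, the port list, and running it from a session hook are assumptions; sshd does set SSH_CONNECTION.

```shell
#!/bin/sh
# Added example, not from the thread: grant the authenticated SSH client's
# source IP access to the legacy service ports on login, revoke on logout.
# Assumptions: Linux with iptables; INPUT jumps to a custom chain LOGIN_ALLOW
# before its final DROP; sshd sets SSH_CONNECTION; the port list is illustrative.
ALLOWED_PORTS="21 23 3306"   # ftp, telnet, db (assumed legacy services)
CHAIN="LOGIN_ALLOW"
# First field of SSH_CONNECTION is the client address as seen by sshd.
client_ip() {
    set -- $SSH_CONNECTION
    printf '%s\n' "$1"
}
# Accept only a plain dotted-quad IPv4 address; anything else is refused so
# an unexpected value can never be spliced into a firewall command.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Run iptables, or only print the command when DRY_RUN=1 (for review/testing).
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
# Add (-A) or delete (-D) one ACCEPT rule per legacy port for this user and IP.
# The comment ties every rule to a login so leftovers can be audited.
rules_for() { # $1 = -A or -D, $2 = username, $3 = source IP
    for port in $ALLOWED_PORTS; do
        fw "$1" "$CHAIN" -s "$3" -p tcp --dport "$port" \
            -m comment --comment "user:$2" -j ACCEPT
    done
}

# Entry point: run with "grant" when the session opens, "revoke" when it closes.
apply_session() {
    ip=$(client_ip)
    valid_ipv4 "$ip" || { echo "refusing: bad source address '$ip'" >&2; return 1; }
    case "$1" in
        grant)  rules_for -A "$USER" "$ip" ;;
        revoke) rules_for -D "$USER" "$ip" ;;
        *)      echo "usage: $0 grant|revoke" >&2; return 2 ;;
    esac
}
case "${1:-}" in grant|revoke) apply_session "$1" ;; esac
```

Per-source-IP permits are only as strong as the address they key on: behind NAT or on a shared host every user at that address gets the same access once one of them logs in, which is why the IPsec option in the reply above is the stronger choice.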