RE: [fw-wiz] IPv6 comes in the game

From: Victor Williams (vbwilliams_at_essvote.net)
Date: 05/04/04

    To: "'Paul D. Robertson'" <paul@compuwar.net>, "'Lorand Jakab'" <jlori@go.ro>
    Date: Tue, 4 May 2004 09:51:01 -0500
    
    

    Microsoft Windows 2000/2003 server does 802.1x auth fine. We use it to handle
    wireless access as well as port access on certain switches in the network.

     
    Victor Williams

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul D.
    Robertson
    Sent: Tuesday, May 04, 2004 9:23 AM
    To: Lorand Jakab
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] IPv6 comes in the game

    On Tue, 4 May 2004, Lorand Jakab wrote:

    > Now the box has an IPv6 address as well, and a prefix for the internal
    > network, and I would like to forward IPv6 traffic too. But the above
    > approach is not feasible anymore (not a good idea to have a 2^64 entry
    > static neighbor cache). Is it possible to prevent using unassigned IP
    > addresses to be used for Internet access without entering each
    > assigned address in the firewall, while still having static MAC
    > entries for registered addresses?

    Surely you're not going to have 2^64 active neighbors? I don't see how a v6
    address changes things really?

    In any case, you might want to look at your layer 2 networking gear and see
    if authenticating the device via 802.1x is reasonable (it's built into the
    green switches, not sure about the others.) You may be able to do some
    "hand out an address by authentication group" sort of thing. I'm not sure
    what RADIUS servers support 802.1x though, and it's probably not a
    well-trodden path.

    > What would you recommend for this scenario, so it would only be
    > possible to spoof an address, if a user changed the MAC address of his
    > NIC to another legitimate user's MAC, the IP to the other user's IP
    > (if no autoconfiguration will be used, I haven't decided that yet) and
    > the legitimate station would not be turned on?

    If you force the user to authenticate prior to forwarding packets, as 802.1x
    does on switches, then you're able to log the authentication at the RADIUS
    server, and equate network activity to a port. If the port's locked to an
    IP address, then you have the ability to track and basically eliminate abuse
    by authenticator.

    I'd probably look at RADIUS servers to see if there's any group addressing
    support, so that you could enable a user's addressing request by userid to
    be v4 or v6.

    I really wish I had the time to fool around with 802.1x, it really looks
    like the best place to do authentication, especially if you can translate
    the results into VLANs or address blocks.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson         "My statements in this message are personal opinions
    paul@compuwar.net          which may have no basis whatsoever in fact."
    probertson@trusecure.com   Director of Risk Assessment, TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
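Paul's point above is that once 802.1x forces authentication before forwarding, the RADIUS server's accounting log ties a user to a switch port and to the addressing handed out, so later network activity can be attributed to an authenticated user. The following is an added illustration, not code from the thread: it parses constructed RADIUS accounting records (standard attribute names, made-up values), keeps a table of open sessions per NAS-Port, and looks up which authenticated user's assigned IPv4 address or IPv6 prefix covers a given source address.

```python
import ipaddress

# Constructed sample of RADIUS accounting records (detail-file style, one
# attribute per line, records separated by a blank line). Values are invented.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type = Start
User-Name = "alice"
NAS-Port = 7
Framed-IP-Address = 192.0.2.17
Framed-IPv6-Prefix = 2001:db8:7::/64

Acct-Status-Type = Start
User-Name = "bob"
NAS-Port = 12
Framed-IP-Address = 192.0.2.18
Framed-IPv6-Prefix = 2001:db8:12::/64

Acct-Status-Type = Stop
User-Name = "bob"
NAS-Port = 12
"""

def parse_records(text):
    """Yield one attribute->value dict per blank-line-separated record."""
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, val = line.partition("=")
            rec[key.strip()] = val.strip().strip('"')
        yield rec

def build_port_table(text):
    """Map NAS-Port -> (user, [assigned networks]) for sessions started and not stopped."""
    table = {}
    for rec in parse_records(text):
        port = int(rec["NAS-Port"])
        if rec.get("Acct-Status-Type") == "Stop":
            table.pop(port, None)  # port is free again; later traffic from it is unattributed
            continue
        # A bare Framed-IP-Address becomes a /32; the v6 prefix stays a /64.
        nets = [ipaddress.ip_network(rec[k])
                for k in ("Framed-IP-Address", "Framed-IPv6-Prefix") if k in rec]
        table[port] = (rec["User-Name"], nets)
    return table

def attribute(table, src_ip):
    """Return (user, port) whose RADIUS-assigned addressing covers src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for port, (user, nets) in table.items():
        if any(addr in net for net in nets):
            return user, port
    return None
```

A source address that matches no open session (bob's prefix after his Stop record) comes back as None, which is the case a firewall should drop or alert on rather than forward.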

