Re: [fw-wiz] IPv6 comes in the game
From: Michael Brown (topo2_at_pacbell.net)
Date: 05/05/04
- Previous message: kgiraldin_at_richland.lib.wa.us: "[fw-wiz] Cannot send mail"
- In reply to: Victor Williams: "RE: [fw-wiz] IPv6 comes in the game"
- Next in thread: Andras Kis-Szabo: "802.1x was: [fw-wiz] IPv6 comes in the game"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 4 May 2004 23:53:09 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry if 2x posted.
802.1x is also fine with FreeRADIUS; I've used it personally on Linux/*BSD
with Linux/*BSD/Win2k/XP clients, wired or wireless.
On Tue, 4 May 2004 09:51:01 -0500
"Victor Williams" <vbwilliams@essvote.net> wrote:
> Microsoft Windows 2000/2003 server does 802.1x auth fine. We use it to handle
> wireless access as well as port access on certain switches in the network.
>
>
> Victor Williams
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul D.
> Robertson
> Sent: Tuesday, May 04, 2004 9:23 AM
> To: Lorand Jakab
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] IPv6 comes in the game
>
>
> On Tue, 4 May 2004, Lorand Jakab wrote:
>
> > Now the box has an IPv6 address as well, and a prefix for the internal
> > network, and I would like to forward IPv6 traffic too. But the above
> > approach is not feasible anymore (not a good idea to have a 2^64 entry
> > static neighbor cache). Is it possible to prevent unassigned IP
> > addresses from being used for Internet access without entering each
> > assigned address in the firewall, while still having static MAC
> > entries for registered addresses?
>
> Surely you're not going to have 2^64 active neighbors? I don't see how a v6
> address changes things really?
>
> In any case, you might want to look at your layer 2 networking gear and see
> if authenticating the device via 802.1x is reasonable (it's built into the
> green switches, not sure about the others.) You may be able to do some
> "hand out an address by authentication group" sort of thing. I'm not sure
> what RADIUS servers support 802.1x though, and it's probably not a
> well-trodden path.
>
> > What would you recommend for this scenario, so it would only be
> > possible to spoof an address if a user changed the MAC address of his
> > NIC to another legitimate user's MAC, the IP to the other user's IP
> > (if no autoconfiguration will be used, I haven't decided that yet) and
> > the legitimate station would not be turned on?
>
> If you force the user to authenticate prior to forwarding packets, as 802.1x
> does on switches, then you're able to log the authentication at the RADIUS
> server, and equate network activity to a port. If the port's locked to an
> IP address, then you have the ability to track and basically eliminate abuse
> by authenticator.
>
> I'd probably look at RADIUS servers to see if there's any group addressing
> support, so that you could enable a user's addressing request by userid to
> be v4 or v6.
>
> I really wish I had the time to fool around with 802.1x, it really looks
> like the best place to do authentication, especially if you can translate
> the results into VLANs or address blocks.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul@compuwar.net       which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAmI9VyEfMczxaHdsRAljyAKCKO6GyLyfS0axeaxZAbWiCdg1lZACdFhl3
mDNDfbnTesZAwnS5Dtj99cQ=
=DDHL
-----END PGP SIGNATURE-----
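Paul's point above is that once 802.1x forces a RADIUS authentication before the switch forwards anything, the RADIUS log ties a user to a port, and if the port is also bound to an address you can spot abuse by comparing what was authenticated with what actually shows up on the wire. The script below is an added illustration of that correlation, written for this page and not code from any of the thread's participants or from FreeRADIUS. The session records, port names, MACs and addresses are all constructed; a real deployment would take the sessions from RADIUS accounting (Calling-Station-Id, NAS-Port-Id, Framed-IP-Address or Framed-IPv6-Prefix) and the observations from the switch or a capture. It handles both a single v4 address and a v6 prefix, which is what the IPv6 autoconfiguration question in the thread needs: a host is allowed to pick any address inside the prefix granted to its session, but nothing outside it.

```python
"""Correlate 802.1X/RADIUS authentication sessions with per-port traffic
observations and flag traffic that violates the port's authenticated binding.
Constructed example; sessions and observations are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthSession:
    """One authenticated supplicant as the RADIUS server logged it."""
    user: str
    port: str      # NAS-Port-Id reported by the switch (constructed names)
    mac: str       # Calling-Station-Id, the supplicant's MAC
    allowed: str   # address (v4, /32) or prefix (v6) granted to the session


@dataclass(frozen=True)
class Observation:
    """A frame seen on a switch port: which port, which source MAC and IP."""
    port: str
    src_mac: str
    src_ip: str


def port_bindings(sessions):
    """Map each port to its active session (single-supplicant ports assumed)."""
    return {s.port: s for s in sessions}


def check_observations(sessions, observations):
    """Return (port, src_ip, reason) for every observation that does not fit
    the session authenticated on that port."""
    bindings = port_bindings(sessions)
    findings = []
    for o in observations:
        s = bindings.get(o.port)
        if s is None:
            # Port never authenticated: 802.1x should not be forwarding here.
            findings.append((o.port, o.src_ip, "traffic on unauthenticated port"))
            continue
        if o.src_mac.lower() != s.mac.lower():
            # A different NIC is talking on a port bound to another user.
            findings.append((o.port, o.src_ip,
                             f"MAC {o.src_mac} does not match session of {s.user}"))
            continue
        allowed = ipaddress.ip_network(s.allowed, strict=False)
        if ipaddress.ip_address(o.src_ip) not in allowed:
            # Address family mismatch also lands here (v4 source on a v6 grant).
            findings.append((o.port, o.src_ip,
                             f"address outside {s.allowed} granted to {s.user}"))
    return findings


# Constructed sample data: two authenticated users, one v4 host and one
# v6 host that was handed a /64 prefix and may autoconfigure inside it.
SESSIONS = [
    AuthSession("alice", "Gi0/1", "00:11:22:33:44:01", "192.0.2.10/32"),
    AuthSession("bob", "Gi0/2", "00:11:22:33:44:02", "2001:db8:1:2::/64"),
]

OBSERVATIONS = [
    Observation("Gi0/1", "00:11:22:33:44:01", "192.0.2.10"),       # ok
    Observation("Gi0/2", "00:11:22:33:44:02", "2001:db8:1:2::5"),  # ok, inside prefix
    Observation("Gi0/2", "00:11:22:33:44:02", "2001:db8:1:3::5"),  # outside granted prefix
    Observation("Gi0/3", "00:11:22:33:44:01", "192.0.2.10"),       # alice's MAC/IP on a port nobody authenticated
    Observation("Gi0/1", "00:11:22:33:44:02", "192.0.2.10"),       # wrong MAC on alice's port
]


def run_example():
    """Run the check over the constructed data; three findings are expected."""
    return check_observations(SESSIONS, OBSERVATIONS)


if __name__ == "__main__":
    for port, ip, reason in run_example():
        print(f"{port} {ip}: {reason}")
```

The fourth observation is exactly the case Lorand raised: a station that clones another user's MAC and IP. Because the binding is keyed by port rather than by address, the cloned traffic still stands out, since it arrives on a port that either has no session or has a session for someone else. Locking the port to an address block rather than a single address is what makes this workable with IPv6 autoconfiguration without a 2^64-entry neighbor table.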