Re: SecurID and FreeS/WAN GW
From: Bennett Todd (bet@rahul.net) Date: 03/22/02
Date: Thu, 21 Mar 2002 18:54:41 -0500
From: Bennett Todd <bet@rahul.net>
To: Kee Hinckley <nazgul@somewhere.com>
2002-03-20-20:14:18 Kee Hinckley:
> >[ re web page to auth for IPSec ]
> >Sorry? It'd be possible with any web browser and a standard IP
> >stack, as opposed to impossible without a specific, proprietary,
> >vendor client.
>
> Quite true. But that has nothing to do with ease of use.
Sure. That's below.
> >And if you had some specific behaviour you wanted --- e.g. a
> >commandline or gui that prompted for the username and auth
> >credentials, then fired them off at the server and started up IPSEC,
> >it'd be easy to script in any reasonable language; all the
> >interactions are at least standardized.
>
> Yes, but if something goes wrong, debugging it is not fun.
Why do you believe this would be more fragile than a similar, but
undocumented, non-standard hack by a vendor?
> You have to worry about firewalls, proxy servers and many other
> things.
Always. But at least with this approach you know exactly what you
have to [try to] fix.
> At some large companies external web access isn't allowed for all
> users, those users wouldn't be able to use the VPN.
I'm missing something here. I have great difficulty picturing an
environment where you couldn't visit a web page to auth, but you
could make a VPN work. When web browsing is blocked off, so are
other internet protocols --- else the web browsing block is awfully
easy to knock through.
If you're talking about weirdness in client browser config, that's
no more problem for this hack than for a vendor's; if you can
require the user to have a vendor proprietary connect program to
pre-auth for IPSec, you could instead require the user to have your
homebrew program that does the pre-auth --- using a standard
protocol.
> All in all it sounds like a hack.
Sure it is, no question. The only point of discussion is whether a
closed vendor hack is preferable to a straightforward hack using
standard protocols.
> Far better to simply propose an extension to the standard and get
> it approved.
I've heard that that's current work in progress.
> In the meantime, from an administrative standpoint, I'd rather
> deal with an integrated, proprietary vendor solution than try and
> debug something using multiple protocols.
Multiple protocols in any case, the only question is how much info
you have to assist in debugging.
-Bennett