Re: Firewall with one-time passwords?

From: Ram Samudrala (ram@public.compbio.washington.edu)
Date: 01/11/03


From: Ram Samudrala <ram@public.compbio.washington.edu>
Date: 11 Jan 2003 21:12:10 GMT

In comp.security.firewalls Pierre Asselin <pa@panix.com> wrote:

> In <avom42$20t6$1@nntp6.u.washington.edu> Ram Samudrala <ram@public.compbio.washington.edu> writes:

>>[ ... a firewall that passes only ssh and ... ]

>>2. Each user who wishes to ssh to the entry point machine must first
>> authenticate themselves with a one-time password, with the
>> firewall. All the authentication does is to tell the firewall to allow
>> (within the period of one minute) an ssh connection to be initiated
>> between the user's machine and the single entry point. This
>> authentication is permitted only for connections initiating from a
>> trusted host/domain (as determined by a fixed list).

> This is probably *less* secure than letting ssh through in the first
> place. Your one-time password has to be machine-generated, so you
> need to distribute a shared secret to all your clients, each one a
> potential leak. Is the authentication and authorization code
> absolutely bullet-proof? Bugs could be exploited to 0wn your
> firewall.

I agree entirely, and that's what I'm looking for. It should be
bullet-proof enough that the firewall rules can't be compromised
(since the machine with the firewall is different from the login
machine). But still the firewall rules have to be modified when the
one-time password is authenticated.

> I realize you're looking for an existing solution as opposed to
> rolling your own, but the questions don't go away. Do you
> understand the vendor's design? Do you trust the implementation?

So we used a Checkpoint system before, and I was quite satisfied with
it.

> The restriction on incoming IPs is a good idea, because it reduces your
> exposure when a new ssh weakness is discovered and gives you time to
> patch the end machines. Do you trust the reverse DNS or do you maintain
> a list of allowed IP ranges?

Maintain a list of allowed IP ranges.

> It's probably safer to disallow passwords and force public-key
> authentication. You'll have to install the public keys yourself, or
> give your users a mechanism to do so. Also, laptop owners would
> have to protect their private keys with strong passphrases. A
> stolen laptop with an unencrypted private key is a free ticket.

This is one concern but I can instruct my students to not do this (and
I trust them to listen to me -- there can be about 20 or so max). I'm
more worried about keyboard sniffing of the passphrases (or passwords)
-- laptops being broken into and a sniffer installed (this happened
with us before, which is why we went for the Checkpoint solution,
which I'd still go for but it's 100Mbit -- the firewall box I have is
all gigabit and it cost me < $1000).

One-time passwords kind of get around this problem (so one would have
to know both the set of one-time passwords and the regular password to
get in).

Thanks for raising the concerns.

--Ram
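
Added example, not part of the original post and not any vendor's code: a minimal model of the gate discussed in this thread, where a source address on a fixed list of allowed ranges presents a one-time password and, on success, gets a one-minute window in which ssh is passed. The hash-chain (S/Key-style) password scheme, the in-memory window table standing in for real firewall rules, and all names and addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress

WINDOW_SECONDS = 60  # the thread's "within the period of one minute"


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [h^1(seed), ..., h^n(seed)]; the user spends values from the end."""
    chain, cur = [], seed
    for _ in range(n):
        cur = h(cur)
        chain.append(cur)
    return chain


class OtpGate:
    """Hypothetical gate: allow-list check, then OTP, then a timed ssh window."""

    def __init__(self, trusted_ranges):
        self.trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
        self.last = {}     # user -> last accepted chain value (no shared secret)
        self.windows = {}  # source IP -> time at which its ssh window closes

    def enroll(self, user, chain_top: bytes):
        self.last[user] = chain_top

    def authenticate(self, user, src_ip, otp: bytes, now: float) -> bool:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.trusted):
            return False  # the fixed list is checked before any OTP handling
        expected = self.last.get(user)
        if expected is None or not hmac.compare_digest(h(otp), expected):
            return False
        self.last[user] = otp  # spent: this value can never verify again
        self.windows[str(addr)] = now + WINDOW_SECONDS
        return True

    def ssh_allowed(self, src_ip, now: float) -> bool:
        """Would a new ssh connection from src_ip be passed at time now?"""
        expiry = self.windows.get(src_ip)
        if expiry is None or now >= expiry:
            self.windows.pop(src_ip, None)  # drop the expired window
            return False
        return True
```

With a hash chain the gate stores only the last accepted value, so a sniffed password cannot be replayed; the code that parses the submitted password still runs on the firewall and needs the scrutiny the thread asks for.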


