Re: What does a firewall do?

From: Nick Roberts (nick.roberts_at_acm.org)
Date: 01/20/05


Date: Thu, 20 Jan 2005 14:13:25 +0000

Justins local account <justin-nntp@pipemedia.net> wrote:

> > All the documentation I have read says that the 'ident' service should
> > never be used for authentication, and generally shouldn't be implemented
> > at all. What am I missing?
>
> It shouldn't be used for authentication, but it is used in logging.

Right. I recall reading that, now. (My memory! Sorry.)

> the downside is that it allows things on the outside to receive identifiers
> from your system, and these are often usernames. Some people consider this
> to be a dangerous information leak.

Right. Definitely a poor (default) policy.

> If you don't implement it, your server will reply with a port closed
> message, and my server will carry on straight away.

That seems more sensible, to my mind.

> If on the other hand, you do implement the service, and I have a query
> about activity on my server, when I ask you for your input I can advise
> you that your system advised me it was the httpd user that was trying to
> send mail at 3:15 am, and you have a better clue where to start looking.

Right. Of course, what I do is advise the outside world that it was user
'5KJ8GN397LA0RHF2' - I keep a (secured) table that translates it to 'httpd
at 3:15 am on 15th Jan 2005' - and if you quote it back to me at some later
time, I can be sure you're not lying ;-) and you don't know that it was user
'httpd'.

I think the latest RFC on ident says all this, in fact.

Thanks.

-- 
Nick Roberts
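
The opaque-token scheme described in the message above, sketched as an added example (not code from the original post or from any ident daemon). It answers an RFC 1413 query with an `OTHER`-type random token and keeps the token-to-user mapping in a private table; the names `TokenStore` and `handle_query` and the sample connection table are assumptions made for illustration.

```python
import secrets
import time

class TokenStore:
    """Private table: opaque token -> (user, local port, remote port, time)."""
    def __init__(self):
        self._table = {}  # must be readable by the administrator only

    def issue(self, user, lport, rport, now=None):
        token = secrets.token_hex(8).upper()  # 16 unguessable characters
        self._table[token] = (user, lport, rport,
                              time.time() if now is None else now)
        return token

    def resolve(self, token):
        # None means the token was never issued here, so a quoted report
        # carrying it did not originate from this host's ident replies.
        return self._table.get(token)

def handle_query(line, connections, store, now=None):
    """Answer one RFC 1413 query '<port-on-server> , <port-on-client>'.

    `connections` stands in for the kernel's TCP table and maps
    (local port, remote port) to the owning username.
    Returns the reply line, or None to close without replying
    (this example's choice for unparseable input).
    """
    try:
        lport, rport = (int(p) for p in line.strip().split(","))
    except ValueError:
        return None
    prefix = f"{lport}, {rport} : "
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return prefix + "ERROR : INVALID-PORT\r\n"
    user = connections.get((lport, rport))
    if user is None:
        return prefix + "ERROR : NO-USER\r\n"
    # OTHER marks the identifier as an unformatted string, not a username.
    return prefix + "USERID : OTHER : " + store.issue(user, lport, rport, now) + "\r\n"

if __name__ == "__main__":
    store = TokenStore()
    conns = {(6193, 25): "httpd"}  # constructed sample connection
    reply = handle_query("6193, 25\r\n", conns, store)
    print(reply.strip())
    print(store.resolve(reply.strip().rsplit(" ", 1)[-1]))
```
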

