From: Cristian KLEIN <cristi@net.utcluj.ro>
Date: Tue, 25 Sep 2007 10:10:44 +0300
To: freebsd-net@freebsd.org
Subject: Re: Large-scale 1-1 NAT
Message-ID: <46F8B474.5050609@net.utcluj.ro>
In-Reply-To: <20070925000602.GT19429@hal.rescomp.berkeley.edu>
References: <20070924072517.GL19429@hal.rescomp.berkeley.edu> <46F77C27.9050400@net.utcluj.ro> <20070924203516.GQ19429@hal.rescomp.berkeley.edu> <46F82FCF.2090203@net.utcluj.ro> <20070925000602.GT19429@hal.rescomp.berkeley.edu>
List-Id: Networking and TCP/IP with FreeBSD
>> There is another thing I wanted to point out. I remember you used the
>> words "authentication web page". This made me think you are
>> establishing a captive portal, which is not secure at all. If I
>> understand well, the authpf solution would be secure, except perhaps
>> a small delay. You might proxy your clients to a "click here and
>> download this preconfigured PuTTY" page.
>
> We are planning on using a captive portal. The only authentication
> mechanism we have for clients is a web-based SSO solution using CAS that
> isn't maintained by our staff. The people trying to authenticate are not
> intended to be local users on the system. What are the security problems
> you see with a captive portal interface?

I haven't used CAS, but if I understand well from their wiki, CAS by
itself isn't meant to keep the session alive. This means that the
following scenario could occur:

1) User associates with your AP.
2) User logs in.
3) EvilUser associates with your AP.
4) EvilUser runs tcpdump, records IP and MAC of User.
5) EvilUser sends DDoS against User.
6) Having a Windows :P, User is forced to restart his computer.
7) EvilUser sets his MAC and IP to the recorded ones.

Some captive portals do keep the session alive, by regularly refreshing
the page, using JavaScript or a Java applet. However, this means that
the user will have to keep his browser window open. IMHO, this is worse
than keeping PuTTY open while connecting to the Internet.
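The seven-step hijack above, replayed against a toy captive-portal authorization table. This is an added illustration, not code from the thread or from any real portal: it models a portal that authorizes a (MAC, IP) pair once at login ("static", the CAS-only case) next to one whose sessions carry a per-login secret the browser must echo back within a keep-alive interval ("keepalive", the JavaScript/applet refresh described in the message). The MAC, IP, user name and the 60-second TTL are constructed values.

```python
"""Toy captive-portal authorization table (constructed example).

Policies modelled:
  static    - a (MAC, IP) pair authorized at login stays authorized until
              an explicit logout.  Nothing distinguishes the cloned pair
              from the original one.
  keepalive - the same table, but each session carries a random secret
              handed to the browser at login; the browser must present it
              again within KEEPALIVE_TTL seconds or the sweeper drops the
              session.  A clone that only copied MAC and IP cannot refresh.
"""
import hmac
import secrets
import time

KEEPALIVE_TTL = 60  # seconds a session survives without a refresh (assumed)


class Portal:
    def __init__(self, policy, clock=time.monotonic):
        assert policy in ("static", "keepalive")
        self.policy = policy
        self.clock = clock          # injectable so the simulation can fast-forward
        self.sessions = {}          # (mac, ip) -> {"user", "secret", "last_seen"}

    def login(self, mac, ip, user):
        """Called after the SSO redirect succeeds; returns the keep-alive secret."""
        secret = secrets.token_bytes(16)
        self.sessions[(mac, ip)] = {"user": user, "secret": secret,
                                    "last_seen": self.clock()}
        return secret

    def keepalive(self, mac, ip, presented):
        """Refresh a session.  Constant-time compare so the secret cannot be
        guessed byte by byte from timing."""
        s = self.sessions.get((mac, ip))
        if s is None or not hmac.compare_digest(s["secret"], presented):
            return False
        s["last_seen"] = self.clock()
        return True

    def sweep(self):
        """Expire idle sessions; a no-op under the static policy."""
        if self.policy != "keepalive":
            return []
        now = self.clock()
        dead = [k for k, s in self.sessions.items()
                if now - s["last_seen"] > KEEPALIVE_TTL]
        for k in dead:
            del self.sessions[k]
        return dead

    def allowed(self, mac, ip):
        """The firewall's question: may this (MAC, IP) pair reach the Internet?"""
        self.sweep()
        return (mac, ip) in self.sessions


def simulate(policy):
    """Replay steps 1-7.  Returns (clone allowed right away, forged keep-alive
    accepted, clone still allowed after the TTL has elapsed)."""
    t = [0.0]
    portal = Portal(policy, clock=lambda: t[0])
    user_mac, user_ip = "00:11:22:33:44:55", "172.27.2.200"   # constructed
    portal.login(user_mac, user_ip, "user")                     # steps 1-2

    # Steps 3-6: EvilUser sniffs the pair and knocks User offline.
    # Step 7: EvilUser clones MAC and IP.  The table cannot tell them apart.
    t[0] += 1
    right_after = portal.allowed(user_mac, user_ip)

    # EvilUser never saw the secret, so a refresh attempt is rejected...
    forged = portal.keepalive(user_mac, user_ip, b"\x00" * 16)
    # ...and once the TTL passes only the keepalive policy closes the door.
    t[0] += KEEPALIVE_TTL + 1
    after_ttl = portal.allowed(user_mac, user_ip)
    return right_after, forged, after_ttl


def legit_refresh_keeps_session():
    """The real browser, holding the secret, survives across two TTL windows."""
    t = [0.0]
    portal = Portal("keepalive", clock=lambda: t[0])
    mac, ip = "aa:bb:cc:dd:ee:ff", "10.0.0.5"                  # constructed
    secret = portal.login(mac, ip, "user")
    t[0] += KEEPALIVE_TTL - 5
    refreshed = portal.keepalive(mac, ip, secret)
    t[0] += KEEPALIVE_TTL - 5
    return refreshed and portal.allowed(mac, ip)


if __name__ == "__main__":
    print("static   :", simulate("static"))      # clone stays authorized
    print("keepalive:", simulate("keepalive"))   # clone expires after TTL
```

Two things the simulation makes visible that the prose only implies: under either policy the clone is authorized the instant it appears, so keep-alive bounds the hijack window to one TTL rather than removing it; and the keep-alive request has to travel over TLS in this design, because the same tcpdump from step 4 would otherwise capture the secret along with the MAC and IP (an assumption of the example, not something the message states).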