Date: Sat, 25 Sep 1999 15:14:03 -0400 (EDT)
From: Irving Popovetsky <irvingp@dead-dog.com>
To: cjclark@home.com
Cc: The Mad Scientist <madscientist@thegrid.net>, freebsd-security@FreeBSD.ORG
Subject: Re: Secure gateway to intranet
Message-ID: <Pine.LNX.4.10.9909251508120.8410-100000@puck.nether.net>
In-Reply-To: <199909251858.OAA39078@cc942873-a.ewndsr1.nj.home.com>
If you need another heavy-duty layer of security, and you're willing to
pay, you may want to check out the RSA SecurID card stuff. ssh and many
other things can be set up to auth through an ACE server.

http://www.securid.com

-Irving

On Sat, 25 Sep 1999, Crist J. Clark wrote:

> Date: Sat, 25 Sep 1999 14:58:56 -0400 (EDT)
> From: Crist J. Clark <cjc@cc942873-a.ewndsr1.nj.home.com>
> Reply-To: cjclark@home.com
> To: The Mad Scientist <madscientist@thegrid.net>
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Secure gateway to intranet
>
> The Mad Scientist wrote,
> > All,
> > I am looking for a secure way to log into a machine on an intranet.
> > Here's what I have in mind.
> > A user ssh-es to a machine on the border network. Her shell is a
> > script/program that asks for a name of an internal machine, then ssh-es to
> > that machine after an authentication. This way, I could only open the
> > border and internal routers up to that machine and a proxy server and I
> > could have a log of who goes where.
>
> All seems quite reasonable.
>
> > I'd also like to be able to set up
> > some kind of acl in the proggie/script that dictates which users can go to
> > which machines.
>
> Hmmm... Is there a reason not to just let ssh take care of this for
> you? That is, have the hosts on the other end only accept certain
> users?
>
> > For authentication, a username/pass will do for now, but
> > later I'd like to expand it to some kind of one time card. Some kind of
> > transparent secure file transfer would also be great.
>
> Why not use the ssh-agent forwarding to do this?
>
> > Now, here's what I am interested in knowing. What would be a simple and
> > secure way to implement this. (I was thinking of perl) What sort of
> > things should I be wary of when setting this up? Is this even
> > advisable?
>
> It would not be too difficult to implement this. Perl? Heck, I'd just
> use a shell script. There really are not enough details to know what
> you should be wary of: How many users? Does each have an account on
> the gateway (or do you want them to use some common access account)?
> Are the users "trusted" (if they are, heck, give 'em a shell to type
> in the 'ssh internal-host' on their own)? If not, just how closely do
> you need to watch these people?
>
> Is it advisable? Well, if the internal network is NATed, this is
> advisable since it is about the only way to get in there. If it is
> not NATed, this may be more work (and uses some more resources) than
> just poking some holes in a firewall to let these people in to certain
> machines. But still, if these people do not have fixed IPs, then the
> firewall might need to be opened a bit wider than you are comfortable
> with to let them in.
> --
> Crist J. Clark                           cjclark@home.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-Irving Popovetsky
IP Security Operations
Dead Dog Consulting
Sprint Corporate Security
Centre for the advancement of Evil
http://www.iad.dead-dog.com

geek: /'gEk/, noun
1. a carnival performer often billed as a "wild man" whose act usually
   includes biting the head off a live chicken or snake
2. a person often of an intellectual bent who is disapproved of

"Not convention but stupid and rigid convention is the foe"

Fashion is a form of ugliness so intolerable that we have to alter it
every six months.
-- Oscar Wilde
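The gateway login shell the thread describes (prompt for an internal host, check a per-user ACL, log who goes where, then ssh onward), written as the POSIX shell script Crist suggests. This is an added example, not code from the thread or from FreeBSD; the users, hosts and ACL contents are constructed sample data, and the `ssh-gw` syslog tag, the `--login` flag and the use of a temporary ACL file are assumptions for a self-contained run.

```shell
#!/bin/sh
# Gateway login shell: ask for an internal host, check an ACL, log the hop,
# then exec ssh to it. Names here are hypothetical; the ACL is constructed.
# Constructed ACL ("user host1 host2 ...", "#" starts a comment); a real
# deployment would read a root-owned file the user cannot edit instead.
ACL_FILE=$(mktemp)
cat >"$ACL_FILE" <<'EOF'
# user     permitted internal hosts (constructed sample data)
alice      db1.internal www1.internal
bob        www1.internal
EOF

# Only plain host names (letters, digits, dots, hyphens, no leading "-")
# pass, so user input can never be parsed by ssh as an option.
valid_host() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Return 0 if user $1 is listed with host $2 in the ACL, else 1.
allowed() {
    u=$1; h=$2
    valid_host "$h" || return 1
    while read -r acl_user hosts; do
        case "$acl_user" in ""|"#"*) continue ;; esac
        [ "$acl_user" = "$u" ] || continue
        for ah in $hosts; do
            [ "$ah" = "$h" ] && return 0
        done
    done <"$ACL_FILE"
    return 1
}

# Interactive entry point; set as the user's login shell on the gateway.
gateway_main() {
    user=$(id -un)
    printf 'Internal host: '
    read -r target || exit 1
    if ! allowed "$user" "$target"; then
        logger -t ssh-gw "DENY user=$user host=$target"
        echo "Access denied." >&2
        exit 1
    fi
    logger -t ssh-gw "ALLOW user=$user host=$target"
    exec ssh -- "$target"   # "--" ends option parsing: argument is only a host
}

if [ "${1:-}" = "--login" ]; then gateway_main; fi
```

Every ALLOW/DENY line lands in syslog, which gives the "log of who goes where" the original poster asked for without trusting the internal hosts to keep it.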
