Authentication on an Untrusted Network?

PapaZit writes "I'd like to set up a wireless access point to simplify LAN parties and other social geekery. All of these people should have access to the network when I allow it, but not otherwise. The filtering and routing solutions that I've seen are all based on IP addresses (which can easily be faked, changed, or stolen) or WEP (which requires a shared secret and reconfiguration of all systems if the secret has to be changed). Would filtering on MAC addresses work? PPPoE? RADIUS? Does anyone have experience with Linux or BSD tools that do this?"
  • Well, MACs can also be faked, it's just easier with some hardware than with others.

    I think you have to set up encrypted tunnels, and ignore packets with the wrong data. Kerberos, SSH, SSLeay...there are tools for it, it's a matter of how large you want the shared secrets (keys/passwords) to be. And you only need to allow the Visitor passwords when you have guests.

  • The MIT one, not the half-assed Win2K one. But Kerberos should do it, and it's a token-based authentication protocol too. Just Kerberize your gateway and network and no one should be able to get in without authenticating to your server.
  • by trims ( 10010 ) on Tuesday June 20, 2000 @01:01AM (#991238) Homepage

    Fundamentally, the problem you describe is this:

    How do I trust a user is who they say they are?

    If you can count on that, then you have any number of access/content control mechanisms. This is exactly what PKI (Public Key Infrastructure) addresses.

    Fundamentally, you don't want to validate the machine, you're interested in the user. So forget network id, et al.

    As others have pointed out, the obvious solution is Kerberos [mit.edu], from MIT. It was specifically designed to solve the problem you have. However, you have to build kerberos into your application, so it's not simple, and neither is the setup.

    The second most popular solution is Personal Digital Certificates (NOT SSL Certificates). These are tied into Web Server authentication (for the most part), but can be used as a generic authentication mechanism. Depending on what you want, they can be relatively cheap and uncomplicated, or it can get pretty hairy. Look at Thawte [thawte.com] for a decent example - also, check out the iPlanet Certificate Server [iplanet.com] for some relevant info. Honestly, this is probably the easiest way to do what you want, IF you can do a web-based service. It won't be free, but if you scrape around, you can probably get it in place for a modest amount.

    You can also look at things such as TIS or SecurID: these are more hard-core, since they're hardware token-based authentication schemes, and generally require custom software (though SSH supports TIS/SecureKey).

    As a last resort, you might investigate VPN solutions, since, while they're not PKI in a true sense, they can provide network validation. S/WAN for Linux is a good, free thing here, and you might look at an IPSec implementation, too.

    Best of Luck.

    -Erik
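As an added illustration of the thread's two points (validate the user rather than the machine, and avoid a single shared secret that every box must be reconfigured for when it changes), here is a toy per-user challenge/response admission model for a gateway. This is constructed example code, not from the original discussion or from any of the tools named (Kerberos, RADIUS, S/WAN); the user names, the "guest window" and the session-token handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy model: each guest has their own secret, access is only
# granted while the host has opened a "guest window", and revoking one
# guest does not touch anyone else's credentials (unlike a shared WEP key).

class Gateway:
    def __init__(self):
        self.keys = {}            # user -> per-user secret (never shared)
        self.sessions = {}        # session token -> (user, expiry)
        self.used_nonces = set()  # reject replayed challenge responses
        self.window = (0.0, 0.0)  # (start, end) during which guests may join

    def enroll(self, user: str) -> bytes:
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def open_window(self, seconds: float, now: float) -> None:
        self.window = (now, now + seconds)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce per login attempt

    def authenticate(self, user: str, nonce: bytes, response: bytes, now: float):
        start, end = self.window
        if not (start <= now < end) or nonce in self.used_nonces:
            return None
        key = self.keys.get(user)
        if key is None:
            return None
        expected = hmac.new(key, b"join:" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        self.used_nonces.add(nonce)
        token = secrets.token_hex(16)
        self.sessions[token] = (user, end)  # access ends with the window
        return token

    def allowed(self, token: str, now: float) -> bool:
        s = self.sessions.get(token)
        return s is not None and s[0] in self.keys and now < s[1]

    def revoke(self, user: str) -> None:
        self.keys.pop(user, None)  # only this user's access is affected

def client_response(key: bytes, nonce: bytes) -> bytes:
    # What a guest's client computes from its own secret and the challenge.
    return hmac.new(key, b"join:" + nonce, hashlib.sha256).digest()
```

In a real deployment the session token would have to ride inside an authenticated tunnel (the encrypted-tunnel point made earlier in the thread), since anything keyed only on a MAC or IP address can be reused by another host.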
