Subject: Re: OT: authenticating users, was Re: SE Linux vs SE NetBSD !!
To: Travis H. <solinym@gmail.com>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/04/2006 22:38:24

On Jan 23, 12:02pm, "Travis H." wrote:
} On 9/2/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
} > This is where things like Cisco's NAC (Network Admission Control)
} > come into play. Basically, it prevents machines from connecting to
} > the network if they aren't running the latest patches, anti-virus, etc.
} > (whatever you put into your policy). It can either block the machine
} > completely or quarantine it in a subnet where it can only get updates.
} > There may be other products that do similar things, but I'm not aware
} > of any.
}
} I think you could write this up in a script using nmap and authpf.

How would nmap query a system to find out the date of the
anti-virus signature file?

} > Of
} > course, there is the issue of authenticating users and making sure they
} > don't try to fake the credentials of a different user. I think some of
} > the other options are better for that.
}
} Yeah, well nowadays there's so many PCs relative to the number of
} users, and it's reasonable to assume one user per workstation.

Even so, how do you find out who that user is?

} I think Kerberos is designed with this assumption. Certainly

I don't think so. However, NFS is designed to talk to multi-user
systems. Basic NFS assumes that the system is secure and will
authenticate its users. This is a bad assumption in a client/server
environment.

} network security devices like firewalls are. A person with
} physical access can probably get any other user's privileges
} anyway.

Perhaps.

}-- End of excerpt from "Travis H."