
File: [local] / www / papers / authgw-slides.ps (download)

Revision 1.1, Tue Nov 16 09:33:12 1999 UTC (24 years, 6 months ago) by beck
Branch: MAIN
CVS Tags: HEAD

slides from my LISA '99 paper presentation - minus the "IP Spoofing
For Dummies" gag, which was a jpg - sorry.

%!PS-Adobe-3.0
%%Creator: groff version 1.11
%%CreationDate: Fri Nov  5 07:47:20 1999
%%DocumentNeededResources: font Palatino-Bold
%%+ font Times-Roman
%%+ font Courier
%%DocumentSuppliedResources: procset grops 1.11 0
%%Pages: 15
%%PageOrder: Ascend
%%Orientation: Landscape
%%EndComments
%%BeginProlog
%%BeginResource: procset grops 1.11 0
% Remember the current array-packing mode (left on the operand stack) and
% turn packing on while the procset is defined. The matching restore follows
% the dictionary definition. Skipped when the interpreter has no setpacking.
/setpacking where{
pop
currentpacking
true setpacking
}if
% grops: dictionary of the short operator names used by the page bodies of
% this groff-generated file. The definitions below use drawing, font and
% save/restore operators; the only device-level access is the statusdict
% manualfeed setting in MANUAL, and no file operators appear.
% NOTE(review): PostScript is an executable language, so a file like this is
% normally rendered with the interpreter's file access restricted (for
% Ghostscript, -dSAFER).
/grops 120 dict dup begin
% SC: character code given to widthshow/awidthshow (32, the space position
% in the ENC0 encoding built in the setup section).
/SC 32 def
% Text-showing operators. A-D show at the current point, E-H first move
% horizontally by dx, I-L first move vertically by dy, M-P first move by
% (dx, dy), and Q-T first move to an absolute (x, y). Within each group the
% four variants are, in order: show; widthshow (extra width on character
% SC); ashow (extra width on every character); awidthshow (both).
/A/show load def
/B{0 SC 3 -1 roll widthshow}bind def
/C{0 exch ashow}bind def
/D{0 exch 0 SC 5 2 roll awidthshow}bind def
/E{0 rmoveto show}bind def
/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
/G{0 rmoveto 0 exch ashow}bind def
/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/I{0 exch rmoveto show}bind def
/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
/K{0 exch rmoveto 0 exch ashow}bind def
/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/M{rmoveto show}bind def
/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
/O{rmoveto 0 exch ashow}bind def
/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/Q{moveto show}bind def
/R{moveto 0 SC 3 -1 roll widthshow}bind def
/S{moveto 0 exch ashow}bind def
/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
% /name size /font SF: scale the font with matrix [size 0 0 -size 0 0]
% (the negative y scale matches the flipped page coordinates set in BP),
% make it current, and define name as a procedure that selects it again.
/SF{
findfont exch
[exch dup 0 exch 0 exch neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
% /name a b c /font MF: like SF, but the three numbers build the matrix
% [a 0 b -c 0 0].
/MF{
findfont
[5 2 roll
0 3 1 roll
neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
% Placeholders: level0 is overwritten by BP, and RES, PL and LS are
% overwritten in the setup section that follows the prolog.
/level0 0 def
/RES 0 def
/PL 0 def
/LS 0 def
% MANUAL: set manualfeed to true in statusdict.
/MANUAL{
statusdict begin/manualfeed true store end
}bind def
% PLG: leave lly + ury of the clipping path's bounding box on the stack.
/PLG{
gsave newpath clippath pathbbox grestore
exch pop add exch pop
}bind def
% BP (begin page): save the VM state in level0, set line cap and join to 1,
% scale by 72/RES, then rotate 90 degrees when LS is true or translate by
% PL otherwise, and finally flip the y axis with "1 -1 scale".
/BP{
/level0 save def
1 setlinecap
1 setlinejoin
72 RES div dup scale
LS{
90 rotate
}{
0 PL translate
}ifelse
1 -1 scale
}bind def
% EP (end page): restore the state saved by BP and emit the page.
/EP{
level0 restore
showpage
}bind def
% DA: start a new path, add an arcn arc from the operands, and stroke it.
/DA{
newpath arcn stroke
}bind def
% SN: snap a user-space point. The point is transformed to device space,
% each coordinate is rounded after subtracting .25 and .25 is added back,
% and the result is transformed back to user space.
/SN{
transform
.25 sub exch .25 sub exch
round .25 add exch round .25 add exch
itransform
}bind def
% DL: stroke a line between two snapped points. The topmost pair on the
% stack is the start (moveto) and the pair beneath it is the end (lineto).
/DL{
SN
moveto
SN
lineto stroke
}bind def
% x y r DC: build a closed full-circle path. It is not painted here; the
% page bodies follow it with ST.
/DC{
newpath 0 360 arc closepath
}bind def
% TM: scratch matrix used by DE to hold the current transformation.
/TM matrix def
% DE: build an ellipse path by translating and scaling a circle of radius
% .5 centred on the origin, then put the saved matrix back.
/DE{
TM currentmatrix pop
translate scale newpath 0 0 .5 0 360 arc closepath
TM setmatrix
}bind def
% Short aliases for standard path operators.
/RC/rcurveto load def
/RL/rlineto load def
/ST/stroke load def
/MT/moveto load def
/CL/closepath load def
% gray FL: fill the current path with the given gray level, then set the
% gray level back to what it was before the call.
/FL{
currentgray exch setgray fill setgray
}bind def
/BL/fill load def
/LW/setlinewidth load def
% /newname encoding /basefont RE: copy the base font dictionary without its
% FID entry (allowing one extra slot when the font has no FontName), install
% the given Encoding and FontName, and register the copy with definefont.
/RE{
findfont
dup maxlength 1 index/FontName known not{1 add}if dict begin
{
1 index/FID ne{def}{pop pop}ifelse
}forall
/Encoding exch def
dup/FontName exch def
currentdict end definefont pop
}bind def
% DEFS is replaced by a real dictionary in the setup section. EBEGIN moves
% to a point and pushes DEFS on the dictionary stack; EEND pops it.
/DEFS 0 def
/EBEGIN{
moveto
DEFS begin
}bind def
/EEND/end load def
/CNT 0 def
/level1 0 def
% PBEGIN: wrapper that opens an embedded picture. It saves the VM state in
% level1, applies a translate, a scale computed from two quotients of its
% operands and a second negated translate, resets the graphics state
% (gray, line cap, width, join, miter limit, dash, and stroke adjustment and
% overprint where the interpreter has them), records the dictionary stack
% depth in CNT, pushes userdict, and defines showpage as an empty procedure
% so the embedded content cannot emit a page of its own.
/PBEGIN{
/level1 save def
translate
div 3 1 roll div exch scale
neg exch neg exch translate
0 setgray
0 setlinecap
1 setlinewidth
0 setlinejoin
10 setmiterlimit
[]0 setdash
/setstrokeadjust where{
pop
false setstrokeadjust
}if
/setoverprint where{
pop
false setoverprint
}if
newpath
/CNT countdictstack def
userdict begin
/showpage{}def
}bind def
% PEND: clear the operand stack, pop every dictionary pushed since PBEGIN
% recorded CNT, and restore the state saved in level1.
/PEND{
clear
countdictstack CNT sub{end}repeat
level1 restore
}bind def
end def
% Put back the packing mode that was left on the stack at the top.
/setpacking where{
pop
setpacking
}if
%%EndResource
%%IncludeResource: font Palatino-Bold
%%IncludeResource: font Times-Roman
%%IncludeResource: font Courier
% Document setup. Pushes the grops dictionary (popped again by the "end" in
% the trailer), creates DEFS with the single entry u (multiply by .001), and
% sets RES to 72, PL to 792 and LS to true, so BP scales by 72/72 and takes
% its rotate-90 branch.
% ENC0 is the encoding vector applied to all three fonts. Positions used by
% the slide text beyond plain ASCII: hex 83 (octal 203) is bullet, octal 214
% is the fi ligature, octal 215 is the fl ligature, and octal 255 is minus.
% The last two lines re-encode Courier, Times-Roman and Palatino-Bold with
% ENC0 under the names Courier@0, Times-Roman@0 and Palatino-Bold@0.
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 792 def/LS true def/ENC0[/asciicircum/asciitilde/Scaron/Zcaron
/scaron/zcaron/Ydieresis/trademark/quotesingle/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
/Palatino-Bold@0 ENC0/Palatino-Bold RE
%%EndProlog
%%Page: 1 1
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 1 (title): "Dealing with Public Ethernet Jacks: Switches, Gateways,
% and Authentication", Bob Beck, beck@bofh.ucs.ualberta.ca, University of
% Alberta. All of it is set in F0 (Palatino-Bold at 23).
% After the text come the slide frame (DL lines and radius-36 DA arcs at
% line width .012), the running footer in F1 (Times-Roman at 9) with the
% talk title and "Nov 5, 1999", and the page number in F2 (Courier at 14).
/F0 23/Palatino-Bold@0 SF(Dealing with Public Ethernet Jacks:)209.182
118 Q(Switches, Gateways, and Authentication)183.629 141 Q(Bob Beck)
346.481 279 Q(beck@bofh.ucs.ualberta.ca)257.425 302 Q
(University of Alberta)284.197 325 Q .012 LW 72.012 504.001 72.012
108.001 DL 108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001
108.012 540.001 DL 233.899 540.001 273.612 540.001 DL 634.898 540.001
558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001
720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001
684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA/F1 9
/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 1)712.8
588 Q EP
%%Page: 2 2
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 2: "The Problem: Public Ethernet Jacks."
% Rendered text, with the kerning splits joined back together:
%  - Public access points to the campus network: insecure PC (Windows and
%    Macintosh) labs as well as public Ethernet jacks for laptops.
%      o People off the street walk in, then use/abuse.
%      o Students may use the labs to cause mischief on or off campus.
%  - In the past, to prevent abuse, labs were not routed off campus
%    (Internet use by proxy only). Still a source of attacks on campus.
%  - More and more demand for mobile plug-in access and for other protocols
%    the site did not want to proxy. "We needed a better solution."
% Each hex string beginning with 83 is a bullet glyph followed by the first
% letter of the item. The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(The Problem: Public Ethernet Jacks.)207.561
118 Q 10.8<8350>119.262 164 S
(ublic access points to our campus network,)-10.8 E(Insecure PC \(W)144
187 Q(indows and Macintosh\) labs as well)-.851 E
(as public Ethernet jacks for laptops)144 210 Q 162.3 227.25 5.75 DC
.012 LW ST(People of)180 233 Q 5.75(ft)-.414 G
(he street walk in, then use/abuse.)-5.75 E 162.3 250.25 5.75 DC ST
(Students may use the labs to cause mischief on)180 256 Q(or of)180 279
Q 5.75(fc)-.414 G(ampus.)-5.75 E 10.8<8349>119.262 325 S 5.75(nt)-10.8 G
(he past, to prevent abuse labs weren')-5.75 E 5.75(tr)-.414 G(outed)
-5.75 E(of)144 348 Q 5.75(fo)-.414 G
(ur campus. \(Internet use by proxy only\). Still a)-5.75 E
(source of attacks on campus.)144 371 Q 10.8<834d>119.262 417 S
(ore and more demand for mobile plug-in type)-10.8 E
(access, and other protocols we didn')144 440 Q 5.75(tw)-.414 G
(ant to proxy)-5.75 E(.)-2.116 E 3.404 -1.702(We n)144 463 T
(eeded a better solution.)1.702 E 72.012 504.001 72.012 108.001 DL
108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001
DL 233.899 540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL
684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL
684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL
108.011 108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 2)712.8
588 Q EP
%%Page: 3 3
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 3: "What Did We Want?" - the requirements list.
% Rendered text: the same level of control the site has on its student
% access UNIX systems.
%  - Kerberos is already in use (about 50,000 user IDs).
%  - Must work with public plug-in access and with labs of insecure PCs
%    (win95, win98, Mac).
%  - Must integrate with the Kerberos IDs already given to all students
%    and staff.
%  - Must prevent unauthorized net usage.
%  - Must ensure authorized usage can be easily tracked.
%  - Must be relatively secure and attack resistant.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(What Did W)290.073 118 Q 5.75(eW)-1.702 G
(ant?)-7.452 E(The same level of control we have with our student)108
164 Q(access UNIX systems.)108 187 Q 10.8<8357>119.262 233 S 5.75(ea)
-12.502 G(lready make use of Kerberos \(we have about)-5.75 E
(50,000 User IDs\).)144 256 Q 10.8<834e>119.262 279 S
(eeded a solution to work both with public plug-)-10.8 E
(in access and labs of insecure PC')144 302 Q 5.75(s\()-1.265 G
(win95, win98,)-5.75 E(Mac\).)144 325 Q 10.8<8357>119.262 348 S
(anted something to integrate with the Kerberos)-12.502 E
(IDs we already give out to all students and staf)144 371 Q(f.)-.414 E
10.8<834d>119.262 394 S(ust prevent unauthorized net usage)-10.8 E 10.8
<834d>119.262 417 S(ust ensure authorized usage can be easily)-10.8 E
(tracked.)144 440 Q 10.8<834d>119.262 463 S
(ust be relatively secure and attack resistant.)-10.8 E .012 LW 72.012
504.001 72.012 108.001 DL 108.012 504.001 36 -180.0000 90.0000 DA
273.612 540.001 108.012 540.001 DL 233.899 540.001 273.612 540.001 DL
634.898 540.001 558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA
720.011 108.001 720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA
108.011 72.001 684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA
/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 3)712.8
588 Q EP
%%Page: 4 4
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 4: "What We Looked At." - alternatives considered.
% Rendered text: Windows NT; nontransparent proxies (FWTK etc.); commercial
% firewall products; DHCP registration systems. Conclusion: "We found
% nothing that did what we wanted at a price we could afford."
% Octal 214 inside "\214rewall" is the fi ligature in the ENC0 encoding.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(What W)287.601 118 Q 5.75(eL)-1.702 G
(ooked At.)-5.75 E 10.8<8357>119.262 164 S(indows NT)-11.651 E 10.8
<834e>119.262 210 S(ontransparent Proxies \(FWTK etc.\))-10.8 E 10.8
<8343>119.262 256 S(ommercial \214rewall products)-10.8 E 10.8<8344>
119.262 302 S(HCP registration systems)-10.8 E 3.404 -1.702(We f)155.5
371 T(ound nothing that did what we wanted at a)1.702 E
(price we could af)144 394 Q(ford.)-.414 E .012 LW 72.012 504.001 72.012
108.001 DL 108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001
108.012 540.001 DL 233.899 540.001 273.612 540.001 DL 634.898 540.001
558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001
720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001
684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA/F1 9
/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 4)712.8
588 Q EP
%%Page: 5 5
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 5: "What We Did." - design overview.
% Rendered text:
%  - An authenticating gateway which, placed in front of a lab, forces the
%    user to authenticate before allowing access from their IP address.
%  - Once authenticated, everything is allowed (although much is logged).
%    Custom software was written for the gateways to do this.
%  - Gateways are configured to avoid problems with IP spoofing.
%  - Only switched networks are used, with the switches configured to
%    prevent sniffing and hijacking.
% NOTE(review): as described, authorization is all-or-nothing and keyed to
% the source IP address, so the scheme is only as strong as the binding
% between a user and that address. Slides 6, 9 and 10 cover how the switches
% and the gateway are meant to protect that binding.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(What W)322.434 95 Q 5.75(eD)-1.702 G(id.)-5.75
E 10.8<8341>119.262 141 S 5.75(na)-10.8 G(uthenticating gateway)-5.75 E
5.75(,w)-2.116 G(hich when placed in)-5.75 E
(front of a lab forces the user to authenticate before)144 164 Q
(allowing access from their IP address.)144 187 Q 10.8<834f>119.262 233
S(nce authenticated, everything is allowed,)-10.8 E
(\(although much is logged\).)144 256 Q 5.106 -2.553(To d)11.5 H 5.75
(ot)2.553 G(his we wrote)-5.75 E(some custom software for our gateways.)
144 279 Q 10.8<8357>119.262 325 S 5.75(ee)-12.502 G
(nsure our gateways are con\214gured to avoid)-5.75 E
(problems with IP spoo\214ng.)144 348 Q 10.8<8357>119.262 394 S 5.75(eu)
-12.502 G(se only switched networks with the switches)-5.75 E
(con\214gured appropriately to prevent snif)144 417 Q(\214ng and)-.414 E
(hijacking.)144 440 Q .012 LW 72.012 504.001 72.012 108.001 DL 108.012
504.001 36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL
233.899 540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL
684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL
684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL
108.011 108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 5)712.8
588 Q EP
%%Page: 6 6
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 6: "The Switches."
% Rendered text:
%  - The system authenticates a user based on their source IP address.
%  - To do this in a reasonable manner, the network must not be vulnerable
%    to spoofing or hijacking attempts.
%      o MAC-lock switches where possible.
%      o Where not possible, ensure they do not broadcast unknown traffic.
%  - Ensure nothing in the lab can talk to the switch.
%  - Goal: ensure nobody can see anyone else's session.
% NOTE(review): the first item is rendered as "authenticates a used"
% (presumably "a user"). The string is left untouched here because it is
% the slide's printed text.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(The Switches.)322.549 118 Q 10.8<834f>119.262
164 S(ur system authenticates a used based on their)-10.8 E
(source IP address.)144 187 Q 10.8<8354>119.262 233 S 5.75(od)-13.353 G
5.75(ot)-5.75 G(his in a reasonable manner)-5.75 E 5.75(,w)-1.265 G 5.75
(en)-5.75 G(eeded a)-5.75 E
(network which was not vulnerable to spoo\214ng or)144 256 Q
(hijacking attempts.)144 279 Q 162.3 296.25 5.75 DC .012 LW ST
(MAC-lock switches where possible.)180 302 Q 162.3 319.25 5.75 DC ST
(Where not possible, ensure they do not)180 325 Q
(broadcast unknown traf)180 348 Q<8c63>-.414 E 10.8<8345>119.262 394 S
(nsure nothing in the lab can talk to the switch.)-10.8 E 10.8<8347>
119.262 440 S(oal: ensure nobody can see anyone else')-10.8 E 5.75(ss)
-1.265 G(ession)-5.75 E 72.012 504.001 72.012 108.001 DL 108.012 504.001
36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL 233.899
540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL 684.011
504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL 684.011
108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL 108.011
108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 6)712.8
588 Q EP
%%Page: 7 7
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 7: "The Gateways"
% Rendered text:
%  - Gateways are built using OpenBSD (version 2.5).
%  - By default the gateway blocks all outgoing traffic from the labs using
%    packet filters (ipf).
%  - A user connects and authenticates with their Kerberos ID and password.
%  - On successful authentication the gateway adds rules to allow out all
%    traffic (and log some of it).
%  - As soon as the authenticating session disconnects, the added filter
%    rules are removed.
% In short: a default-deny filter with per-session allow rules whose
% lifetime is tied to the authenticating session.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(The Gateways)320.939 95 Q 10.8<834f>119.262
141 S(ur gateways are built using OpenBSD \(version)-10.8 E(2.5\).)144
164 Q 10.8<8354>119.262 210 S
(he gateways by default blocks all outgoing traf)-10.8 E<8c63>-.414 E
(from the labs using packet \214lters \(ipf\).)144 233 Q 10.8<834f>
119.262 279 S(ur gateways allow a user to connect and)-10.8 E
(authenticate using their Kerberos ID and)144 302 Q(password.)144 325 Q
10.8<834f>119.262 371 S 5.75(ns)-10.8 G
(uccessful authentication the gateway adds)-5.75 E
(rules to allow out all traf)144 394 Q(\214c \(and log some of it\).)
-.414 E 10.8<8341>119.262 440 S 5.75(ss)-10.8 G
(oon as the authenticating session disconnects,)-5.75 E
(the \214lter rules added above are removed.)144 463 Q .012 LW 72.012
504.001 72.012 108.001 DL 108.012 504.001 36 -180.0000 90.0000 DA
273.612 540.001 108.012 540.001 DL 233.899 540.001 273.612 540.001 DL
634.898 540.001 558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA
720.011 108.001 720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA
108.011 72.001 684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA
/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 7)712.8
588 Q EP
%%Page: 8 8
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 8: "authipf - Our Program For Filter Rules"
% Rendered text:
%  - Users connect to the gateway with telnet ("Why telnet? because they all
%    have it and can use it!").
%  - The user authenticates with login; login runs authipf, a program which
%    adds filter rules when started and removes them when done.
%  - TCP KEEPALIVE values are tuned so that unresponsive sessions go away in
%    under a minute.
%  - authipf logs to syslog when users authenticate and when they
%    disconnect. It also puts in rules to log tcp sessions.
% NOTE(review): telnet does not encrypt the login exchange, so the Kerberos
% password crosses the lab segment in the clear. The design relies on the
% switch configuration (slides 6 and 9) to keep other hosts from seeing that
% traffic, and ssh appears among the future enhancements on slide 14.
% NOTE(review): the keepalive figure also bounds how long the allow rules
% of a vanished client stay in place: up to about a minute, per the slide.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(authipf - Our Program For Filter Rules)194.761
95 Q 10.8<8355>119.262 141 S
(sers connect to gateway with telnet \(Why telnet?)-10.8 E
(because they all have it and can use it!\))144 164 Q 10.8<8355>119.262
210 S(ser authenticates with login, login runs authipf, a)-10.8 E
(program which adds \214lter rules when started,)144 233 Q
(removes when done.)144 256 Q 10.8<8354>119.262 302 S(CP KEEP)-10.8 E
(ALIVE values tuned to ensure that)-1.702 E
(unresponsive sessions go away in under a minute.)144 325 Q 10.8<8361>
119.262 371 S(uthipf logs to syslog when users authenticate, and)-10.8 E
(when they disconnect.)144 394 Q(It also puts in rules to log)11.5 E
(tcp sessions.)144 417 Q .012 LW 72.012 504.001 72.012 108.001 DL
108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001
DL 233.899 540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL
684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL
684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL
108.011 108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 8)712.8
588 Q EP
%%Page: 9 9
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 9: "Security and Configuration Issues"
% Rendered text:
%  - To reiterate, switches must be configured properly to avoid traffic
%    snooping and hijacking.
%      o MAC lock each port, or..
%      o Turn off unknown unicast flooding.
%  - Switch configs are reviewed periodically to catch mistakes.
%  - The switches deal with traffic at the MAC level, yet authentication is
%    based on IP address - "this means that there is a potential problem.."
% The last item sets up slide 10: port-level MAC controls do not by
% themselves bind an IP address to a port.
% Octal 215 inside "\215ooding" is the fl ligature in the ENC0 encoding.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(Security and Con\214guration Issues)218.095 95
Q 10.8<8354>119.262 141 S 5.75(or)-13.353 G
(eiterate, switches must be con\214gured properly)-5.75 E(to avoid traf)
144 164 Q(\214c snooping and hijacking)-.414 E 162.3 181.25 5.75 DC .012
LW ST(MAC lock each port or)180 187 Q(..)-1.265 E 162.3 204.25 5.75 DC
ST -2.967(Tu)180 210 S(rn of)2.967 E 5.75(fu)-.414 G
(nknown unicast \215ooding.)-5.75 E 10.8<8357>119.262 256 S 5.75(ep)
-12.502 G(eriodically review switch con\214gs to ensure we)-5.75 E
(haven')144 279 Q 5.75(tm)-.414 G(ade mistakes)-5.75 E 10.8<834f>119.262
325 S(ur switches deal with traf)-10.8 E(\214c at the MAC level, yet)
-.414 E(we authenticate based on IP address - this means)144 348 Q
(that there is a potential problem..)144 371 Q 72.012 504.001 72.012
108.001 DL 108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001
108.012 540.001 DL 233.899 540.001 273.612 540.001 DL 634.898 540.001
558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001
720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001
684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA/F1 9
/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 9)712.8
588 Q EP
%%Page: 10 10
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 10: "IP spoofing"
% Rendered text:
%  - The threat: someone fakes an ARP reply, or simply uses a lab IP
%    address, to obtain an address that is in use and already authenticated.
%  - The gateway watches for such events; ARP changes are logged by OpenBSD.
%  - When an ARP table change is seen, swatch is used to make sure any
%    running authipf process for that address gets killed.
%  - So an address that is taken over is no longer authenticated and must
%    reauthenticate.
%  - The operators are also notified when this happens.
% NOTE(review): this is a detect-and-revoke control. Access is withdrawn
% after the ARP change has been logged and acted on, so the delay between
% the log entry and the authipf process being killed is the exposure window.
% The slides give no figure for that delay.
% NOTE(review): "occurence" is misspelled in the rendered string; it is left
% untouched here because it is the slide's printed text.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(IP spoo\214ng)336.257 95 Q 10.8<8341>119.262
141 S 5.75(na)-10.8 G(ttacker can fake a ARP reply)-5.75 E 5.75(,o)
-2.116 G 5.75(rj)-5.75 G(ust try to use)-5.75 E
(an IP address from the lab to get an IP address that)144 164 Q
(is in use in the lab and already authenticated.)144 187 Q 10.8<8357>
119.262 233 S 5.75(er)-12.502 G
(eact to this possibility by having the gateway)-5.75 E
(watch for the occurence of such events. ARP)144 256 Q
(changes are logged by OpenBSD.)144 279 Q 10.8<8357>119.262 325 S
(hen we see an ARP table change, we use swatch)-10.8 E
(to ensure that if there is a running authipf process)144 348 Q
(for that address, it gets killed.)144 371 Q 10.8<8354>119.262 417 S
(his ensures that if an IP address is taken over)-10.8 E 5.75(,i)-1.265
G 5.75(ti)-5.75 G(s)-5.75 E
(no longer authenticated, and must reauthenticate)144 440 Q 10.8<8357>
119.262 486 S 5.75(ea)-12.502 G(lso get noti\214ed when this happens.)
-5.75 E .012 LW 72.012 504.001 72.012 108.001 DL 108.012 504.001 36
-180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL 233.899 540.001
273.612 540.001 DL 634.898 540.001 558.124 540.001 DL 684.011 504.001 36
90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL 684.011 108.001 36
0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL 108.011 108.001 36
-90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 10)704.4
588 Q EP
%%Page: 11 11
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 11: "Other Issues"
% Rendered text:
%  - Students can walk away.
%      o Handled in the site's traditional way of dealing with the "Oh gee,
%        you left yourself logged on" cases.
%  - Users must know how to telnet to the gateway and authenticate. Big
%    posters are put up everywhere, and icons placed on lab desktops.
%  - This does not address the (in)security of the client machines due to
%    what is running on them.
%      o The laptop is the user's problem.
%      o Lab machines reload an image regularly on boot to minimize
%        trojan/virus exposure (and warn users in big letters).
% The first item is the residual risk of an abandoned session: while the
% authenticating session stays up, the address remains authorized.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(Other Issues)329.898 95 Q 10.8<8353>119.262
141 S(tudents can walk away)-10.8 E(.)-2.116 E 162.3 158.25 5.75 DC .012
LW ST 3.404 -1.702(We d)180 164 T
(eal with this in our traditional way of)1.702 E
(dealing with the "Oh gee, you left yourself)180 187 Q
(logged on" cases.)180 210 Q 10.8<8355>119.262 256 S
(sers must know how to telnet to the gateway and)-10.8 E 5.75
(authenticate. W)144 279 R 5.75(ep)-1.702 G
(ut big posters everywhere, and)-5.75 E
(icons on the desktops in the labs of machines.)144 302 Q 10.8<8354>
119.262 348 S(his does not address the \(in\)security of the client)
-10.8 E(machines due to what is running on them.)144 371 Q 162.3 388.25
5.75 DC ST(The laptop is the users problem.)180 394 Q 162.3 411.25 5.75
DC ST(Labs of machines reload an image regularly on)180 417 Q
(boot to minimize trojan/virus exposure \(and)180 440 Q
(warn users in big letters\))180 463 Q 72.012 504.001 72.012 108.001 DL
108.012 504.001 36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001
DL 233.899 540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL
684.011 504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL
684.011 108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL
108.011 108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 11)704.4
588 Q EP
%%Page: 12 12
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 12: "Other Nice Stuff"
% Rendered text:
%  - The gateway intercepts IDENT (rfc 1413) requests aimed at inside hosts
%    and answers them with the authenticated user.
%  - Outbound IMAP and SMTP to the main central servers (which use the same
%    id and passwords) are intercepted and proxied; the proxies substitute
%    the username/password for those connections with the one used to
%    authenticate.
%  - http is not regularly proxied on the gateways, but can be when
%    tracking problems (http requests are watched elsewhere at the site).
% NOTE(review): substituting the login credentials into IMAP/SMTP sessions
% presumably means the gateway holds each user's password for the life of
% the session; the slides do not say how it is kept - confirm against the
% authipf sources.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(Other Nice Stuf)308.703 95 Q(f)-.414 E 10.8
<8347>119.262 141 S(ateway intercepts IDENT \(rfc 1413\) requests)-10.8
E(aimed at inside hosts.)144 164 Q(answers them with the)11.5 E
(authenticated user)144 187 Q(.)-1.265 E 10.8<8357>119.262 233 S 5.75
(ei)-12.502 G(ntercept and proxy IMAP and SMTP outbound)-5.75 E
(to our main central servers which use the same id)144 256 Q
(and passwords. These proxies then substitute in)144 279 Q
(the username/password for those connections with)144 302 Q
(the one used to authenticate.)144 325 Q 10.8<8357>119.262 371 S 5.75
(ed)-12.502 G(on')-5.75 E 5.75(tr)-.414 G
(egularly proxy http on the gateways, but)-5.75 E
(have the capability to do it when tracking)144 394 Q
(problems \(at our site we watch http requests)144 417 Q(elsewhere\))144
440 Q .012 LW 72.012 504.001 72.012 108.001 DL 108.012 504.001 36
-180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL 233.899 540.001
273.612 540.001 DL 634.898 540.001 558.124 540.001 DL 684.011 504.001 36
90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL 684.011 108.001 36
0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL 108.011 108.001 36
-90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 12)704.4
588 Q EP
%%Page: 13 13
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 13: "Well, Does it work?" - deployment results.
% Rendered text:
%  - Deployed in front of student residences and over 30 labs and laptop
%    areas at University of Alberta. More all the time.
%  - Students rapidly became used to how it works; very little user
%    training necessary.
%  - Other on-campus departments are now less fearful of connections from
%    public labs (some used to block them entirely).
%  - No more off-street people showing up to abuse labs (not interesting
%    without an Internet connection). Places without it now request it.
%  - Time to identify the user responsible for harassing e-mail sent from
%    these locations via hotmail is down to about 60 seconds (other things
%    are quick to find too). "This saves *lots* of work."
% NOTE(review): "harrasing" is misspelled in the rendered string; it is left
% untouched here because it is the slide's printed text.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF -1.702(We)293.374 95 S(ll, Does it work?)1.702
E 10.8<8344>119.262 141 S
(eployed in front of student residences and over)-10.8 E
(30 labs and laptop areas at University of Alberta.)144 164 Q
(More all the time.)144 187 Q 10.8<8353>119.262 210 S
(tudents rapidly became used to how it works.)-10.8 E
(very little user training necessary)144 233 Q(.)-2.116 E 10.8<834f>
119.262 256 S(ther on campus departments now less fearful of)-10.8 E
(connections from public labs \(some used to block)144 279 Q
(them entirely!\))144 302 Q 10.8<834e>119.262 325 S 5.75(om)-10.8 G
(ore of)-5.75 E(f-street people showing up to abuse)-.414 E(labs \(It')
144 348 Q 5.75(sn)-1.265 G(ot interesting if they have no Internet)-5.75
E(connection\). Places without this installed are now)144 371 Q
(requesting it.)144 394 Q 10.8<8354>119.262 417 S
(ime to identify the user responsible for harrasing)-12.065 E
(e-mail from these locations via hotmail is down to)144 440 Q
(about 60 seconds. \(other stuf)144 463 Q 5.75(fq)-.414 G
(uick to \214nd too\))-5.75 E(This saves *lots* of work.)144 486 Q .012
LW 72.012 504.001 72.012 108.001 DL 108.012 504.001 36 -180.0000 90.0000
DA 273.612 540.001 108.012 540.001 DL 233.899 540.001 273.612 540.001 DL
634.898 540.001 558.124 540.001 DL 684.011 504.001 36 90.0000 0.0000 DA
720.011 108.001 720.011 504.001 DL 684.011 108.001 36 0.0000 -90.0000 DA
108.011 72.001 684.011 72.001 DL 108.011 108.001 36 -90.0000 180.0000 DA
/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 13)704.4
588 Q EP
%%Page: 14 14
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 14: "Possible Future Enhancements"
% Rendered text: ssh; netbios; more proxies; support for more/different
% authentication mechanisms (YP, LDAP, etc.).
% The ssh item is the one that bears on the telnet login described on
% slide 8.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(Possible Future Enhancements)235.034 95 Q 10.8
<8373>119.262 141 S(sh)-10.8 E 10.8<836e>119.262 187 S(etbios)-10.8 E
10.8<834d>119.262 233 S(ore proxies)-10.8 E 10.8<8353>119.262 279 S
(upport for more/dif)-10.8 E(ferent authentication)-.414 E
(mechanisms \(YP)144 302 Q 5.75(,L)-2.967 G(DAP)-5.75 E 5.75(,e)-2.967 G
(tc.\))-5.75 E .012 LW 72.012 504.001 72.012 108.001 DL 108.012 504.001
36 -180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL 233.899
540.001 273.612 540.001 DL 634.898 540.001 558.124 540.001 DL 684.011
504.001 36 90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL 684.011
108.001 36 0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL 108.011
108.001 36 -90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 14)704.4
588 Q EP
%%Page: 15 15
%%BeginPageSetup
BP
%%EndPageSetup
% Slide 15 (closing): repeats the talk title and gives two references as
% bullet items, each split across strings by kerning:
%   ftp://sunsite.ualberta.ca/pub/Local/People/beck/authipf
%   http://www.ualberta.ca/~beck/lisa99.ps
% followed by Bob Beck, beck@bofh.ucs.ualberta.ca, University of Alberta.
% The frame, footer and page number follow the text.
/F0 23/Palatino-Bold@0 SF(Dealing with Public Ethernet Jacks:)209.182
118 Q(Switches, Gateways, and Authentication)183.629 141 Q 10.8<8366>
119.262 233 S(tp://sunsite.ualberta.ca/pub/Local/People/beck/authipf)
-10.8 E 10.8<8368>119.262 279 S(ttp://www)-10.8 E
(.ualberta.ca/~beck/lisa99.ps)-2.116 E(Bob Beck)346.481 348 Q
(beck@bofh.ucs.ualberta.ca)257.425 371 Q(University of Alberta)284.197
394 Q .012 LW 72.012 504.001 72.012 108.001 DL 108.012 504.001 36
-180.0000 90.0000 DA 273.612 540.001 108.012 540.001 DL 233.899 540.001
273.612 540.001 DL 634.898 540.001 558.124 540.001 DL 684.011 504.001 36
90.0000 0.0000 DA 720.011 108.001 720.011 504.001 DL 684.011 108.001 36
0.0000 -90.0000 DA 108.011 72.001 684.011 72.001 DL 108.011 108.001 36
-90.0000 180.0000 DA/F1 9/Times-Roman@0 SF
(Bob Beck\255 Dealing with Public Ethernet Jacks: Switches, Gate)236.138
543.001 Q -.09(wa)-.225 G(ys, and Authentication).09 E(No)81.274 E 2.25
(v5)-.135 G 2.25(,1)-2.25 G(999)-2.25 E/F2 14/Courier@0 SF(Page 15)704.4
588 Q EP
%%Trailer
% Pop the grops dictionary that the setup section pushed with "grops begin".
end
%%EOF