Question (fwd)


Fri Jan 4 00:30:02 EST 2008




>
>Sometimes even user-level authentication isn't granular enough; it may also be
>desirable to authenticate specific applications or processes.
>
>Example 1: An online banking app should authenticate the user *and* the
>application the user runs (so that the user runs only the banking app and not
>an nmap scan to find vulnerabilities on the bank's site).
>
>Example 2: Automated ordering systems where some transactions are secure and
>others aren't--think of an assembly-line machine at a factory that tells
>suppliers when it needs to be refilled (a customer order, authentication
>required) and also monitors output, operating speed, temperature, etc.
>(monitoring functions, no authentication required).
>
>dn
>
I agree that user-level authentication granularity may not be enough in all
instances, but authentication may not be the solution to the problem either. In
the examples above, I would think that authentication (presentation of valid
credentials) is not as important as content validity (each discrete unit of
information that the client sends is valid in context). This is no doubt a
component of a secure infrastructure, but do you want this to be part of the VPN
component? I believe that most current VPN offerings are geared towards
providing some mix of confidentiality and integrity for information, but only
during the time that information is exposed on the "public" transit
medium. I think that this separation of confidentiality and integrity from
content validity is a good idea as it allows trusted and non-trusted data
streams to be muxed over the same communications channel.
>
>
>
>
>Tina Bird <tbird at secnetgroup.com> on 06/08/99 03:01:13 PM
>
>To:   vpn at listserv.secnetgroup.com
>cc:
>bcc:  David Newman/NYC/CMPNotes
>Subject:  Re: Question (fwd)
>
>
>
>
>>Also, RedCreek has been using the term "Secure VPN" to distinguish between
>>the misuses of "VPN" and what constitutes IPSec VPNs.
>>
>>Eric Henriksen
>
>I've listened to the "what's a VPN" fray for as long as I can handle...
>
>my only quibble with Eric, here, is that IPSec based VPNs do not typically
>perform strong >>user<< authentication, which is slightly different from
>certificate-based >host< authentication.
>
>Most of my corporate customers are using VPN for remote access, and
>want the reassurance of a token-based user authentication system
>IN ADDITION TO the protection offered by certs or PKI.  So when >I<
>say "secure VPN," I mean:
>
>     encryption
>     user >and< host authentication
>     packet integrity protection
>     NAT or other mechanisms to hide my internal network
>

In an environment where VPN peers are single user hosts, is there a significant
difference b/w host and user authentication, other than where the credentials
are stored? Would your customers feel better if the private keys that match the
cert used for authentication could fit in their pocket? I know that my customers
probably would, the most likely justification being that the exposure to theft
is reduced. I am more concerned with the useful lifetime of the credentials used
for authentication. Many token based authentication schemes limit the effective
lifetime of an authentication credential to a single use. OTOH certs may be
issued with an effective lifetime measured in months or years.

In the environment where the VPN peer is a multi-user host or network gateway
system, how do you handle authentication which requires human interaction? There
are likely many workarounds for this, but it seems that it would be difficult to
manage. Would it be better to say that a secure VPN offers host authentication
and user authorization? An authenticated host can bring up an encrypted channel,
but the traffic over that channel is subject to policy. The policy may be
implemented by authorization constraints.

>When I last evaluated the subscription VPN services (which was,
>admittedly, quite some time ago -- I've got this ridiculous
>prejudice against outsourcing my perimeter security), none of them
>came anywhere close to offering this level of protection.

Just sign here, here and here. You will be all set....really.... ;-)

>
>Also please note that the FAQ addresses this issue:
>
>http://kubarb.phsx.ukans.edu/~tbird/FAQ.html#Q3:

--tcw
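The arrangement argued for above (host authentication brings up the tunnel, per-message authorization policy decides what may cross it, with the earlier factory example's split between orders needing a single-use user credential and monitoring data needing only content validity) as an added illustration; this is not code from the thread, and the fingerprints, OTP seeds and message fields are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: trusted host identities (stand-ins for cert
# fingerprints) and per-user OTP seeds held by the policy enforcement point.
TRUSTED_HOSTS = {"sha256:machine-17-fingerprint": "assembly-line-17"}
USER_SEEDS = {"alice": b"constructed-seed-for-alice"}


def otp(seed: bytes, counter: int) -> str:
    # Simplified counter-based one-time password (HMAC over the counter).
    # Not full RFC 4226; just enough to model a credential with a single-use lifetime.
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:12]


@dataclass
class Policy:
    # Last accepted OTP counter per user: a replayed token is refused even
    # though the host tunnel it arrived over is perfectly valid.
    last_counter: dict = field(default_factory=dict)

    def host_auth(self, fingerprint: str):
        # Host authentication: the encrypted channel only comes up for a trusted host.
        return TRUSTED_HOSTS.get(fingerprint)

    def authorize(self, host: str, msg: dict):
        kind = msg.get("kind")
        if kind == "telemetry":
            # Monitoring traffic: host auth suffices, but each unit is validated in context.
            if not 0 <= msg.get("temp_c", -1) <= 150:
                return False, "telemetry out of range"
            return True, "monitoring accepted"
        if kind == "order":
            # Customer order: additionally needs a fresh, single-use user credential.
            user, counter, token = msg.get("user"), msg.get("counter"), msg.get("otp") or ""
            seed = USER_SEEDS.get(user)
            if seed is None:
                return False, "unknown user"
            if counter is None or counter <= self.last_counter.get(user, 0):
                return False, "replayed or stale credential"
            if not hmac.compare_digest(otp(seed, counter), token):
                return False, "bad credential"
            if not 1 <= msg.get("qty", 0) <= 1000:
                return False, "order quantity out of range"
            self.last_counter[user] = counter
            return True, "order authorized"
        return False, "unknown message kind"


def run_session(fingerprint: str, messages: list):
    # One tunnel (host-authenticated once), many messages (each authorized by policy).
    policy = Policy()
    host = policy.host_auth(fingerprint)
    if host is None:
        return [(False, "host authentication failed")] * len(messages)
    return [policy.authorize(host, m) for m in messages]
```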