R: Reflexive firewalls?

["Vega - Brunello Ivan" <I.Brunello () vegaspa it>]

Cisco call them "dynamic access-lists"
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scflock.html

they works just as you described:
- you telnet to a device
- certain acls are triggered to allow some operations from the IP address of the authenticated user.

Port knocking (e.g. sending a certain sequence of ping, with custom payloads, to allow ssh access) is far better 
technique, 
since it does not need having telnet exposed fulltime.

My two cents.

Ivan Brunello
System & Network Management

-----Messaggio originale-----
Da: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Per conto di Gustavo Castro
Inviato: martedì 27 gennaio 2009 19.15
A: security-basics () securityfocus com
Oggetto: Re: Reflexive firewalls?

Guys:

  Looks a lot like a really primitive "port-knocking" authentication method...
  http://www.portknocking.org/

2009/1/27 mgk.mailing <mgk.mailing () googlemail com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hi
>
> That sound like the user-auth feature on juniper firewalls, you telnet /
> http to the target and once authenticated it allows you to ssh etc as
> per rules setup.  Its not great but a useful tool, as it opens up the
> policy to all at the source address of the successfully authenticated user.
>
> /Mgk
>
> Ong Chin Kiat wrote:
> > Hi list,
> >
> > I've recently used an SSH server that had an interesting authentication
> > mechanism. You first had to telnet to the machine on a certain port.
> > After doing this (it will just time out - no prompt), you then SSH to
> > the server in question. The telnet step has to be carried out, if not
> > SSH will just time out.
> >
> > My question is, is this called reflexive firewalling, and can I
> > duplicate this with iptables?
> >
> > Thanks.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkl/CA4ACgkQPxFiS6Ou+MyiogCeMiVXnG4GyhlAXPkr7kwHu7Wy
> uB0AmgMJiUTMXZBRB5TF23Ds8rA1UGWo
> =eKXO
> -----END PGP SIGNATURE-----



-- 
Saludos,
     Gustavo Castro Puig.
     E-Mail: gcastrop () gmail com

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342