Security Basics mailing list archives
R: Reflexive firewalls?
From: "Vega - Brunello Ivan" <I.Brunello () vegaspa it>
Date: Wed, 28 Jan 2009 20:24:35 +0100
Cisco calls them "dynamic access-lists" (http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scflock.html); they work just as you described:

- you telnet to a device
- certain ACLs are triggered to allow some operations from the IP address of the authenticated user.

Port knocking (e.g. sending a certain sequence of pings, with custom payloads, to allow SSH access) is a far better technique, since it does not require having telnet exposed full-time.

My two cents.

Ivan Brunello
System & Network Management

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Gustavo Castro
Sent: Tuesday, 27 January 2009 19:15
To: security-basics () securityfocus com
Subject: Re: Reflexive firewalls?

Guys:

Looks a lot like a really primitive "port-knocking" authentication method...

http://www.portknocking.org/

2009/1/27 mgk.mailing <mgk.mailing () googlemail com>:
hi

That sounds like the user-auth feature on Juniper firewalls: you telnet / http to the target and once authenticated it allows you to ssh etc. as per the rules set up. It's not great but a useful tool, as it opens up the policy to all at the source address of the successfully authenticated user.

/Mgk

Ong Chin Kiat wrote:

Hi list,

I've recently used an SSH server that had an interesting authentication mechanism. You first had to telnet to the machine on a certain port. After doing this (it will just time out - no prompt), you then SSH to the server in question. The telnet step has to be carried out, if not SSH will just time out.

My question is, is this called reflexive firewalling, and can I duplicate this with iptables?

Thanks.
--
Regards,
Gustavo Castro Puig.
E-Mail: gcastrop () gmail com
LPI Level-1 Certified (https://www.lpi.org/es/verify.html LPID:LPI000042304 Verification Code: hp6re8w5qg )
Registered Linux User #69342
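The iptables equivalent of the telnet-then-SSH gate asked about in the quoted question, as an added example that is not from the thread: it uses the `recent` match to record the knocking address and then admits new SSH connections only from addresses that knocked within a short window. The knock port (1234), the list name (sshknock) and the 30-second window are assumptions; the script prints the rules for review rather than applying them (pipe its output to sh as root on the firewall to install them).

```shell
#!/bin/sh
# Added example (not from the thread): single-port "knock" gate for SSH
# built on the iptables 'recent' match. Constructed values below are
# assumptions, not anything the thread specifies.
KNOCK_PORT=1234   # port the client must first connect to (the "telnet" step)
SSH_PORT=22       # the service being gated
LIST=sshknock     # name of the kernel's recent-list that remembers knockers
WINDOW=30         # seconds between the knock and the SSH connection

# Emit the rule set instead of applying it, so it can be reviewed (and
# checked offline) before being run as root on the firewall.
knock_rules() {
    cat <<EOF
# 1. A SYN to the knock port records the source address in the list and is
#    then dropped: the client only sees a timeout, exactly as described.
iptables -A INPUT -p tcp --syn --dport ${KNOCK_PORT} -m recent --name ${LIST} --set -j DROP
# 2. Sessions already accepted keep working after the window expires.
iptables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. A new SSH connection is accepted only if this source knocked recently.
iptables -A INPUT -p tcp --syn --dport ${SSH_PORT} -m recent --name ${LIST} --rcheck --seconds ${WINDOW} -j ACCEPT
# 4. Everything else aimed at SSH is dropped (no RST, so the port looks filtered).
iptables -A INPUT -p tcp --dport ${SSH_PORT} -j DROP
EOF
}

knock_rules
```

As with the telnet trick in the thread, the knock travels in the clear and only controls which source addresses reach sshd at all; it adds nothing to SSH's own authentication, so the usual key and password hardening still applies.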