Firewall Wizards mailing list archives

Re: Firewalling at the domain users level instead of network level


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 19 Jul 2004 14:08:04 -0400 (EDT)

On Sun, 18 Jul 2004, Santos wrote:

> Hi all.
>
> I'm implementing a "Windows clients, Linux servers" kind of network.
> Some users may login at different machines, therefore, ip level is not
> enough. I wonder if it's possible to control the access at the "domain
> users" level instead of network or ip level. I could implement some
> proxies, but each client machine had to be configured and that would
> mean extra work. IPtables can filter at the user level, but only with

You could use transparent proxies with user authentication.

> local users. Is there a way to configure iptables and kerberos working
> together or something like that? Is this doable with PAM? I have read
> that SAMBA authenticated gateway HOWTO, but it doesn't look very
> reliable. Well, so basically what I want is a firewall similar to an ISA
> Server firewall.

Um, then you should probably buy ISA- personally, I'd keep it behind
something else, but that's probably my historical paranoia of products
from that vector.

> Any ideas about this would be appreciated, thanks in advance.

If ISA does what you want, then get it- you could do authenticated SOCKS,
or authentication to any other firewall which supports authentication
(heck, even Apache's mod_proxy does authentication)- but if there's a tool
that does what you wish then barring any major issues, you should use that
tool.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
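Paul's remark that even Apache's mod_proxy can authenticate users is the simplest way to get the per-user (rather than per-IP) control Santos is asking about. The configuration below is an added example, not something posted in the thread and not Apache project documentation: an httpd 2.4 forward proxy that refuses service until the client presents a valid user name and password, and that records the user name in its access log. The listening port, the password-file path and the log path are assumed values chosen for the example; the module and directive names are Apache's real ones.

```apache
# Added example (not from the thread): Apache httpd 2.4 as an
# authenticated forward proxy. Access is granted per authenticated user,
# not per client IP, so a user who moves between workstations keeps the
# same policy. Assumed: port 3128, /etc/httpd/proxy.htpasswd,
# /var/log/httpd/proxy_access.log.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so

Listen 3128

<VirtualHost *:3128>
    # ProxyRequests On alone makes this an OPEN proxy that relays for
    # anyone who can reach the port. The <Proxy "*"> block below is what
    # restricts it to authenticated users; never ship one without the other.
    ProxyRequests On
    ProxyVia On

    # Only permit CONNECT tunnels (HTTPS) to the standard TLS port.
    AllowCONNECT 443

    <Proxy "*">
        AuthType Basic
        AuthName "Outbound proxy - authenticate with your user account"
        AuthBasicProvider file
        # Assumed path; populate it with the htpasswd utility.
        AuthUserFile /etc/httpd/proxy.htpasswd
        # No anonymous access, not even from the internal subnet.
        Require valid-user
    </Proxy>

    # Per-user audit trail: %u is the authenticated user name, so the log
    # answers "which user fetched what", independent of the client address.
    LogFormat "%h %u %t \"%r\" %>s %b" proxylog
    CustomLog /var/log/httpd/proxy_access.log proxylog
</VirtualHost>
```

Clients are pointed at the proxy (or reach it through a transparent redirect, as Paul suggests) and are challenged with 407 Proxy Authentication Required until they send credentials. The file provider is used here only to keep the example self-contained; to tie the decision to domain accounts as Santos wants, the same Require valid-user line works unchanged when the authentication provider is swapped for Apache's LDAP module (mod_authnz_ldap) or a Kerberos module, which is where the Samba or Kerberos integration he mentions would plug in. Note that Basic credentials travel in the clear on the proxy hop, so this belongs on a trusted internal segment or behind TLS.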