Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem


From: ArkanoiD <ark () eltex net>
Date: Wed, 19 Jul 2006 17:25:28 +0400

nuqneH,

Yep, the http problem: it is basically stateless and consists of a zillion
short-lived connections. You may, however, invent some referer/cookie
black magic, but it is, actually, security through obscurity - if that
thing could be widespread to some extent, I am sure trojans could happily
piggyback that method.

I have an http authentication system that works like "the user is
authenticated while a telnet (don't worry, there are SSL and IPSEC) session
to the authentication agent is active", but its shortcomings are obvious.

On Tue, Jul 18, 2006 at 05:12:45PM -0400, Paul D. Robertson wrote:
On Tue, 18 Jul 2006, Marcus J. Ranum wrote:

Sigh. ANY authentication would be better than none at all.

So now we're back to a conversation that I recall having several
times in 1992/3: that outgoing connections should be authenticated
as "belonging" to a real human behind a keyboard before they are
allowed. I remember Fred and I floated that idea to a few customers
(including folks who were considered to be very sophisticated, in
terms of security) and getting blank stares in response.

Been there, done that, broke the Gauntlet.  Authentication for HTTP didn't 
scale.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
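The "authenticated while the agent session is active" model from the post, sketched as an added example (not code from the post or from any product mentioned in it); the agent, the idle TTL, the user name and the addresses are assumed here, and the last three checks show the shortcomings the post calls obvious:

```python
"""Outbound-HTTP gating keyed on an open, authenticated control session."""
from dataclasses import dataclass, field


@dataclass
class AuthAgent:
    """Tracks which client hosts currently hold a live control session."""
    ttl: float = 30.0                      # assumed idle limit, in seconds
    sessions: dict = field(default_factory=dict)  # src_ip -> (user, last_seen)

    def login(self, src_ip, user, now):
        self.sessions[src_ip] = (user, now)

    def keepalive(self, src_ip, now):
        if src_ip in self.sessions:
            user, _ = self.sessions[src_ip]
            self.sessions[src_ip] = (user, now)

    def logout(self, src_ip):
        self.sessions.pop(src_ip, None)

    def user_for(self, src_ip, now):
        """Return the user bound to src_ip, or None once the session lapsed."""
        entry = self.sessions.get(src_ip)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.ttl:
            del self.sessions[src_ip]        # control channel went silent
            return None
        return user


def http_allowed(agent, src_ip, now):
    """The proxy's per-connection decision: no live session, no outbound HTTP."""
    return agent.user_for(src_ip, now) is not None


def demo():
    agent = AuthAgent(ttl=30)
    t0 = 1000.0                             # constructed clock value
    r = {"before_login": http_allowed(agent, "10.0.0.5", t0)}
    agent.login("10.0.0.5", "alice", t0)    # assumed user and host
    r["after_login"] = http_allowed(agent, "10.0.0.5", t0 + 1)
    # Shortcoming: the check is keyed on source address, so every process on
    # alice's host, wanted or not, inherits her authorisation while she is on.
    r["other_process_same_host"] = http_allowed(agent, "10.0.0.5", t0 + 2)
    # Shortcoming: the same user from another host is not covered at all.
    r["same_user_other_host"] = http_allowed(agent, "10.0.0.6", t0 + 2)
    r["after_timeout"] = http_allowed(agent, "10.0.0.5", t0 + 60)
    return r
```

Behind NAT every host shares one source address, so the same piggybacking problem appears even between machines.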