Security Basics mailing list archives

Re: IP authentication vs. Certificate authentication


From: Francisco Andrades <fandrades () nextj com>
Date: Mon, 03 Nov 2003 17:06:49 -0400

Hi,

The differences between the two methods are really so huge that it's even silly to compare them.

IP authentication may work if you have a private subnet with 5 PCs and no sensitive data. In a large system anyone can plug in a new machine, send a spoofed ARP packet and impersonate a client (even on a fragmented net). That reason alone should be enough for not implementing such a system. You can have lists mapping from MAC addresses to IP addresses but it's not scalable and can be defeated by spoofing the MAC address and DoSing the rightful owner.

On the other hand, certificates/PKI are the way to go. It's as scalable as it gets, you can fragment your access lists creating different certification paths (a root certificate acting as your CA and several child certificates for each sub-division in your organization), you can trust subsections of your network depending on the parent certificate, you can revoke a certificate on the chain to force a renewal of all child certificates, you can use all the certificates to create SSL/TLS tunnels between the machines ... And you only need to maintain a secured private key for the CA and an updated CRL.

netethix () iprimus com au wrote:
Hi all,

Been asked to provide a 1 pager of pros and cons around IP-based authentication
and certificate-based authentication.

I've stated that IP authentication is subject to a number of exploits within
the protocol such as IP spoofing, IP piggybacking, and that with certificate-based
authentication it can be used to provide proof of identity.
Can anyone else come up with any other compelling reasons for or against
either one, in the context of IP vs. certificate authentication?

Assume anything you like, so be as broad or specific as you like. Any thoughts
gratefully accepted.

Netethix
Nigel Hedges
IT Security Consultant
Mobile: 0413 483 436
Email: netethix () iprimus com au





--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
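
The "trust subsections of your network depending on the parent certificate" idea from the reply above, as an added example that is not part of the original post: a root CA issues one CA per division, and a server accepts only clients whose certificate chains to the division CA it trusts. All names (Root CA, Eng CA, Sales CA, alice, bob) are made up for illustration, and revocation/CRL checking is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// node pairs a certificate with its private key; every name in this example is hypothetical.
type node struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue signs a certificate for cn with parent's key; a nil parent self-signs (the root CA).
func issue(cn string, serial int64, isCA bool, parent *node) *node {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true} // key-usage extensions omitted for brevity
	if parent == nil {
		parent = &node{t, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent.cert, pub, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &node{cert, key}
}

// allowed reports whether client's certificate chains to the one anchor this server trusts.
func allowed(client, anchor *node) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor.cert)
	_, err := client.cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	root := issue("Root CA", 1, true, nil)
	eng, sales := issue("Eng CA", 2, true, root), issue("Sales CA", 3, true, root)
	alice, bob := issue("alice", 10, false, eng), issue("bob", 11, false, sales)
	fmt.Println(allowed(alice, eng), allowed(bob, eng), allowed(bob, sales)) // true false true
}
```

Unlike an IP or MAC address, the names in a certificate carry no weight on their own: a certificate that copies the subject "alice" and issuer "Eng CA" but is signed by a different key fails the same check.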



