Firewall Wizards mailing list archives
Re: Looking for "lease based popper access"
From: sedwards () sedwards com
Date: Sun, 12 Dec 1999 18:55:56 -0800 (PST)
The purpose of limiting access based on IP address is NOT authentication. Imagine that a new "sploit" for POP (or SSH) is unleashed at 5:15pm, after most of my competitors have gone home for the weekend. While they are being decimated all weekend long, I'll be resting peacefully because most of the hackers can't even connect to my server.

In physical terms, the "border router" is the moat, "dynamic" tcp wrappers is the drawbridge, and the "secret pass phrase" is the key.

On Mon, 13 Dec 1999, Crispin Cowan wrote:
> sedwards () sedwards com wrote:
>
> > This works pretty well for most services except POP. Traveling
> > employees need to get to their email from wherever they are.
>
> Agreed.
>
> > What I'm looking for is something where an employee can get a
> > temporary "lease" to access POP from their current IP address.
>
> This is exactly what you *don't* want to do. If you enable this, then
> the attacker with an ability to spoof IP addresses can break into
> arbitrary mail boxes.
>
> What you want is real authentication for road warrior e-mail access.
> Use either SSH or SSL. I personally use SSH. Put an SSH daemon on the
> mail server, and clients use SSH clients to tunnel the POP and SMTP
> ports from their mobile laptop to the mail server. For Windows clients,
> the SSH commercial product from Data Fellows does the trick. For Linux
> clients, a script like this with the free SSH client works:
>
>     #!/bin/sh
>     # -C compresses the tunnel, -f backgrounds ssh once the forwards are
>     # up, -l gives the remote login name.  Each -L binds a local port and
>     # forwards it through the tunnel to the named port on the mail server.
>     ssh -C -l crispin -f \
>         -L 6666:your.mail.server:110 \
>         -L 6667:your.mail.server:25 \
>         your.mail.server xbiff -geom +17+690
>
> Then just tell the mail client that e-mail access goes through
> localhost:6666 and localhost:6667 (or pick your favorite port numbers).
> The "xbiff" keeps the ssh tunnel open, and as an added bonus gives you a
> ring when new e-mail arrives.
>
> SSL crypto & authentication gives you essentially similar security
> properties, but I am unfamiliar with the details of setting it up.
>
> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc.  http://wirex.com
> Free Hardened Linux Distribution:               http://immunix.org
Thanks in advance,
------------------------------------------------------------------------
Steve Edwards                          sedwards () sedwards com
Voice: +1-760-723-2727 PST             Newline Pager: +1-888-478-5085
Fax: +1-760-731-3000
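The "drawbridge" Steve describes, a lease that opens tcp wrappers for one address for a limited time after a pass phrase check, is simple enough to sketch. The following is an added example written for this archive page; it is not code from either poster. It assumes the POP daemon is wrapped by tcpd under the name `popper`, that the pass phrase is stored as a PBKDF2-SHA256 hash (a choice made here, not something the thread specifies), and that each lease is recorded in `hosts.allow` as a `# pop-lease` comment line followed by the allow rule, so `expire_leases` (meant to run from cron) can find and drop it. The lease only opens the drawbridge: the POP daemon's own login is still required, which is exactly the "NOT authentication" point Steve makes. Since tcpd re-reads `hosts.allow` on every connection, the file is always rewritten atomically.

```python
"""Time-limited ("leased") tcp_wrappers entries for a POP daemon.

Added example, not code from the original thread.  Assumptions:
  * a hosts.allow-style file whose path is passed in (e.g. /etc/hosts.allow);
  * the POP daemon is wrapped by tcpd under the name "popper";
  * the employee's secret pass phrase is checked (verify_passphrase) before
    grant_lease is ever called.
"""
import hashlib
import hmac
import ipaddress
import os
import re
import tempfile
import time
from typing import Dict, Iterator, List, Optional, Tuple

DAEMON = "popper"   # assumed tcpd daemon name for the POP server
LEASE_MARK = re.compile(r"^# pop-lease ip=(\S+) expires=(\d+)$")


def verify_passphrase(supplied: str, salt: bytes, expected_hash: bytes) -> bool:
    """Constant-time check of a pass phrase against a stored PBKDF2-SHA256 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, 100_000)
    return hmac.compare_digest(digest, expected_hash)


def _write_atomically(path: str, text: str) -> None:
    """tcpd reads hosts.allow on every connection, so never leave it half-written."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


def _records(path: str) -> Iterator[Tuple[Optional[str], Optional[int], List[str]]]:
    """Yield (ip, expires, lines) for lease records; (None, None, [line]) otherwise."""
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []
    i = 0
    while i < len(lines):
        m = LEASE_MARK.match(lines[i])
        if m and i + 1 < len(lines):           # marker comment + the allow rule below it
            yield m.group(1), int(m.group(2)), lines[i:i + 2]
            i += 2
        else:
            yield None, None, lines[i:i + 1]
            i += 1


def grant_lease(path: str, client_ip: str, ttl: int, now: Optional[int] = None) -> int:
    """Lower the drawbridge: allow client_ip to reach DAEMON until now + ttl.

    Returns the expiry time.  A new lease from the same address replaces the old one."""
    now = int(time.time()) if now is None else now
    ip = ipaddress.ip_address(client_ip)       # rejects garbage before it touches the file
    expires = now + ttl
    kept = [ln for lip, _, rec in _records(path) if lip != str(ip) for ln in rec]
    kept += [f"# pop-lease ip={ip} expires={expires}", f"{DAEMON} : {ip}"]
    _write_atomically(path, "\n".join(kept) + "\n")
    return expires


def expire_leases(path: str, now: Optional[int] = None) -> List[str]:
    """Raise the drawbridge for every lease past its expiry; returns removed addresses."""
    now = int(time.time()) if now is None else now
    kept, removed = [], []
    for lip, exp, rec in _records(path):
        if lip is not None and exp <= now:
            removed.append(lip)
        else:
            kept.extend(rec)
    _write_atomically(path, "\n".join(kept) + "\n")
    return removed


def active_leases(path: str, now: Optional[int] = None) -> Dict[str, int]:
    """Map of leased address -> expiry for leases still in force at `now`."""
    now = int(time.time()) if now is None else now
    return {lip: exp for lip, exp, _ in _records(path) if lip is not None and exp > now}


def demo() -> dict:
    """One lease cycle on a temporary, constructed hosts.allow (no real system file touched)."""
    path = os.path.join(tempfile.mkdtemp(), "hosts.allow")
    _write_atomically(path, "sshd : 192.0.2.0/24\n")      # constructed pre-existing rule
    salt = b"constructed-salt"                             # constructed credential record
    stored = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    out = {"bad_phrase": verify_passphrase("wrong", salt, stored),
           "good_phrase": verify_passphrase("correct horse", salt, stored)}
    t0 = 1_000_000
    if out["good_phrase"]:
        grant_lease(path, "203.0.113.7", ttl=8 * 3600, now=t0)   # road warrior, 8h lease
        grant_lease(path, "198.51.100.9", ttl=3600, now=t0)      # second client, 1h lease
    out["active_at_t0"] = active_leases(path, now=t0)
    out["removed_after_2h"] = expire_leases(path, now=t0 + 2 * 3600)
    out["active_after_2h"] = active_leases(path, now=t0 + 2 * 3600)
    with open(path) as fh:
        out["file_after"] = fh.read()
    return out


if __name__ == "__main__":
    print(demo())
```

`demo()` runs entirely against a throwaway file; pointing `grant_lease`/`expire_leases` at the real `/etc/hosts.allow` needs root and a cron entry for the sweep. The pre-existing `sshd` rule survives untouched, and after the two-hour sweep only the eight-hour lease remains.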
Current thread:
- VPN solution needed (linux<->win32) or (nt<->win32) Mailing Lists (Dec 08)
- RE: VPN solution needed (linux<->win32) or (nt<->win32) Shaun Moran (Dec 10)
- Looking for "lease based popper access" sedwards (Dec 12)
- Re: Looking for "lease based popper access" Crispin Cowan (Dec 13)
- Re: Looking for "lease based popper access" sedwards (Dec 13)
- Re: Looking for "lease based popper access" Crispin Cowan (Dec 13)
- Re: Looking for "lease based popper access" kwooding (Dec 14)
- <Possible follow-ups>
- RE: VPN solution needed (linux<->win32) or (nt<->win32) sean . kelly (Dec 10)
- Re: VPN solution needed (linux<->win32) or (nt<->win32) Steven M. Bellovin (Dec 12)
- RE: VPN solution needed (linux<->win32) or (nt<->win32) Predrag Zivic (Dec 13)
- RE: VPN solution needed (linux<->win32) or (nt<->win32) Tina Bird (Dec 14)