Firewall Wizards mailing list archives

Re: Looking for "lease based popper access"


From: sedwards () sedwards com
Date: Sun, 12 Dec 1999 18:55:56 -0800 (PST)

The purpose of limiting access based on IP address is NOT authentication.

Imagine that a new "sploit" for POP (or SSH) is unleashed at 5:15pm, after
most of my competitors have gone home for the weekend. While they are
being decimated all weekend long, I'll be resting peacefully because most
of the hackers can't even connect to my server.

In physical terms, the "border router" is the moat, "dynamic" tcp wrappers
is the drawbridge, and the "secret pass phrase" is the key.

On Mon, 13 Dec 1999, Crispin Cowan wrote:

> sedwards () sedwards com wrote:
>
> > This works pretty well for most services except POP. Traveling employees
> > need to get to their email from wherever they are.
>
> Agreed.
>
>
> > What I'm looking for is something where an employee can get a temporary
> > "lease" to access POP from their current IP address.
>
> This is exactly what you *don't* want to do.  If you enable this, then the
> attacker with an ability to spoof IP addresses can break into arbitrary mail
> boxes.
>
> What you want is real authentication for road warrior e-mail access.  Use
> either SSH or SSL.  I personally use SSH.  Put an SSH daemon on the mail
> server, and clients use SSH clients to tunnel the POP and SMTP ports from
> their mobile laptop to the mail server.  For Windows clients, the SSH
> commercial product from Data Fellows does the trick.  For Linux clients, a
> script like this with the free SSH client works:
>
> #!/bin/sh
> # -C compresses, -f backgrounds ssh once authenticated, and each -L forwards
> # a local port (6666 -> POP3/110, 6667 -> SMTP/25) over the encrypted session
> ssh -C -l crispin -f \
>         -L 6666:your.mail.server:110 \
>         -L 6667:your.mail.server:25 \
>         your.mail.server xbiff -geom +17+690
>
> Then just tell the mail client that e-mail access goes through localhost:6666
> and localhost:6667 (or pick your favorite port numbers).
>
> The "xbiff" keeps the ssh tunnel open, and as an added bonus gives you a ring
> when new e-mail arrives.
>
> SSL crypto & authentication gives you essentially similar security
> properties, but I am unfamiliar with the details of setting it up.
>
> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
> Free Hardened Linux Distribution:                 http://immunix.org





Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-888-478-5085           Fax: +1-760-731-3000
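As an added example (not from the thread, and not Crispin's or WireX's code), the same POP/SMTP tunnel written for a current OpenSSH client: `-N` replaces the xbiff trick, the forwards are bound to 127.0.0.1 explicitly, and `ExitOnForwardFailure` keeps ssh from backgrounding without its forwards. `your.mail.server`, `crispin` and the port numbers are the thread's placeholders; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: Crispin's tunnel redone for a current
# OpenSSH client. MAIL_HOST and SSH_USER are placeholders to fill in.
MAIL_HOST="${MAIL_HOST:-your.mail.server}"
SSH_USER="${SSH_USER:-crispin}"
POP_PORT="${POP_PORT:-6666}"
SMTP_PORT="${SMTP_PORT:-6667}"

# Build the two -L forwards. Binding explicitly to 127.0.0.1 keeps the
# tunnel endpoints off the laptop's LAN interface, so only local programs
# (the mail client) can reach the mail server through it.
# Usage: forward_args POP_LOCAL SMTP_LOCAL MAIL_HOST
forward_args() {
    printf '%s 127.0.0.1:%s:%s:110 %s 127.0.0.1:%s:%s:25' \
        -L "$1" "$3" -L "$2" "$3"
}

# Accept only unprivileged ports (1024-65535) so a typo in the local port
# is caught before ssh is started rather than failing silently.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Bring the tunnel up. -N replaces the xbiff trick: no remote command is
# run, the session exists only to carry the forwards. ExitOnForwardFailure
# makes ssh exit if a local port is already taken, instead of sitting in
# the background with the POP forward missing.
start_tunnel() {
    valid_port "$POP_PORT" && valid_port "$SMTP_PORT" || return 2
    # word splitting of forward_args output into separate arguments is intended
    ssh -C -N -f -l "$SSH_USER" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        $(forward_args "$POP_PORT" "$SMTP_PORT" "$MAIL_HOST") \
        "$MAIL_HOST"
}

# Run as "./tunnel.sh start"; then point the mail client at localhost:6666
# (POP) and localhost:6667 (SMTP), exactly as in the original script.
if [ "${1-}" = "start" ]; then
    start_tunnel
fi
```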


