User-level firewalling with Portsmith
Check Point and Cisco administrators are familiar with firewalls that enable ports after a user logs in. Unfortunately, this technique, sometimes referred to as Client Authentication or Cut-Through Proxy, is often subject to restrictions. Because of the problems associated with authenticating firewalls, iptables does not include this functionality out of the box. Of course, you could add your own custom authentication feature with some scripting, but few admins go to so much effort.
Portsmith [1] offers a free and easy option for authentication at the firewall, and this innovative tool even lets authenticated users enable ports in their own web browsers. To avoid potential security threats, the administrator still keeps control of the permissions. Each user is assigned a set of required communication links and can only access the resources assigned to those links. This approach stops users from simply punching holes in the firewall ruleset anytime they feel the urge.
One potential application for a Portsmith firewall is as a replacement for a virtual private network (VPN). The traffic is stopped at the firewall until a user authenticates, and once the user logs in, only traffic from the user's IP address is admitted. By ensuring that a specific service is only available to the authenticated user, the admin can avoid the need for a dedicated VPN server. On the other end, the client also does not need special software to initiate the connection. According to the Portsmith website, "… you can take control of your office computer from home, from a friend's house, from a WiFi hotspot, or from any other location with Internet access. Since there is no software requirement, after you leave the location, there will be no trace that you were ever there, and nothing is installed on the computer you were using." Another of Portsmith's goodies is an integrated, browser-based backup solution. Just point and click to write the ruleset, critical files, and database to a CD.
[...]
Tag Cloud
News
-
Google and NASA Partner in Quantum Computing Project
Vendor D-Wave scores big with a sale to NASA's Quantum Intelligence Lab.
-
Mageia Project Announces Mageia 3 Linux
Many package updates and Steam integration highlight the latest from the Mandriva-based community Linux.
-
FSF Outs the World Wide Web Consortium over DRM Proposal
Richard Stallman calls for the W3C to remain independent of vendor interests.
-
Debian 7.0 Debuts
The new release supports nine architectures, 73 human languages, and zero non-Free components.
-
Alpha Version of Fedora 19 Released
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
-
ack 2.0 Released
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
-
SUSE Studio 1.3 Released
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
-
Xen To Become Linux Foundation Collaborative Project
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
-
RunRev Releases Open Source Version of LiveCode
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
-
OpenDaylight Project Formed
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.
OpenBSD's PF still beats IPTables...
AuthPF takes care of the authentication and it's freer than Linux's. This is not to shoot down IPTables as some people still use it because they haven't bothered to see the better alternatives yet.