Proxy 2.0 secure?

ark@eltex.ru ark@eltex.ru
Tue, 30 Jun 1998 13:22:51 GMT


-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Brian Steele" <steele_b@spiceisle.com> said :

> >> Define "standard technologies" as regards to OS logon validation.
> Doesn't
> >> everyone has their own standards concerning security mechanisms and their
> >> implementation?
> >
> >I'd prefer to see something OS-independant.
 
> Is such a thing as an "OS-independent" logon validation mechanism?

Any non-transparent protocol-dependant technique or any mechanism that
relies on cleint's IP address.

> 
> 
> >> NT provides a mechanism that allows you to logon to a domain of servers
> and
> >> PCs, and not just one server at a time.  Why shouldn't I take advantage
> of
> >> this?
> >
> >a) just because you can't rely on security of PC you try to use for
> >network access.
> 
> You are NOT relying on the "security of a PC" in the NT domain logon
> mechanism. You're relying also on the implementation of that security
> mechanism on your LAN.

You do. The point of discussion was that NT domain logon mechanism lets
you authenticate from any PC in the network transparently - and then i
called this technique say, not as good as it seems, 
because it relies on cleint PC's security. If the machine is not trusted,
how can you do something sensitive from it?

> 
> 
>  b) because it works only if _every_ machine in
> 
> >your network can speak M$ that is not always possible.
> 
> 
> So the solution is to implement the network around that requirement - which
> will bring the additional benefits of the reduced support costs associated
> with homogenuous networking as well.

It might be good solution if you _know_ you do not need much flexibility.
This solution can be cheap - imho not as cheap as it seems - but not
flexible enough for many real-world demands. And.. trying to get not so
flexible system to do things that it is not supposed to is damn NOT
cheap.

 
> >If you _can_ rely on any PC security and _every_ machine on the net
> >speaks M$.. then security issues with M$ proxy itself start to appear ;)
> 
> 
> No security issues with MS Proxy have been identified since its launch
> (admittedly, that was only last year :-)).

It is (at least!) as insecure as underlying NT is. More than enough for
me. 

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNZjmqqH/mIJW9LeBAQE+BQP+LAOr3V60QZuQG3PHyq+PmEh21FIn/M8m
vC7DICZnPzfEah3fMlvuvTpq7acpK4a1+Pd25lQTKLk6hJLKHFmcLfpJwW2rFggq
wpzaUo1U2ts5j2gchGzS0SzHUHGTHvgaNNvHxDhGxi7IkpnujhdZeL4yHCKjO1za
1n+AWIrgJVo=
=7A8Y
-----END PGP SIGNATURE-----