 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Michael Monaghan <mmonaghan at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] External Authentication
 Date:  Sat, 11 Sep 2004 16:49:01 -0400
On Fri, 10 Sep 2004 08:40:26 -0400, Michael Monaghan
<mmonaghan at gmail dot com> wrote:
> There are plenty of known vulnerabilities that Microsoft admits there
> are no fixes for.  The one used in this attack was unknown to MS PSS
> and is still under study 2 months after the fact.  A lot of people
> would have ignored the attack because the Root Kit was almost perfect.
> I think we can all agree everything has its problems and in the
> wrong or untrained hands things can be much worse.  I do appreciate
> your ideas on IIS.  We've implemented them previously and it didn't
> slow the attacker down.

There could very well be unpublished exploits out there, but it's just
as likely that there are unpublished/unknown exploits in Apache,
FreeBSD, Linux, etc.

If you got hit by someone so good that they have unpublished exploits,
it doesn't matter what platform you're running, they're going to get
in somehow.

I find it a little hard to believe that a remote exploit sufficient to
install a root kit exists and hasn't been at least acknowledged. 
(though it would likely be someone outside of MS first)  But it would
certainly be possible, given MS's track record, especially over the
last 6 months with almost constant unpatched holes in IE.  If PSS told
you that, I'd imagine it's probably true.

My first guess is still an application vulnerability, so I really
encourage you to test the application's security.  (the book Hacking
Exposed Web Applications is a good starting point for info if you're
not up on web app security testing)

> Why do you feel authentication at the firewall would be a support
> nightmare?  That's the kind of information I'm looking for.  If I'm
> not going to be able to support this configuration I'd like to know
> before I commit to it.

Because you'd either have to determine the public IP subnet(s) of all
your customers, and maintain that list, or use a second logon and

For the former, maintaining that list if you have more than a handful
of clients is going to be a pain, especially if they want access from
home, from a dial up account on the road, etc.  For the latter, it
isn't possible with m0n0wall at this point that I'm aware of, and if
you're dealing with the typical user, maintaining another username and
password would almost certainly at least double your incidents of
password resets and general support questions.

My 2 cents at least.  :)
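The first of the two options Chris describes, allowing access only from a maintained list of customer public subnets, amounts to a source-address allowlist at the firewall. The script below is an added illustration of that check, not code from m0n0wall or from either poster; the customer names, subnets and connection attempts are constructed example values (RFC 5737/3849 documentation ranges) chosen to show the failure mode he raises: a legitimate user connecting from a home or dial-up address that is not on the list is denied, so the list has to be maintained as customers' access points change.

```python
import ipaddress

# Constructed allowlist of customer public subnets (example values, not real customers).
CUSTOMER_SUBNETS = {
    "Acme Corp": ["203.0.113.0/24"],
    "Globex": ["198.51.100.128/25", "2001:db8:1::/48"],
}

# Constructed sample of inbound connection attempts to the web application.
SAMPLE_CONNECTIONS = [
    ("203.0.113.45", "Acme office"),
    ("198.51.100.200", "Globex office"),
    ("192.0.2.77", "Acme employee on a home dial-up line (not on the list)"),
    ("2001:db8:1:abcd::10", "Globex IPv6 host"),
    ("198.51.100.5", "Globex address outside the listed /25"),
]


def build_allowlist(subnets):
    """Parse each customer's CIDR strings once into (customer, network) pairs.

    strict=True rejects entries such as 203.0.113.5/24 whose host bits are set,
    which catches a common typo when the list is maintained by hand.
    """
    allow = []
    for customer, cidrs in subnets.items():
        for cidr in cidrs:
            allow.append((customer, ipaddress.ip_network(cidr, strict=True)))
    return allow


def match_source(src, allowlist):
    """Return the customer whose subnet contains src, or None if no subnet matches."""
    addr = ipaddress.ip_address(src)
    for customer, net in allowlist:
        # Compare only within the same address family; mixing v4/v6 raises in `in`.
        if addr.version == net.version and addr in net:
            return customer
    return None


def evaluate(connections, subnets):
    """Apply the allowlist to every (source, note) pair and return the verdicts."""
    allowlist = build_allowlist(subnets)
    return [(src, match_source(src, allowlist), note) for src, note in connections]


if __name__ == "__main__":
    for src, customer, note in evaluate(SAMPLE_CONNECTIONS, CUSTOMER_SUBNETS):
        verdict = f"allow ({customer})" if customer else "deny"
        print(f"{src:22} {verdict:20} {note}")
```

Every "deny" for a real customer in the output is a support ticket in the scenario Chris describes: either the list grows an entry for each new location, or the user is sent through some second credential that m0n0wall, as he notes, did not offer at the time.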