[cap-talk] Authenticated port control (beyond port Knocking)

Jed Donnelley capability at webstart.com
Thu Feb 8 18:41:04 CST 2007


cap-talk,

This subject is a bit off topic for capabilities, though I believe it's
on topic for POLA.  I'll mention it this one time and then take it off
the list if there doesn't seem to be interest - or even if there is interest
and it ends up being a distraction (skip to <meat> if you think
you can bypass the intro).

Many (most?) organizations today have:

1.  Some sort of centralized authentication mechanism (e.g.
centralized LDAP or the like).  While this doesn't provide
complete "single sign-on", it does allow the same authentication
mechanism (password, certificates, one time password, etc.)
to be used with the same credentials on many systems within
the organization.  This mechanism provides a binding from
authentication information to "users" across the 'enterprise'.

2.  Some sets of firewalls - global and local.  In my experience
the firewall rule sets are rather ad hoc.  For example, there is often
a private LAN with firewall rules set up to open services (ports on
systems) to access from within the LAN (e.g. for VLAN connections)
and not open to access outside the private LAN.  This gives rise
to the concept of the "soft chewy middle" that's visible to attacks
from within the private LAN.

I personally support many, many systems that are open at
a port connectivity level (server listening for connections) either
just to our LAN or for a much smaller set the whole Internet, and
the first thing these services do (e.g.ssh or an authenticated wiki
or authenticated IM/char, or an authenticated IMAP, or ...) is to
authenticate to insure that they are being accessed by one of
our authenticated users.

While in many cases we can use common code (e.g. PAM)
and protocols (e.g. LDAP, Radius) to allow services to perform
such authentication, I ask myself, "Why do I need these services
to even respond at the network level, that is to be "listening" for
connections from all these IP addresses?"  Can't I be more
POLA about the listening to protect software that might
have a bug from time to time that can be exploited even
before authentication?

Suppose we keep our current ad hoc firewall rules in place
(do no harm), but that in addition we block all ports for
access from all IP addresses except for those we know
are needed and we open explicitly (POLA)?  How to do that?

<meat>
Suppose we use something like a single Web site that's
open to the world or the private LAN through authentication.
On that user authenticated Web site we place a little GUI
with check boxes for services that the user might want to
enable from the IP address that they are connecting from.
Connect to it for the first time from an IP address and it
shows no services open and there are no firewall rules
set to allow access from that IP address to any of our
services.

At that point an authenticated user can check a box
to, say,

X  BigIron ssh
     UserWiki
X  UserIMAP
X  UserIM/Chat
     SharedCVS ssh
...

Add a check to the box and submit and the back end
sends a control message that opens up the port on the
appropriate system to access from that IP address
(the one the users browser is connecting from).

Pictorially:
             Workstation             Port Control
         __________________         (e.g. Web GUI)
         | Browser Window  |
         |X  BigIron ssh   |         ____________
         |   UserWiki      |  https  |           |
         |X  UserIMAP      | ------> |  e.g. CGI,|
         |X  UserIM/Chat   |  Auth   |   php     |
         |   SharedCVS ssh |         | Open Port |
         |...              |         |___________|
         |_________________|           /
User:                          F     /
             Net Application    I    /   Service
          ___________________   R  |_ _____________
          |  e.g. ssh, imap, |  E     |            |
          |   IM, http, etc. |  W     | Listening  |
          |_______________   |  A     |____________|
                                L
                                L

If the above text picture gets garbled, here's a pixel copy:
http://www.webstart.com/projects/capabilities/port-control.gif

Sounds/looks pretty POLA to me.  I imagine using local software firewalls
because that's what's worked well for me in the past, but in principle one
could also use network firewalls if the control and performance is adequate.
</meat>

Why don't we work this way?  Certainly there are issues like
garbage collection (e.g. time out port openings), how to open
up ports if no Web browser is available, how to blend policies
with not to exceed network policies (e.g. some port openings
might not be available for access outside a private LAN
regardless of authentication or perhaps only to some users),
etc.  However, the basic POLA value seems to work through
those issues to me.  The back end mechanism isn't all that
difficult, particularly if based on software local firewalls
like iptables, ipfilter, ipchains, ipf, etc.

I'd be interested to hear if others are aware of mechanisms
around like the above.  We have one ad hoc mechanism that
is used for flexlm service (open a port to allow a licensed application
to run) and I know of something similar being used to control
email forwarding.  If there's something out there that's being used
generally to allow authenticated users to open firewall ports (e.g.
those that are currently default open) then I'd like to hear about it.

Thanks for your indulgence.  Any sort of blue sky thoughts,
pointers, criticism, suggestions about where to take my
thoughts elsewhere, etc. are of course welcome.

--Jed http://www.webstart.com/jed/  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20070208/7f2dc1f8/attachment.html 


More information about the cap-talk mailing list