Implement single firewall login for access to all ports on LAN?

The normal apologies for the noobie-type question...

We have IPCop nicely segregating our orange (DMZ) and green (blocked) LANs.
As time has gone on, I've realized that I'd like many more of our services
to be on the orange or red networks so they can be easily reached by
customers/consultants who may not have fixed IPs. Many of our users are not
SSH savvy and might not want us installing a tunneling client on their
systems.

Most of these services that I want to expose have some form of
authentication but some of that is not terribly robust (mediawiki, mysql,
bugzilla). Some are targets for DoS (SQL Server) or other attacks. 

My thoughts are to have a strong challenge/response login from a client to
the firewall. This could be done via https to a non-standard port on the
firewall. If this login succeeded, all (or configurable) ports would be
available from the client to services inside the firewall as long as the
'session' was active. The session would be based on the client's IP and
would have an inactivity time-out. The original https login would not need
to stay active.

Valid user logins could be either via statically configured tables on the
firewall or via LDAP, etc.

I think I remember a scheme like this when I was using the Wingate proxy
server. Is this available using iptables?
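One way to build the per-IP "session" described above on a Linux firewall, as an added example that is not from the original post or from IPCop: an ipset holds the addresses of authenticated clients with a timeout, an iptables SET rule refreshes that timeout on every forwarded packet (the inactivity time-out), and the HTTPS login handler, once it has verified the credentials itself, calls session_open with the client's address. The interface names, the set name and the 900-second idle timeout are assumptions; IPT and IPSET can be pointed at "echo" to dry-run the generated commands.

```shell
#!/bin/sh
# Per-client firewall session with ipset + iptables (added example, not code
# from the original post or from IPCop). Assumed layout: clients arrive on
# $WAN_IF, protected services sit behind $LAN_IF, ipset and the xt_set
# match/target are available. IPT/IPSET default to the real binaries.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
SET=authed
IDLE=${IDLE:-900}   # inactivity timeout in seconds (assumed value)

# One-time setup: a hash:ip set whose entries expire after $IDLE seconds, and
# FORWARD rules that (1) re-add an already-authenticated source with --exist,
# which resets its timeout on every packet, then (2) accept it. Everything
# else from the WAN toward the LAN is dropped. The HTTPS login port on the
# firewall itself is INPUT traffic and is not touched here.
fw_setup() {
  $IPSET create "$SET" hash:ip timeout "$IDLE" -exist
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m set --match-set "$SET" src \
       -j SET --add-set "$SET" src --exist
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m set --match-set "$SET" src -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

# Accept only a dotted-quad IPv4 address: the login handler passes REMOTE_ADDR
# here, and nothing else may reach the privileged ipset command line.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Called by the HTTPS login handler after credentials have been verified.
# Re-login before expiry simply resets the timeout (-exist).
session_open() {
  valid_ipv4 "$1" || return 1
  $IPSET add "$SET" "$1" timeout "${2:-$IDLE}" -exist
}

# Explicit logout or administrative kick; session ends immediately.
session_close() {
  valid_ipv4 "$1" || return 1
  $IPSET del "$SET" "$1" -exist
}

case "${1:-}" in
  setup) fw_setup ;;
  open)  session_open "$2" ;;
  close) session_close "$2" ;;
esac
```

Because the session is keyed on source address, every host behind the same NAT gateway shares it once one user has logged in, and the refresh rule keeps it open for as long as any traffic at all flows from that address.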


