[Beowulf] One time password generators...

Robert G. Brown rgb at phy.duke.edu
Fri Mar 27 06:11:17 PDT 2009


On Thu, 26 Mar 2009, Nifty Tom Mitchell wrote:

> On Thu, Mar 26, 2009 at 10:28:12AM -0400, Robert G. Brown wrote:
>> Subject: Re: [Beowulf] One time password generators...
>
>
> Scanning back I did not see VPN as a component
> of a solution.  Perhaps I missed it.
>
> Layered security should be part of most projects... IMO
> It makes sense to me that the keyboard box
> find itself well inside a DMZ zone with the only
> "live" network being the secured net.
>
> It may be that a VPN solution with integrated OTP
> support will prove easier to evaluate, justify, install, support
> and REPLACE.
>
> Once inside the VPN, ssh and friends might be used
> to manage resources (in contrast to access).
>
> One value of this is that once inside the VPN, cluster tools and applications
> can use different access methods as appropriate to the task at hand.
> I.e. I cannot see a per host OTP solution for an MPI cluster or
> multiple NFS server mounts.

Well, of course I and many others use VPNs, but:

   a) VPNs often provide one with the illusion of security more than the
reality.  In far too many cases, they encourage people to build
intranets that basically have a hard and crunchy exterior and a soft and
chewy center.  After all, why protect those interior systems?  They're
inside our VPN!

Which means that if someone ever does succeed in snooping the VPN
credentials -- something that is generally appallingly easy from a
compromised Windows box, where the VPN shared secrets are stored
readable by at least the user and where one can assume that the
keyboard is being snooped by trolls -- they can get into your protected
network.  Welcome to my personal nightmare on at least one of the
networks I consult for.  Sure, I'm not stupid and I harden the INTERIOR
servers, but a troll loose on the inside disguised as a rug can do plenty
of damage from underneath his bridge.

   b) An ssh-only solution is hard through and through.  A firewall with
only ssh ports open to pass through, ssh-based tunnel/vpn connections
for specific services or general access you want to open to specific
people on the outside.  You're no better off in terms of risk of
exterior Windows boxes being compromised, but you will generally not
directly compromise the servers and traffic is NEVER unencrypted.  In
the case of a VPN, as soon as you're inside all those encapsulated
packets are deencapsulated and everything is plaintext again by default.

   c) SSL solutions are more or less equivalent to ssh, except that they
"can" have one way positive host identification that prevents one kind
of MitM attack.

Ultimately, while no security model that I know of is foolproof (and
there are plenty of fools in the world, alas) the best compromises seem
to be things like:

   Access from clients that are themselves "hardened" in terms of
security.  No Explorer!  No Outlook!  No Windows (unless it was
installed and is maintained by a real professional, and not used for
anything except business purposes, no permitting your teenager to use it
to play games and download game buffs from random sites or to cruise
porn).
   Hard exterior, permitting only authorized participants in through
authenticated holes from those hardened outside clients.
   Bidirectional encryption of all traffic between client and all
resources inside.  NO plaintext, anywhere on the network.
   Layered/castle keep model inside.  Everything hard, but server
resources cased in diamond with very specific holes drilled for service
connections and with only competent, strong-authenticated staff
permitted access from their own personally secured diamond hard systems.
   Strong encryption (goes without saying) and passwords or crypt
credentials, not wussy ones.  This goes for users, and must be checked
regularly.

Multifactor auth seems to add little to this, although perhaps it helps
a bit to protect against lousy user passwords and easily accessible
crypt credentials on exterior clients.  Helps hold off script kiddies,
but not the Ubercracker.

    rgb

> Later,
> mitch

-- 
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
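
The "very specific holes drilled for service connections" in point (b) and in the castle-keep list above map, on an ssh-only bastion, onto sshd_config's AllowTcpForwarding and PermitOpen directives: forwarding is shut off globally and re-opened per user in Match blocks, so an `ssh -L` tunnel only reaches the one interior service that user is meant to manage. The following Python is an added example, written for this page; it is neither Brown's code nor OpenSSH's. It models a deliberately simplified subset of sshd_config semantics (only `Match User` criteria; the first obtained value wins within the global section and within the matched Match blocks; matched Match values override the global ones) and evaluates which local-forward destinations a given user could open. The sample configuration, the hostnames (db01.internal, git.internal) and the user names are constructed for illustration. The real daemon is the authority: check actual effective settings with `sshd -T -C user=alice,host=...,addr=...`.

```python
"""Model of how sshd's AllowTcpForwarding/PermitOpen restrict ssh -L tunnels.

Added example, not from the original post or from OpenSSH.  It implements
a simplified subset of sshd_config semantics (assumption: only `Match User`
criteria are honoured; first obtained value wins; Match overrides global).
Verify real behaviour with `sshd -T -C user=<name>,host=<h>,addr=<a>`.
"""
import shlex

# Constructed sample config: hard exterior, nothing forwarded by default,
# one user gets two specific holes, an ops account gets unrestricted tunnels.
SAMPLE_CONFIG = """
Port 22
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
PermitOpen none

Match User alice
    AllowTcpForwarding local
    PermitOpen db01.internal:5432 git.internal:22

Match User ops
    AllowTcpForwarding local
    PermitOpen any
"""


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]).

    Keys are lower-cased keywords, values the argument list.  Within each
    section the first value seen for a keyword is kept (sshd behaviour).
    """
    glob, matches, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line:
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            crit = dict(zip([a.lower() for a in args[::2]], args[1::2]))
            cur = (crit, {})
            matches.append(cur)
            continue
        target = glob if cur is None else cur[1]
        target.setdefault(key, args)               # first obtained value wins
    return glob, matches


def effective_options(cfg, user):
    """Overlay the options of every Match block that applies to `user`
    (first value wins among them) on top of the global section."""
    glob, matches = cfg
    from_match = {}
    for crit, opts in matches:
        if crit.get("user") == user:               # assumption: Match User only
            for key, args in opts.items():
                from_match.setdefault(key, args)
    eff = dict(glob)
    eff.update(from_match)                         # Match overrides global
    return eff


def tunnel_allowed(cfg, user, host, port):
    """Would `ssh -L <lport>:host:port bastion` be honoured for `user`?"""
    eff = effective_options(cfg, user)
    fwd = eff.get("allowtcpforwarding", ["yes"])[0].lower()
    if fwd not in ("yes", "all", "local"):         # -L is a local forward
        return False
    permits = eff.get("permitopen", ["any"])
    if [p.lower() for p in permits] == ["any"]:
        return True
    if [p.lower() for p in permits] == ["none"]:
        return False
    for entry in permits:                          # host:port, port may be *
        h, _, p = entry.rpartition(":")
        if h.lower() == host.lower() and (p == "*" or p == str(port)):
            return True
    return False


def hardening_findings(cfg):
    """Global-section checks matching the post's 'no plaintext, no weak creds'
    stance: keys only, no root login, no forwarding unless explicitly drilled."""
    glob, _ = cfg
    findings = []
    if glob.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication should be 'no' (key auth only)")
    if glob.get("permitrootlogin", ["prohibit-password"])[0].lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if (glob.get("allowtcpforwarding", ["yes"])[0].lower() != "no"
            and glob.get("permitopen", ["any"]) == ["any"]):
        findings.append("forwarding is wide open by default; set AllowTcpForwarding "
                        "no and PermitOpen none globally, re-open per user in Match")
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for user, host, port in [("alice", "db01.internal", 5432),
                             ("alice", "db01.internal", 22),
                             ("bob", "db01.internal", 5432),
                             ("ops", "anything.internal", 80)]:
        verdict = "allowed" if tunnel_allowed(cfg, user, host, port) else "denied"
        print(f"{user:6} -> {host}:{port}: {verdict}")
    print("findings:", hardening_findings(cfg) or "none")
```

The point the model makes is the one the post argues: with forwarding denied globally, a stolen `bob` key yields a shell on the bastion and nothing else, while `alice` can reach exactly the database and git ports she administers and no other interior host. Everything else stays behind the hard exterior, and the bastion never sees the tunnelled traffic in plaintext.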