
RE: [FW1] User authentication





This is for internal users accessing the Internet.  We are now using static
passwords stored on the FW.  I would like to use NT passwords via a RADIUS
server to authenticate, but with that setup the NT password would travel in
the clear (from the user to the FW; FW to RADIUS is encrypted, I know...).

The question is: is it possible to use HTTPS as an interface for
authentication instead of HTTP, and if yes, how?  This is really for HTTP
users.

-----Original Message-----
From: Dameon Welch [mailto:dwelch@hotmail.com]
Date: 25 April 1999 18:08
To: Bourque Daniel; fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] User authentication



Telnet, ftp and http all use plaintext passwords. There is no way 
to change this without breaking something. This is why one-time 
password schemes were invented. This way, even if someone *does* sniff 
the password, the password they obtain will not be useful to them. I 
have an FAQ entry about this on my web page.

If you insist upon static passwords, you should require some sort of 
session-based encryption like SSL for HTTP sessions, ssh for 
telnet-type sessions. If your clients use PCs, you can also have 
them use SecuRemote (assuming you have an encryption license on 
your firewall). You should insist upon this anyway if the data the 
user is accessing is confidential in nature. 

An ideal situation would be to have both strong encryption and 
one-time password authentication. 

-- PhoneBoy

>If I use User Authentication, the logon-ID and Password will be sent in
>clear between the client and FW1.
>
>Is it possible to have this session encrypted so there would be no way
>somebody can intercept it?

-- 
PhoneBoy (a.k.a Dameon D. Welch)       dwelch@phoneboy.com 
PhoneBoy's FireWall-1 FAQs -- http://www.phoneboy.com/fw1/ 
The views expressed may not be those of my employer. Fnord 
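The one-time password scheme PhoneBoy refers to, shown as an added example that is not part of the original thread and not FireWall-1's own code: a Lamport/S/KEY-style hash chain in Python, where the verifier stores only the hash of the next acceptable password. A password sniffed from a plaintext HTTP or telnet session therefore cannot be replayed, and since the hash is one-way it does not let the eavesdropper compute the following one either. The seed, chain length and class names are constructed for the demo.

```python
import hashlib

# Constructed demo seed; a real client would derive the chain from a
# secret passphrase plus a per-user salt, and a real server would also
# track a sequence number so the client knows which password is next.
DEMO_SEED = b"constructed-demo-seed-not-a-real-secret"
CHAIN_LENGTH = 5


def _h(data):
    """One step of the chain: a one-way hash, so h(x) reveals nothing about x."""
    return hashlib.sha256(data).digest()


def generate_chain(seed, length):
    """Return [h^1(seed), h^2(seed), ..., h^length(seed)].

    The client hands the server the LAST element; every earlier element is a
    one-time password, spent from the end of the list backwards."""
    chain = []
    current = seed
    for _ in range(length):
        current = _h(current)
        chain.append(current)
    return chain


class OtpServer:
    """Verifier that stores only the most recently accepted value.

    It never holds anything a sniffer could replay: the stored value is the
    hash of the NEXT acceptable password, not the password itself."""

    def __init__(self, anchor):
        self.anchor = anchor

    def verify(self, candidate):
        # Accept only if hashing the candidate lands on the stored anchor.
        if _h(candidate) == self.anchor:
            # Slide the anchor down the chain; the value just used can never
            # match again, so a captured copy of it is worthless.
            self.anchor = candidate
            return True
        return False


class OtpClient:
    """Holds the chain and spends one element per login, from the top down."""

    def __init__(self, seed, length):
        self.chain = generate_chain(seed, length)
        self.index = length - 2  # chain[length-1] went to the server as the anchor

    def anchor(self):
        return self.chain[-1]

    def next_password(self):
        if self.index < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        password = self.chain[self.index]
        self.index -= 1
        return password


def demo():
    """One honest login, one replay of the sniffed password, then the next honest login.

    Returns (first_login_ok, replay_ok, second_login_ok)."""
    client = OtpClient(DEMO_SEED, CHAIN_LENGTH)
    server = OtpServer(client.anchor())

    p1 = client.next_password()
    first_login_ok = server.verify(p1)   # h(p1) == anchor, accepted

    # An eavesdropper on the plaintext session captured p1 and tries it again.
    replay_ok = server.verify(p1)        # rejected: the anchor is now p1 itself

    p2 = client.next_password()
    second_login_ok = server.verify(p2)  # h(p2) == p1, accepted
    return first_login_ok, replay_ok, second_login_ok


if __name__ == "__main__":
    print(demo())
```

The property to notice is that the server's stored anchor is always one hash step ahead of the password it will accept, so even a full read of the server's store, or of every password sent so far, yields nothing that can be presented again. Combining this with SSL or SecuRemote, as the reply recommends, adds confidentiality for the session data itself, which the one-time password alone does not give.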




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

