
Re: application layer cross checking



At 01:55 PM 5/3/01, Michael Thomas wrote:

>I.e., that I can authenticate myself for IPsec, but
>forge my credentials at L7.

Let's take this a step further. Assume that John uses his certificate to 
authenticate to IPSEC on a server and then masquerades as Cathy at Level 7, 
and performs some action that damages Cathy. If the server is keeping audit 
logs within both IKE and the application, then the server's owner should be 
able to tell which people had been authenticated to the server during the 
time that Cathy performed this self-destructive act, even if he can't 
necessarily tell which one was masquerading as Cathy.

Does this provide enough granularity for your particular application? Well, 
it depends on what you're doing. Also, it's probably expensive to have 
someone extract the logs and do the forensics. In some cases, this level of 
security might be enough, but in other cases the application server needs 
to do its own authentication. This is where things like Kerberos start to 
pay off.

Rick.
smith@securecomputing.com
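One way to do the log correlation Rick describes, as an added example that is not part of the original thread: it assumes a simplified IKE audit log that records SA establishment and deletion per certificate CN, and an application log that records the claimed user and a timestamp (all sample lines below are constructed). For an application action it lists every identity with a live IKE SA at that moment and flags the case where the L7 user is not among them.

```python
import re
from datetime import datetime

# Constructed sample audit records (not real logs): one line per IKE SA
# lifetime event and one line for the damaging application action.
IKE_LOG = [
    "2001-05-03T13:40:00 IKE SA established cert_cn=John",
    "2001-05-03T13:41:00 IKE SA established cert_cn=Bob",
    "2001-05-03T13:42:10 IKE SA established cert_cn=Cathy",
    "2001-05-03T13:50:00 IKE SA deleted cert_cn=Cathy",
    "2001-05-03T13:55:00 IKE SA established cert_cn=Alice",
    "2001-05-03T14:10:00 IKE SA deleted cert_cn=John",
]
APP_LOG = "2001-05-03T13:52:30 app user=Cathy action=delete_account"

IKE_RE = re.compile(r"^(\S+) IKE SA (established|deleted) cert_cn=(\S+)$")
APP_RE = re.compile(r"^(\S+) app user=(\S+) action=(\S+)$")

def ike_sessions(lines):
    """Return {cert_cn: [[start, end_or_None], ...]} built from IKE SA events."""
    sessions = {}
    for line in lines:
        m = IKE_RE.match(line)
        if not m:
            continue  # ignore anything that is not an SA lifetime event
        ts, event, cn = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        spans = sessions.setdefault(cn, [])
        if event == "established":
            spans.append([ts, None])          # open-ended until a delete is seen
        elif spans and spans[-1][1] is None:
            spans[-1][1] = ts                 # close the most recent open SA
    return sessions

def authenticated_at(sessions, when):
    """Identities whose IKE SA was alive at `when` (still-open SAs count)."""
    return {cn for cn, spans in sessions.items()
            for start, end in spans
            if start <= when and (end is None or when < end)}

def cross_check(app_line, ike_lines):
    """Return (claimed L7 user, IKE-authenticated identities, consistent?)."""
    m = APP_RE.match(app_line)
    when, claimed = datetime.fromisoformat(m.group(1)), m.group(2)
    candidates = authenticated_at(ike_sessions(ike_lines), when)
    return claimed, candidates, claimed in candidates

if __name__ == "__main__":
    claimed, cands, ok = cross_check(APP_LOG, IKE_LOG)
    print(f"L7 user={claimed} IKE peers alive={sorted(cands)} consistent={ok}")
```

With the sample data the action attributed to Cathy happened while only John and Bob held live SAs, so the L7 claim is inconsistent with IKE, but, as the mail says, the logs alone cannot say which of the two was masquerading.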
