Re: application layer cross checking
At 01:55 PM 5/3/01, Michael Thomas wrote:
>Ie, that I can authenticate myself for IPsec, but
>forge my credentials at L7.
Let's take this a step further. Assume that John uses his certificate to
authenticate to IPSEC on a server and then masquerades as Cathy at Level 7,
and performs some action that damages Cathy. If the server is keeping audit
logs within both IKE and the application, then the server's owner should be
able to tell which people had been authenticated to the server during the
time that Cathy performed this self-destructive act, even if he can't
necessarily tell which one was masquerading as Cathy.
Does this provide enough granularity for your particular application? Well,
it depends on what you're doing. Also, it's probably expensive to have
someone extract the logs and do the forensics. In some cases, this level of
security might be enough, but in other cases the application server needs
to do its own authentication. This is where things like Kerberos start to
pay off.
Rick.
smith@securecomputing.com
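The cross-check Rick describes, as an added example that is not part of the original thread: the IKE daemon's audit log records which certificate identity had a live IPsec SA and when, the application's audit log records which L7 user performed which action and when, and joining the two gives the set of IPsec identities that were authenticated at the moment of the damaging action. The log formats, the identities and the timestamps below are constructed for this example; the point is that the join narrows the candidate set rather than naming the masquerader.

```python
"""Cross-check IKE audit logs against application-layer audit logs.

Added example (not from the original thread). Given the IKE daemon's
record of which certificate identities had a live IPsec SA, and the
application's record of who did what, list the IPsec identities that
were authenticated while a given L7 action took place. The log formats
and identities are constructed for this example.
"""
from datetime import datetime
import re

# Constructed IKE daemon audit lines: SA established / deleted per peer identity.
IKE_LOG = """\
2001-05-03 13:40:02 IKE SA established peer=CN=John,O=Example
2001-05-03 13:45:10 IKE SA established peer=CN=Cathy,O=Example
2001-05-03 13:50:00 IKE SA deleted peer=CN=Cathy,O=Example
2001-05-03 13:52:30 IKE SA established peer=CN=Alice,O=Example
2001-05-03 14:10:00 IKE SA deleted peer=CN=John,O=Example
"""

# Constructed application audit lines: the L7 user the server believed it was serving.
APP_LOG = """\
2001-05-03 13:46:00 user=cathy action=login
2001-05-03 13:55:15 user=cathy action=delete_account
2001-05-03 14:00:00 user=alice action=login
"""

IKE_RE = re.compile(r"^(\S+ \S+) IKE SA (established|deleted) peer=(.+)$")
APP_RE = re.compile(r"^(\S+ \S+) user=(\S+) action=(\S+)$")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_ike_sessions(text):
    """Return (peer, start, end) intervals; end is None for an SA still up at log end."""
    open_sas = {}
    sessions = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if not m:
            continue
        ts, event, peer = m.groups()
        t = datetime.strptime(ts, FMT)
        if event == "established":
            open_sas[peer] = t
        elif peer in open_sas:
            sessions.append((peer, open_sas.pop(peer), t))
    for peer, start in open_sas.items():
        sessions.append((peer, start, None))
    return sessions


def parse_app_events(text):
    """Return (time, user, action) tuples from the application audit log."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            ts, user, action = m.groups()
            events.append((datetime.strptime(ts, FMT), user, action))
    return events


def peers_authenticated_at(sessions, t):
    """IPsec identities that held a live SA at time t, sorted for stable output."""
    return sorted(peer for peer, start, end in sessions
                  if start <= t and (end is None or t < end))


def suspects_for(app_text, ike_text, user, action):
    """For each L7 event where `user` did `action`, list every IPsec peer that was
    authenticated at that moment. Any of them could have been at the keyboard;
    the cross-check narrows the set, it does not identify the culprit."""
    sessions = parse_ike_sessions(ike_text)
    return [(t, peers_authenticated_at(sessions, t))
            for t, u, a in parse_app_events(app_text)
            if u == user and a == action]


if __name__ == "__main__":
    # Cathy's own SA was torn down at 13:50, so whoever acted as "cathy" at
    # 13:55 came in over John's or Alice's SA.
    for t, peers in suspects_for(APP_LOG, IKE_LOG, "cathy", "delete_account"):
        print(t, peers)
```

The useful property of this join is the one Rick points at: because Cathy's own SA had already been deleted when the `delete_account` event was logged, the server's owner can see that the action did not arrive over Cathy's IPsec session at all, and that only two authenticated identities could have produced it. Pinning it to one of them still needs the application to authenticate users itself.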