Posted Mar 6, 2007 1:11 UTC (Tue) by flewellyn
In reply to: Bad Security
Parent article: Single Packet Authorization (Linux Journal)
Good point, although that can be mitigated by setting up SELinux to control the SPA server's access to system resources.
I do see your point about it being a proliferation of more potentially-vulnerable code. As for its utility...well, it would have the benefit of providing a level of access control beyond the service level, blocking access to a host until the client authenticates, and then allowing connections to provided services. It provides defense in depth of the host.
We can do host-based blocking through the tcp_wrappers suite, but there isn't a way to authenticate a host dynamically: a host in hosts.deny is blocked until the administrator manually removes it (moving it to hosts.allow, depending on setup). Plus, tcp_wrappers works at the application level, not the packet filter level. So tcp_wrappers doesn't (as far as I can tell) prevent a DoS attack.
I could be wrong, of course, but it looks like SPA might provide some useful security. I think the tech is too new to be evaluated properly, though. It definitely needs more testing.
to post comments)