// > Are there any firewall or proxy server products available that will allow
// > outgoing user authentication based upon a user id, rather than an IP
// > address?
// >
// > Our users are mobile and this makes it difficult to restrict internet
// > access on a per user basis, since their source IP address is likely to
// > change.
//
// This sounds pretty unsafe! How do you prevent me from spoofing one of
// your users?
Yes, there are several firewall systems that handle authentication on a
per-user basis. All that I know of will also allow permission ACLs that
include host address ranges as well. This can be useful when dealing with
a range of dynamic addresses (such as those allocated by DHCP or similar
protocols): requiring userid-based authentication for those addresses, and
relying on host-based permissions for the static addresses on the network.
As for the safety, there are usually a variety of means available for user
authentication. Those I have seen in the market range from insecure
usernames & reusable passwords (a la Unix passwords) to software-based
challenge-response systems (LOCKout or S/Key) to hardware-based token
cards of some form or another (SecurID, SNK). A common tradeoff in
authentication systems is price vs. unspoofability.
For many sites, outbound authentication is used more for accounting
chargeback schemes than for any more stringent authorization, so a
reusable password system isn't unreasonable. But I'd never trust inbound
authentication to anything that doesn't use some form of cryptographically
secure algorithm.
--
david d `zoo' zuhn --- secure computing corporation
zuhn@sctc.com
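The policy the reply describes (host-based permission for static addresses, a userid required from the dynamic DHCP range), modelled as a small first-match ACL evaluator. This is an added illustration, not code from the poster or from any product; the networks, hosts and user names are constructed sample values, and the userid is assumed to have already been authenticated by the firewall by whatever method is in use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample ACL, evaluated top to bottom, first match wins.
# Each entry: (source network, require_user, users allowed from it).
# Static hosts are permitted by address alone; the DHCP pool proves
# nothing about who is behind the address, so it requires a userid.
ACL = [
    (ip_network("192.0.2.10/32"), False, None),            # static host
    (ip_network("192.0.2.11/32"), False, None),            # static host
    (ip_network("192.0.2.128/25"), True, {"alice", "bob"}),  # DHCP pool
]


@dataclass
class Request:
    src_ip: str
    user: Optional[str] = None  # userid authenticated by the firewall, or None


def decide(req: Request) -> str:
    """Return 'permit:host', 'permit:user', or 'deny:<reason>'."""
    src = ip_address(req.src_ip)
    for network, require_user, allowed_users in ACL:
        if src not in network:
            continue
        if not require_user:
            # Static address: host-based permission is sufficient.
            return "permit:host"
        # Dynamic address: only an authenticated, authorized userid counts.
        if req.user is None:
            return "deny:dynamic-source-not-authenticated"
        if req.user not in allowed_users:
            return "deny:user-not-authorized"
        return "permit:user"
    # No matching rule: default deny.
    return "deny:source-not-in-policy"
```

Note that a rule for the dynamic range with require_user set to False would silently turn the pool into a host-permitted range, which is the spoofing exposure the quoted question worries about.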