> // > Are there any firewall or proxy server products available that will allow
> // > outgoing user authentication based upon a user id, rather than an IP
> // > address?
> As for the safety, there are usually a variety of means available for user
> authentication. Those I have seen in the market range from insecure
> username & reusable passwords (a la Unix passwords) to software based
> challenge-response systems (LOCKout or S/Key) to hardware based token
> cards of some form or another (SecurID, SNK). A common tradeoff in
> authentication systems is price vs. unspoofability.
The one thing to remember is that when using One-Time Password products
is that only the inital login converstation is authenticated. If a user
authenticates himself to a machine, and then starts a session he is still
vulerable to hijacks, sniffing & spoofing. If you were to use an encryption
device such as the Persona card, or the Smartcat product, or Cryptocard, you
will have continual authentication & confidentiality. This continual encryption
will patch up the above mentioned weaknesses that OTP products do not address.