[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] NIS (or other) authentication

John McQuilliams <mcquill1 juno com> wrote:

Is there a circuit on the computer that can be configured to identify the
sending computer that is reasonable tamper proof.

No, not really. The MAC address of the network card - if there *is* one -
in the sending computer is unique, but it is only sent in the Ethernet
frame as far as the first router, and is then lost.

What you are looking for is generically known as a "hardware token".
Generally, they are associated with people, rather than computers, and used
as part of two-factor authentication. Examples would include various forms
of smart-cards, crypto i-buttons, SecurID cards, and the like. These would
provide stronger authentication, but the cost in terms of complexity,
administration time, hardware cost, etc. would be *much* higher than for

You could issue X.509 certificates - a software token - which could be used
to authenticate users for access via an SSL web-based portal. Students
could import them into the browser on their home computer for strong
authentication. But PKI's are a nightmare to administer - many large
corporations and government departments have wasted millions of dollars on

But there are so many costs and disadvantages with almost all of these
techniques that most security professionals will look long and hard for
viable alternatives before resorting to them. In general, it's unwise to
start looking for high-tech answers to social/management problems until
you've exhausted the alternatives.

So, let's back up a bit:

A question was asked, how can we best maintain an adequate security that
would eliminate students accessing to others files given the proper

Backing up to first principles:

You get best bang for the buck (in *any* organisation) from basic security
awareness training. Why not *teach* the kids a little bit about information
security? Such as:

How to choose a good, strong password
What can happen when your password is discovered by someone else
What to do if you think your password has been compromised
How to change your password
System logging and auditing ("we know who logged in and did what")
School policy, rules and guidelines (appropriate use, etc.)

You could pepper this with some "war stories" about identity theft, etc. to
spice it up a bit. Keep it simple; it's certainly not a "how to hack"

Secondly, you should remove the incentive for kids to share passwords. At a
guess, the most common reason why kids would do this is to share access to
files, etc. So make sure that if one kid wants to make one of their files
available to another, there is a documented and supported way to do it that
does not require passwords to be compromised. (This is called Discretionary
Access Control).

A common mistake is to confuse authentication with access control. Logging
on with a user ID and password authenticates the user. Whether they are
able to access other users' files, shared directories and other objects is
a matter of access control (in the case of UNIX systems, permissions on
directories and files).

So, to the above security awareness training list, you should add:

How to show work (files, etc.) to others
How to work together on joint projects

I'd strongly advise against implementing complex technical "solutions"
until you've tried the basics first.


--- Les Bell, RHCE, CISSP (Certified Information Systems Security

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]