Details

    • Type: Wish
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: None
    • Labels:
      None

      Description

      JAMES has core support for authentication and authorization, used by the protocols. Central support for additional security could be improved.

        Issue Links

          Activity

          Robert Burrell Donkin added a comment -

          Use Case One - Static IP Whitelisting and Blocklisting à la TCP Wrappers

          Example: allow connections from 192.168.17.xxx but deny from 192.168.17.99

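
          Added example for Use Case One (not from this issue or the James code base): a small access list with TCP Wrappers-style precedence. The rule syntax ("allow <pattern>" / "deny <pattern>", where a pattern is a single address, a CIDR block or a trailing-dot prefix such as "192.168.17.") and the evaluation order are assumptions: deny rules are checked first so the specific deny beats the broad allow, and anything no allow rule matches is refused.

```python
"""Static IP allow/deny list in the style of tcp_wrappers (Use Case One).

Added example, not James code. Rule syntax and evaluation order are
assumptions: deny rules win over allow rules, unlisted peers are refused.
"""
import ipaddress


def parse_rule(text):
    """'allow 192.168.17.' -> ('allow', IPv4Network('192.168.17.0/24'))."""
    action, _, pattern = text.strip().partition(" ")
    action, pattern = action.lower(), pattern.strip()
    if action not in ("allow", "deny"):
        raise ValueError("unknown action in rule %r" % text)
    if pattern.endswith("."):
        # tcp_wrappers-style prefix: pad to four octets, mask by octets given
        octets = pattern.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError("bad prefix in rule %r" % text)
        cidr = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
        network = ipaddress.ip_network(cidr)
    else:
        # A bare address becomes a /32 (or /128); strict=False tolerates host bits
        network = ipaddress.ip_network(pattern, strict=False)
    return action, network


class AccessList:
    def __init__(self, rules):
        parsed = [parse_rule(r) for r in rules]
        self.deny = [net for action, net in parsed if action == "deny"]
        self.allow = [net for action, net in parsed if action == "allow"]

    def permits(self, address):
        """Decide for one peer address: deny wins over allow, unlisted is refused."""
        ip = ipaddress.ip_address(address)
        if any(ip in net for net in self.deny):
            return False
        return any(ip in net for net in self.allow)
```

          With the rules "allow 192.168.17." and "deny 192.168.17.99", 192.168.17.5 is admitted, 192.168.17.99 is refused, and 10.0.0.1 is refused because nothing allows it. Evaluate the list on the raw TCP peer address, before any protocol-level rewrite of the client address is trusted.
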
          Robert Burrell Donkin added a comment -

          Use Case Two - Dynamic User Blacklisting

          Example: When a user fails to authenticate 5 times, blacklist the user

          • until an administrator clears the block
          • for five minutes
          Robert Burrell Donkin added a comment -

          Use Case Three - Dynamic IP Blacklisting

          Example: When an IP tries to authenticate as an unknown user, block the address for 1 hour

          Example: When an IP fails to authenticate as a user 5 times, block the address for 1 hour

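
          Added example covering Use Cases Two and Three together (not from this issue or the James code base): one guard object that turns authentication failures into user and address blocks. The thresholds and durations are the ones in the two use cases; the event methods, the injected clock and the "None means until an administrator clears it" convention are assumptions.

```python
"""Failure-driven blocking of users and addresses (Use Cases Two and Three).

Added example, not James code. 5 failures block the user for 5 minutes (or
until cleared); any attempt as an unknown user, or 5 failures from one
address, block the address for 1 hour. Clock and callbacks are assumptions.
"""
from collections import defaultdict


class AuthGuard:
    USER_FAILURES = 5
    IP_FAILURES = 5
    IP_BLOCK_SECONDS = 60 * 60

    def __init__(self, clock, user_block_seconds=5 * 60):
        """`clock` returns seconds; user_block_seconds=None means 'until cleared'."""
        self.clock = clock
        self.user_block_seconds = user_block_seconds
        self.user_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.blocked_users = {}   # user -> expiry time, or None for a manual block
        self.blocked_ips = {}     # ip -> expiry time

    def _blocked(self, table, key):
        if key not in table:
            return False
        expiry = table[key]
        if expiry is not None and self.clock() >= expiry:
            del table[key]        # block has lapsed
            return False
        return True

    def may_attempt(self, ip, user):
        """Check before even looking at the credentials."""
        return not (self._blocked(self.blocked_ips, ip) or self._blocked(self.blocked_users, user))

    def record_failure(self, ip, user, known_user=True):
        now = self.clock()
        if not known_user:
            # Use Case Three: probing for account names costs the address an hour
            self.blocked_ips[ip] = now + self.IP_BLOCK_SECONDS
            return
        self.user_failures[user] += 1
        self.ip_failures[ip] += 1
        if self.user_failures[user] >= self.USER_FAILURES:
            until = None if self.user_block_seconds is None else now + self.user_block_seconds
            self.blocked_users[user] = until
            self.user_failures.pop(user)
        if self.ip_failures[ip] >= self.IP_FAILURES:
            self.blocked_ips[ip] = now + self.IP_BLOCK_SECONDS
            self.ip_failures.pop(ip)

    def record_success(self, ip, user):
        self.user_failures.pop(user, None)
        self.ip_failures.pop(ip, None)

    def admin_clear_user(self, user):
        self.blocked_users.pop(user, None)
        self.user_failures.pop(user, None)
```

          Two caveats a deployment should keep in mind: the distinction between "unknown user" and "wrong password" must stay internal (the protocol reply should be the same in both cases, or the block itself becomes an account-enumeration oracle), and a user block that any remote party can trigger by sending five bad passwords is also a denial-of-service lever against that user, which is why the per-address block and the short expiry are paired with it.
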
          Robert Burrell Donkin added a comment -

          Use Case Four - Load Blacklisting

          Example: When the number of concurrent connections from one IP exceeds 50, block new connections from that IP for 10 minutes

          Example: When the number of unauthenticated concurrent connections from one IP exceeds 10, close all connections and block for 5 minutes

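
          Added example for Use Case Four (not from this issue or the James code base): a per-address connection registry that applies both load rules. The thresholds are the use case's; the registry callbacks (connect, authenticated, close), the injected clock and the return values are assumptions.

```python
"""Per-address load limits (Use Case Four).

Added example, not James code. More than 50 concurrent connections from one
address: refuse new ones and block the address for 10 minutes. More than 10
concurrent unauthenticated connections: close them all and block for 5
minutes. Callbacks and clock are assumptions.
"""
from collections import defaultdict


class LoadGuard:
    MAX_CONNECTIONS = 50
    MAX_UNAUTHENTICATED = 10
    BLOCK_LOAD_SECONDS = 10 * 60
    BLOCK_UNAUTH_SECONDS = 5 * 60

    def __init__(self, clock):
        self.clock = clock
        self.conns = defaultdict(dict)   # ip -> {conn_id: authenticated?}
        self.blocked = {}                # ip -> expiry time

    def is_blocked(self, ip):
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.blocked[ip]
            return False
        return True

    def on_connect(self, ip, conn_id):
        """Return (decision, ids_to_close); decision is 'accept' or 'refuse'."""
        if self.is_blocked(ip):
            return "refuse", []
        if len(self.conns[ip]) >= self.MAX_CONNECTIONS:
            self.blocked[ip] = self.clock() + self.BLOCK_LOAD_SECONDS
            return "refuse", []
        self.conns[ip][conn_id] = False
        unauthenticated = sum(1 for auth in self.conns[ip].values() if not auth)
        if unauthenticated > self.MAX_UNAUTHENTICATED:
            # Looks like a connection flood: drop everything from this address
            self.blocked[ip] = self.clock() + self.BLOCK_UNAUTH_SECONDS
            to_close = list(self.conns.pop(ip))
            return "refuse", to_close
        return "accept", []

    def on_authenticated(self, ip, conn_id):
        if conn_id in self.conns.get(ip, {}):
            self.conns[ip][conn_id] = True

    def on_close(self, ip, conn_id):
        entries = self.conns.get(ip)
        if entries is not None:
            entries.pop(conn_id, None)
            if not entries:
                del self.conns[ip]
```

          The address used as the key matters: behind a NAT or a load balancer every client shares one source address, so per-address limits this tight will block legitimate users unless the real client address is known (Use Case Seven below) or the thresholds are raised for those hops.
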
          Robert Burrell Donkin added a comment -

          As pointed out by Stefano, these services are more useful for small scale instances (personal or small business servers) than for large scale industrial installations.

          A key advantage of a central service would be the possibility of creating a central administration console which could be shared by multiple protocols.

          Robert Burrell Donkin added a comment -

          Use Case Five: Grace Periods

          Example: After 5 minutes, any connection which has not authenticated will be closed

          Robert Burrell Donkin added a comment -

          Use Case Six: Connection Limiting

          Example: Setting "start:rate:full" to "10:30:60" will refuse 30% of connections once 10 are connected, until 60 are connected when all connections will be refused

          Guillermo Grandes added a comment -

          Use Case Seven: IP rewrite

          Example: Client in Internet (198.246.1.1) -> LoadBalancer in Frontend (80.38.9.18 / 10.1.1.1) -> James in Backend (10.1.1.2 / 10.1.1.3); the LB sends the command "CLIENTIP: 198.246.1.1", so in the logs the IP shown will be 198.246.1.1 instead of 10.1.1.1, and the AccessList will be filtered correctly by the Security/Relay Filters.

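
          Added example for Use Case Seven (not from this issue or the James code base): how a server should treat the "CLIENTIP: <address>" line Guillermo describes. The trusted-proxy list, the session object and the return values are assumptions. The point a deployment must not skip: the line is honoured only when the TCP peer is a listed load balancer; otherwise any direct client could send it, pick the address that appears in the logs and in the access-list check, and bypass the very IP filters the rewrite is meant to feed.

```python
"""Honouring a load balancer's CLIENTIP line only from trusted hops (Use Case Seven).

Added example, not James code. The "CLIENTIP: <address>" line is the one
described in the issue; trusted-proxy list, Session class and return values
are assumptions.
"""
import ipaddress
import re

CLIENTIP_LINE = re.compile(r"^CLIENTIP:\s*(\S+)\s*$", re.IGNORECASE)


class Session:
    def __init__(self, peer_ip, trusted_proxies):
        self.peer_ip = peer_ip                      # TCP peer (the LB, or a direct client)
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        self.client_ip = peer_ip                    # what logging and access lists use
        self.rewritten = False

    def peer_is_trusted_proxy(self):
        peer = ipaddress.ip_address(self.peer_ip)
        return any(peer in net for net in self.trusted)

    def handle_line(self, line):
        """'pass' for a normal protocol line, 'rewritten', or 'reject'."""
        match = CLIENTIP_LINE.match(line)
        if not match:
            return "pass"
        if not self.peer_is_trusted_proxy():
            return "reject"       # a direct client trying to spoof its address
        if self.rewritten:
            return "reject"       # the first hop sets it once; later lines are suspect
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            return "reject"       # not an address at all
        self.client_ip = str(addr)
        self.rewritten = True
        return "rewritten"
```

          The load balancer has the mirror-image duty: it must send its own CLIENTIP line first and must not forward one that a client sends through it, or the client can still choose its address. The same two rules apply to the PROXY protocol and to X-Forwarded-For style headers.
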
          Robert Burrell Donkin added a comment -

          Use Case Eight: TLS

          Example: Drop any connections which do not use a valid clientside certificate

          Example: Drop any connections which do not use a trusted clientside certificate

          Example: Drop any connection where the user authenticated does not match the user inferred from the clientside certificate

          Robert Burrell Donkin added a comment - edited

          Use Case Nine: TLS Connection Limiting

          Example: Setting "start:rate:full" to "10:30:60" will refuse 30% of un-certificated connections once 10 are connected, until 60 are connected when all connections will be refused

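
          Added example covering Use Cases Six and Nine together (not from this issue or the James code base): a limiter driven by a "start:rate:full" setting. The meaning of the three numbers is taken from the use-case text (everything admitted below `start`, a fixed `rate` percent refused from `start` up to `full`, everything refused at `full` and above). The only assumption is which connections are counted: all of them for Use Case Six, only the un-certificated ones for Use Case Nine, so the same class serves both.

```python
"""Graduated refusal from a "start:rate:full" setting (Use Cases Six and Nine).

Added example, not James code. The interpretation of the setting follows the
use-case text; the class, the injectable draw and the connection records
passed to count_uncertificated are assumptions.
"""
import random


def parse_limit(setting):
    """'10:30:60' -> (10, 30, 60): start count, refusal percentage, full count."""
    try:
        start, rate, full = (int(part) for part in setting.split(":"))
    except ValueError:
        raise ValueError("setting must be start:rate:full, got %r" % setting)
    if not (0 <= start <= full) or not (0 <= rate <= 100):
        raise ValueError("out-of-range start:rate:full setting %r" % setting)
    return start, rate, full


class ConnectionLimiter:
    def __init__(self, setting, rng=None):
        self.start, self.rate, self.full = parse_limit(setting)
        self.rng = rng if rng is not None else random.Random()

    def admit(self, counted, draw=None):
        """Decide on a new arrival given `counted` existing connections.

        `draw` is a number in [0, 1); it comes from the limiter's RNG unless
        supplied (supplying it makes the decision reproducible in tests)."""
        if counted < self.start:
            return True
        if counted >= self.full:
            return False
        if draw is None:
            draw = self.rng.random()
        return draw * 100 >= self.rate   # refuse `rate` percent of arrivals


def count_uncertificated(connections):
    """Use Case Nine: only connections without a client certificate count."""
    return sum(1 for conn in connections if not conn.get("client_cert"))
```

          A probabilistic refusal is a load valve, not an access control: with "10:30:60" an attacker still gets seven of every ten attempts through until the full mark, so it belongs alongside the per-address limits of Use Case Four rather than in place of them. Counting only un-certificated connections (Use Case Nine) keeps certificate-holding clients out of the throttled pool, since those are the ones an operator has already decided to trust.
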
          Robert Burrell Donkin added a comment -

          Use Case Ten: Start TLS

          Example: Drop any connection which authenticates before StartTLS

          Robert Burrell Donkin added a comment -

          Use Case Eleven: Authentication Options

          Example: Offer plain text authentication only when TLS is used

          Robert Burrell Donkin added a comment -

          Use Case Twelve: TLS White And Blacklisting

          Example: Drop any connection whose subject matches C=US

          Example: Drop any connection whose subject does not match C=US

          Example: Drop any connection whose issuer matches C=US

          Example: Drop any connection whose issuer does not match C=US

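
          Added example covering Use Cases Eight and Twelve together (not from this issue or the James code base): subject/issuer matching rules and the check that the authenticated user matches the certificate. It assumes the TLS layer has already done the "valid" and "trusted" parts of Use Case Eight (signature, validity period, chain to a configured CA) and hands over the subject and issuer as RFC 4514 strings; the rule tuples, the CN-as-login convention and the comparison semantics (a pattern such as "C=US" matches when the name carries that attribute with that value, case-insensitively) are assumptions.

```python
"""Client-certificate policy (Use Cases Eight and Twelve).

Added example, not James code. Names are RFC 4514 strings already validated
by the TLS layer; rule format, CN-as-login and matching semantics are
assumptions. Escaped commas inside attribute values are not handled.
"""


def parse_dn(dn):
    """'CN=alice,OU=Mail,O=Example,C=US' -> {'CN': ['alice'], 'OU': ['mail'], ...}."""
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attrs.setdefault(key.strip().upper(), []).append(value.strip().lower())
    return attrs


def dn_matches(dn, pattern):
    """True when every attribute/value in `pattern` appears in `dn`."""
    have, want = parse_dn(dn), parse_dn(pattern)
    return all(value in have.get(key, []) for key, values in want.items() for value in values)


class CertPolicy:
    """rules: (field, op, pattern); field is 'subject' or 'issuer', op is
    'deny_match' (drop when it matches) or 'deny_mismatch' (drop unless it matches)."""

    def __init__(self, rules):
        for field, op, _ in rules:
            if field not in ("subject", "issuer") or op not in ("deny_match", "deny_mismatch"):
                raise ValueError("bad rule %r" % ((field, op),))
        self.rules = rules

    def allows(self, subject, issuer):
        names = {"subject": subject, "issuer": issuer}
        for field, op, pattern in self.rules:
            matched = dn_matches(names[field], pattern)
            if op == "deny_match" and matched:
                return False
            if op == "deny_mismatch" and not matched:
                return False
        return True


def user_from_cert(subject):
    """Login name inferred from the subject CN (a convention assumed here)."""
    cn = parse_dn(subject).get("CN")
    return cn[0] if cn else None


def user_matches_cert(authenticated_user, subject):
    """Use Case Eight, third example: the authenticated user must equal the certificate's user."""
    inferred = user_from_cert(subject)
    return inferred is not None and inferred == authenticated_user.strip().lower()
```

          Issuer rules are the more reliable of the two: the subject is whatever the issuing CA agreed to put there, so a subject rule such as "drop unless C=US" only means what the trusted CAs' naming policy lets it mean.
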
          Robert Burrell Donkin added a comment -

          On StartTLS:

          Generally, the right way to do StartTLS is to offer a separate set of commands before and after TLS negotiation. Take IMAP, for example (setting aside the issues associated with support of RFC2060 clients). Before TLS is established, CAPABILITY should advertise only a limited number of commands including CAPABILITY and STARTTLS. Once TLS has been established, CAPABILITY should advertise a full set. So, correct StartTLS support requires work at the protocol level in conjunction with the handler and socket frameworks.

          This issue is more about hardening an installation. It covers configuring and controlling the appropriate general behaviour when potential security issues occur. Protocols are going to need to be changed to add correct StartTLS support and then hook into appropriate points in the general security framework. But I think it would be better to attempt to use a common set of security services than to duplicate code.

          Robert Burrell Donkin added a comment -

          Use Case Thirteen: Password Guessing

          Example: Drop any connection that fails to authenticate three times

          Robert Burrell Donkin added a comment -

          Use Case Fourteen: StartTLS Negotiation

          Example: Drop any connection which attempts to send plain text commands during StartTLS negotiation

          Robert Burrell Donkin added a comment -

          Use Case Fifteen: Monitoring Violations

          Example: When any connection fails to authenticate 20 times, post a mail to the spool

          Robert Burrell Donkin added a comment -

          Use Case Seventeen: Command Availability Before Authentication

          Example: When an unauthenticated connection sends a command which is not supported in this state, drop the connection

          Example: When an unauthenticated connection sends a command which is not supported in this state, drop the connection and blacklist the IP for 5 minutes

          Robert Burrell Donkin added a comment -

          From Stefano (http://markmail.org/message/ijvl4qpreyvhfbnn)

          In SMTP, AUTH and STARTTLS are 2 ESMTP extensions. If you don't want AUTH to be used without TLS then the SMTP server should not reply AUTH to the first EHLO command, but only STARTTLS and then, when the STARTTLS is issued and a new EHLO is sent from the client then the server will reply that it supports AUTH.

          This is how it works if I remember correctly. I don't know if this is similar or shares anything with IMAP.

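
          Added example covering Use Cases Ten, Eleven and Fourteen and the EHLO behaviour Stefano describes (not from this issue or the James code base): a minimal SMTP-side state machine showing both sides of the exchange. Reply codes follow RFC 3207 (STARTTLS) and RFC 4954 (AUTH); the session class, the sample user table and the transport callback are assumptions. It advertises and accepts AUTH only once TLS is active, drops a connection that sends AUTH before STARTTLS (Ten), and drops one that sends any command between the 220 reply to STARTTLS and the end of the handshake (Fourteen).

```python
"""SMTP-side STARTTLS gating (Use Cases Ten, Eleven, Fourteen and Stefano's EHLO note).

Added example, not James code. Reply codes per RFC 3207 / RFC 4954; the class,
the constructed USERS table and tls_handshake_complete() are assumptions.
"""
import base64

USERS = {"alice": "s3cret"}  # constructed sample credentials


def plain_response(user, password, authzid=""):
    """Client side: the base64 initial response for AUTH PLAIN."""
    raw = authzid.encode() + b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


class SmtpSession:
    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.tls = False
        self.negotiating = False   # 220 sent for STARTTLS, handshake not finished
        self.open = True
        self.authenticated = None

    def capabilities(self):
        caps = ["SIZE 10485760"]
        if self.tls:
            caps.append("AUTH PLAIN")  # Eleven: plaintext mechanism only under TLS
        else:
            caps.append("STARTTLS")    # first EHLO sees STARTTLS, never AUTH
        return caps

    def handle(self, line):
        """Reply to one client line; '' means the connection has been dropped."""
        if not self.open:
            return ""
        if self.negotiating:
            self.open = False          # Fourteen: cleartext command mid-negotiation
            return ""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            lines = [self.hostname] + self.capabilities()
            return "\r\n".join(["250-" + l for l in lines[:-1]] + ["250 " + lines[-1]])
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.negotiating = True
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                self.open = False      # Ten: authentication attempted before STARTTLS
                return ""
            return self._auth(arg)
        if verb == "QUIT":
            self.open = False
            return "221 Bye"
        return "500 Command not recognised"

    def _auth(self, arg):
        mech, _, initial = arg.partition(" ")
        if mech.upper() != "PLAIN" or not initial:
            return "504 Unrecognized authentication type"
        try:
            parts = base64.b64decode(initial, validate=True).split(b"\0")
            _authzid, user, password = (p.decode() for p in parts)
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH PLAIN response"
        if USERS.get(user) != password:
            return "535 Authentication credentials invalid"
        self.authenticated = user
        return "235 Authentication successful"

    def tls_handshake_complete(self):
        """Transport callback once TLS is up; per RFC 3207 the session state resets."""
        self.negotiating = False
        self.tls = True
        self.authenticated = None
```

          Dropping on a cleartext command during negotiation (rather than buffering it) matters because a command injected at that moment would otherwise be read after the handshake as if the client had sent it over TLS. The state reset in tls_handshake_complete() is the RFC 3207 rule that nothing learned before STARTTLS carries over.
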
          Robert Burrell Donkin added a comment -

          Use Case Eighteen: Statistical Monitoring

          Example: When a connection tries to authenticate as an unknown user, increment counter

          Robert Burrell Donkin added a comment -

          Use Case Nineteen:

          Central control of TLS ciphers


            People

            • Assignee: Robert Burrell Donkin
            • Reporter: Robert Burrell Donkin
            • Votes: 0
            • Watchers: 0