Subject: Re: OT: authenticating users, was Re: SE Linux vs SE NetBSD !!
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 09/05/2006 01:10:30
On 9/5/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
>      How would nmap query a system to find out the date of the
> anti-virus signature file?

Well, I was thinking mostly of verifying that the client is running
a firewall and doesn't have known-vulnerable ports open
(or whatever your policy is).

As for anti-virus, and other remote attestation, it'd be trivial
to do as long as the anti-virus cooperates by
responding on a given port, for example,
with the tacit assumption that the user is not trying to deceive.

If he is, that's the remote attestation problem that TC is
designed to answer.

> Even so how do you find out who that user is?

By a key that is bound to a machine which is registered by a person.
You could distribute a different credential to everyone when distributing
VPN clients.  Those who don't do VPN have limited access to
anything on the "other side" of the firewall/VPN endpoint.

>      I don't think so.  However, NFS is designed to talk to multi-user
> systems.  Basic NFS assumes that the system is secure and will
> authenticate its users.  This is a bad assumption in a client/server
> environment.

Especially bad for a program to bind to a port >= 1024, since
any user can do so.  With some of the socket options, nfs binds
to *:2049 and you could even bind to the more-specific IPs,
and intercept all data, no root powers needed.
NetBSD has some kernel setting to prevent the "double-bind".
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
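The "double-bind" Travis describes above can be checked for on your own host before you rely on a daemon's socket setup. The probe below is an added example, not code from the thread or from NetBSD; it assumes a UDP service (NFS's traditional transport) and that SO_REUSEADDR is the socket option in question. It binds a stand-in daemon socket on a fresh ephemeral port, then tries a second, more-specific bind to 127.0.0.1 on the same port, which is exactly what a hijacking process would need the kernel to accept. Everything stays on the loopback interface inside one process.

```python
import socket


def second_bind_succeeds(daemon_addr: str, daemon_reuseaddr: bool) -> bool:
    """Probe the kernel's rule for a more-specific bind over an existing one.

    A stand-in 'daemon' UDP socket is bound to daemon_addr on a kernel-chosen
    port, optionally with SO_REUSEADDR.  A second socket with SO_REUSEADDR
    then tries to bind 127.0.0.1 on that same port.  True means the kernel
    accepted it, i.e. a more-specific bind could sit in front of the daemon
    for traffic addressed to 127.0.0.1; False means it refused (EADDRINUSE).
    """
    daemon = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if daemon_reuseaddr:
            daemon.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        daemon.bind((daemon_addr, 0))          # port 0: kernel picks a free port
        port = daemon.getsockname()[1]
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            probe.bind(("127.0.0.1", port))    # the more-specific bind
        except OSError:                        # EADDRINUSE: kernel refused it
            return False
        return True
    finally:
        probe.close()
        daemon.close()


def audit_double_bind() -> dict:
    """Three daemon setups, from weakest to safest (hypothetical labels)."""
    return {
        # Wildcard listener that itself set SO_REUSEADDR: the classic weak setup.
        "wildcard + SO_REUSEADDR": second_bind_succeeds("0.0.0.0", True),
        # Wildcard listener without the option: this is where kernels differ.
        "wildcard, no SO_REUSEADDR": second_bind_succeeds("0.0.0.0", False),
        # Explicit address, no option: leaves no more-specific address to take.
        "explicit 127.0.0.1, no SO_REUSEADDR": second_bind_succeeds("127.0.0.1", False),
    }


if __name__ == "__main__":
    for setup, accepted in audit_double_bind().items():
        verdict = "second bind ACCEPTED" if accepted else "second bind refused"
        print(f"{setup:38s} -> {verdict}")
```

The first and last rows come out the same on every common kernel (accepted, refused); the middle row is the one that depends on the kernel's policy, so a daemon that cannot avoid the wildcard should at least not set SO_REUSEADDR and should be checked on the actual host.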