Firewall Wizards mailing list archives

Re: kerberos,ipsec and application proxies


From: "Marcus J. Ranum" <mjr () clark net>
Date: Fri, 21 May 1999 12:45:16 -0400

Well, Kerberos is most certainly still useful. I don't think fwtk is,
though. The I/O loops are still broken, and there are so many bugs in
the code (still there in Gauntlet, BTW) that I gave up long ago :(

Fwtk is definitely long in the tooth and should be put to bed.
I _hope_ NAI has fixed some of the holes in Gauntlet but I suspect
that they are still there. The main good news is that most of
the vulnerable I/O loops are in code that is almost always only
callable from the inside to the outside. It's the externally
accessible code that's the scary stuff. :(

Firewalls are now a well-enough understood thing that I suspect
someone could whip up something as good (or better) than a
Checkpoint in a couple of weeks of coding. In fact, ip_filt
with a little redirection to proxies is about all you'd need,
if it had a pretty GUI. None of the products (including the
proxy firewalls) do anything noteworthy to look for attacks
in the data streams: that's all marketing more than anything
else. A router and SSH and some decent filtering rules, plus
a proxy for, say, DNS (latest BIND) and SMTP (use Wietse's latest)
and HTTP (ugh! squid?) and you're there.

SSH makes Kerberos a moot point. You could use SSLapps if for
some reason you don't like the flexibility of SSH.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr