Firewall Wizards mailing list archives
Re: kerberos,ipsec and application proxies
From: "Marcus J. Ranum" <mjr () clark net>
Date: Fri, 21 May 1999 12:45:16 -0400
Well, Kerberos is most certainly still useful. I don't think fwtk is, though. The I/O loops are still broken, and there are so many bugs in the code (still there in Gauntlet, BTW) that I gave up long ago :(
Fwtk is definitely long in the tooth and should be put to bed. I _hope_ NAI has fixed some of the holes in Gauntlet but I suspect that they are still there. The main good news is that most of the vulnerable I/O loops are in code that is almost always only callable from the inside to the outside. It's the externally accessible code that's the scary stuff. :(

Firewalls are now a well-enough understood thing that I suspect someone could whip up something as good as (or better than) a Checkpoint in a couple of weeks of coding. In fact, ip_filt with a little redirection to proxies is about all you'd need, if it had a pretty GUI. None of the products (including the proxy firewalls) do anything noteworthy to look for attacks in the data streams: that's all marketing more than anything else.

A router and SSH and some decent filtering rules, plus a proxy for, say, DNS (latest BIND) and SMTP (use Wietse's latest) and HTTP (ugh! squid?) and you're there. SSH makes Kerberos a moot point. You could use SSLapps if for some reason you don't like the flexibility of SSH.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr