Firewall Wizards mailing list archives
Re: Leader in firewall product
From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Tue, 19 Sep 2000 13:41:23 +0200
My mailer thinks that ark () eltex ru wrote the following:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Magosányi Árpád <mag () bunuel tii matav hu> said :
>
> > -Zorp
> > Zorp is a real application-level firewall. Example: While other firewalls can control some 5-6 aspects of a ftp session, it can control every little detail.
>
> Could you please explain what "every little detail is" for, say, zorp vs fwtk ftp-gw? I want to understand the difference.

It is in doc/modules/ftp/ftp.statement.txt in the source tree. Generally, half of the point is that Zorp has more than 20 configurable parameters in its ftp proxy class. The second half is that Zorp uses a highly modular architecture, so you can count on several other configuration parameters in its listener and chainer classes. The third half is that Zorp uses Python as its configuration language, so you can use anything you like in the access control decision, like time of day, the result of outband authentication, and class attributes like command (Last Command), parameter (Last Parameter), answare_code (Last Answer Code).

And its authentication system is just a major hit.

Zorp uses a so-called satyrd authentication method. It is an out-band authentication method (the proxies can do traditional inband authentication where it is applicable). Basically, on the client there is a satyrd, on the firewall there is a satyr client, and there is a Zorp Authentication Server (zas) somewhere which lives on an LDAP tree. When an authentication request comes in, or some operation which should be authenticated, the firewall asks satyrd about the identity of the user it is working for. The satyrd checks the identity of the firewall by an X.509 certificate, and tells the truth (hopefully) to the firewall. On top of the authentication functionality, the protocol can transfer the claimed security labels and other security attributes to the firewall. The firewall checks the authentication and the security attributes with zas.

The unix version of satyrd (and zas) can do password, cryptocard, S/key, and X.509 based authentication, and also there are 2 or three not really useful methods for test (challenge: zas tells a number X, response: Y - X where Y is your secret number). The unix version can multiplex for more local users. The Windows version can do password, something I forgot, and S/key right now.

--
GNU GPL: only from a clean source

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
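
The message's third point, access-control decisions written as ordinary Python, can be sketched as a default-deny policy hook for an FTP proxy. This is an added example, not part of the original message and not Zorp's API: the FtpSession class, the decide function, the group name and the upload window are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

# Hypothetical session view. Field names echo the attributes named in the
# message (last command, last parameter); this is not Zorp's proxy class.
@dataclass(frozen=True)
class FtpSession:
    command: str                      # last FTP command seen by the proxy
    parameter: str                    # last parameter seen by the proxy
    user: Optional[str] = None        # identity from out-of-band auth, if any
    groups: FrozenSet[str] = frozenset()

READ_CMDS = {"USER", "PASS", "SYST", "TYPE", "PASV", "CWD", "PWD",
             "LIST", "NLST", "RETR", "QUIT"}
WRITE_CMDS = {"STOR", "APPE", "DELE", "MKD", "RMD", "RNFR", "RNTO"}
UPLOAD_GROUP = "ftp-upload"           # constructed group name
UPLOAD_WINDOW = (time(8, 0), time(18, 0))  # constructed time-of-day rule

def decide(s: FtpSession, now: time) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    cmd = s.command.upper()
    if cmd not in READ_CMDS | WRITE_CMDS:
        return False, "command not on allow-list"
    if any(c in s.parameter for c in "\r\n\0"):
        return False, "control character in parameter"
    if ".." in s.parameter.replace("\\", "/").split("/"):
        return False, "path traversal in parameter"
    if cmd in WRITE_CMDS:
        if s.user is None:
            return False, "write needs out-of-band authentication"
        if UPLOAD_GROUP not in s.groups:
            return False, "user not in upload group"
        if not (UPLOAD_WINDOW[0] <= now < UPLOAD_WINDOW[1]):
            return False, "outside upload window"
    return True, "ok"

if __name__ == "__main__":
    alice = dict(user="alice", groups=frozenset({UPLOAD_GROUP}))
    for sess, t in [  # constructed sample sessions
        (FtpSession("RETR", "pub/readme.txt"), time(23, 0)),
        (FtpSession("STOR", "in/a.bin"), time(10, 0)),
        (FtpSession("STOR", "in/a.bin", **alice), time(10, 0)),
        (FtpSession("STOR", "in/a.bin", **alice), time(19, 30)),
        (FtpSession("RETR", "../etc/passwd", **alice), time(10, 0)),
        (FtpSession("SITE", "EXEC ls", **alice), time(10, 0)),
    ]:
        print(sess.command, sess.parameter, t, decide(sess, t))
```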