Firewall Wizards mailing list archives

Re: SecurID Agent-Server through proxy firewall


From: Vin McLellan <vin () shore net>
Date: Thu, 18 Feb 1999 23:47:59 -0500

        For dealing with web servers, ACE/SecurID, and application proxies,
Carson Gaspar <carson () tla org> recommended:

The work-around everyone I've known has used is to use RADIUS through the
firewall, and have a RADIUS server inside the firewall speak to the
ACE/Server.

        And noted, in his characteristically meek and indirect manner:

One of many reasons I'd _love_ SDI to scrap their !@$#%^ on-line protocol
and create a new, more useful one. But Vin and I have had this debate before
:)

        Thanks for jumping in, Carson.  I also just got a note in which the
unidentified IT/ACE Admin I quoted earlier in this thread -- Ken Ng of KPMG
<kenng () kpmg com> -- said he didn't mind being acknowledged. (Thanks, Ken!)

        Fyi, Carson: The post-ACE protocol -- which SDTI calls CSSP:
"Cryptographic Security Service Protocol" -- is out in beta with the
current version of Keon, SDTI's PKI product.  <http://www.securid.com>

        CSSP itself is a published, standards-based protocol for providing
authorization and authorization services over a secure channel. In Keon,
that secure channel is SSL, but CSSP is adaptable to support other secure
channel formats as well. IPSec, for example.

        CSSP, the answer to my prayers and yours, will be released with
Keon in mid-year. Finally!!!!

        I understand, btw, that one of your flames -- of which I bore the
brunt, as I recall -- led to a rewrite of SDTI's documentation on how to
set up remote ACE/Clients. Tks. Morgan Stanley rules!

        Suerte,

                _Vin


-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto  _vbm.

 *     Vin McLellan + The Privacy Guild + <vin () shore net>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548



