Firewall Wizards mailing list archives
Re: kerberos,ipsec and application proxies
From: Rudolf Schreiner <ras () muc de>
Date: Fri, 21 May 1999 22:34:32 +0200 (MET DST)
On Fri, 21 May 1999, Marcus J. Ranum wrote:

> In fact, ip_filt with a little redirection to proxies is about all you'd need, if it had a pretty GUI.

That's exactly what I've been doing for quite a while, just without GUI. Filters/NAT can be configured by the proxies (callback) or by a CORBA interface, too. Works great!

> None of the products (including the proxy firewalls) do anything noteworthy to look for attacks in the data streams: that's all marketing more than anything else.

I normally need strong authentication and message protection between client and server. This means encryption between the endpoints. So the firewall can't check the data stream anyway.

> SSH makes Kerberos a moot point. You could use SSLapps if for some reason you don't like the flexibility of SSH.

IMHO Kerberos is still very important for closely coupled distributed systems. Kerberos 5 with GSS-API is still _the_ standard security mechanism. I'm heavily using heimdal, the Swedish Kerberos implementation because the latency is lower. The keys (3DES) are shorter and it's less CPU expensive.

Rudi