Firewall Wizards mailing list archives

Re: kerberos,ipsec and application proxies


From: Rudolf Schreiner <ras () muc de>
Date: Fri, 21 May 1999 22:34:32 +0200 (MET DST)

On Fri, 21 May 1999, Marcus J. Ranum wrote:

> In fact, ip_filt
> with a little redirection to proxies is about all you'd need,
> if it had a pretty GUI.

That's exactly what I've been doing for quite a while, just without a GUI.
Filters/NAT can be configured by the proxies (callback) or by a CORBA
interface, too.
Works great!

> None of the products (including the
> proxy firewalls) do anything noteworthy to look for attacks
> in the data streams: that's all marketing more than anything
> else.

I normally need strong authentication and message protection between 
client and server. This means encryption between the endpoints. So the 
firewall can't check the data stream anyway.

> SSH makes Kerberos a moot point. You could use SSLapps if for
> some reason you don't like the flexibility of SSH.

IMHO Kerberos is still very important for closely coupled distributed
systems. Kerberos 5 with GSS-API is still _the_ standard security
mechanism. I'm heavily using Heimdal, the Swedish Kerberos
implementation, because the latency is lower. The keys (3DES) are shorter
and it's less CPU expensive.

Rudi


