Firewall Wizards mailing list archives

Integrating firewall into crypto infrastructure?


From: ark () eltex ru
Date: Fri, 16 Aug 2002 05:28:50 +0400 (MSD)

nuqneH,

(SSL this time. dealing with IPSEC is obvious, doing kerberos is damn
tricky and i have no time for it)

I am going to SSLify proxies on my firewall. Well, i have to admit i don't
really like that because OpenSSL library is huge and thus potentially
dangerous code and supplementary protocols like LDAP are sometimes no
better, but IPsec unfortunately does not provide application-level
control API to fit our needs. I will make separate compile targets so
customers who do not need SSL may avoid any consequences ;-)

And SSL is supported by many clients and servers out of the box.

As far as i see SSL awareness of most firewalls on the market is limited
to handling CONNECT style requests ;-)

So the question is: are there any good practices, whitepapers or
just products with ideas to steal related to integrating firewall into
PKI? What is the proper way to link certificates to peers in firewall
configuration, what should "ideal" product look like? Is using internal
LDAP server for certificate storage a good idea? If i am going to
store peer certificates on firewall itself how should i manage it to
keep things usable? What are other certificate chain related issues to
keep in mind?

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

