git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4053 ec53bebd-3082-4978-b11e-865c3cabbd6b
Johan Danielsson
1997-11-20 04:25:37 +00:00
parent a0d646ff36
commit 6d89dac5a9
2 changed files with 54 additions and 44 deletions

@@ -10,6 +10,12 @@
.ds LH Internet Draft
.ds RH November, 1997
.ds CH Kerberos vs firewalls
.de Ip
.in 6
.ta 3
.ti -3
\\$1\t\c
..
.hy 0
.ad l
.in 0
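Review bot: the new `Ip` macro sets `.in 6` but never restores the previous indent, so every caller has to follow the item with `.LP` and `.in 3` by hand (as the later hunks do); a short comment above `.de Ip` saying that this is expected, or a companion macro that ends an item, would make the intent obvious to the next editor. Note also that `.ta 3` and `.in 6` are given without units, so they depend on troff's default scaling for those requests; writing `.ta 3m` / `.in 6m` (or `n`) states the intent explicitly.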
@@ -20,14 +26,14 @@ Network Working Group Assar Westerlund
Internet-Draft Johan Danielsson
November, 1997 PDC, KTH
Expire in six months
.fi
.ce
Kerberos vs firewalls
.SH
.ti 0
Status of this Memo
.LP
.in 3
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
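Review bot: in the header block, "Expire in six months" should read "Expires in six months" (or the usual "Expires: <month, year>" form used in Internet-Draft headers).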
@@ -38,10 +44,10 @@ Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
\*Qwork in progress.\*U
To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
the \*Q1id-abstracts.txt\*U listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
Coast), or ftp.isi.edu (US West Coast).
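Review bot: the quote conversion here is consistent, but the line break inside "Internet-" / "Drafts as reference material" will not be rejoined by troff: in fill mode the two input lines become "Internet- Drafts" with a space after the hyphen, and `.hy 0` from the first hunk disables hyphenation anyway. Keep "Internet-Drafts" on a single input line.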
@@ -52,8 +58,6 @@ Distribution of this memo is unlimited. Please send comments to the
.ti 0
Abstract
.in 3
.ti 0
Introduction
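Review bot: after this hunk the "Abstract" heading is immediately followed by `.in 3`, `.ti 0` and the "Introduction" heading with no body text, so the draft ships with an empty abstract; an Internet-Draft is expected to carry one, so either add a paragraph or drop the heading until there is text for it.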
@@ -62,8 +66,8 @@ insecure networks.
Firewalling is a technique for achieving an illusion of security by
putting restrictions on what kinds of packets and how these are sent
between the internal (so called ``secure'') network and the global (or
``insecure'') Internet.
between the internal (so called \*Qsecure\*U) network and the global (or
\*Qinsecure\*U) Internet.
.ti 0
Definitions
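Review bot: while these lines are being rewritten for `\*Q`/`\*U`, "so called" used attributively should be hyphenated: "the internal (so-called \*Qsecure\*U) network".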
@@ -81,38 +85,37 @@ client, for example telnetd.
.ti 0
Firewalls
A firewall is usually placed between the ``inside'' and the
``outside'' and is supposed to protect the inside from the evils on
A firewall is usually placed between the \*Qinside\*U and the
\*Qoutside\*U and is supposed to protect the inside from the evils on
the outside. There are different kinds of firewalls. The main
differences are in the way they forward packets.
.IP 1
.Ip 1
The most straight forward type is the one that just imposes
restrictions on incoming packets. Such a firewall could be described
as a router that just throws away packets that match some
criteria.
as a router that just throws away packets that match some criteria.
.IP 2
They may also ``hide'' some or all addresses on the inside of the
.Ip 2
They may also \*Qhide\*U some or all addresses on the inside of the
firewall, replacing the addresses in the outgoing packets with the
address of the firewall (aka network address translation, or NAT). NAT
can also be used without any packet filtering, for instance when you
have more than one host sharing a single address (for example, with a
dialed-in PPP connection).
.LP
.in 3
There are also firewalls that does NAT both on the inside and the
outside (a server on the inside will see this as a connection from the
firewall).
.IP 3
.Ip 3
A third type is the proxy type firewall, that parses the contents of
the packets, basically acting as a server to the client, and as a
client to the server (man-in-the-middle). If Kerberos is to be used
with this kind of firewall, a protocol module that handles KDC
requests has to be written.
.LP
.in 3
This type of firewall might also add extra trouble when used with
kerberised versions of protocols that the proxy understands, in
addition to the ones mentioned below.
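Review bot: the `.LP` / `.in 3` pair is now repeated after items 2 and 3 to undo the `.in 6` left behind by `.Ip`, but item 1 has no such reset before `.Ip 2`; that works only because the next `.Ip` sets the indent again, and it will break the first time a plain paragraph follows an item without the pair. Consider folding the reset into the macro or adding a matching end macro. Two wording points in the same lines: "straight forward" should be "straightforward", and "firewalls that does NAT" should be "firewalls that do NAT".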
@@ -187,11 +190,13 @@ addition to those mentioned in [RFC1510].
.ti 0
References
.in 3
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
[RFC959] Postel, J. and Reynolds, J., \*QFILE TRANSFER PROTOCOL
(FTP)\*U, RFC 969, October 1985
[RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions",
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
Authentication Service (V5)\*U, RFC 1510, September 1993.
[RFC2228] Horowitz, M. and Lunt, S., \*QFTP Security Extensions\*U,
RFC2228, October 1997.
.ti 0
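Review bot: the new `[RFC959]` entry cites "RFC 969", which does not match its own tag; the FTP specification by Postel and Reynolds (October 1985) is RFC 959, so change the number to "RFC 959". For consistency with "RFC 1510" and "RFC 959" in the same list, "RFC2228" should also be written "RFC 2228".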