x
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4053 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -10,6 +10,12 @@
|
|||||||
.ds LH Internet Draft
|
.ds LH Internet Draft
|
||||||
.ds RH November, 1997
|
.ds RH November, 1997
|
||||||
.ds CH Kerberos vs firewalls
|
.ds CH Kerberos vs firewalls
|
||||||
|
.de Ip
|
||||||
|
.in 6
|
||||||
|
.ta 3
|
||||||
|
.ti -3
|
||||||
|
\\$1\t\c
|
||||||
|
..
|
||||||
.hy 0
|
.hy 0
|
||||||
.ad l
|
.ad l
|
||||||
.in 0
|
.in 0
|
||||||
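Review bot: the new `Ip` macro carries no comment saying what it is for. The later hunks in this patch replace every `.SH`, `.LP` and `.IP` request with `.ti 0`, `.in 3` and `.Ip`, so the draft appears to be moving from the -ms macros to plain troff; a `.\"` comment above `.de Ip` stating that, and noting that the macro sets `.in 6` and leaves it to the caller to reset, would spare the next reader the guesswork.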
@@ -20,14 +26,14 @@ Network Working Group Assar Westerlund
|
|||||||
Internet-Draft Johan Danielsson
|
Internet-Draft Johan Danielsson
|
||||||
November, 1997 PDC, KTH
|
November, 1997 PDC, KTH
|
||||||
Expire in six months
|
Expire in six months
|
||||||
|
.fi
|
||||||
|
|
||||||
.ce
|
.ce
|
||||||
Kerberos vs firewalls
|
Kerberos vs firewalls
|
||||||
|
|
||||||
.SH
|
.ti 0
|
||||||
Status of this Memo
|
Status of this Memo
|
||||||
|
|
||||||
.LP
|
|
||||||
.in 3
|
.in 3
|
||||||
This document is an Internet-Draft. Internet-Drafts are working
|
This document is an Internet-Draft. Internet-Drafts are working
|
||||||
documents of the Internet Engineering Task Force (IETF), its
|
documents of the Internet Engineering Task Force (IETF), its
|
||||||
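Review bot: `.fi` is added after `Expire in six months` to end the no-fill header block, but the matching `.nf` that has to precede `Network Working Group` is outside this hunk; please confirm it is there, otherwise the `.fi` is a no-op and the two-column header gets filled into a paragraph.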
@@ -38,10 +44,10 @@ Internet-Drafts are draft documents valid for a maximum of six
|
|||||||
months and may be updated, replaced, or obsoleted by other
|
months and may be updated, replaced, or obsoleted by other
|
||||||
documents at any time. It is inappropriate to use Internet-
|
documents at any time. It is inappropriate to use Internet-
|
||||||
Drafts as reference material or to cite them other than as
|
Drafts as reference material or to cite them other than as
|
||||||
"work in progress."
|
\*Qwork in progress.\*U
|
||||||
|
|
||||||
To view the entire list of current Internet-Drafts, please check
|
To view the entire list of current Internet-Drafts, please check
|
||||||
the "1id-abstracts.txt" listing contained in the Internet-Drafts
|
the \*Q1id-abstracts.txt\*U listing contained in the Internet-Drafts
|
||||||
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
|
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
|
||||||
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
|
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
|
||||||
Coast), or ftp.isi.edu (US West Coast).
|
Coast), or ftp.isi.edu (US West Coast).
|
||||||
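Review bot: `\*Q` and `\*U` are the -ms quote strings, and the rest of this patch drops the -ms requests (`.SH`, `.LP`, `.IP`), so nothing in the file defines them any more; add definitions next to the `.ds LH`/`.ds RH`/`.ds CH` lines (for example `.ds Q \(lq` and `.ds U \(rq`), otherwise the strings expand to nothing and the quotes around `work in progress.` and `1id-abstracts.txt` silently disappear.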
@@ -52,8 +58,6 @@ Distribution of this memo is unlimited. Please send comments to the
|
|||||||
.ti 0
|
.ti 0
|
||||||
Abstract
|
Abstract
|
||||||
|
|
||||||
.in 3
|
|
||||||
|
|
||||||
.ti 0
|
.ti 0
|
||||||
Introduction
|
Introduction
|
||||||
|
|
||||||
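Review bot: with the `.in 3` removed, nothing is left between the `Abstract` heading and the `Introduction` heading, and there was no abstract text before this change either; an Internet-Draft needs an abstract, so either add one here or drop the empty heading rather than leave a title with no body.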
@@ -62,8 +66,8 @@ insecure networks.
|
|||||||
|
|
||||||
Firewalling is a technique for achieving an illusion of security by
|
Firewalling is a technique for achieving an illusion of security by
|
||||||
putting restrictions on what kinds of packets and how these are sent
|
putting restrictions on what kinds of packets and how these are sent
|
||||||
between the internal (so called ``secure'') network and the global (or
|
between the internal (so called \*Qsecure\*U) network and the global (or
|
||||||
``insecure'') Internet.
|
\*Qinsecure\*U) Internet.
|
||||||
|
|
||||||
.ti 0
|
.ti 0
|
||||||
Definitions
|
Definitions
|
||||||
@@ -81,38 +85,37 @@ client, for example telnetd.
|
|||||||
.ti 0
|
.ti 0
|
||||||
Firewalls
|
Firewalls
|
||||||
|
|
||||||
A firewall is usually placed between the ``inside'' and the
|
A firewall is usually placed between the \*Qinside\*U and the
|
||||||
``outside'' and is supposed to protect the inside from the evils on
|
\*Qoutside\*U and is supposed to protect the inside from the evils on
|
||||||
the outside. There are different kinds of firewalls. The main
|
the outside. There are different kinds of firewalls. The main
|
||||||
differences are in the way they forward packets.
|
differences are in the way they forward packets.
|
||||||
|
|
||||||
.IP 1
|
.Ip 1
|
||||||
The most straight forward type is the one that just imposes
|
The most straight forward type is the one that just imposes
|
||||||
restrictions on incoming packets. Such a firewall could be described
|
restrictions on incoming packets. Such a firewall could be described
|
||||||
as a router that just throws away packets that match some
|
as a router that just throws away packets that match some criteria.
|
||||||
criteria.
|
|
||||||
|
|
||||||
.IP 2
|
.Ip 2
|
||||||
They may also ``hide'' some or all addresses on the inside of the
|
They may also \*Qhide\*U some or all addresses on the inside of the
|
||||||
firewall, replacing the addresses in the outgoing packets with the
|
firewall, replacing the addresses in the outgoing packets with the
|
||||||
address of the firewall (aka network address translation, or NAT). NAT
|
address of the firewall (aka network address translation, or NAT). NAT
|
||||||
can also be used without any packet filtering, for instance when you
|
can also be used without any packet filtering, for instance when you
|
||||||
have more than one host sharing a single address (for example, with a
|
have more than one host sharing a single address (for example, with a
|
||||||
dialed-in PPP connection).
|
dialed-in PPP connection).
|
||||||
|
|
||||||
.LP
|
.in 3
|
||||||
There are also firewalls that does NAT both on the inside and the
|
There are also firewalls that does NAT both on the inside and the
|
||||||
outside (a server on the inside will see this as a connection from the
|
outside (a server on the inside will see this as a connection from the
|
||||||
firewall).
|
firewall).
|
||||||
|
|
||||||
.IP 3
|
.Ip 3
|
||||||
A third type is the proxy type firewall, that parses the contents of
|
A third type is the proxy type firewall, that parses the contents of
|
||||||
the packets, basically acting as a server to the client, and as a
|
the packets, basically acting as a server to the client, and as a
|
||||||
client to the server (man-in-the-middle). If Kerberos is to be used
|
client to the server (man-in-the-middle). If Kerberos is to be used
|
||||||
with this kind of firewall, a protocol module that handles KDC
|
with this kind of firewall, a protocol module that handles KDC
|
||||||
requests has to be written.
|
requests has to be written.
|
||||||
|
|
||||||
.LP
|
.in 3
|
||||||
This type of firewall might also add extra trouble when used with
|
This type of firewall might also add extra trouble when used with
|
||||||
kerberised versions of protocols that the proxy understands, in
|
kerberised versions of protocols that the proxy understands, in
|
||||||
addition to the ones mentioned below.
|
addition to the ones mentioned below.
|
||||||
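Review bot: `Ip` sets `.in 6` and never restores it, so the indent after each list item depends on the caller issuing the `.in 3` that replaces the two `.LP` requests here. That works for items 2 and 3 in this hunk, but any future item followed directly by a `.ti 0` heading would leave the heading's paragraph indented by 6; consider resetting the indent inside the macro that closes a list, or documenting that every list must end with `.in 3`.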
@@ -187,11 +190,13 @@ addition to those mentioned in [RFC1510].
|
|||||||
.ti 0
|
.ti 0
|
||||||
References
|
References
|
||||||
|
|
||||||
.in 3
|
[RFC959] Postel, J. and Reynolds, J., \*QFILE TRANSFER PROTOCOL
|
||||||
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
|
(FTP)\*U, RFC 969, October 1985
|
||||||
Authentication Service (V5)", RFC 1510, September 1993.
|
|
||||||
|
|
||||||
[RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions",
|
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
|
||||||
|
Authentication Service (V5)\*U, RFC 1510, September 1993.
|
||||||
|
|
||||||
|
[RFC2228] Horowitz, M. and Lunt, S., \*QFTP Security Extensions\*U,
|
||||||
RFC2228, October 1997.
|
RFC2228, October 1997.
|
||||||
|
|
||||||
.ti 0
|
.ti 0
|
||||||
|
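Review bot: the new `[RFC959]` entry cites `RFC 969` in its body; the FTP specification is RFC 959, matching the label, so this is a typo. The entry also lacks the trailing period the other two carry, and the number spacing differs between `RFC 1510, September 1993.` and `RFC2228, October 1997.`; pick one form for all three (`RFC 959, October 1985.`, `RFC 2228, October 1997.`).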