x
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4054 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -61,8 +61,8 @@ Abstract
|
|||||||
.ti 0
|
.ti 0
|
||||||
Introduction
|
Introduction
|
||||||
|
|
||||||
Kerberos is a protocol for authenticating parties communicating over
|
Kerberos[RFC1510] is a protocol for authenticating parties
|
||||||
insecure networks.
|
communicating over insecure networks.
|
||||||
|
|
||||||
Firewalling is a technique for achieving an illusion of security by
|
Firewalling is a technique for achieving an illusion of security by
|
||||||
putting restrictions on what kinds of packets and how these are sent
|
putting restrictions on what kinds of packets and how these are sent
|
||||||
@@ -72,8 +72,6 @@ between the internal (so called \*Qsecure\*U) network and the global (or
|
|||||||
.ti 0
|
.ti 0
|
||||||
Definitions
|
Definitions
|
||||||
|
|
||||||
types of firewalls: ...
|
|
||||||
|
|
||||||
client: the user, process, and host acquiring tickets from the KDC and
|
client: the user, process, and host acquiring tickets from the KDC and
|
||||||
authenticating itself to the kerberised server.
|
authenticating itself to the kerberised server.
|
||||||
|
|
||||||
@@ -86,16 +84,16 @@ client, for example telnetd.
|
|||||||
Firewalls
|
Firewalls
|
||||||
|
|
||||||
A firewall is usually placed between the \*Qinside\*U and the
|
A firewall is usually placed between the \*Qinside\*U and the
|
||||||
\*Qoutside\*U and is supposed to protect the inside from the evils on
|
\*Qoutside\*U networks, and is supposed to protect the inside from the
|
||||||
the outside. There are different kinds of firewalls. The main
|
evils on the outside. There are different kinds of firewalls. The
|
||||||
differences are in the way they forward packets.
|
main differences are in the way they forward packets.
|
||||||
|
|
||||||
.Ip 1
|
.Ip \(bu
|
||||||
The most straight forward type is the one that just imposes
|
The most straight forward type is the one that just imposes
|
||||||
restrictions on incoming packets. Such a firewall could be described
|
restrictions on incoming packets. Such a firewall could be described
|
||||||
as a router that just throws away packets that match some criteria.
|
as a router that filters packets that match some criteria.
|
||||||
|
|
||||||
.Ip 2
|
.Ip \(bu
|
||||||
They may also \*Qhide\*U some or all addresses on the inside of the
|
They may also \*Qhide\*U some or all addresses on the inside of the
|
||||||
firewall, replacing the addresses in the outgoing packets with the
|
firewall, replacing the addresses in the outgoing packets with the
|
||||||
address of the firewall (aka network address translation, or NAT). NAT
|
address of the firewall (aka network address translation, or NAT). NAT
|
||||||
@@ -108,7 +106,7 @@ There are also firewalls that does NAT both on the inside and the
|
|||||||
outside (a server on the inside will see this as a connection from the
|
outside (a server on the inside will see this as a connection from the
|
||||||
firewall).
|
firewall).
|
||||||
|
|
||||||
.Ip 3
|
.Ip \(bu
|
||||||
A third type is the proxy type firewall, that parses the contents of
|
A third type is the proxy type firewall, that parses the contents of
|
||||||
the packets, basically acting as a server to the client, and as a
|
the packets, basically acting as a server to the client, and as a
|
||||||
client to the server (man-in-the-middle). If Kerberos is to be used
|
client to the server (man-in-the-middle). If Kerberos is to be used
|
||||||
@@ -116,19 +114,17 @@ with this kind of firewall, a protocol module that handles KDC
|
|||||||
requests has to be written.
|
requests has to be written.
|
||||||
|
|
||||||
.in 3
|
.in 3
|
||||||
This type of firewall might also add extra trouble when used with
|
This type of firewall might also cause extra trouble when used with
|
||||||
kerberised versions of protocols that the proxy understands, in
|
kerberised versions of protocols that the proxy understands, in
|
||||||
addition to the ones mentioned below.
|
addition to the ones mentioned below. This is the case with the FTP
|
||||||
|
Security Extensions [RFC2228], that adds a new set of commands to the
|
||||||
This is the case with the FTP Security Extensions [RFC2228], that adds
|
FTP protocol [RFC959], for integrity, confidentiality, and privacy
|
||||||
a new set of commands to the FTP protocol [RFC959], for integrity,
|
protecting commands. When transferring data, the FTP protocol uses a
|
||||||
confidentiality, and privacy protecting commands. When transferring
|
separate data channel, and an FTP proxy will have to look out for
|
||||||
data, the FTP protocol uses a separate data channel, and an FTP proxy
|
commands that start a data transfer. If all commands are encrypted,
|
||||||
will have to look out for commands that start a data transfer. If all
|
this is impossible. A protocol that doesn't suffer from this is the
|
||||||
commands are encrypted, this is impossible.
|
Telnet Authentication Option [RFC1416] that does all authentication
|
||||||
|
and encryption in-bound.
|
||||||
An example of a protocol that doesn't suffer from this is TELNET that
|
|
||||||
does all authentication and encryption in-bound.
|
|
||||||
|
|
||||||
.ti 0
|
.ti 0
|
||||||
Scenarios
|
Scenarios
|
||||||
@@ -190,9 +186,12 @@ addition to those mentioned in [RFC1510].
|
|||||||
.ti 0
|
.ti 0
|
||||||
References
|
References
|
||||||
|
|
||||||
[RFC959] Postel, J. and Reynolds, J., \*QFILE TRANSFER PROTOCOL
|
[RFC959] Postel, J. and Reynolds, J., \*QFile Transfer Protocol
|
||||||
(FTP)\*U, RFC 969, October 1985
|
(FTP)\*U, RFC 969, October 1985
|
||||||
|
|
||||||
|
[RFC1416] Borman, D., \*QTelnet Authentication Option\*U, RFC 1416,
|
||||||
|
February 1993.
|
||||||
|
|
||||||
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
|
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
|
||||||
Authentication Service (V5)\*U, RFC 1510, September 1993.
|
Authentication Service (V5)\*U, RFC 1510, September 1993.
|
||||||
|
|
||||||
|
|||||||
@@ -61,8 +61,8 @@ Abstract
|
|||||||
.ti 0
|
.ti 0
|
||||||
Introduction
|
Introduction
|
||||||
|
|
||||||
Kerberos is a protocol for authenticating parties communicating over
|
Kerberos[RFC1510] is a protocol for authenticating parties
|
||||||
insecure networks.
|
communicating over insecure networks.
|
||||||
|
|
||||||
Firewalling is a technique for achieving an illusion of security by
|
Firewalling is a technique for achieving an illusion of security by
|
||||||
putting restrictions on what kinds of packets and how these are sent
|
putting restrictions on what kinds of packets and how these are sent
|
||||||
@@ -72,8 +72,6 @@ between the internal (so called \*Qsecure\*U) network and the global (or
|
|||||||
.ti 0
|
.ti 0
|
||||||
Definitions
|
Definitions
|
||||||
|
|
||||||
types of firewalls: ...
|
|
||||||
|
|
||||||
client: the user, process, and host acquiring tickets from the KDC and
|
client: the user, process, and host acquiring tickets from the KDC and
|
||||||
authenticating itself to the kerberised server.
|
authenticating itself to the kerberised server.
|
||||||
|
|
||||||
@@ -86,16 +84,16 @@ client, for example telnetd.
|
|||||||
Firewalls
|
Firewalls
|
||||||
|
|
||||||
A firewall is usually placed between the \*Qinside\*U and the
|
A firewall is usually placed between the \*Qinside\*U and the
|
||||||
\*Qoutside\*U and is supposed to protect the inside from the evils on
|
\*Qoutside\*U networks, and is supposed to protect the inside from the
|
||||||
the outside. There are different kinds of firewalls. The main
|
evils on the outside. There are different kinds of firewalls. The
|
||||||
differences are in the way they forward packets.
|
main differences are in the way they forward packets.
|
||||||
|
|
||||||
.Ip 1
|
.Ip \(bu
|
||||||
The most straight forward type is the one that just imposes
|
The most straight forward type is the one that just imposes
|
||||||
restrictions on incoming packets. Such a firewall could be described
|
restrictions on incoming packets. Such a firewall could be described
|
||||||
as a router that just throws away packets that match some criteria.
|
as a router that filters packets that match some criteria.
|
||||||
|
|
||||||
.Ip 2
|
.Ip \(bu
|
||||||
They may also \*Qhide\*U some or all addresses on the inside of the
|
They may also \*Qhide\*U some or all addresses on the inside of the
|
||||||
firewall, replacing the addresses in the outgoing packets with the
|
firewall, replacing the addresses in the outgoing packets with the
|
||||||
address of the firewall (aka network address translation, or NAT). NAT
|
address of the firewall (aka network address translation, or NAT). NAT
|
||||||
@@ -108,7 +106,7 @@ There are also firewalls that does NAT both on the inside and the
|
|||||||
outside (a server on the inside will see this as a connection from the
|
outside (a server on the inside will see this as a connection from the
|
||||||
firewall).
|
firewall).
|
||||||
|
|
||||||
.Ip 3
|
.Ip \(bu
|
||||||
A third type is the proxy type firewall, that parses the contents of
|
A third type is the proxy type firewall, that parses the contents of
|
||||||
the packets, basically acting as a server to the client, and as a
|
the packets, basically acting as a server to the client, and as a
|
||||||
client to the server (man-in-the-middle). If Kerberos is to be used
|
client to the server (man-in-the-middle). If Kerberos is to be used
|
||||||
@@ -116,19 +114,17 @@ with this kind of firewall, a protocol module that handles KDC
|
|||||||
requests has to be written.
|
requests has to be written.
|
||||||
|
|
||||||
.in 3
|
.in 3
|
||||||
This type of firewall might also add extra trouble when used with
|
This type of firewall might also cause extra trouble when used with
|
||||||
kerberised versions of protocols that the proxy understands, in
|
kerberised versions of protocols that the proxy understands, in
|
||||||
addition to the ones mentioned below.
|
addition to the ones mentioned below. This is the case with the FTP
|
||||||
|
Security Extensions [RFC2228], that adds a new set of commands to the
|
||||||
This is the case with the FTP Security Extensions [RFC2228], that adds
|
FTP protocol [RFC959], for integrity, confidentiality, and privacy
|
||||||
a new set of commands to the FTP protocol [RFC959], for integrity,
|
protecting commands. When transferring data, the FTP protocol uses a
|
||||||
confidentiality, and privacy protecting commands. When transferring
|
separate data channel, and an FTP proxy will have to look out for
|
||||||
data, the FTP protocol uses a separate data channel, and an FTP proxy
|
commands that start a data transfer. If all commands are encrypted,
|
||||||
will have to look out for commands that start a data transfer. If all
|
this is impossible. A protocol that doesn't suffer from this is the
|
||||||
commands are encrypted, this is impossible.
|
Telnet Authentication Option [RFC1416] that does all authentication
|
||||||
|
and encryption in-bound.
|
||||||
An example of a protocol that doesn't suffer from this is TELNET that
|
|
||||||
does all authentication and encryption in-bound.
|
|
||||||
|
|
||||||
.ti 0
|
.ti 0
|
||||||
Scenarios
|
Scenarios
|
||||||
@@ -190,9 +186,12 @@ addition to those mentioned in [RFC1510].
|
|||||||
.ti 0
|
.ti 0
|
||||||
References
|
References
|
||||||
|
|
||||||
[RFC959] Postel, J. and Reynolds, J., \*QFILE TRANSFER PROTOCOL
|
[RFC959] Postel, J. and Reynolds, J., \*QFile Transfer Protocol
|
||||||
(FTP)\*U, RFC 969, October 1985
|
(FTP)\*U, RFC 969, October 1985
|
||||||
|
|
||||||
|
[RFC1416] Borman, D., \*QTelnet Authentication Option\*U, RFC 1416,
|
||||||
|
February 1993.
|
||||||
|
|
||||||
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
|
[RFC1510] Kohl, J. and Neuman, C., \*QThe Kerberos Network
|
||||||
Authentication Service (V5)\*U, RFC 1510, September 1993.
|
Authentication Service (V5)\*U, RFC 1510, September 1993.
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user