[fw-wiz] Kerberos (was: Firewall PKI integration requirements)


On Sun, Aug 20, 2006 at 09:39:02PM -0700, Carson Gaspar wrote:
--On Friday, August 18, 2006 7:48 PM +0400 ArkanoiD <ark@xxxxxxxxx> wrote:

What PKI integration/certificate management functions do you people
expect to see on the firewall? Manual import, LDAP integration
(exactly how?), CRL management features (which way)? Please describe them
to me in detail, as I am going to implement those for IPSec, SSL/TLS
and maybe other crypto functions. Is Kerberos still considered alive
and widely deployed? Should I support it, which way?

I'm not sure if you're asking about krb5/PKI, or other uses of Kerberos.

I was talking about PKI in general and Kerberos as yet another infrastructure.

Kerberos V is certainly very alive for authentication. My expectation would
be _minimally_ to support it as an authentication back-end. Kerberized
logins to the firewall itself (via ssh GSSAPI, ktelnet, or whatever) would
also be a very good idea, especially if you support krb5 principal ACLs
(e.g. gaspac/admin@xxxxxxxxxxx may log in with admin privs). Supporting
krshd pass-through would be nice (it's annoyingly just slightly different
from rshd, as I recall from my fwtk/Gauntlet days).

Well, what is the desired deployment scenario? Where do I place the KDC?

firewall-wizards mailing list
