Re: IPsec vs SSH (Was Re: in.telnetd vulnerability??)
From: adam morley (adam@gmi.com)
Date: 08/04/01
Date: Fri, 3 Aug 2001 15:11:49 -0700 (PDT)
From: adam morley <adam@gmi.com>
To: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: IPsec vs SSH (Was Re: in.telnetd vulnerability??)
Message-ID: <Pine.GSO.4.10.10108031509270.24983-100000@gmi.com>
On Fri, 3 Aug 2001, Darren Moffat wrote:
>>unsupported configuration. So I've been kicking around ssh vs. ipsec
>>internally. i'm leaning towards either ipsec or skip (total ip encryption) as
>>opposed to just ssh. (granted, the vulnerability is still there, but yeah.)
>
>Just to add more to the mix, what about kerberized telnet/rlogin/rsh/ftp/NFS.
i considered that, but didn't want to have to manage kerberos too. i've got enough stuff to manage. but i have been kicking it around.
>
>On the IPsec vs SSH: the two protocols have very different goals.
>
>IPsec is about protecting everything on the network and isn't about user
>authentication.
right, the user authentication part is not much of an issue, because the network is fairly secure, i.e. who is accessing it and such.
>
>The SSH protocols contain user and host authentication as well as provision
>for protecting the traffic en route, but it is really just telnet on some
>serious drugs.
>
>What exactly is the threat you want to protect against ?
>
>If it is just network snooping and you control the whole network then
>IPsec might be a very good idea, since SSH only helps the "remote login"
>traffic it won't help your SQL lookups to your Oracle DB or your http
>lookups to that important intranet site.
and that is more the deal, is securing everything w/o having to tunnel it with ssh.
>
>Both are very good solutions for what they do but you need to fully
>understand what it is you want to protect against.
>
>
>IPsec and Kerberos (via SEAM) are your options if you want a fully
>supported solution from Sun.
is kerberos pretty easy to configure and manage? straightforward? the one thing i remember about kerberos is that one has to login to one's key or get their ticket or something to that effect. or is that handled on login?
>
>--
>Darren J Moffat
>
>
--
bb&thanks
adam

Do you know what a kibibit, mebibyte, or gibibyte is? go to http://physics.nist.gov/cuu/Units/binary.html to find out!