As with most things in the security arena there is no ONE right solution
for everyone. A firewall may be a perfectly fine solution for some
organizations and some type of end system security may work for others.
If you are a site with hundreds or thousands of end systems, trying to
maintain a single centralized control over all these machines would
probably be impossible and would definitely be a nightmare.
Gary Flynn wrote:
> 1. Kerberos requires modification of each application that
> it's to be used with. Hence limited support. Hannah allows
> the use of any application using standard winsock or
> socket library calls on supported platforms.
It is very true that Kerberos requires that each end application be
kerberized, just as SSL and SOCKS require each application to be modified.
One of Hannah's failings is that it only supports TCP applications. They
say it will support UDP in a future release, but that is easy to do,
except that their key negotiation will be a terrible overhead to pay
for small UDP packet exchanges. Also, what it won't support are things
like IP multicast, and neither will any of the above.
> 3. Hannah's "certificate diskette" for each user solves
> some problems that Kerberos has on desktop machines.
This only solves the problem for PCs or single-user desktop machines.
Hannah is still only machine-based authentication no matter how you wrap
it. This doesn't solve the multiuser desktop authentication problem.
(There isn't a diskette slot on a VT100.)
The "certificate diskette" is yet another potential problem. Since the
private key is decrypted off the disk and stored in the end system, it is
available to be read by anything running on the system (especially on PCs),
and when the diskette is removed, does the private key get removed or
does the system maintain its identity/Distinguished Name? It can't check
for the presence of the diskette on every packet or it would be too slow
to be usable. In addition, the private key (though encrypted) on the
certificate diskette is copyable.