> Subject: Re: Kerberized Proxies
>
> >Received: 8/27/96 7:58 AM
> >To: Firewalls@GreatCircle.COM
> >
> >Does anyone know of a firewall package (preferably one with commercial
> >support) that can use kerberos V authentication for proxy based
> >audit and access? With kerberos V's capability for a "single sign
> >on" environment for internal users and cross realm authentication
> >for external users, a firewall solution that can take advantage of
> >these features of a kerberos environment would be very appealing.
> >
> > -- William McVey
> > Senior Data Protection Analyst
> > Federal Express Corporation
I think I asked the same question a while back and still haven't heard of
a positive. Nevertheless, we are setting up Kerberos to go through a
firewall - or at least we will as soon as Cross-Realm issues are
resolved with a vendor's product and we can test against a stable
configuration. This minute we have a choice of going with a supported
vendor's product that doesn't seem to work or with MIT freeware that
works _most_ of the time. At least the vendor is putting in a good
pre-sales engineering effort.
Kerberos V5 uses UDP on port 88 to send its Authentication and Ticket
Granting Ticket packets. Theoretically all you need to do is set up a
protected KDC and open up an inbound filter from address A to your KDC
on UDP for port 88, and from the KDC outbound to anywhere you have
clients. Internal Kerberized clients (but not servers) also have to get
out on UDP port 88 to external KDCs.
My personal preference is to put the KDC on a fourth firewall interface
in its own DMZ. Another DMZ is used by WWW servers etc. and I have an
internal and external net for the ordinary stuff. My main reason for
the fourth DMZ is that the Kerberos code is still in Beta - 9/1/96 is
the scheduled release of Beta 7, 11/1/96 is supposed to be the Golden.
Lots of patches and each Beta seems to have new features and major
changes in administration, so I won't trust the code to keep the UDP
stream honest.
In theory this should work well if the KDC code is solid and doesn't
leave port 88 open when it crashes (we've seen it crash; whether it's
the MIT code or the OS's fault is someone else's worry). Since I have
the KDC in a DMZ nothing can originate from it to the internal net.
Internal clients contact the KDC for cross-realm tickets, so on the
firewall all I need is "stateful inspection" rules for UDP packet
origin and a timed response window. I believe Firewall-1 and NSC's
filtering firewalls can do this. I'm also checking a couple of "proxy"
firewalls to see how they handle UDP (along with a bunch of other
stuff).
By the way, NCSA is rumored to have a kerberized WWW server and
browser. I haven't tracked it down yet. (URL anyone? (www.ncsa.com
doesn't count :))
Actually, Kerberos authentication on the firewall itself does not make a
lot of sense unless you have a weird setup (we do and it _almost_ makes
sense for us). If your internal nodes are _not_ kerberized then there
are a lot of other good authentication products out there and you save
yourself the headache of all the Kerberos proxies. If your internal
systems and applications are Kerberized then why go through the overhead
of decrypting and encrypting on the firewall? Set your firewall to pass
traffic only to specific server ports where the Kerberized applications
are waiting. Non-kerberized applications are handled "normally" by the
firewall. Of course, your home grown kerberized applications must not
crash and leave the server ports open... so now you have to monitor a
bunch of separate machines. (Same thing with SQL through the firewall -
you have to monitor the DB access permissions and apps. At least
primitive SQL proxies are starting to show up.)
If interested we can continue this later, or off-line. The sun is rising
so it must be my bedtime!
--
Adam Safier asafier@csc.com
CSC-SED-Infosec (301) 794-1349
Kerberos is a three headed bitch! It's true, just look carefully at the
MIT Kerberos logo.
The above are my own opinions,
and I'm proud to live in a country where I'm free to express them!
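As an added illustration (not part of Adam Safier's post or of any firewall product he names), here is a small Python model of the "stateful inspection" rule he describes for Kerberos over UDP/88: requests are admitted by origin (internal clients to the protected KDC or to external KDCs; only the peer realm's KDC, "address A", from outside to ours), each admitted request opens a single-response window, and a KDC reply is passed only if it answers a pending request inside that window. The KDC sits on its own DMZ interface and can never originate traffic to the internal net. All addresses, the 5-second window and the packet trace are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

KERBEROS_PORT = 88
REPLY_WINDOW = 5.0  # seconds; an assumed value for the "timed response window"

# Constructed addresses (documentation/private ranges), not taken from the post.
INTERNAL_NET = ip_network("10.0.0.0/8")       # internal interface
KDC_DMZ_NET = ip_network("192.0.2.0/24")      # fourth interface: KDC-only DMZ
INTERNAL_KDC = ip_address("192.0.2.10")       # our protected KDC
REMOTE_KDC = ip_address("198.51.100.5")       # "address A": the other realm's KDC


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class KerberosUdpFilter:
    """Stateful filter for UDP/88: origin check plus a timed, single-reply window."""

    def __init__(self, window=REPLY_WINDOW):
        self.window = window
        # flow key (requester ip, requester port, kdc ip) -> expiry timestamp
        self.pending = {}

    @staticmethod
    def _zone(ip):
        if ip in INTERNAL_NET:
            return "internal"
        if ip in KDC_DMZ_NET:
            return "kdc-dmz"
        return "external"

    def _expire(self, now):
        # Drop state whose response window has closed.
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def allow(self, pkt, now):
        self._expire(now)
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        szone, dzone = self._zone(src), self._zone(dst)

        # 1. Requests to a KDC: decide by packet origin, then remember the flow.
        if pkt.dport == KERBEROS_PORT:
            ok = (
                # internal clients may reach our KDC or any external KDC
                (szone == "internal" and (dst == INTERNAL_KDC or dzone == "external"))
                # from outside, only the peer realm's KDC may reach our KDC
                or (szone == "external" and src == REMOTE_KDC and dst == INTERNAL_KDC)
            )
            if ok:
                self.pending[(src, pkt.sport, dst)] = now + self.window
            return ok

        # 2. Replies from a KDC: one only, to the requester only, inside the window.
        if pkt.sport == KERBEROS_PORT:
            key = (dst, pkt.dport, src)
            if key in self.pending:
                del self.pending[key]  # a single response consumes the state
                return True
            return False

        # 3. Everything else in this rule set is denied, so nothing unsolicited
        #    can originate from the KDC DMZ (e.g. after a crash) toward the inside.
        return False


def run_trace(trace, window=REPLY_WINDOW):
    """Apply the filter to (timestamp, packet) pairs; return the verdict per packet."""
    fw = KerberosUdpFilter(window)
    return [fw.allow(pkt, t) for t, pkt in trace]


# Constructed trace: a client exchange, a duplicate and an unsolicited KDC packet,
# a late reply past the window, and the cross-realm exchange with address A.
SAMPLE_TRACE = [
    (0.0, Packet("10.1.2.3", 40001, "192.0.2.10", 88)),      # client -> our KDC
    (0.2, Packet("192.0.2.10", 88, "10.1.2.3", 40001)),      # KDC reply inside window
    (0.3, Packet("192.0.2.10", 88, "10.1.2.3", 40001)),      # duplicate reply, state used
    (1.0, Packet("192.0.2.10", 88, "10.9.9.9", 5000)),       # unsolicited KDC -> internal
    (2.0, Packet("10.1.2.3", 40002, "203.0.113.7", 88)),     # client -> external KDC
    (9.0, Packet("203.0.113.7", 88, "10.1.2.3", 40002)),     # reply after window expired
    (10.0, Packet("198.51.100.5", 3000, "192.0.2.10", 88)),  # address A -> our KDC
    (10.1, Packet("192.0.2.10", 88, "198.51.100.5", 3000)),  # our KDC answers A
    (11.0, Packet("203.0.113.9", 3001, "192.0.2.10", 88)),   # other external host -> KDC
]

if __name__ == "__main__":
    for (t, pkt), verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{t:5.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{'PASS' if verdict else 'DROP'}")
```

The point of the window plus the consumed state is the failure mode the post worries about: if the KDC crashes and something else starts answering on port 88, or the KDC emits packets nobody asked for, nothing reaches the internal net, because a reply is only ever matched against a request the firewall itself saw.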