Ahem..
Gee, a major service provider implemented this in 1996 for one of their
managed internet firewall services, and I think to this day. Talk to
Genuity (formerly GTE Internetworking (formerly BBNPlanet)).
Here is a hint: If I insert a vague assertion especially to you, I assume
you know more than me and therefore will argue whether it can be done or
not. The difference between good infosec engineers and bad ones: they
never say it can't be done. Good engineers take the problem, solve it
themselves and then send one liners to some mailing list and wait for a
flame war to begin.. Hmm, wait a minute,.. deja vu.. :)
Cheers and jeers
/m
At 10:57 AM 8/15/00 +0930, Ben Nagy wrote:
>*sigh*
>
>OK. Enlighten me. How do you use Kerberos to authenticate syslog messages
>using a Cisco router, using IOS 11.2 or greater? Heck, pick a way that works
>using any IOS you please.
>
>(Here's a hint: You can't.)
>
>I would _really_ appreciate it if you'd stop making vague assertions with no
>supporting evidence. In this particular case you're Just Wrong, and your one
>line non sequiturs don't help anyone. There is a world of difference
>between krb5 support for user auth and the IOS _and_ the logging host
>supporting a kerberised syslog app.
>
>I'm not even going to _ask_ what the ACL you included is supposed to
>illustrate. Seems to be something completely different.
>
>PS: I'm going to correct myself, as well. SSH is only available in _crypto_
>images in 12.1. Sorry if I got anyone excited.
>--
>Ben Nagy
>Network Consultant, Volante Solutions
>PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 15 August 2000 10:41 AM
> > To: Ben Nagy; [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Syslog thru Firewall
> >
> >
> > Please note that Cisco IOS version 11.2 or greater is required for
> > Kerberos V5 support.
> > http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/user_gds/index.htm
> >
> > Kerberos will not fall to the wayside, it hasn't yet. :)
> > >Nice idea but, sadly, not an option with Cisco routers.