David Lang wrote:
>Marcus, is this the case for all of the FWTK proxies or just some of them?

Well, <cough> if it means anything, we use a firewall-1 and a bunch of
proxies as I described earlier. There are no fwtk components running
at NFR...

>the only problems I have with openssh replacing telnet, rlogin and ftp are
>that:
>1. the clients are not on all machines

My logic on this one is that if you didn't want to get into the machine
badly enough to download putty/scp then you didn't want to get in badly
enough that we'll let you in. :)

>2. you can't (easily) use strong authentication other than certificates.

True. We've been looking at rolling some of the tokens out
here since we're worried about ever-smarter trojans and keystealers.
There was a tool with the fwtk that was basically a login wrapper; it
sat in front of /bin/sh as the user's login shell, did a challenge/response
and then exec'd their real shell. That's a viable place to add c/r
behind something like ssh if you're really really paranoid.

>http-gw, is this what you are suggesting using squid for?

Yes. I was never particularly comfortable with http-gw; the initial
implementation was sloppy (don't blame me, I didn't write it... I didn't
want to support web at all!) and there were several places that
looked like possible pits of buffer overrun. Squid cache is
too large to audit but we run it on a standalone machine
that is on its own subnet and runs squid chrooted. <shrug>
It seemed easier and faster than fixing up an http-gw.

>plug-gw, for things that don't fit the other proxies is there something
>else you suggest?

Plug-gw is still OK. :) Remember: it doesn't _do_ anything
though! It's just a hole...

>x-gw, when used in conjunction with tn-gw it can let you run X through an
>internal non-transparent firewall, is there anything to replace this?

Yes; we don't permit X. Though I guess you could tunnel X over ssh
if you were stubborn enough.

>I agree that the FWTK has some (fairly severe) limits on what it should be
>used for, but within those limits I still see it as useful.

Hey, I'm not bashing fwtk. :) It certainly had its place and at one point
in time a significant percentage (something like 20%) of the Internet
firewalls were based on it. Not bad! :) But it's definitely dated and I
get a bit nervous when I see someone looking at deploying it today.
Especially when 'good' firewalls are so cheap and more up to date
components are easy to find.

mjr.
---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com
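The fwtk-style login wrapper Marcus describes (a program installed as the user's login shell that runs a challenge/response and only then exec's the real shell) is small enough to sketch. The following is an added example written for this thread, not fwtk's own wrapper: it assumes a per-user shared secret at the hypothetical path /etc/cr-secrets/<user> (hex-encoded), a REAL_SHELL environment variable naming the shell to exec (default /bin/sh), and derives the expected response as the leading 8 hex digits of HMAC-SHA256(secret, challenge), which is one common token scheme, not necessarily the one fwtk used. It fails closed on EOF, missing secret, or exhausted attempts, and never reaches the real shell unless verification succeeds.

```python
"""Challenge/response login wrapper (added example, modelled on the fwtk
login wrapper idea from the thread; not fwtk code).

Install as the user's login shell; on success it exec()s the real shell
so the wrapper process is replaced and nothing of it lingers.
"""
import hashlib
import hmac
import os
import secrets
import sys

# Hypothetical configuration, not from fwtk:
SECRET_DIR = "/etc/cr-secrets"   # one hex-encoded secret file per user
RESPONSE_DIGITS = 8              # length of the code the user types back


def make_challenge() -> str:
    """Fresh random nonce per attempt so a captured response cannot be replayed."""
    return secrets.token_hex(8)


def expected_response(secret: bytes, challenge: str) -> str:
    """Response = first RESPONSE_DIGITS hex chars of HMAC-SHA256(secret, challenge)."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).hexdigest()
    return mac[:RESPONSE_DIGITS]


def verify(secret: bytes, challenge: str, response: str) -> bool:
    """Constant-time comparison; wrong-length or malformed input fails closed."""
    want = expected_response(secret, challenge)
    got = response.strip().lower()
    if len(got) != len(want):
        return False
    return hmac.compare_digest(want, got)


def run_wrapper(secret: bytes, real_shell: str, attempts: int = 3,
                read_line=None, write=None, challenge_fn=make_challenge,
                exec_fn=os.execv) -> bool:
    """Prompt up to `attempts` times; exec the real shell on success.

    read_line/write/challenge_fn/exec_fn are injectable so the logic can be
    exercised without a terminal. Returns False (and never execs) on failure.
    """
    read_line = read_line or sys.stdin.readline
    write = write or sys.stdout.write
    for _ in range(attempts):
        challenge = challenge_fn()
        write(f"Challenge: {challenge}\nResponse: ")
        sys.stdout.flush()
        response = read_line()
        if not response:
            break  # EOF: fail closed rather than re-prompt forever
        if verify(secret, challenge, response):
            # Replace this process with the user's real shell as a login shell
            # (argv[0] prefixed with '-', the convention login(1) uses).
            exec_fn(real_shell, ["-" + os.path.basename(real_shell)])
            return True  # only reached if exec_fn returns, e.g. under test
    write("Access denied.\n")
    return False


def load_secret(user: str) -> bytes:
    """Read the user's hex secret; raises on any problem so the caller refuses login."""
    with open(os.path.join(SECRET_DIR, user), "rb") as f:
        return bytes.fromhex(f.read().decode("ascii").strip())


if __name__ == "__main__":
    try:
        user_secret = load_secret(os.environ.get("USER", "nobody"))
    except (OSError, ValueError):
        sys.stderr.write("No challenge/response secret configured; refusing login.\n")
        sys.exit(1)
    ok = run_wrapper(user_secret, os.environ.get("REAL_SHELL", "/bin/sh"))
    sys.exit(0 if ok else 1)
```

The point of the design is that the wrapper sits behind ssh's own key authentication, so a stolen private key or keystroke-logged password alone is not enough: the attacker also needs the token secret, and the random nonce means a sniffed response is useless next time. The secret file must be readable only by the wrapper (root or a setuid helper), otherwise the user's own compromised account could simply read it.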

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls