From: "Marco Molteni" <molter@tin.it>
Date: Thu, 25 Mar 1999 10:55:14 +0100 (CET)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <4.1.19990325001254.009fb5e0@mail.dnai.com>

On Thu, 25 Mar 1999, Mike Thompson wrote:

Mike, let me jump in since I use KAME for research ;-)

> Once configured and installed KAME seems to provide a modified kernel
> that adds a new virtual network device (de0?) that can securely
> communicate with other systems similarly configured.

No. There is no "virtual network device". KAME provides IPsec (and IPv6).
IPsec lets you selectively set up encrypted and/or authenticated network
connections. You can tune the meaning of "network connections" by choosing
your IPsec "policy". If you set a per-host policy, IPsec is completely
transparent (i.e. no application needs to know about IPsec, it works
normally, but all the data is encrypted). IPsec works at the network layer,
not at the application layer (like ssh or ssl or whatever).

> Not knowing anything about VPNs, it seems that I could configure one
> server to be a router and the other systems to be hosts of the router.
> All servers could then communicate securely with each other over the
> KAME VPN.

Well, IPsec can provide both VPN (aka tunnel mode) and host-to-host (aka
transport mode) security. It depends on what you want to do. A VPN
authenticates only the two networks connected, not the specific hosts.

> A few questions I have are:
>
> 1. Can I use standard tools such as rsh, rlogin and the like
>    securely between servers with such a configuration? Or do
>    I want to still stick with ssh?

As I said before, IPsec can be completely transparent to applications.
With IPsec (properly configured ;-) you don't need ssh.

> 2. Do special versions of tools have to be compiled to work
>    with the VPN, or are standard tools OK?

See 1.

> 3. Are there implications with running IPFW on a system that
>    has a KAME installed in the Kernel?

Don't know this, sorry.

> 4. The documentation seems a little terse.

Can you say pioneer? ;-)

> Is there a good tutorial that explains how to get started with KAME on a
> FreeBSD system?

IMHO, if you want to use KAME (i.e. IPsec) and you want to know what you
are doing, you should read the RFCs defining IPsec (try
http://www.vpnc.org/ipsec-standards.html); at least you should understand
what an SA (Security Association) and a security policy are.

That said, if you search in the KAME documentation that comes in the
package and in the "newsletter" on their web site, you can find some
examples about VPNs and host-to-host security.

Marco
---
"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
"I'm sorry, this is device driver testing: brain implants are two doors
down on the right". (Bill Paul, on the freebsd-net mailing list)
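The distinction Marco draws between a per-host transport-mode policy (every application between the two hosts is protected without changes) and a tunnel-mode VPN (the SA is between the two gateways, so only the networks are authenticated, not individual hosts) comes down to how the security policy database (SPD) selects a policy for each packet. The following toy SPD lookup is an added example, not KAME code or anything from the original thread; the class names, the sample addresses (10.0.0.x hosts, 192.168.x.0/24 networks) and the two-policy layout are constructed for illustration, and the setkey(8) lines it renders follow that tool's documented spdadd syntax as an assumption to be checked against the installed man page.

```python
"""Toy IPsec security policy database (SPD): first-match selector lookup,
transport vs tunnel mode, and the SA endpoints each mode implies.
Constructed example; not KAME code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    src: str                     # CIDR selector for the inner source address
    dst: str                     # CIDR selector for the inner destination
    direction: str               # "in" or "out"
    action: str                  # "none", "discard" or "ipsec"
    mode: str = ""               # "transport" or "tunnel" when action == "ipsec"
    tunnel: Tuple[str, str] = () # (outer_src, outer_dst) gateways for tunnel mode


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str


def lookup_policy(spd, pkt: Packet) -> Optional[Policy]:
    """First matching policy wins, in the order the SPD was configured."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for p in spd:
        if p.direction != pkt.direction:
            continue
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def sa_endpoints(p: Policy, pkt: Packet) -> Tuple[str, str]:
    """Which addresses the SA is negotiated between: the hosts themselves in
    transport mode, only the gateways in tunnel mode (hence a VPN authenticates
    networks, not individual hosts)."""
    return (pkt.src, pkt.dst) if p.mode == "transport" else p.tunnel


def describe(spd, pkt: Packet) -> str:
    """Human-readable outcome for one packet under the given SPD."""
    p = lookup_policy(spd, pkt)
    if p is None or p.action == "none":
        return "cleartext"
    if p.action == "discard":
        return "dropped"
    a, b = sa_endpoints(p, pkt)
    if p.mode == "transport":
        return f"esp transport {a}->{b}"
    return f"esp tunnel {a}->{b} carrying {pkt.src}->{pkt.dst}"


def to_setkey(p: Policy) -> str:
    """Render a policy as a setkey(8) spdadd line (assumed syntax shape)."""
    if p.action != "ipsec":
        return f"spdadd {p.src} {p.dst} any -P {p.direction} {p.action};"
    if p.mode == "transport":
        return f"spdadd {p.src} {p.dst} any -P {p.direction} ipsec esp/transport//require;"
    return (f"spdadd {p.src} {p.dst} any -P {p.direction} ipsec "
            f"esp/tunnel/{p.tunnel[0]}-{p.tunnel[1]}/require;")


# Constructed sample SPD as seen from host 10.0.0.1, which is also the gateway
# for 192.168.1.0/24: transport mode to peer host 10.0.0.2 in both directions,
# a tunnel between the two networks via the gateways, everything else clear.
SPD = [
    Policy("10.0.0.1/32", "10.0.0.2/32", "out", "ipsec", "transport"),
    Policy("10.0.0.2/32", "10.0.0.1/32", "in", "ipsec", "transport"),
    Policy("192.168.1.0/24", "192.168.2.0/24", "out", "ipsec", "tunnel",
           ("10.0.0.1", "10.0.0.2")),
    Policy("192.168.2.0/24", "192.168.1.0/24", "in", "ipsec", "tunnel",
           ("10.0.0.2", "10.0.0.1")),
    Policy("0.0.0.0/0", "0.0.0.0/0", "out", "none"),
    Policy("0.0.0.0/0", "0.0.0.0/0", "in", "none"),
]


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.1", "10.0.0.2", "out"),      # rsh between the two hosts
                Packet("192.168.1.7", "192.168.2.9", "out"),  # host behind gateway A
                Packet("10.0.0.1", "10.0.0.9", "out")):       # no policy: cleartext
        print(f"{pkt.src} -> {pkt.dst}: {describe(SPD, pkt)}")
    for p in SPD:
        print(to_setkey(p))
```

Two things the model makes visible: a packet that matches no "ipsec" policy silently goes out in the clear (the default "none" entries here make that explicit; use "discard" instead where cleartext fallback is unacceptable), and each direction needs its own policy, so a host-to-host policy configured only for "out" leaves inbound traffic unprotected.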