From: David Gilbert
Date: Thu, 25 Mar 1999 16:32:52 -0500 (EST)
To: Mike Thompson
Cc: Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <14074.43908.398273.970148@trooper.velocet.ca>
In-Reply-To: <4.1.19990325120933.00ad08d0@mail.dnai.com>

>>>>> "Mike" == Mike Thompson writes:

Mike> The only way that I can see to make this even more secure would
Mike> be to run two NICs on each server so secured IP packets are
Mike> never co-mingled with Internet IP packets, even behind a router.
Mike> However, this is something that we would not like to do because
Mike> it doubles the cost of our network hardware and increases
Mike> complexity. The cost per server (both hardware and software) is
Mike> a critical factor in whether our business succeeds.

I don't believe that this is "more secure". It is simply "less dependent" on the "correctness" of ipfw (in essence creating a hardware separation in lieu of a software one).

The big hole in your design is that access to one machine implies access to all machines. Once someone gains access (through whatever means) to one machine, they can roam around freely amongst many machines.
To prevent this, you would want to pass authenticated (not necessarily encrypted) commands back and forth between the servers such that any one server could only invoke a certain narrow number of commands on another. You could do this with SSL web servers, for instance.

I suppose, from a security standpoint, I'm saying that you're breaking the "least privilege" principle. Obviously, one server doesn't/shouldn't need to be a complete bona fide user on another server.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.   | Two things can only be      |
|Mail: dgilbert@velocet.net               | equal if and only if they   |
|http://www.velocet.net/~dgilbert         | are precisely opposite.     |
=========================================================GLO================
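As an added illustration of the "authenticated, narrowly scoped commands" design the post argues for (this is example code written for this page, not anything from the post, from Velocet, or from FreeBSD): a receiving server that accepts a command only if it carries a valid MAC under that peer's key, is fresh and not replayed, and is on that peer's allow-list. It assumes per-peer shared secrets provisioned out of band and uses HMAC-SHA256 instead of the SSL web-server transport the post suggests; all peer names, keys and commands are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secrets, one per peer server. In a real deployment these
# are provisioned out of band; the values here are made up for the example.
PEER_KEYS = {
    "web1": b"web1-secret-constructed",
    "db1": b"db1-secret-constructed",
}

# Per-peer allow-list: the narrow set of commands each peer may invoke here.
# This is the least-privilege part: a peer is never a general-purpose user.
ALLOWED = {
    "web1": {"rotate_logs", "reload_config"},
    "db1": {"rotate_logs"},
}

# Handlers for the only commands this host is willing to expose (constructed).
def rotate_logs(args):
    return "rotated %s" % args.get("service", "all")

def reload_config(args):
    return "reloaded"

HANDLERS = {"rotate_logs": rotate_logs, "reload_config": reload_config}

MAX_SKEW = 60  # seconds; bounds how long a captured message stays usable

def _canonical(body):
    # Deterministic encoding so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_command(peer, key, command, args, ts=None, nonce=None):
    """Sender side: build a command message and MAC it under the peer key."""
    body = {
        "peer": peer,
        "cmd": command,
        "args": args,
        "ts": int(time.time()) if ts is None else ts,
        "nonce": nonce or os.urandom(16).hex(),
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify_and_dispatch(msg, seen_nonces, now=None):
    """Receiver side. Returns (accepted, detail).

    seen_nonces is a set the caller keeps across calls; accepted nonces are
    added to it so a captured message cannot be played back.
    """
    now = int(time.time()) if now is None else now
    body = msg.get("body", {})
    peer = body.get("peer")
    key = PEER_KEYS.get(peer)
    if key is None:
        return False, "unknown peer"
    # Authenticate first: nothing below is trusted until the MAC checks out.
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return False, "bad mac"
    if abs(now - body.get("ts", 0)) > MAX_SKEW:
        return False, "stale"
    if body.get("nonce") in seen_nonces:
        return False, "replay"
    # Authorize: even an authentic peer only gets its allow-listed commands.
    if body.get("cmd") not in ALLOWED.get(peer, set()):
        return False, "command not permitted for peer"
    seen_nonces.add(body["nonce"])
    return True, HANDLERS[body["cmd"]](body.get("args", {}))

if __name__ == "__main__":
    seen = set()
    msg = sign_command("web1", PEER_KEYS["web1"], "rotate_logs", {"service": "httpd"})
    print(verify_and_dispatch(msg, seen))   # accepted the first time
    print(verify_and_dispatch(msg, seen))   # rejected as a replay
```

The order of checks matters: the MAC is verified before any field is interpreted, and the allow-list is consulted after authentication, so compromising one peer yields only that peer's handful of commands on its neighbours rather than a shell.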