From owner-freebsd-security Thu Mar 25 0:25:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dnai.com (dnai.com [207.181.194.98]) by hub.freebsd.org (Postfix) with ESMTP id C5D9B14DC8 for ; Thu, 25 Mar 1999 00:25:35 -0800 (PST) (envelope-from miket@dnai.com)
Received: from einstein (dnai-207-181-255-34.dialup.dnai.com [207.181.255.34]) by dnai.com (8.8.8/8.8.8) with SMTP id AAA22904; Thu, 25 Mar 1999 00:24:37 -0800 (PST)
Message-Id: <4.1.19990325001254.009fb5e0@mail.dnai.com>
X-Sender: miket@mail.dnai.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Thu, 25 Mar 1999 00:23:44 -0800
To: 0x1c
From: Mike Thompson
Subject: Re: Kerberos vs SSH
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <4.1.19990324113601.0097aeb0@mail.dnai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nick,

Thanks for the tip. I have downloaded KAME and looked at the documentation.

Once configured and installed, KAME seems to provide a modified kernel that adds a new virtual network device (de0?) that can securely communicate with other systems similarly configured. Not knowing anything about VPNs, it seems that I could configure one server to be a router and the other systems to be hosts of the router. All servers could then communicate securely with each other over the KAME VPN.

A few questions I have are:

1. Can I use standard tools such as rsh, rlogin and the like securely between servers with such a configuration? Or do I want to still stick with ssh?

2. Do special versions of tools have to be compiled to work with the VPN, or are standard tools OK?

3. Are there implications with running IPFW on a system that has KAME installed in the kernel?

4. The documentation seems a little terse. Is there a good tutorial that explains how to get started with KAME on a FreeBSD system?

Thanks,

Mike Thompson

At 11:10 AM 3/25/99 +0000, 0x1c wrote:
>You might also be interested at implementing some sort of a VPN between
>the servers. Have a look at www.kame.net for a free *BSD IPsec
>implementation.
>
>Cheers,
>Nick
>
>--
>Therefore those skilled at the unorthodox are as infinite as heaven and
>earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War
>
>On Wed, 24 Mar 1999, Mike Thompson wrote:
>
>> We are configuring a series of web servers running FreeBSD 2.2.8
>> for a new Internet service. To implement our service we need
>> to provide a mechanism for secure communication between the
>> servers using an rsh-like facility.
>>
>> One method of doing this would be to run SSH on each server for
>> encrypted/authenticated communication. However, the downsides
>> of this are that there wouldn't be a central administration
>> facility for managing authentication information (unless we
>> create one), ssh has a relatively high CPU overhead to encrypt
>> all communications and we would like to avoid paying the substantial
>> license fees for SSH across a large number of servers.
>>
>> An alternative would be to run a rsh in combination with a
>> Kerberos server to centrally administer authentication
>> information between each server. Communication between the
>> servers would take place behind a router to prevent
>> interception of the unencoded packets. We would also use
>> IPFW to restrict communication with rsh as further protection
>> against hacking.
>>
>> Does anyone here have an opinion as to whether rsh and Kerberos
>> can be used in this manner for efficient and secure communication
>> between web servers running a distributed application?
>>
>> Ideally, we want to keep the cost per server as low as possible
>> with regards to licensing fees, but we also don't want to compromise
>> on security.
>>
>> Thanks,
>>
>> Mike Thompson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
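Added example, not from this thread and not KAME's own code: a small generator for the per-host setkey(8) and ipfw(8) configuration that the setup asked about above would need. It uses manually keyed ESP in transport mode directly between the servers, which needs no virtual interface and no rebuilt tools, because IPsec is applied in the kernel below the socket layer, so rsh and rlogin run unchanged; the "require" policies make the kernel drop cleartext packets to or from a peer, and the ipfw rules admit only ESP and rsh from mesh members. The 10.0.0.x addresses, the de0 interface name, the 3des-cbc/hmac-sha1 choice, the rule numbers and the rsh port 514 are assumptions for illustration; the setkey syntax follows the current setkey(8) manual.

```python
"""Added example (not from the original thread): generate per-host KAME
setkey(8) and ipfw(8) configuration for a full mesh of manually keyed
ESP transport-mode SAs between a set of servers.  Addresses, interface
name and the 3des-cbc/hmac-sha1 choice are assumptions for illustration."""
import itertools
import os

ESP_KEY_BYTES = 24    # 3des-cbc takes a 192-bit key
AUTH_KEY_BYTES = 20   # hmac-sha1 takes a 160-bit key
FIRST_SPI = 0x1000    # SPIs 0-255 are reserved; start well above them


def gen_sas(hosts, rand=os.urandom):
    """One (spi, esp_key_hex, auth_key_hex) per ordered pair of hosts.
    SAs are unidirectional, so a mesh of n hosts needs n*(n-1) of them."""
    sas = {}
    for spi, (src, dst) in enumerate(itertools.permutations(hosts, 2), FIRST_SPI):
        sas[(src, dst)] = (spi, rand(ESP_KEY_BYTES).hex(), rand(AUTH_KEY_BYTES).hex())
    return sas


def setkey_conf(host, hosts, sas):
    """setkey -f input for `host`: SAD entries for both directions of each
    peer pair plus SPD entries that *require* ESP, so cleartext packets
    to or from a peer are dropped by the kernel rather than delivered."""
    lines = ["flush;", "spdflush;"]
    for peer in hosts:
        if peer == host:
            continue
        for src, dst in ((host, peer), (peer, host)):
            spi, ek, ak = sas[(src, dst)]
            lines.append(f"add {src} {dst} esp 0x{spi:x} -m transport "
                         f"-E 3des-cbc 0x{ek} -A hmac-sha1 0x{ak};")
        lines.append(f"spdadd {host} {peer} any -P out ipsec esp/transport//require;")
        lines.append(f"spdadd {peer} {host} any -P in ipsec esp/transport//require;")
    return "\n".join(lines) + "\n"


def ipfw_rules(host, hosts, iface, rsh_port=514):
    """ipfw rules for `host`: admit ESP only between mesh members and
    rsh only from them; everything else to the rsh port is denied."""
    peers = [p for p in hosts if p != host]
    rules = []
    for p in peers:
        rules.append(f"ipfw add 100 allow esp from {p} to {host} in via {iface}")
        rules.append(f"ipfw add 100 allow esp from {host} to {p} out via {iface}")
        rules.append(f"ipfw add 200 allow tcp from {p} to {host} {rsh_port} in via {iface}")
    rules.append(f"ipfw add 300 deny tcp from any to {host} {rsh_port} in via {iface}")
    return rules


def check_conf(conf):
    """Sanity checks before loading: key lengths match the algorithms,
    SPIs are unique and outside the reserved range, and every SA has a
    matching 'require' policy in the SPD."""
    spis, sa_pairs, spd_pairs = set(), set(), set()
    for line in conf.splitlines():
        w = line.rstrip(";").split()
        if w and w[0] == "add":
            spi = int(w[4], 16)
            if spi <= 255 or spi in spis:
                return False
            spis.add(spi)
            ek = w[w.index("-E") + 2]
            ak = w[w.index("-A") + 2]
            if len(ek) != 2 + 2 * ESP_KEY_BYTES or len(ak) != 2 + 2 * AUTH_KEY_BYTES:
                return False
            sa_pairs.add((w[1], w[2]))
        elif w and w[0] == "spdadd":
            if not w[-1].endswith("/require"):
                return False
            spd_pairs.add((w[1], w[2]))
    return sa_pairs == spd_pairs and bool(sa_pairs)


if __name__ == "__main__":
    mesh = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed addresses
    sas = gen_sas(mesh)
    for h in mesh:
        conf = setkey_conf(h, mesh, sas)
        assert check_conf(conf)
        print(f"# ---- {h}: setkey -f ----\n{conf}")
        print("\n".join(ipfw_rules(h, mesh, "de0")))
```

Two caveats a practitioner would check. Manual keying grows as n(n-1) SAs and the keys must be copied to every host over a channel that is already trusted; KAME ships racoon for IKE, which replaces that with per-peer credentials. And IPsec authenticates the peer address, not the user: rsh's .rhosts trust still rests on that address, so the ipfw and "require" rules above are what stop a non-member from reaching the rsh port in cleartext, and whether the decapsulated packet is seen by ipfw a second time depends on the kernel version, which the rule counters in ipfw show will tell you.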