From owner-freebsd-security Mon Sep 24 06:12:07 2001
Message-Id: <200109241311.f8ODBMd08884@cwsys.cwsent.com>
Date: Mon, 24 Sep 2001 06:10:46 -0700
From: Cy Schubert - ITSD Open Systems Group
To: horio shoichi
Cc: Stanley Hopcroft, FreeBSD-Security@FreeBSD.ORG
Subject: Re: Policy based routing/restricting access __inside__ one's net..
In-reply-to: Your message of "Mon, 24 Sep 2001 03:43:53 +0900." <3BAE2D69.F8A82FE4@pointer-software.com>

In message <3BAE2D69.F8A82FE4@pointer-software.com>, horio shoichi writes:
> Stanley Hopcroft wrote:
> >
> > Dear Ladies and Gentlemen,
> >
> > I am writing to ask for advice about providing profile-dependent access
> > to subsets of one's internal network.
> >
> > The context is having third parties access the network for maintenance.
> >
> > Once they get logged in on the host they are hired to maintain, how can
> > I prevent them accessing other hosts while allowing __some__ access to
> > others they may need for problem resolution? (given that both sets of
> > hosts can be specified)
> >
> > Can a Kerberos realm enforce access profiles such as these (and then, if
> > they were forced to use only kerberised applications, grant them tickets
> > for access to some hosts only)?
> >
> If you mean by realm to split servers into a possibly overlapping set of
> realms, each of which has a separate set of principals (users and services),
> and users access servers through cross-realm authentication, I see no reason
> it doesn't work.
>
> > Can ipfilter/ipfw provide ACLs depending on user?
> >
> Ipfilter is so low level that it has no notion of user. It only recognizes
> protocol, ip and port. If a user (or users) could be bound to a specific
> set of protocol, ip and port corresponding to an instance of service,
> then access control might be possible. But I doubt doing this would be
> worth the effort.

Don't forget that ipfw will only be able to filter depending on user if
the user is on the system doing the filtering. If you have a separate
firewall system, access control based on user is close to impossible.

Regards,                        Phone:  (250)387-8437
Cy Schubert                       Fax:  (250)387-5766
Team Leader, Sun/Alpha Team  Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
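To make the point about where ipfw's uid matching can and cannot apply concrete, here is an added example (a shell script written for this page, not code from this message, from the list, or from FreeBSD's own tooling). It generates two rule sets: one for the maintained host, where ipfw can match the contractor's socket owner with the `uid` option and so confine just that account's outbound connections, and one for a separate perimeter firewall, which only ever sees the maintained host's address and therefore restricts every user on it. The contractor uid 1001, the targets 10.1.2.10:22 and 10.1.2.20:23, and the maintained host 10.1.2.5 are constructed values; by default the script only echoes the `ipfw` commands (set `IPFW=/sbin/ipfw` on the host to actually load them).

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rule generation that scopes a
# contractor's outbound access on the maintained host itself, where ipfw can
# see the socket owner, contrasted with what a separate perimeter firewall
# can express (source address and port only, no uid).
# Assumed/constructed values: contractor uid 1001, allowed targets
# 10.1.2.10:22 and 10.1.2.20:23, maintained host 10.1.2.5.

IPFW=${IPFW:-"echo ipfw"}   # dry-run by default; IPFW=/sbin/ipfw loads for real

# host_rules UID HOST:PORT...
# Rules for the maintained host: permit new TCP connections from UID to each
# listed host:port, then deny (and log) anything else UID originates.
# Assumes earlier rules already pass "established" traffic and the contractor's
# own inbound login session. uid matching needs a local socket, so these rules
# are only meaningful on the host the contractor is logged in to.
host_rules() {
    uid=$1; shift
    n=1000
    for hp in "$@"; do
        host=${hp%%:*}
        port=${hp##*:}
        echo "add $n allow tcp from any to $host $port out setup uid $uid"
        n=$((n + 1))
    done
    echo "add $n deny log ip from any to any out uid $uid"
}

# perimeter_rules MAINT_HOST HOST:PORT...
# The closest a separate firewall can get: it sees only the maintained host's
# address, so the restriction applies to every user on that host, not just
# the contractor. Note the absence of any uid option.
perimeter_rules() {
    src=$1; shift
    n=2000
    for hp in "$@"; do
        host=${hp%%:*}
        port=${hp##*:}
        echo "add $n allow tcp from $src to $host $port setup"
        n=$((n + 1))
    done
    echo "add $n deny log ip from $src to any"
}

# load_rules: feed generated rules to ipfw one per line (echoed in dry-run).
load_rules() {
    while read -r rule; do
        $IPFW $rule
    done
}

# count_rules: number of "add" lines on stdin, for sanity-checking a rule set.
count_rules() { grep -c '^add '; }

# On the maintained host (per-user scope):
host_rules 1001 10.1.2.10:22 10.1.2.20:23 | load_rules
# On the perimeter firewall (per-host scope only):
perimeter_rules 10.1.2.5 10.1.2.10:22 10.1.2.20:23 | load_rules
```

The host rule set is the one that actually answers the original question: it rides on the login host's knowledge of which uid owns each socket, which is exactly the information a separate firewall never has. The perimeter set is still worth loading as defence in depth, but it cannot tell the contractor apart from the administrators who share that host.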