Date: Fri, 21 Sep 2001 10:53:21 +1000
From: Stanley Hopcroft
To: FreeBSD-Security@FreeBSD.ORG
Subject: Policy based routing/restricting access __inside__ ones net..
Message-ID: <20010921105320.A6282@IPAustralia.Gov.AU>

Dear Ladies and Gentlemen,

I am writing to ask for advice about providing profile-dependent access to subsets of one's internal network.

The context is having third parties access the network for maintenance. Once they get logged in on the host they are hired to maintain, how can I prevent them accessing other hosts while allowing __some__ access to others they may need for problem resolution? (given that both sets of hosts can be specified)

Can a Kerberos realm enforce access profiles such as these (and then if they were forced to use only kerberised applications, grant them tickets for access to some hosts only)?

Can ipfilter/ipfw provide ACLs depending on user?

The access could include Solaris/FreeBSD/AIX servers as well as MS Win NT ...

Thank you,

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft IP Australia
Network Specialist
+61 2 6283 3189 +61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
The study of non-linear physics is like the study of non-elephant biology.