From owner-freebsd-security Sun Sep 23 11:44: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147])
	by hub.freebsd.org (Postfix) with ESMTP id 074AB37B421
	for ; Sun, 23 Sep 2001 11:44:02 -0700 (PDT)
Received: from long.near.this (long.near.this [10.0.172.9])
	by ogyo.pointer-software.com (8.11.1/8.10.1) with ESMTP id f8NIhsj09754;
	Mon, 24 Sep 2001 03:43:54 +0900 (JST)
Received: from pointer-software.com (char.near.this [10.0.172.11])
	by long.near.this (8.11.1/8.9.3) with ESMTP id f8NIhr483067;
	Mon, 24 Sep 2001 03:43:53 +0900 (JST)
Message-ID: <3BAE2D69.F8A82FE4@pointer-software.com>
Date: Mon, 24 Sep 2001 03:43:53 +0900
From: horio shoichi
Organization: pointer software
X-Mailer: Mozilla 4.76 [ja] (X11; U; Linux 2.2.18pre21 i686)
X-Accept-Language: en, ja
MIME-Version: 1.0
To: Stanley Hopcroft
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: Policy based routing/restricting access __inside__ ones net..
References: <20010921105320.A6282@IPAustralia.Gov.AU>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Stanley Hopcroft wrote:
>
> Dear Ladies and Gentlemen,
>
> I am writing to ask for advice about providing profile-dependent access
> to subsets of one's internal network.
>
> The context is having third parties access the network for maintenance.
>
> Once they get logged in on the host they are hired to maintain, how can
> I prevent them accessing other hosts while allowing __some__ access to
> others they may need for problem resolution? (given that both sets of
> hosts can be specified)
>
> Can a Kerberos realm enforce access profiles such as these (and then, if
> they were forced to use only kerberised applications, grant them tickets
> for access to some hosts only)?
>
If by realm you mean splitting servers into a possibly overlapping set of
realms, each of which has a separate set of principals (users and services),
with users accessing servers through cross-realm authentication, I see no
reason it wouldn't work.

> Can ipfilter/ipfw provide ACLs depending on user?
>

IPFilter is so low level that it has no notion of user. It only recognizes
protocol, IP address and port. If a user (or users) could be bound to a
specific set of protocol, IP address and port corresponding to an instance
of a service, then access control might be possible. But I doubt doing this
would be worth the effort.

> The access could include Solaris/FreeBSD/AIX servers as well as MS Win
> NT ...
>
> Thank you,
>
> Yours sincerely.
>
> --
> ------------------------------------------------------------------------
> Stanley Hopcroft                                           IP Australia
> Network Specialist
> +61 2 6283 3189   +61 2 6281 1353 (FAX)   Stanley.Hopcroft@IPAustralia.Gov.AU
> ------------------------------------------------------------------------
> The study of non-linear physics is like the study of non-elephant
> biology.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
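The reply's suggestion, binding the contractor's login host to a fixed set of protocol, address and port tuples, is what a packet filter can actually enforce. The ipfw ruleset below is an added example and is not code from either correspondent. It runs on the host the third party logs in to (the jump host), permits only the maintained server and the two helper hosts the question allows for, and logs and drops everything else. All addresses, the contractor's source network and the 3306 service port are assumptions for illustration. By default the script prints the rules rather than loading them; set IPFW=ipfw and run it as root on a FreeBSD host to apply them.

```shell
#!/bin/sh
# Added example: ipfw ruleset confining a maintenance jump host to the
# servers a contractor may reach. Dry run by default (IPFW="echo ipfw");
# IPFW=ipfw loads the rules for real.

IPFW="${IPFW:-echo ipfw}"

JUMP=10.0.172.50         # assumed: host the third party logs in to
CONTRACTOR=192.0.2.0/24  # assumed: network the contractor connects from
MAINTAINED=10.0.172.20   # assumed: the server they are hired to maintain
HELPER_DNS=10.0.172.21   # assumed: resolver they may query
HELPER_LOG=10.0.172.22   # assumed: log host they may read over ssh

# allow_tcp RULENO DSTHOST DSTPORT: one outbound TCP service, stateful
allow_tcp() {
    $IPFW add "$1" allow tcp from "$JUMP" to "$2" "$3" setup keep-state
}

# allow_udp RULENO DSTHOST DSTPORT: one outbound UDP service, stateful
allow_udp() {
    $IPFW add "$1" allow udp from "$JUMP" to "$2" "$3" keep-state
}

build_rules() {
    $IPFW -q flush
    # dynamic rules created by keep-state below match reply packets here
    $IPFW add 100 check-state
    # the contractor's inbound ssh session to the jump host itself
    $IPFW add 200 allow tcp from "$CONTRACTOR" to "$JUMP" 22 setup keep-state
    # the maintained host: ssh plus the service being maintained (3306 assumed)
    allow_tcp 1000 "$MAINTAINED" 22
    allow_tcp 1010 "$MAINTAINED" 3306
    # helpers the question allows for problem resolution
    allow_udp 1100 "$HELPER_DNS" 53
    allow_tcp 1110 "$HELPER_LOG" 22
    # default deny, logged so attempts to reach other hosts are visible
    $IPFW add 65000 deny log ip from any to any
}

build_rules
```

The order matters: check-state must precede the allow rules so that return packets for established sessions match the dynamic rules instead of falling through to the deny. Because the filter keys on the jump host's address, it confines every login on that host, not just the contractor; ipfw (unlike IPFilter) can also match `uid <user>` on packets the host itself sends or receives, so giving the contractor a dedicated account and adding `uid` to the allow rules narrows them to that account alone.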