Date:      Mon, 24 Sep 2001 06:10:46 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        horio shoichi <horio@pointer-software.com>
Cc:        Stanley Hopcroft <Stanley.Hopcroft@IPAustralia.gov.au>, FreeBSD-Security@FreeBSD.ORG
Subject:   Re: Policy based routing/restricting access __inside__ one's net..
Message-ID:  <200109241311.f8ODBMd08884@cwsys.cwsent.com>
In-Reply-To: Your message of "Mon, 24 Sep 2001 03:43:53 +0900." <3BAE2D69.F8A82FE4@pointer-software.com>

In message <3BAE2D69.F8A82FE4@pointer-software.com>, horio shoichi 
writes:
> Stanley Hopcroft wrote:
> > 
> > Dear Ladies and Gentlemen,
> > 
> > I am writing to ask for advice about providing profile dependent access
> > to subsets of one's internal network.
> > 
> > The context is having third parties access the network for maintenance.
> > 
> > Once they get logged in on the host they are hired to maintain, how can
> > I prevent them accessing other hosts while allowing __some__ access to
> > others they may need for problem resolution ? (given that both sets of
> > hosts can be specified)
> > 
> > Can a Kerberos realm enforce access profiles such as these (and then if
> > they were forced to use only kerberised applications, grant them tickets
> > for access to some hosts only) ?
> > 
> If you mean by realm to split servers into a possibly overlapping set of
> realms, each of which has a separate set of principals (users and services),
> and users access servers through cross-realm authentication, I see no reason
> it doesn't work.
> 
> > Can ipfilter/ipfw provide ACLs depending on user ?
> > 
> Ipfilter is so low level that it has no notion of user. It only recognizes
> protocol, IP and port. If a user (or users) could be bound to a specific
> set of protocol, IP and port corresponding to an instance of a service,
> then access control might be possible. But I doubt doing this would be
> worth the effort.

Don't forget that IPFW will only be able to filter depending on user if 
the user is on the system doing the filtering.  If you have a 
separate firewall system, access control based on user is close to 
impossible.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
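The point Cy makes above is worth seeing in rule form. The script below is an added example, not code from anyone in this thread: it emits an ipfw(8) ruleset that confines a local maintenance account to an allow-list of hosts and ports using ipfw's `uid` option. The account name `vendor`, the addresses and the ports are constructed for illustration. Because `uid` is resolved by looking up the local socket that owns the packet, such rules only work when loaded on the maintained host itself; a separate firewall box forwarding the traffic has no socket to look at and the `uid` option never matches there.

```shell
#!/bin/sh
# Added example: generate ipfw(8) rules that restrict the local account
# "vendor" (hypothetical name) to a fixed set of host:port destinations.
# The uid option matches only packets owned by a socket on THIS host, so
# this ruleset belongs on the maintained machine, not on a separate
# firewall.  Review the output, then run it as root: sh this_script | sh

VENDOR_UID=vendor
# host:port pairs the contractor may reach (constructed sample values);
# port 53 is treated as UDP (DNS), everything else as TCP.
ALLOWED="10.1.2.3:22 10.1.2.4:22 10.1.9.9:53"

# gen_vendor_rules USER HOST:PORT...  -> ipfw commands on stdout
gen_vendor_rules() {
    user="$1"; shift
    # let replies to permitted connections back in via dynamic rules
    printf 'ipfw add 100 check-state\n'
    n=1000
    for hp in "$@"; do
        host=${hp%:*}
        port=${hp##*:}
        proto=tcp
        [ "$port" = 53 ] && proto=udp
        # only sockets owned by $user may open these connections
        printf 'ipfw add %d allow %s from any to %s %s uid %s keep-state\n' \
            "$n" "$proto" "$host" "$port" "$user"
        n=$((n+10))
    done
    # anything else that account tries is dropped and logged
    printf 'ipfw add 1900 deny log ip from any to any uid %s\n' "$user"
}

gen_vendor_rules "$VENDOR_UID" $ALLOWED
```

The final deny rule is what actually enforces the profile; the allow rules are numbered so that later additions slot in before it. Traffic from other accounts falls through to whatever rules follow, so the host's normal policy is untouched.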




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109241311.f8ODBMd08884>