[zorp] zorp vs. TIS

Balazs Scheidler bazsi@balabit.hu
Tue, 13 Feb 2001 14:21:52 +0100


On Tue, Feb 13, 2001 at 08:15:02AM -0500, Tim Sailer wrote:
> On Tue, Feb 13, 2001 at 01:44:24PM +0100, Balazs Scheidler wrote:
> > telnet is under consideration. It was not a primary objective, since there's
> > not too much you can do with the telnet protocol (except for option
> > negotiation and environment variable filtering), a simple plug would
> > suffice. Telnet is inherently insecure, it shouldn't be used in security
> > conscious environments, a proxy wouldn't change this.
> 
> We are looking for authenticated sessions, where there is no other 
> choice. We have a LOT of legacy systems (PDPs and Vaxes) that can only
> talk the legacy protocols.

Yes, that's why we are considering telnet.

> 
> > SSH is also planned. Personally I have already implemented a working SSH2
> > proxy (in the LSH project), but Zorp will probably use an independent
> > implementation.
> 
> OK. I'd be interested in seeing this.

ok.

> 
> > > ALso, what about authentication? We use T.Rex right now since it uses
> > > Radius as one of its authentication methods, and that gives us One Time 
> > > Passwords with our Radius/CryptoCard server.
> > 
> > We have our own authentication system, currently supporting S/Key and
> > CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we
> > are redesigning some parts.
> 
> That's a problem with a lot of things that use CryptoCard. Everyone
> supports it in their own way. We have a full enterprise rolled out
> with cryptocards, and for us to have to maintain 2 separate sets of
> account info would be hard. We use Radius backended by the cryptoadmin
> server, and that gives us a common OTP for all our services, including
> logging in to hosts, since there is a pam_radius_auth module.

Our system isn't necessarily closed. It can use a radius server as a
backend.

> > > We're also looking for Telnet and FTP proxies that are Kerberos5 aware.
> > > I'm pretty sure we'll have to roll our own on that one.
> > 
> > What do you mean by that? Authenticate your users for going through
> > the firewall?
> 
> Yes. And, if they have a valid ticket already, let them pass through without
> any more authentication.

We'll think about it.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
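Bazsi's remark above that a telnet proxy has little to do beyond option negotiation and environment-variable filtering, as an added example that is not Zorp code and not either poster's: a Python filter for one direction of a telnet stream (RFC 854) that forwards only allow-listed options, refuses blocked ones on the peer's behalf so the other side is not left waiting, and rewrites NEW-ENVIRON (RFC 1572) IS/INFO lists so that variables such as LD_PRELOAD never reach the legacy host. The two allow-lists, the variable names and the sample stream are assumptions constructed for the illustration, not policy from the thread.

```python
# Telnet option / NEW-ENVIRON filter (RFC 854, RFC 1572). Added example, not Zorp code;
# the two allow-lists below are assumed policy, not anything the thread specifies.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_NEW_ENVIRON = 39
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2                    # NEW-ENVIRON subnegotiation commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3   # NEW-ENVIRON field markers
ENV_MARKERS = (ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR)

# Assumed policy: BINARY, ECHO, SUPPRESS-GO-AHEAD, TERMINAL-TYPE, NAWS, NEW-ENVIRON.
ALLOWED_OPTIONS = frozenset({0, 1, 3, 24, 31, OPT_NEW_ENVIRON})
# Assumed policy: the only environment variables allowed to reach the host.
ALLOWED_ENV = frozenset({b"USER", b"TERM", b"DISPLAY"})

def _read_field(payload, i):
    """Read one name or value starting at i; ESC makes the following byte literal."""
    out = bytearray()
    while i < len(payload) and payload[i] not in (ENV_VAR, ENV_VALUE, ENV_USERVAR):
        if payload[i] == ENV_ESC and i + 1 < len(payload):
            i += 1
        out.append(payload[i])
        i += 1
    return bytes(out), i

def _parse_env(payload):
    """Decode an IS/INFO variable list into [(kind, name, value-or-None), ...]."""
    items, i = [], 0
    while i < len(payload):
        kind = payload[i]
        if kind not in (ENV_VAR, ENV_USERVAR):
            raise ValueError("malformed NEW-ENVIRON list")
        name, i = _read_field(payload, i + 1)
        value = None
        if i < len(payload) and payload[i] == ENV_VALUE:
            value, i = _read_field(payload, i + 1)
        items.append((kind, name, value))
    return items

def _encode_field(data):
    """Re-escape marker bytes inside a name or value."""
    return bytes(b for x in data for b in ((ENV_ESC, x) if x in ENV_MARKERS else (x,)))

def filter_new_environ(sub, allowed_env=ALLOWED_ENV):
    """Rebuild an IS/INFO body (after the option byte) keeping only allowed variables.
    SEND carries names only (a request for values), so it passes through unchanged."""
    if not sub or sub[0] not in (ENV_IS, ENV_INFO):
        return sub
    kept = bytearray([sub[0]])
    for kind, name, value in _parse_env(sub[1:]):
        if name not in allowed_env:
            continue                                    # e.g. LD_PRELOAD is dropped here
        kept += bytes([kind]) + _encode_field(name)
        if value is not None:
            kept += bytes([ENV_VALUE]) + _encode_field(value)
    return bytes(kept)

def filter_telnet(data, allowed_options=ALLOWED_OPTIONS, allowed_env=ALLOWED_ENV):
    """Filter one direction of a telnet stream. Returns (forward, reply): `forward` goes
    on to the other side; `reply` goes back to the sender and refuses every option the
    policy blocks, so the peer is not left waiting for an answer."""
    forward, reply = bytearray(), bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            forward.append(data[i]); i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC sequence")
        cmd = data[i + 1]
        if cmd == IAC:                                  # escaped literal 0xff
            forward += b"\xff\xff"; i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            opt = data[i + 2]
            if opt in allowed_options:
                forward += data[i:i + 3]
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])        # refuse on the peer's behalf
            elif cmd == DO:
                reply += bytes([IAC, WONT, opt])
            i += 3                                      # WONT/DONT of a blocked option: drop
        elif cmd == SB:
            j = i + 2                                   # find the closing IAC SE, skipping IAC IAC
            while j < n and not (data[j] == IAC and j + 1 < n and data[j + 1] != IAC):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= n or data[j + 1] != SE:
                raise ValueError("truncated or malformed subnegotiation")
            body, i = data[i + 2:j].replace(b"\xff\xff", b"\xff"), j + 2
            if not body or body[0] not in allowed_options:
                continue                                # blocked option: drop the whole SB
            try:
                if body[0] == OPT_NEW_ENVIRON:
                    body = body[:1] + filter_new_environ(body[1:], allowed_env)
            except ValueError:
                continue                                # malformed variable list: drop it
            forward += bytes([IAC, SB]) + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])
        else:
            forward += data[i:i + 2]; i += 2            # NOP, AYT, IP, ...: pass unchanged
    return bytes(forward), bytes(reply)

# Constructed sample (client -> server): login text, WILL NEW-ENVIRON, WILL LINEMODE
# (blocked by the assumed policy), then an IS list that smuggles LD_PRELOAD.
SAMPLE_CLIENT_STREAM = (
    b"tim\r\n" + bytes([IAC, WILL, OPT_NEW_ENVIRON]) + bytes([IAC, WILL, 34])
    + bytes([IAC, SB, OPT_NEW_ENVIRON, ENV_IS])
    + b"\x00USER\x01tim" + b"\x00LD_PRELOAD\x01/tmp/evil.so" + b"\x03TERM\x01vt100"
    + bytes([IAC, SE])
)
```

Running `filter_telnet(SAMPLE_CLIENT_STREAM)` forwards the login text, the WILL NEW-ENVIRON and a NEW-ENVIRON list reduced to USER and TERM, and returns `IAC DONT LINEMODE` as the reply to send back to the client. The same function is run on the server-to-client direction with the roles of WILL/DO swapped automatically, since the refusal is chosen from the command seen, not from which side sent it.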