VPN's (fwd)

Carson Gaspar carson at TLA.ORG
Wed Feb 23 16:55:13 EST 2000


The _correct_ way to handle authorization is to have it integrated with the
VPN, so that all the information necessary for making the authorization
decision is available. Unfortunately, I know of no free VPN implementation
that does this. Here's one of my VPN policy torture tests for folks who try
to sell me VPNs:

- Permit User "fred" AuthType "securid" Crypto "3-DES"
	Dest "imap-server:TCP:143"
	Dest "admin-server:TCP:22"
	Dest "NT-server:TCP:139"
- Permit User "fred" AuthType "securid" Crypto "DES-40"
	Dest "imap-server:TCP:143"
- Permit User "ManagingDirector" AuthType "password" Crypto "*"
	Dest "imap-server:TCP:143"

If you can't implement the above policy, go back and re-write your VPN or
it's useless for anything other than a leased-line replacement.

--
Carson Gaspar -- carson at tla.org carson at cs.columbia.edu carson at cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
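
An added example, not part of the original message or of any VPN product: a default-deny evaluator for the policy quoted above, showing that each decision needs the user, the authentication type, the negotiated cipher and the destination together. The function names and the reading of the policy notation are assumptions made for illustration.

```python
import re

# Policy text taken from the message above (indentation normalised).
# parse_policy() and authorize() are hypothetical names for this example.
POLICY = '''\
- Permit User "fred" AuthType "securid" Crypto "3-DES"
    Dest "imap-server:TCP:143"
    Dest "admin-server:TCP:22"
    Dest "NT-server:TCP:139"
- Permit User "fred" AuthType "securid" Crypto "DES-40"
    Dest "imap-server:TCP:143"
- Permit User "ManagingDirector" AuthType "password" Crypto "*"
    Dest "imap-server:TCP:143"
'''

PAIR = re.compile(r'(\w+)\s+"([^"]*)"')  # matches: Key "value"

def parse_policy(text):
    """Return a list of rules: {'User', 'AuthType', 'Crypto', 'Dest': set}."""
    rules = []
    for line in text.splitlines():
        pairs = PAIR.findall(line)
        if line.startswith("- Permit"):
            rule = dict(pairs)
            rule["Dest"] = set()
            rules.append(rule)
        elif pairs and rules:
            # Continuation lines may only add destinations to the last rule.
            for key, value in pairs:
                if key != "Dest":
                    raise ValueError(f"unexpected key {key!r} under a rule")
                rules[-1]["Dest"].add(value)
        elif line.strip():
            raise ValueError(f"unparseable policy line: {line!r}")
    return rules

def authorize(rules, user, authtype, crypto, dest):
    """Default deny: permit only if one rule matches all four attributes."""
    for r in rules:
        if (r["User"] == user and r["AuthType"] == authtype
                and r["Crypto"] in ("*", crypto) and dest in r["Dest"]):
            return True
    return False

RULES = parse_policy(POLICY)
```

The same user reaches a different set of destinations depending on the cipher negotiated for the tunnel, which a gateway cannot decide unless the authorization check sees the VPN session's attributes.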
