Firewall Wizards mailing list archives

Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U)


From: Ng Pheng Siong <ngps () netmemetic com>
Date: Sat, 6 Apr 2002 00:09:34 +0800

On Thu, Apr 04, 2002 at 09:04:01AM -0500, Marcus J. Ranum wrote:
> It's still not a Very Good Thing - what we _really_ need is security
> protocol unification. Why do we have sftp, ssh, ssl, etc, etc - what
> the Internet really needs is a decent set of tools built atop a common
> security protocol including common authorization, common encryption,
> common authentication, etc. That way there's one place to upgrade and
> one place to maintain code. Right now we're doing the right thing but
> we're going about it the wrong way.

I think we're still some ways from a unified security protocol that is
suitable in the majority of IP networking contexts.

In the old days there was Kerberos, which worked well within an admin domain.

Then came SSH and SSL, which work better than Kerberos across admin domains.

Where I sit, IPsec hasn't really caught on.

There also exist "strong password protocols" which bring the benefit of not
having to worry about secure local storage of private keys. (Or files
containing hardcoded passwords. ;-)

(See http://srp.stanford.edu for yet another suite of telnet and ftp
clients and servers that operate over the Secure Remote Password protocol.)

And surely ubiquitous mobile ad hoc networking among mutually distrusting,
light-weight nodes (you at your dark corner, I at mine, you zap me suitcase
nuke schematics, I pay-pal you) will demand new protocols for each
significant variety of threat model. We're currently only at the stage of
dealing with 802.11 war-driving.


-- 
Ng Pheng Siong <ngps () netmemetic com> * http://www.netmemetic.com
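An added example, not from the post or from the SRP project linked above, of the property the paragraph on strong password protocols points at: in SRP the server stores a verifier derived from the password instead of the password or a private key, and the client stores nothing but the password, so neither side needs a protected key file. The group parameters N and g below are a constructed demo choice so the code runs offline; real deployments use the safe-prime groups from RFC 5054.

```python
"""SRP-6a exchange with client and server steps side by side.
Constructed demo: N is the Mersenne prime 2^521 - 1, g = 5 (assumption)."""
import hashlib
import secrets

N = (1 << 521) - 1   # demo modulus (assumption; not an RFC 5054 group)
g = 5
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over ints (fixed-width big-endian) and raw bytes."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(NLEN, "big"))
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier; binds the group parameters into the protocol


def private_x(username, password, salt):
    """Client-side secret x; never leaves the client and is never stored."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username, password):
    """One-time registration: the server stores only (salt, v), v = g^x.
    The client stores nothing, and v by itself cannot be used to log in."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def session_key(s):
    return hashlib.sha256(s.to_bytes(NLEN, "big")).digest()


def exchange(username, password, salt, verifier):
    """Run one login; returns (client_key, server_key), equal only when the
    client's password is the one that produced the stored verifier."""
    a = secrets.randbelow(N)                 # client ephemeral secret
    A = pow(g, a, N)                         # client -> server
    b = secrets.randbelow(N)                 # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N    # server -> client
    if A % N == 0 or B % N == 0:             # both sides must reject these
        raise ValueError("degenerate public value")
    u = H(A, B)                              # scrambling parameter, both sides
    x = private_x(username, password, salt)  # client only
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return session_key(s_client), session_key(s_server)
```

A real client and server would additionally exchange proofs of the session key before using it, so the first message that reaches the server is never the password itself.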

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards