[fw-wiz] Leader in firewall product

Magosányi Árpád mag@bunuel.tii.matav.hu
Tue, 19 Sep 2000 13:41:23 +0200


My mail client thinks that ark@eltex.ru wrote the following:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Magosányi Árpád <mag@bunuel.tii.matav.hu> said :
>
>
> > > > -Zorp
> > Zorp is a real application-level firewall. Example:
> > While other firewalls can control some 5-6 aspects of a
> > ftp session, it can control every little detail.
>
> Could you please explain what "every little detail is" for, say,
> zorp vs fwtk ftp-gw? I want to understand the difference.


It is in doc/modules/ftp/ftp.statement.txt in the source tree.
Generally half of the point is that Zorp has more than 20
configurable parameters in its ftp proxy class.
The second half is that Zorp uses a highly modular architecture,
so you can count on several other configuration parameters
in its listener and chainer classes.
The third half is that Zorp uses python as its configuration
language, so you can use anything you like in the access control
decision, like time of day, the result of outband authentication,
and class attributes like command (Last Command),=20
parameter (Last Parameter), answare_code (Last Answare Code).

>
> >  And its authentication system is just a major hit.

Zorp uses a so-called satyrd authentication method. It is
an out-band authentication method (the proxies can do traditional
inband authentication where it is applicable). Basically on the
client there is a satyrd, on the firewall there is a satyr
client, and there is a Zorp Authentication Server (zas) somewhere
which lives on an LDAP tree. When there comes an authentication request
or some operation which should be authenticated, the firewall
asks satyrd about the identity of the user it is working for.
The satyrd checks the identity of the firewall by an X.509 certificate,
and tells the truth (hopefully) to the firewall. Above the authentication
functionality, the protocol can transfer the claimed security labels and
other security attributes to the firewall.
The firewall checks the authentication and the security attributes
with zas.
The unix version of satyrd (and zas) can do password, cryptocard,
S/key, and X.509 based authentication, and also there are two or three not
really useful methods for test (challenge: zas tells a number X, response:
Y - X where Y is your secret number).
The unix version can multiplex for more local users.
The Windows version can do password, something I forgot, and S/key right
now.

-- 
GNU GPL: only from a pure source
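The post describes an FTP proxy whose access-control decision is written in Python and can consult the time of day, the result of out-of-band authentication, and per-session attributes such as the last command, its parameter and the last answer code. The block below is an added illustration of that policy-as-code idea; it is not Zorp's code or API, and every name in it (`FtpProxyState`, `decide`, `run_session`, the attribute and command sets, the sample session) is an assumption constructed for this example.

```python
"""Added example of a policy-as-code access check for an FTP proxy.

Not Zorp code: class, attribute and function names are hypothetical,
modelled only on the "command / parameter / answer_code" attributes and
the time-of-day and out-of-band-authentication inputs named in the post.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

# Constructed command sets; a real proxy would expose its own lists.
READ_ONLY_COMMANDS = {"USER", "PASS", "PWD", "CWD", "LIST", "NLST", "RETR",
                      "TYPE", "PASV", "PORT", "QUIT", "NOOP"}
WRITE_COMMANDS = {"STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}


@dataclass
class FtpProxyState:
    """Per-session attributes the policy may inspect (hypothetical names)."""
    command: Optional[str] = None      # last client command
    parameter: Optional[str] = None    # parameter of the last command
    answer_code: Optional[int] = None  # last server reply code
    user: Optional[str] = None         # identity from out-of-band authentication
    failed_logins: int = 0             # 530 replies seen after PASS


def within(now: time, start: time, end: time) -> bool:
    """True when `now` falls in the half-open window [start, end)."""
    return start <= now < end


def decide(state: FtpProxyState, now: time,
           business_hours: Tuple[time, time] = (time(8), time(18))) -> Tuple[bool, str]:
    """Return (allowed, reason) for the command currently stored in `state`."""
    cmd = (state.command or "").upper()
    param = state.parameter or ""

    # Protocol hygiene first: a parameter must never carry control bytes
    # (CR/LF would let one client line become two commands at the server).
    if any(ord(c) < 32 or c == "\x7f" for c in param):
        return False, "control characters in parameter"
    if cmd not in READ_ONLY_COMMANDS | WRITE_COMMANDS:
        return False, f"unknown command {cmd!r}"

    # Closing the session is always permitted.
    if cmd == "QUIT":
        return True, "ok"

    # Lock the session after repeated authentication failures.
    if state.failed_logins >= 3:
        return False, "too many failed logins"

    # Writes need an out-of-band authenticated identity and business hours.
    if cmd in WRITE_COMMANDS:
        if state.user is None:
            return False, "write requires authenticated user"
        if not within(now, *business_hours):
            return False, "write outside business hours"
    return True, "ok"


def run_session(events: List[Tuple[str, str, Optional[int]]], now: time,
                user: Optional[str] = None) -> List[Tuple[str, bool, str]]:
    """Feed (command, parameter, server_answer_code) triples through the policy.

    The answer code is only recorded for commands the policy let through,
    which is how the failed-login counter is derived from 530 replies to PASS.
    """
    state = FtpProxyState(user=user)
    results = []
    for cmd, param, answer in events:
        state.command, state.parameter = cmd, param
        allowed, reason = decide(state, now)
        results.append((cmd, allowed, reason))
        if allowed:
            state.answer_code = answer
            if cmd.upper() == "PASS" and state.answer_code == 530:
                state.failed_logins += 1
    return results


# Constructed sample session: three bad passwords, a fourth attempt, a listing,
# an upload and a clean disconnect, evaluated at 20:00 (outside business hours).
SAMPLE_SESSION = [
    ("USER", "alice", 331),
    ("PASS", "wrong", 530),
    ("PASS", "wrong", 530),
    ("PASS", "wrong", 530),
    ("PASS", "wrong", 530),
    ("LIST", "", 226),
    ("STOR", "report.txt", None),
    ("QUIT", "", 221),
]

if __name__ == "__main__":
    for cmd, allowed, reason in run_session(SAMPLE_SESSION, time(20)):
        print(f"{cmd:5} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the example is that the decision function sees the same session attributes the post lists, so rules such as "no uploads after hours", "writes only for an out-of-band authenticated user" or "lock the session after three 530 replies" are ordinary Python rather than fixed proxy options.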