Actually, you missed the point: with Kerberos, RADIUS or TACACS in place,
the whole mechanism is transparent to the user.  That is why it works. :)

/m

At 09:32 AM 7/17/00 +0930, Ben Nagy wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 14 July 2000 12:51 PM
> > To: Frank Knobbe; 'David Lang'; Frank Knobbe
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Citrx Metaframe/NT4-TSE
> >
> >
> > Whoa,
> >
> > This is way overkill.  The solution provided earlier was a
> > very simple and
> > elegant solution using existing and proven technology that is freely
> > available and does not require more than a couple of weeks of
> > interoperability testing.
>
>[ranting snipped]
>
>Hang on a second...if I understand your earlier solution, you were basically
>saying this:
>
>Put an external box in the DMZ, then run Kerberos to do session/host level
>auth to an internal box with hardening and logging where appropriate.
>
>Seems to me that you're solving a different problem to the two-factor auth
>proponents. Kerberos is only a fancy way of authenticating users and
>endpoints at the same time - it doesn't add any actual strength to your
>authentication mechanism.
>
>In essence, all I'm asserting is that your solution can be no stronger than
>user passwords. (Not that I don't like it). The two-factor people get better
>auth - this doesn't mean that they couldn't do everything else you suggested
>_as well_ to add DMZ host level auth as well as user auth.
>
>Cheers,
>
>
>--
>Ben Nagy
>Network Consultant, Volante IT
>PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
