Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Kerberos
Kerberos was developed by the Massachusetts Institute of Technology (MIT) and is
an IETF standard for network authentication (RFC 1510, since superseded by RFC 4120).
Kerberos provides strong authentication for client/server applications by using
secret-key cryptography: it verifies the identities of two principals (a person or a
network component) communicating over an unprotected network. The authentication
is performed through a trusted third-party service, the Key Distribution Center (KDC),
using conventional shared-secret-key cryptography. In this system a client requests
from the KDC a ticket for the party it wishes to contact. The KDC returns the ticket,
encrypted under the server's long-term key, together with a session key, encrypted
under the client's long-term key, so neither party's password or long-term key is ever
sent over the network. Subsequent communication between the parties is protected
with the session key issued by the KDC. On Cisco routers Kerberos can also be used to
perform EXEC shell authorization using Kerberos instance mapping. Once both parties
have been authenticated, the session key can be used to provide confidentiality and
data integrity services (for example, encrypted Kerberized Telnet).
Kerberos infrastructures are already in wide use. If you already have a Kerberos
infrastructure in place, it may be the most practical choice. Note, however, that
Kerberos provides only limited authorization capabilities and no accounting. Free
(open-source) implementations of Kerberos are available, as are commercially supported
products, and some more recent operating systems include Kerberos built in. Examples
of configuring Kerberos on a router are not covered in this guide; details can be found
in the Security Configuration Guide [1], in the section entitled Configuring Kerberos,
and in RFC 1510 [4].
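The following is an added illustrative configuration, not an example from this guide or from the Cisco documentation it cites. It shows how the pieces described above fit together on a Cisco IOS 12.x router: the realm and KDC definition, the router's own service key (srvtab), instance mapping for EXEC authorization, and the AAA method lists that use them. The realm EXAMPLE.COM, the file name router1-srvtab, the instance name admin, and the addresses 192.0.2.10 (KDC), 192.0.2.20 (TFTP server) and 192.0.2.30 (NTP server) are placeholders; substitute your own.

```cisco
! Added example: minimal Kerberos AAA configuration for Cisco IOS 12.x.
! Realm name, file name, instance name and addresses are placeholders (assumptions).
aaa new-model
!
! Realm the router belongs to and the KDC it contacts (UDP port 88 is the default).
kerberos local-realm EXAMPLE.COM
kerberos server EXAMPLE.COM 192.0.2.10 88
!
! Load the router's service key (srvtab) generated on the KDC. The file is
! fetched with TFTP in cleartext, so do this only over a trusted network and
! remove the file from the TFTP server afterwards.
kerberos srvtab remote 192.0.2.20 router1-srvtab
!
! Forward the user's ticket-granting ticket to hosts reached by telnet from the
! router, and refuse telnet/rlogin/rsh sessions that cannot negotiate Kerberos.
kerberos credentials forward
kerberos clients mandatory
!
! EXEC authorization by instance mapping: a principal such as
! jdoe/admin@EXAMPLE.COM is placed in privilege level 15, while a plain
! jdoe@EXAMPLE.COM keeps the default privilege level 1.
kerberos instance map admin 15
!
! Login authentication: Kerberized Telnet first (it must be listed first),
! then password-based Kerberos against the KDC, then the local user database
! only as a fallback if no KDC can be reached.
aaa authentication login default krb5-telnet krb5 local
aaa authorization exec default krb5-instance
!
! Kerberos tickets carry timestamps; a clock skew of more than a few minutes
! between router and KDC makes authentication fail, so keep the clock synced.
ntp server 192.0.2.30
```

After logging in, `show kerberos creds` lists the tickets the router holds for the session, and `telnet host /encrypt kerberos` opens an encrypted Kerberized Telnet session from the router using the session key, which is the confidentiality service mentioned above. The `local` fallback should carry a strong password and exists only so the router remains manageable while the KDC is unreachable.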
4.6.5. References
[1] Cisco Systems, Cisco IOS 12.0 Network Security, Cisco Press, 1999.
[2] Cisco Systems, Cisco IOS 12.0 Dial Solutions, Cisco Press, 1999.
[3] C. Rigney et al., Remote Authentication Dial In User Service (RADIUS), RFC 2865, June 2000.
[4] J. Kohl and C. Neuman, The Kerberos Network Authentication Service (V5), RFC 1510, September 1993.