Back to Windows and UNIX Integration Basics, Part 4: Security


When this newsletter series was launched, the concept of security

interoperability was almost non-existence, but a number of common

technologies now bring us closer to cross platform security management.

Despite the rapidly escalating battle for Web-based authentication

between Microsoft Passport and the Liberty Alliance, the standard kit

bag of a system administrator must include an understanding of security

technologies. In a future series, we will examine the advances in

technologies such as IPSec v6 and SSL that are now common to UNIX,

Linux, and Windows environments. In this installment, we take a snapshot

at Kerberos and the Public Key Infrastructure (PKI).

Based on RFC 1510, Kerberos version 5 is standard on all versions of

Windows 2000/.NET and many variants of UNIX. Its name stemming from the

three-headed dog of Greek mythology, Kerberos is designed to ensure the

highest level of security to network resources. Its three heads are the

Key Distribution Center (KDC), the client user, and the server with the

desired service.

The KDC is installed as part of the domain controller and performs two

services: authentication and ticket granting. When a client logs on to a

network, he or she negotiates access by providing a login name and

password that is verified by the KDC. Once successfully authenticated,

the user is granted a Ticket Granting Ticket (TGT) that is valid for the

local domain. The user presents the TGT to the Ticket Granting Service

(TGS) for access to a server. The TGS authenticates the user's TGT and

creates a ticket and session key for both the client and the remote

server. This information, known as the Service Ticket, is then normally

cached on the client machine. Once the client has the Client Server

Service Ticket, it can establish the session with the server service.

The server can decrypt the information coming indirectly from the TGS

using its own long-term key with the KDC.

The need to communicate with the Internet represents additional security

problems. This is where the Public Key Infrastructure (PKI) becomes

necessary. Maintaining passwords for the numbers of end users who

communicate via e-mail or access an enterprise's Web server is a

daunting task. In addition to authentication, users require

confidentiality and integrity in Internet traffic, which is exposed to

the world and can be read or monitored with common network sniffing

tools available to any personal computer. External users need secure

private connections to your network that ensure their identity and limit

data tampering and snooping, but they should not have to remember myriad

passwords or buy expensive Smart Card hardware. PKI can be used in UNIX

and Windows environments as well to reduce these issues utilizing common


What’s wrong? The new clean desk test
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies