These machines can be carefully checked in terms of security threats. But it is difficult or even impossible to create enough 'sealed' system. System security perimeter defense is complicated enough, as the gateway should pass certain types of traffic such as e-mail. Other network services such as ntp (Network Time Protocol) and ftp may also be desirable Mills92, PR85, Bishop. Moreover, the perimeter gateway system must be able to pass all the traffic of all domain, a prisoner at the perimeter.
5.3. Protection against active attacks is highly desirable for the foreseeable future will require fairly powerful system, able to withstand active attacks. Many corporate networks, based on broadcast technology such as Ethernet, probably in need of such methods. To defend against active attacks, or to ensure confidentiality, should use the encrypted session For example, Kerberos, you can use an authentication mechanism that protects against replay attacks. In the system Kerberos, users receive the access codes from the Kerberos server and use them for authentication, to implement access to other computer networks. Computing power of the local workstation can be used to decrypt the access code (using a key extracted from the password entered by the user) and store at time until it is needed. If the security protocol based on clock synchronization, then it may be useful protocol NTPv3, because it distributes the timestamps for a large number of computers and is one of the few Internet protocols, which contain the authentication mechanisms Bishop, Mills92. Another approach to access network computer is an introduction for all external machines shared secret code Kerberos kdc.