Configuring secure frewalls on systems that use Kerberos

[Andrew Hecox]

If this question just displays a basic lack of knowledge about Kerberos, please feel
free to flame me write out of the ng.  That said-

In configuring a firewall to work with a system that authenticates with  several kerberized
services, specifically, email, ftp, & telnet, I'm running into what appears to be a limitation
in terms of locking down the system.  Specifically, if I want to say that I trust only those
applications I've configured for firewall access, I can configure my incoming firewall rules
to accept only incoming traffic from TCP connections initiated by those trusted applications.
Furthermore, if needed, I can allow outgoing UDP packets, for trusted applications, although
this rarely is needed.

Because Kerberos uses UDP traffic for (not sure what part of the authentication process,
it seems at least to be for when authenticating with the KDC), I have to configure my firewall
to accept incoming UDP traffic from the KDC.  The hole that concerns is if either, the KDC
is compromised (less likely) or if a nice individuals decides to spoof the IP of the KDC and
send out malicious packets to the open UDP port over the normal port.

For something as secure as Kerberos, this seems like a significant opening, which makes
me think that either I'm going screwy somewhere in my reasoning that this is actually a
threat; or, that someone who thought this through and has found a work around.

Any thoughts, directions, angles to pursue would be greatly appreciated ...

Cheers!

AH