Re: [fw-wiz] Firewalls acting as access controllers
From: Kevin (kkadow_at_gmail.com)
Date: 05/26/05
- Previous message: Ramesh Krishnan: "[fw-wiz] Re: Firewalls acting as access controllers"
- In reply to: Green Horn: "[fw-wiz] Firewalls acting as access controllers"
- Next in thread: Chris Buechler: "Re: [fw-wiz] Firewalls acting as access controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 25 May 2005 19:11:19 -0500
On 5/25/05, Green Horn <teachgreenhorn@yahoo.com> wrote:
> Hi,
> I am new to firewalls.
> Do firewalls provide dynamically defined access
> control, i.e., can they act as access controllers?
In general, firewalls can be configured to enforce
authentication to the firewall before users are
permitted to access select services. Often the
policy can be defined so that once the user has
authenticated to any one service, the firewall
will permit that source IP address to access
multiple services/ports (similar to "authpf"), for
a limited duration. This feature is often labeled
as "Single Sign On".
There is exposure in just opening up TCP/IP
access to multiple ports/protocols for all requests
from a given source IP address based on a remote
user authenticating once for just one service.
The common alternative to mitigate this risk is to
instead use a VPN or "SSL VPN".
> e.g., it should be able to do the following, a user
> tries to access a resource, the packets would come to
> the firewall, if they are HTTP packets and the user is
> new (from IP address not being in the authenticated
> list), the packets would be redirected to a webproxy,
> the webproxy tries to get the user authenticated by an
> AAA server (say RADIUS), the firewall would get an
> authorization message from the AAA server (or
> webproxy), saying the time the user must be allowed
> access, the resources he can access etc.
> The firewall would provide that access.
Yes, except usually the firewall does MITM on the
protocol for the authentication prompt and processing,
assuming a protocol like HTTP, FTP, or Telnet, where a
password prompt can be presented to the user for a
response. Pretty slick.
The firewall then checks the username and password
against an internal account table, against RADIUS,
LDAP, or another authentication service, checking only
for a basic Pass/Fail response.
While it's possible that a firewall might actually pass
details about the resource being requested to an AAA
server and ask for not only Authentication of the user
credentials but also Authorization for that specific
resource, this is rare. Usually controls (what resources
authenticated IPs can access for how long) are just set
internally in the firewall's own user/group database.
Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
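The following is an added worked example, not code from the thread or from any firewall product it mentions. It models the behaviour Kevin describes: the firewall only interposes a credential prompt on protocols where it can (HTTP, FTP, Telnet), checks the credentials for a plain pass/fail answer, then opens the "single sign-on" set of ports to that source IP for a fixed duration. A second controller instance adds the rarer per-resource authorization hook he mentions. Every account, port set, IP address and timestamp here is constructed for the example; the class and function names are hypothetical.

```python
"""Toy model of a firewall acting as an access controller (added example).

Sessions are keyed by source IP, as in the thread: once any one service has
been authenticated from that address, the whole SSO port set is open to it
until the session expires. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Protocols on which the firewall can interpose a login prompt (the
# "MITM on the protocol for the authentication prompt" behaviour).
PROMPTABLE_PORTS = {80: "http", 21: "ftp", 23: "telnet"}


@dataclass
class Session:
    user: str
    expires_at: float
    allowed_ports: FrozenSet[int]


@dataclass
class AccessController:
    sso_ports: FrozenSet[int]                      # opened after one successful login
    session_ttl: float                             # seconds the source IP stays open
    authenticate: Callable[[str, str], bool]       # (user, password) -> pass/fail
    authorize: Optional[Callable[[str, int], bool]] = None  # optional (user, port) check
    sessions: Dict[str, Session] = field(default_factory=dict)   # src_ip -> Session

    def decide(self, src_ip: str, dst_port: int, now: float,
               credentials: Optional[Tuple[str, str]] = None) -> str:
        """Decide ALLOW, PROMPT or DENY for one request from src_ip to dst_port."""
        sess = self.sessions.get(src_ip)
        if sess is not None and sess.expires_at <= now:
            del self.sessions[src_ip]              # limited-duration grant has lapsed
            sess = None
        if sess is not None:
            # Note: any host behind this source IP inherits the grant; this is
            # the exposure the reply warns about (and why VPNs are suggested).
            if dst_port not in sess.allowed_ports:
                return "DENY"
            if self.authorize is not None and not self.authorize(sess.user, dst_port):
                return "DENY"
            return "ALLOW"
        if dst_port not in PROMPTABLE_PORTS:
            return "DENY"                          # nowhere to present a password prompt
        if credentials is None:
            return "PROMPT"                        # firewall answers with a login page/prompt
        user, password = credentials
        if not self.authenticate(user, password):  # basic pass/fail against RADIUS/LDAP/local
            return "DENY"
        self.sessions[src_ip] = Session(user, now + self.session_ttl,
                                        self.sso_ports | {dst_port})
        return "ALLOW"


# Constructed stand-ins for an internal account table and a resource grant table.
ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}
RESOURCE_GRANTS = {"alice": {80, 22}, "bob": {80}}


def pass_fail_check(user: str, password: str) -> bool:
    return ACCOUNTS.get(user) == password


def resource_check(user: str, port: int) -> bool:
    return port in RESOURCE_GRANTS.get(user, set())


def run_demo() -> Tuple[List[str], List[str]]:
    """Run a constructed request sequence through both controller styles."""
    sso = AccessController(sso_ports=frozenset({80, 22, 443}), session_ttl=3600,
                           authenticate=pass_fail_check)
    events = [
        ("10.0.0.5", 80, 0, None),                         # PROMPT: unknown IP, HTTP
        ("10.0.0.5", 80, 1, ("alice", "wrong")),           # DENY: bad password
        ("10.0.0.5", 80, 2, ("alice", "correct horse")),   # ALLOW: session created
        ("10.0.0.5", 22, 3, None),                         # ALLOW: SSO, no credentials
        ("10.0.0.5", 3389, 4, None),                       # DENY: not in the SSO set
        ("10.0.0.5", 22, 3700, None),                      # DENY: expired, no prompt on 22
        ("10.0.0.5", 80, 3701, None),                      # PROMPT: must log in again
    ]
    sso_results = [sso.decide(ip, port, now, creds) for ip, port, now, creds in events]

    strict = AccessController(sso_ports=frozenset({80, 22, 443}), session_ttl=3600,
                              authenticate=pass_fail_check, authorize=resource_check)
    strict.decide("10.0.0.5", 80, 0, ("alice", "correct horse"))
    strict_results = [strict.decide("10.0.0.5", port, 1) for port in (22, 443)]
    return sso_results, strict_results


if __name__ == "__main__":
    print(run_demo())
```

The first controller reproduces the exposure in the reply: after one login over HTTP, port 22 is reachable from that IP with no further credentials until the timer runs out. The second shows the per-resource authorization variant, where the same session still cannot reach 443 because the grant table does not list it for that user.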