Re: [fw-wiz] Firewalls acting as access controllers
From: Magosányi Árpád (mag_at_bunuel.tii.matav.hu)
To: Green Horn <firstname.lastname@example.org>
Date: Thu, 26 May 2005 06:30:33 +0000
First, about the conceptual part of your question.
Yes, firewalls act as access controllers. I believe the
most important role of firewalls in the corporate infrastructure
is to provide tools to enforce the corporate access control
policies. But primarily I think here about information
flow control policy, a.k.a. mandatory access control policy.
Your question is actually mostly concerned with authentication, which
is one way to fulfill an important prerequisite of access
control: identification of objects and subjects.
With http, the solution is easier than the one you have
described, because http can be authenticated in-band,
using headers designed for proxy authentication.
I believe most firewalls can do it.
There are other protocols, where end-to-end authentication
can be "abused" to also authenticate by the firewall
in-band. FTP is an example of it.
The problem lies with protocols, where in-band authentication
is impossible. One needs out-band authentication there.
There are also out-band authentication methods for all
serious firewalls. The problem with out-band authentication
is that they make the life of users cumbersome, and sometimes
they do not give most confidence over who does what.
If you ask me, I most like the authentication infrastructure
of Zorp. It can give you both in-band (where the protocol
enables it) and out-band authentication. The authentication
can be done against all widely deployed AAA solutions,
with all widely used authentication methods, from password
But the best is its conception. When a connection arrives,
the firewall is the one which asks the client for authentication,
thus the client is able to permit or deny each connection
individually. The drawback chosen for this system is that one
needs to put a small program (the satyr) on the client.
My mail client believes that Green Horn wrote the following:
> I am new to firewalls.
> Do firewalls provide dynamically defined access
> control i.e., can they act as access controllers.
> e.g., it should be able to do the following, a user
> tries to access a resource, the packets would come to
> the firewall, if they are HTTP packets and the user is
> new (from IP address not being in the authenticated
> list), the packets would be redirected to a webproxy,
> the webproxy tries to get the user authenticated by a
> AAA server (say RADIUS), the firewall would get an
> authorization message from the AAA server (or
> webproxy), saying the time the user must be allowed
> access, the resources he can access etc.
> The firewall would provide that access.
> Can this be done by the firewalls in the market such
> as Checkpoint firewall-1
--
GNU GPL: only from a clean source
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
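
The in-band HTTP case mentioned in the reply (headers designed for proxy authentication), as an added example that is not part of the original message or of any firewall product: the proxy challenges with 407 and `Proxy-Authenticate`, then checks `Proxy-Authorization` on the retry. The realm, the user table and the function names are assumptions made for illustration; the table stands in for a query to the AAA backend.

```python
import base64
import binascii
import hmac

REALM = "fw-example"          # hypothetical realm name
USERS = {"alice": "s3cret"}   # constructed sample; stands in for an AAA (e.g. RADIUS) lookup


def parse_request(raw: bytes):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_proxy_auth(headers: dict):
    """Return the authenticated user, or None if credentials are absent, malformed or wrong."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Basic credentials are "user:password"; only the first colon separates them.
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison so response timing does not leak the match length.
    if hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def handle(raw: bytes):
    """Decide what the proxy does with one request: challenge it or forward it."""
    _request_line, headers = parse_request(raw)
    user = check_proxy_auth(headers)
    if user is None:
        # In-band challenge: the client retries the same request with credentials.
        challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"'}
        return "407 Proxy Authentication Required", challenge, None
    # Proxy-Authorization is for the proxy only: strip it so the origin server never sees it.
    forwarded = {k: v for k, v in headers.items() if k != "proxy-authorization"}
    return "FORWARD", forwarded, user
```

Basic credentials are only base64-encoded, so the client-to-proxy hop needs its own protection for this decision to mean anything.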