Re: [fw-wiz] Firewalls acting as access controllers

From: Magosányi Árpád (mag_at_bunuel.tii.matav.hu)
Date: 05/26/05

  • Next message: Paul Melson: "RE: [fw-wiz] Firewalls acting as access controllers"
    To: Green Horn <teachgreenhorn@yahoo.com>
    Date: Thu, 26 May 2005 06:30:33 +0000
    
    

    Hi!

    First about the conceptual part of your question.
    Yes, firewalls act as access controllers. I believe the
    most important role of firewalls in the corporate infrastructure
    is to provide tools to enforce the corporate access control
    policies. But primarily I think here about information
    flow control policy, a.k.a. mandatory access control policy.
    Your question is actually mostly concerned with authentication, which
    is one way to fulfill an important prerequisite of access
    control: identification of objects and subjects.

    With http, the solution is easier than the one you have
    described, because http can be authenticated in-band,
    using headers designed for proxy authentication.
    I believe most firewalls can do it.

    There are other protocols, where end-to-end authentication
    can be "abused" to also authenticate by the firewall
    in-band. FTP is an example of it.

    The problem lies with protocols, where in-band authentication
    is impossible. One needs out-band authentication there.

    There are also out-band authentication methods for all
    serious firewalls. The problem with out-band authentication
    is that they make the life of users cumbersome, and sometimes
    they do not give most confidence over who does what.

    If you ask me, I most like the authentication infrastructure
    of Zorp. It can give you both in-band (where the protocol
    enables it) and out-band authentication. The authentication
    can be done against all widely deployed AAA solutions,
    with all widely used authentication methods, from password
    to chipcard.
    But the best is its conception. When a connection arrives,
    the firewall is the one which asks the client for authentication,
    thus the client is able to permit or deny each connection
    individually. The drawback chosen for this system is that one
    needs to put a small program (the satyr) on the client.

    My mailer believes that Green Horn wrote the following:
    > Hi,
    > I am new to firewalls.
    > Do firewalls provide dynamically defined access
    > control i.e., can they act as access controllers.
    > e.g., it should be able to do the following, a user
    > tries to access a resource, the packets would come to
    > the firewall, if they are HTTP packets and the user is
    > new (from IP address not being in the authenticated
    > list), the packets would be redirected to a webproxy,
    > the webproxy tries to get the user authenticated by a
    > an AAA server (say RADIUS), the firewall would get an
    > authorization message from the AAA server (or
    > webproxy), saying the time the user must be allowed
    > access, the resources he can access etc.
    > The firewall would provide that access.
    >
    > Can this be done by the firewalls in the market such
    > as Checkpoint firewall-1
    >
    > greenhorn.
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -- 
    GNU GPL: only from clean source
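The in-band HTTP case the reply describes (the proxy challenging with its own proxy-authentication headers, then applying policy to the authenticated user rather than the source address) as an added, runnable illustration. This is example code written for this page, not code from the thread, from Zorp or from any other product; it assumes HTTP Basic over a trusted hop, a static user table (USERS), a static per-user host allow-list (ALLOWED_HOSTS) and the constructed sample requests built by build_request, none of which come from the original message.

```python
"""Toy proxy-side authentication and per-user access check for HTTP.

Added illustration, not code from the thread or from any named firewall.
It shows the in-band mechanism: the proxy challenges with 407 /
Proxy-Authenticate and the client answers with Proxy-Authorization
(RFC 7235); afterwards the authenticated identity, not the source IP,
is what the access policy is evaluated against.
Assumed for the example: HTTP Basic over a trusted hop, a static user
table and a static per-user host allow-list. All sample data is constructed.
"""
import base64
import hmac
from typing import Optional
from urllib.parse import urlsplit

REALM = "corp-proxy"
# Constructed credential store and policy (example only).
USERS = {"alice": "correct horse battery staple"}
ALLOWED_HOSTS = {"alice": {"intranet.example", "www.example.com"}}


def parse_request(raw: bytes) -> tuple[str, str, dict]:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authenticate(headers: dict) -> Optional[str]:
    """Return the username proven by Proxy-Authorization, or None.

    Only the proxy-specific header is consulted; Authorization is end-to-end
    and belongs to the origin server, so the proxy must not consume it.
    """
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    # Constant-time comparison so a wrong password leaks nothing via timing.
    ok = expected is not None and hmac.compare_digest(password.encode(), expected.encode())
    return user if ok else None


def target_host(method: str, target: str) -> str:
    """Host the client wants to reach: authority form for CONNECT, absolute URI otherwise."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def handle(raw: bytes) -> tuple[int, dict]:
    """Decide the proxy's response status and headers for one request."""
    method, target, headers = parse_request(raw)
    user = authenticate(headers)
    if user is None:
        # 407 challenges in-band; the client retries the same request with credentials.
        return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"', "Content-Length": "0"}
    if target_host(method, target) not in ALLOWED_HOSTS.get(user, set()):
        # Authenticated, but this user is not authorised for this destination.
        return 403, {"Content-Length": "0"}
    # A real proxy would now open the upstream connection and relay the request.
    return 200, {"X-Authenticated-User": user}


def basic_header(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a client sends (used to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method: str, target: str, auth: Optional[str] = None) -> bytes:
    """Construct a minimal proxy request, optionally with a Proxy-Authorization header."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {target_host(method, target)}"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    print(handle(build_request("GET", "http://intranet.example/")))  # 407 challenge
    creds = basic_header("alice", "correct horse battery staple")
    print(handle(build_request("GET", "http://intranet.example/", creds)))  # 200
    print(handle(build_request("GET", "http://other.example/", creds)))  # 403
```

The point of keeping authenticate() and the allow-list check separate is the one the reply makes: authentication only establishes who the subject is; the firewall's job is the access decision that follows, and that decision is keyed on the user, so a second person at the same IP address does not inherit the first one's session.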
    
