Firewall Wizards mailing list archives
Re: SecurID Agent-Server through proxy firewall
From: "Randy Garbrick" <garbrir () hotmail com>
Date: Tue, 16 Feb 1999 08:57:33 PST
Hello, If you have the option of using valid addresses on the DMZ, and you don't mind having the real IP address of the webserver visible, depending on the firewall, (I know you can do it with Raptor) you may be able to publish the the webserver's address through the firewall. The firewall then appears to respond more like the actual web server, but should still protect the server fairly well. There may be other problems with this, if anyone knows them, please point them out. Randy Garbrick, Network Consultant
From owner-firewall-wizards () nfr net Wed Feb 10 12:28:10 1999 Received: (from root@localhost) by mailrelay.data-io.com (8.7.3/8.7.3)
id MAA24214 for <rgarb () data-io com>; Wed, 10 Feb 1999 12:27:45 -0800 (PST)
Received: from tower.nfr.net(208.196.145.10) by
mailrelay.data-io.com(139.138.100.89)
via smtpd (1.1) id q-19990210202738-24212-001; Wed 10 Feb 1999
12:27:39 PDT
Received: (from lists@localhost) by nfr.net (8.8.8/8.8.8) id MAA17304 for firewall-wizards-outgoing; Wed, 10 Feb 1999 12:43:54 -0600 (CST) Received: (from fwiz@localhost) by nfr.net (8.8.8/8.8.8) id MAA16410 for firewall-wizards () nfr net; Wed, 10 Feb 1999 12:11:34 -0600 (CST) Received: from send101.yahoomail.com (send101.yahoomail.com
[205.180.60.87])
by nfr.net (8.8.8/8.8.8) with SMTP id JAA12276 for <firewall-wizards () nfr net>; Wed, 10 Feb 1999 09:24:16 -0600 (CST) Message-ID: <19990210152734.7854.rocketmail () send101 yahoomail com> Received: from [194.249.6.115] by send101.yahoomail.com; Wed, 10 Feb
1999 07:27:33 PST
Date: Wed, 10 Feb 1999 07:27:33 -0800 (PST) From: Martin Bishop <martybishop () yahoo com> Subject: SecurID Agent-Server through proxy firewall To: firewall-wizards () nfr net MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-firewall-wizards () nfr net Precedence: bulk Reply-To: Martin Bishop <martybishop () yahoo com> Hi everyone! A customer of mine is planning to launch a public web server for online electronic commerce. The system is already built and already in use internally for three months now so it has been adequately tested before external users start using it. Users are all authenticated with SecurID tokens, which is implemented with a SecurID Agent running on the web server. The web server and ACE servers are at the moment in the same (internal) subnet without even a router between them and all works fine. Now, as we go public, we will move the web server from internal network to a DMZ (if you will -:). We have already decided to use an application gateway firewall and that the web server will reside on its third network interface. If you are using a fixed-width font, you might see the following (fairly simplified) picture: +-------------+ ! Application ! Internet ------------+ Gateway +----- Internal network (e-commerce users) ! Firewall ! (with ACE servers) +------+------+ ! ! ! +------+------+ ! ! ! Web server ! ! (ACE agent) ! +-------------+ While testing, we successfully managed to move the web server to the desired location (3rd interface), but we are having serious problems with SecurID authentication that we can't seem to solve. The problem is that, the _first_ SecurID authentication works fine but all subsequent authentication attempts fail. If we want it to work again, we have to remove the "securid" file from the web server (actually from the ACE agent) and uncheck "Secret Already Sent" (or something similar) on the ACE server. When we do this, the next authentication attempt will succeed, but again the subsequent ones will fail. Another interesting thing is that all these subsequent authentication attempts that the ACE Agent sees as unsuccessful (and tells that to our web application) are described as SUCCESSFUL in ACE server logs. So it would be logical to conclude that somehow the response from ACE server is either changed (probably by the firewall generic proxy) or misinterpreted by the ACE Agent for some reason. Furthermore, due to the fact that ACE Agent and Server exchange the "secret" value along with the first authentication attempt it could be that this value (that is used for encrypting subsequent auth. requestst) is somehow corrupted. Unfortunately, we don't have enough insight into the SecurID Agent-Server communication protocol to figure out how to solve this problem but I'm sure that we're not the first ones who would want to set up a system like that. So if any of you know any answers, your suggestions will be highly appreciated. If you reply to the list, _please_ reply to me personally also. Thanks for your time and best regards, Marty Bishop _________________________________________________________ DO YOU YAHOO!? Get your free @yahoo.com address at http://mail.yahoo.com
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- SecurID Agent-Server through proxy firewall Martin Bishop (Feb 10)
- Re: SecurID Agent-Server through proxy firewall Joseph S D Yao (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Mark Plesser (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 18)
- Re: SecurID Agent-Server through proxy firewall carson (Feb 19)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 19)
- Re: SecurID Agent-Server through proxy firewall carson (Feb 19)
- <Possible follow-ups>
- Re: SecurID Agent-Server through proxy firewall Stefan Jon Silverman (Feb 12)
- Re: SecurID Agent-Server through proxy firewall Randy Garbrick (Feb 17)