Firewall Wizards mailing list archives
Re: NT User Access/ Checkpoint FW1
From: "TC Wolsey" <twolsey () realtech com>
Date: Wed, 20 Jan 1999 09:30:34 -0500
>>> Jeromie Jackson <jeromie () garrison com> 01/19 2:57 AM >>>

At 11:15 PM 11/7/98 +0100, Rodney van den Oever wrote:

Is there any way to limit a user's internet rights through an NT login? Based on what I know so far, if I've got a group of 100 users... The only way to exclude or include a user would be by using IP address? If the group of 100 is on the same hub using DHCP to assign addresses, or frequent desk changes are a fact of life, the delegation of internet rights using IP addresses is no longer valid. My question is, is there any way to assign rights through Checkpoint FW1 using an NT Login?

If you are using LDAP, I do believe you can configure FW-1 to query the LDAP server. You could then do grouping based on the groups within the LDAP server.

Jeromie Jackson -CISSP
Garrison Technologies
760-633-1843
jeromie () garrison com
Web: http://www.garrison.com
It may depend upon what level you need to limit rights at. For instance, you can require that a given service (typically defined by transport level parameters) be authenticated outbound via RADIUS. The RADIUS server in turn can authenticate against external accounts (NT Domains, NDS, NIS, etc.). Several commercial vendors have RADIUS servers that will handle this.

The real problem is that the account authentication is then tied to the source IP address, which can be spoofed or reused by another machine that gets that address via DHCP before the authentication on the FW-1 box times out. Authentication via source IP address is probably not more secure inside the FW than outside for most environments.

If anybody knows of a way with FW-1 to enforce per-packet origin authentication (e.g. IPSec), I would be interested. Actually, I would be interested in any implementations that are using per-packet authentication in conjunction with account authentication for outbound policy enforcement.

TC Wolsey
REALTECH Systems Corporation
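As an added illustration (not code from the thread, from Check Point or from any RADIUS vendor), here is a Python model of the two designs TC Wolsey contrasts: a policy table keyed on the source IP with an idle timeout, beside a variant that also demands a per-packet authenticator under the user's key, the analogue of IPsec origin authentication. The address, timings, user name and key are constructed for the scenario.

```python
import hashlib
import hmac

# Constructed per-user key; stand-in for whatever an IPsec security association
# would hold for the authenticated user (hypothetical, not from the thread).
USER_KEYS = {"alice": b"alice-session-key"}

class IpBoundPolicy:
    """Outbound policy keyed on source IP only (the RADIUS-backed FW-1 model in the
    thread): any packet from an authenticated IP passes until the idle timer expires."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}  # src_ip -> [user, last_seen]

    def authenticate(self, src_ip, user, now):
        self.sessions[src_ip] = [user, now]

    def packet_ok(self, user, packet):
        return True  # the source address alone is trusted

    def check(self, src_ip, now, packet):
        # Returns the user the packet is attributed to, or None if it is denied.
        entry = self.sessions.get(src_ip)
        if entry is None or now - entry[1] > self.idle_timeout:
            self.sessions.pop(src_ip, None)
            return None
        if not self.packet_ok(entry[0], packet):
            return None  # an unauthenticated packet must not refresh the timer
        entry[1] = now
        return entry[0]

class PerPacketPolicy(IpBoundPolicy):
    """Same table, but each packet must carry a MAC under the user's key:
    the analogue of per-packet origin authentication (IPsec AH/ESP)."""
    def packet_ok(self, user, packet):
        expected = hmac.new(USER_KEYS[user], packet["data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, packet.get("mac", b""))

def sign(user, data):
    return {"data": data, "mac": hmac.new(USER_KEYS[user], data, hashlib.sha256).digest()}

def run_scenario(policy):
    """alice authenticates from 10.0.0.5 at t=0 and sends at t=10; by t=200 DHCP has
    handed 10.0.0.5 to a host that never authenticated. Returns who each packet
    was attributed to (None = denied)."""
    policy.authenticate("10.0.0.5", "alice", now=0)
    own = policy.check("10.0.0.5", 10, sign("alice", b"GET / HTTP/1.0"))
    stranger = policy.check("10.0.0.5", 200, {"data": b"GET / HTTP/1.0"})
    return [own, stranger]
```

With IpBoundPolicy(600) the stranger's packet is attributed to alice, while PerPacketPolicy denies it; IpBoundPolicy(60) also denies it, which shows that an idle timeout shorter than the DHCP reuse interval narrows the window but only the per-packet check closes it.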