Firewall Wizards mailing list archives

Re: NT User Access/ Checkpoint FW1


From: "TC Wolsey" <twolsey () realtech com>
Date: Wed, 20 Jan 1999 09:30:34 -0500

Jeromie Jackson <jeromie () garrison com> 01/19 2:57 AM >>>

At 11:15 PM 11/7/98 +0100, Rodney van den Oever wrote:
Is there any way to limit a user's internet rights through an NT login?
Based on what I know so far, if I've got a group of 100 users...  The only
way to exclude or include a user would be by using IP address?  If the
group of 100 is on the same hub using DHCP to assign addresses, or frequent
desk changes are a fact of life, the delegation of internet rights using IP
addresses is no longer valid.

My question is, is there any way to assign rights through Checkpoint FW1
using an NT Login?

If you are using LDAP, I do believe you can configure FW-1 to query the
LDAP server.  You could then do grouping based on the groups within the
LDAP server.

Jeromie Jackson -CISSP
Garrison Technologies
760-633-1843
jeromie () garrison com 
Web: http://www.garrison.com 

It may depend upon what level you need to limit rights at. For instance, you can require that a given service 
(typically defined by transport level parameters) be authenticated outbound via RADIUS. The RADIUS server in turn can 
authenticate against external accounts (NT Domains, NDS, NIS, etc.). Several commercial vendors have RADIUS servers 
that will handle this. The real problem is that the account authentication is then tied to the source IP address, which 
can be spoofed or reused by another machine that gets that address via DHCP before the authentication on the FW-1 box 
times out. Authentication via source IP address is probably not more secure inside the FW than outside for most 
environments. If anybody knows of a way with FW-1 to enforce per-packet origin authentication (e.g. IPSec), I would be 
interested. Actually, I would be interested in any implementations that are using per-packet authentication in 
conjunction with account authentication for outbound policy enforcement. 

TC Wolsey
REALTECH Systems Corporation
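The failure mode described in the reply above, as an added illustration that is not part of the thread: an outbound-policy decision cached per source IP is inherited by whichever host next holds that address, while a policy that binds each packet to the authenticated host's key (IPsec-style per-packet origin authentication, modelled here with an HMAC) is not. The timeout, hosts, keys and payloads are constructed sample values.

```python
# Added illustration, not from the thread: an outbound-policy decision cached
# per source IP can be inherited by whichever host next holds that address,
# whereas binding every packet to the authenticated host's key (IPsec-style
# per-packet origin authentication, modelled here with an HMAC) is not.
# Hosts, keys, payloads and timestamps below are constructed sample values.
import hashlib
import hmac

AUTH_TIMEOUT = 600  # seconds an FW-1 style session-auth entry is assumed to live

class IpBoundPolicy:
    # Allow-list keyed only by source IP, like session auth tied to an address.
    def __init__(self):
        self._expiry = {}  # src_ip -> time the entry expires

    def authenticate(self, src_ip, now):
        self._expiry[src_ip] = now + AUTH_TIMEOUT  # RADIUS said yes for src_ip

    def permit(self, src_ip, now):
        return self._expiry.get(src_ip, 0) > now

class PerPacketPolicy:
    # Each packet must carry a MAC under the key issued to the authenticated host.
    def __init__(self):
        self._keys = {}  # src_ip -> (per-host key, expiry)

    def authenticate(self, src_ip, host_key, now):
        self._keys[src_ip] = (host_key, now + AUTH_TIMEOUT)

    def permit(self, src_ip, payload, tag, now):
        key, expiry = self._keys.get(src_ip, (None, 0))
        if key is None or expiry <= now:
            return False
        return hmac.compare_digest(sign(key, payload), tag)

def sign(host_key, payload):
    return hmac.new(host_key, payload, hashlib.sha256).digest()

def demo():
    ip, key_a, key_b = "10.0.0.42", b"constructed-key-host-A", b"constructed-key-host-B"
    ip_only, per_packet = IpBoundPolicy(), PerPacketPolicy()
    ip_only.authenticate(ip, now=0)
    per_packet.authenticate(ip, key_a, now=0)
    # Host A leaves; host B obtains the same DHCP lease before the entry times out.
    inherited = ip_only.permit(ip, now=300)                                     # True
    rejected = per_packet.permit(ip, b"GET /", sign(key_b, b"GET /"), now=300)  # False
    legit = per_packet.permit(ip, b"GET /", sign(key_a, b"GET /"), now=300)     # True
    expired = ip_only.permit(ip, now=601)                                       # False
    return inherited, rejected, legit, expired
```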


