Firewall Wizards mailing list archives
Re: Firewalls acting as access controllers
From: Kevin <kkadow () gmail com>
Date: Wed, 25 May 2005 19:11:19 -0500
On 5/25/05, Green Horn <teachgreenhorn () yahoo com> wrote:
> Hi, I am new to firewalls. Do firewalls provide dynamically defined access control, i.e., can they act as access controllers?
In general, firewalls can be configured to enforce authentication to the firewall before users are permitted to access select services. Often the policy can be defined so that once the user has authenticated to any one service, the firewall will permit that source IP address access to multiple services/ports (similar to "authpf"), for a limited duration. This feature is often labeled as "Single Sign On". There is exposure in just opening up TCP/IP access to multiple ports/protocols for all requests from a given source IP address based on a remote user authenticating once for just one service. The common alternative to mitigate this risk is to instead use a VPN or "SSL VPN".
> e.g., it should be able to do the following: a user tries to access a resource, the packets would come to the firewall; if they are HTTP packets and the user is new (from an IP address not in the authenticated list), the packets would be redirected to a web proxy; the web proxy tries to get the user authenticated by an AAA server (say RADIUS); the firewall would get an authorization message from the AAA server (or web proxy) saying the time the user must be allowed access, the resources he can access, etc. The firewall would provide that access.
Yes, except usually the firewall does MITM on the protocol for the authentication prompt and processing, assuming a protocol like HTTP, FTP, or Telnet where a password prompt can be presented to the user for a response. Pretty slick. The firewall then checks the username and password against an internal account table, against RADIUS, LDAP, or another authentication service, checking only for a basic Pass/Fail response. While it's possible that a firewall might actually pass details about the resource being requested to an AAA server and ask for not only Authentication of the user credentials but also Authorization for that specific resource, this is rare. Usually controls (what resources authenticated IPs can access for how long) are just set internally in the firewall's own user/group database.

Kevin Kadow
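As an added illustration (not code from the thread), the following simulates the authenticate-once, permit-by-source-IP policy Kevin describes: an unauthenticated connection to an auth-capable port is redirected to the prompt, a basic pass/fail check against an internal account table then opens a fixed set of ports for that source address for a limited time. The `AuthFirewall` class, the account table and the port sets are constructed for this example.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    expires_at: float
    ports: frozenset


class AuthFirewall:
    """Permit-after-authentication policy keyed only on the client's source IP."""

    def __init__(self, users, auth_ports, grant_ports, ttl):
        self.users = users              # user -> password (constructed sample table)
        self.auth_ports = auth_ports    # ports where the firewall can present a login prompt
        self.grant_ports = grant_ports  # ports opened once any one login succeeds
        self.ttl = ttl                  # seconds a grant stays valid
        self.sessions = {}              # src_ip -> Session

    def authenticate(self, src_ip, user, password, now):
        """Basic pass/fail check; on success, record a grant for the source IP."""
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        # The grant is bound to src_ip, not to the user's connection: any other
        # host sharing that address (NAT, multi-user box) inherits it until expiry.
        # This is the exposure the reply describes.
        self.sessions[src_ip] = Session(user, now + self.ttl, self.grant_ports)
        return True

    def decide(self, src_ip, dst_port, now):
        """Return 'permit', 'redirect-auth' or 'deny' for one connection attempt."""
        session = self.sessions.get(src_ip)
        if session is not None and now >= session.expires_at:
            del self.sessions[src_ip]   # grant has timed out; require a fresh login
            session = None
        if session is not None and dst_port in session.ports:
            return "permit"
        if dst_port in self.auth_ports:
            return "redirect-auth"      # hand the flow to the auth prompt / web proxy
        return "deny"


if __name__ == "__main__":
    fw = AuthFirewall({"alice": "s3cret"}, {80}, frozenset({22, 80, 443}), ttl=600)
    print(fw.decide("10.0.0.5", 80, now=0))                          # redirect-auth
    print(fw.authenticate("10.0.0.5", "alice", "s3cret", now=0))     # True
    print(fw.decide("10.0.0.5", 22, now=1), fw.decide("10.0.0.5", 22, now=601))
```

Note that `decide` never consults the user or the requested resource once the session exists, which is exactly why a VPN that binds access to the authenticated endpoint is the stronger alternative.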