Firewall Wizards mailing list archives

Re: Firewalls acting as access controllers


From: Kevin <kkadow () gmail com>
Date: Wed, 25 May 2005 19:11:19 -0500

On 5/25/05, Green Horn <teachgreenhorn () yahoo com> wrote:
> Hi,
> I am new to firewalls.
> Do firewalls provide dynamically defined access
> control, i.e., can they act as access controllers?

In general, firewalls can be configured to enforce
authentication to the firewall before users are
permitted to access select services.  Often the
policy can be defined so that once the user has
authenticated to any one service, the firewall
will permit that source IP address to access
multiple services/ports (similar to "authpf"), for
a limited duration.  This feature is often labeled
as "Single Sign On".

There is exposure in just opening up TCP/IP
access to multiple ports/protocols for all requests
from a given source IP address based on a remote
user authenticating once for just one service.

The common alternative to mitigate this risk is to
instead use a VPN or "SSL VPN".


> e.g., it should be able to do the following: a user
> tries to access a resource, the packets would come to
> the firewall, if they are HTTP packets and the user is
> new (from an IP address not being in the authenticated
> list), the packets would be redirected to a web proxy,
> the web proxy tries to get the user authenticated by a
> AAA server (say RADIUS), the firewall would get an
> authorization message from the AAA server (or
> web proxy), saying the time the user must be allowed
> access, the resources he can access etc.
> The firewall would provide that access.

Yes, except usually the firewall does MITM on the
protocol for the authentication prompt and processing,
assuming a protocol like HTTP, FTP, Telnet where a
password prompt can be presented to the user for a
response.  Pretty slick.

The firewall then checks the username and password
against an internal account table, against RADIUS,
LDAP, or another authentication service, checking only
for a basic Pass/Fail response.

While it's possible that a firewall might actually pass
details about the resource being requested to a AAA
server and ask for not only Authentication of the user
credentials but also Authorization for that specific
resource, this is rare.  Usually controls (what resources
authenticated IPs can access for how long) are just set
internally in the firewall's own user/group database.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
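The access-controller behaviour discussed in this thread, as an added example that is not part of the original messages or of any firewall product: a toy model of a firewall that can only prompt for credentials on protocols like HTTP, FTP and Telnet, checks them against a backend that returns nothing more than Pass/Fail, and then opens every port for that source IP for a limited time (the "Single Sign On" behaviour Kevin describes). It also models the rarer variant where the AAA backend is asked to authorize each specific resource. All class names, the account table, the addresses and the TTL are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Ports on which a firewall can intercept the protocol and present a password
# prompt (HTTP, FTP, Telnet). The MITM itself is not modelled; a packet simply
# may or may not carry the credentials the user typed at the prompt.
PROMPTABLE_PORTS = {80, 21, 23}

# Constructed test account; stands in for the firewall's internal user table.
USERS = {"alice": "correct horse"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    credentials: Optional[tuple] = None   # (user, password) from the prompt, if any


class PassFailBackend:
    """Stands in for RADIUS/LDAP: the firewall learns only Pass or Fail."""

    def __init__(self, users):
        self._users = dict(users)

    def authenticate(self, user, password):
        return self._users.get(user) == password

    def authorize(self, user, dst_port):
        # Pass/Fail-only backend: once authenticated, every port is permitted.
        return True


class ResourceAuthorizingBackend(PassFailBackend):
    """The rarer setup: the AAA server is also asked about the specific resource."""

    def __init__(self, users, allowed_ports):
        super().__init__(users)
        self._allowed = {u: set(p) for u, p in allowed_ports.items()}

    def authorize(self, user, dst_port):
        return dst_port in self._allowed.get(user, set())


class AuthFirewall:
    def __init__(self, backend, session_ttl):
        self._backend = backend
        self._ttl = session_ttl
        self._sessions = {}   # src_ip -> (user, expiry); access is keyed on the IP

    def handle(self, pkt, now):
        """Decide one packet: ALLOW, DENY or PROMPT (intercept and ask for a login)."""
        session = self._sessions.get(pkt.src_ip)
        if session and session[1] <= now:        # time-limited: drop expired entry
            del self._sessions[pkt.src_ip]
            session = None
        if session:
            user, _ = session
            return "ALLOW" if self._backend.authorize(user, pkt.dst_port) else "DENY"
        if pkt.dst_port not in PROMPTABLE_PORTS:
            return "DENY"                         # no way to prompt on this protocol
        if pkt.credentials is None:
            return "PROMPT"                       # present the login (or redirect to proxy)
        user, password = pkt.credentials
        if not self._backend.authenticate(user, password):
            return "DENY"
        self._sessions[pkt.src_ip] = (user, now + self._ttl)
        return "ALLOW" if self._backend.authorize(user, pkt.dst_port) else "DENY"


def sso_exposure_scenario(backend):
    """Replay the thread's scenario: one login, then other ports and other hosts."""
    fw = AuthFirewall(backend, session_ttl=300)
    alice = ("alice", "correct horse")
    nat_ip = "203.0.113.7"                        # one NAT address shared by several hosts
    return [
        fw.handle(Packet(nat_ip, 80), now=0),          # new IP, HTTP: gets the prompt
        fw.handle(Packet(nat_ip, 80, alice), now=1),   # alice authenticates
        fw.handle(Packet(nat_ip, 22), now=2),          # alice's SSH: SSO opens other ports
        fw.handle(Packet(nat_ip, 3389), now=3),        # a different host behind the same NAT
        fw.handle(Packet(nat_ip, 22), now=301),        # session TTL has run out
    ]


if __name__ == "__main__":
    print(sso_exposure_scenario(PassFailBackend(USERS)))
    print(sso_exposure_scenario(ResourceAuthorizingBackend(USERS, {"alice": {80, 22}})))
```

With the Pass/Fail backend the fourth decision is ALLOW: the firewall has no way to tell a second host behind the same NAT address from the user who logged in, which is the exposure Kevin points to and the reason a VPN is the usual alternative. The resource-authorizing backend narrows that to the ports the authenticated user is entitled to, but the grant is still keyed on the source IP, so it reduces the blast radius rather than removing it.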

