Firewall Wizards mailing list archives
Re: Firewalls acting as access controllers
From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Thu, 26 May 2005 06:30:33 +0000
Hi!

First, about the conceptual part of your question. Yes, firewalls act as access controllers. I believe the most important role of firewalls in the corporate infrastructure is to provide tools to enforce the corporate access control policies. But primarily I think here about information flow control policy, a.k.a. mandatory access control policy.

Your question is actually mostly concerned with authentication, which is one way to fulfil an important prerequisite of access control: identification of objects and subjects.

With HTTP, the solution is easier than the one you have described, because HTTP can be authenticated in-band, using headers designed for proxy authentication. I believe most firewalls can do it. There are other protocols where end-to-end authentication can be "abused" to also authenticate at the firewall in-band. FTP is an example of it.

The problem lies with protocols where in-band authentication is impossible. One needs out-of-band authentication there. There are also out-of-band authentication methods for all serious firewalls. The problem with out-of-band authentication is that it makes the life of users cumbersome, and sometimes it does not give the most confidence over who does what.

If you ask me, I like the authentication infrastructure of Zorp most. It can give you both in-band (where the protocol enables it) and out-of-band authentication. The authentication can be done against all widely deployed AAA solutions, with all widely used authentication methods, from password to chipcard. But the best is its conception. When a connection arrives, the firewall is the one which asks the client for authentication, thus the client is able to permit or deny each connection individually. The drawback chosen for this system is that one needs to put a small program (the satyr) on the client.

My mail client believes that Green Horn wrote the following:
> Hi,
>
> I am new to firewalls. Do firewalls provide dynamically defined access control, i.e., can they act as access controllers? E.g., it should be able to do the following: a user tries to access a resource, and the packets would come to the firewall; if they are HTTP packets and the user is new (from an IP address not being in the authenticated list), the packets would be redirected to a web proxy; the web proxy tries to get the user authenticated by an AAA server (say RADIUS); the firewall would get an authorization message from the AAA server (or web proxy), saying the time the user must be allowed access, the resources he can access etc. The firewall would provide that access.
>
> Can this be done by the firewalls in the market such as Checkpoint Firewall-1?
>
> greenhorn
--
GNU GPL: only from clean source

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
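The two flows discussed in this exchange, as an added illustration that is not part of the thread and not Zorp's or Firewall-1's code: a small model of a firewall that authenticates HTTP in-band with the proxy-authentication headers (407 challenge, then `Proxy-Authorization`), records the source in an authenticated list with the lifetime and permitted hosts returned by the AAA server, and for a protocol without in-band authentication only honours a session that already exists. The AAA "server" (`AAA_DB`, `aaa_authenticate`), the user records, the addresses and the host names are all constructed for the example; a real deployment would query RADIUS or similar instead.

```python
import base64
import binascii
import time
from dataclasses import dataclass

# Constructed stand-in for the AAA server (RADIUS in the original question).
# Each entry: password, session lifetime in seconds, hosts the user may reach.
AAA_DB = {
    "alice": {"password": "s3cret", "ttl": 3600,
              "allowed": {"intranet.example", "www.example.com"}},
    "bob":   {"password": "hunter2", "ttl": 600,
              "allowed": {"www.example.com"}},
}


def aaa_authenticate(user, password):
    """Return the authorization attributes for a valid login, else None."""
    entry = AAA_DB.get(user)
    if entry is None or entry["password"] != password:
        return None
    return {"ttl": entry["ttl"], "allowed": set(entry["allowed"])}


def basic_header(user, password):
    """Build the Proxy-Authorization value a client would send (Basic scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


@dataclass
class Session:
    user: str
    expires: float      # absolute time after which the AAA-granted lifetime is over
    allowed: set        # hosts the AAA server authorized for this user


class AuthFirewall:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # source IP -> Session (the "authenticated list")

    def _session(self, src):
        s = self.sessions.get(src)
        if s is not None and s.expires <= self.clock():
            del self.sessions[src]   # lifetime granted by AAA has run out
            return None
        return s

    def _authorize(self, session, dst_host):
        if dst_host in session.allowed:
            return {"action": "allow", "user": session.user}
        return {"action": "deny", "reason": "host not permitted for " + session.user}

    def check_http(self, src, dst_host, headers):
        """In-band HTTP authentication using the proxy-authentication headers."""
        session = self._session(src)
        if session is not None:
            return self._authorize(session, dst_host)
        creds = headers.get("Proxy-Authorization", "")
        if not creds.startswith("Basic "):
            # Unknown source and no credentials: challenge, do not forward.
            return {"action": "challenge", "status": 407,
                    "headers": {"Proxy-Authenticate": 'Basic realm="firewall"'}}
        try:
            decoded = base64.b64decode(creds[6:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return {"action": "deny", "reason": "malformed credentials"}
        user, _, password = decoded.partition(":")
        attrs = aaa_authenticate(user, password)
        if attrs is None:
            return {"action": "deny", "reason": "authentication failed"}
        self.sessions[src] = Session(user, self.clock() + attrs["ttl"], attrs["allowed"])
        return self._authorize(self.sessions[src], dst_host)

    def check_other(self, src, dst_host):
        """Protocol with no in-band authentication: only an existing session counts."""
        session = self._session(src)
        if session is None:
            return {"action": "deny",
                    "reason": "no authenticated session; authenticate out-of-band first"}
        return self._authorize(session, dst_host)


if __name__ == "__main__":
    fw = AuthFirewall()
    print(fw.check_http("10.0.0.5", "www.example.com", {}))
    print(fw.check_http("10.0.0.5", "www.example.com",
                        {"Proxy-Authorization": basic_header("alice", "s3cret")}))
    print(fw.check_other("10.0.0.5", "intranet.example"))
```

Two points the model makes visible: the session is keyed on the source address, so anything that shares that address (NAT, a multi-user host) inherits the authorization until it expires, which is the kind of weak "who does what" the reply mentions for out-of-band schemes; and the Basic scheme carries the password base64-encoded rather than encrypted, so on a real network it belongs inside TLS or should be swapped for a stronger scheme.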
Current thread:
- Firewalls acting as access controllers Green Horn (May 25)
- Re: Firewalls acting as access controllers Ramesh Krishnan (May 30)
- Re: Firewalls acting as access controllers Kevin (May 30)
- Re: Firewalls acting as access controllers Chris Buechler (May 30)
- Re: Firewalls acting as access controllers Magosányi Árpád (May 30)
- RE: Firewalls acting as access controllers Paul Melson (May 30)