Firewall Wizards mailing list archives

Re: Logging into FW-1 with SSL?


From: Oscar Wahlberg <oscar.wahlberg () connecta se>
Date: Fri, 10 Sep 1999 13:09:08 +0200

Hi Scott,

FW-1 cannot authenticate SSL sessions from client to webserver since
it's unable to read the encryption tunnel. That's just the way it is.
But there are ways around it, two that I know of.

1. Implicit client authentication for HTTPS.
Let the user connect to the IIS server via HTTP, just retrieving the
index page which in turn does a redirect to the HTTPS equivalent.
During this HTTP session, FW-1 can intercept the request and
authenticate the session through all its methods for
user authentication. This user-auth rule should then implicitly
authenticate the client to allow an HTTPS session against the IIS
server.
This works, but has one major implication!
It won't work properly if the client is behind a NAT'ed firewall, since
the first request would authenticate all clients behind that fw.
I would suggest going for the second alternative.

I've recently heard that FW-1 w/ SP4 correctly handles all browsers
when doing SSL negotiations; earlier releases didn't handle Iexplorer.
This means that you can let the firewall authenticate the
SSL session. In other words, create a certificate on the firewall
and let the client create an SSL session to the firewall, which then
authenticates the user and, if the user is allowed through, connects
to the webserver.

Both these scenarios are described in the AA-sections of the FW-1
manuals. Albeit not very well, but better than the above ;)
I hope my ramblings made some sense, if not, ask again...

Cheers,
Oscar


-- 
Oscar Wahlberg <oscar.wahlberg () connecta se>
Connecta Infracom
Säkerhet & Kommunikation
phone: +46-(0)708-44 55 63  fax: +46-(0)708-44 55 74
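The NAT caveat in the first alternative is easy to miss, so here is a small model of both designs as an added example. It is not code from the post and not Check Point's FW-1 implementation; the class names, the credential table and the 203.0.113.7 NAT address are assumptions made for illustration. Design 1 keys the implicit HTTPS allow on the source address the firewall authenticated over HTTP, which is all it can match on once the tunnel is opaque to it; design 2 terminates SSL on the firewall and binds the authentication to a per-session token instead.

```python
"""Model of the two FW-1 HTTPS authentication designs from the thread.

Added example, not from the original post or from Check Point. Names,
the user table and addresses are assumptions for illustration only.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed credential table (assumption for the example).
USERS = {"alice": "s3cret"}


@dataclass
class Request:
    src_ip: str                          # source address as the firewall sees it
    scheme: str                          # "http" or "https"
    creds: tuple[str, str] | None = None  # (user, password) carried in the request
    token: str | None = None             # session token issued by design 2, if any


def creds_ok(creds: tuple[str, str] | None) -> bool:
    return creds is not None and USERS.get(creds[0]) == creds[1]


@dataclass
class ImplicitHttpsAuth:
    """Design 1: FW-1 user-auth on the cleartext HTTP request, then an
    implicit allow for HTTPS from the same source address."""
    authed_ips: set = field(default_factory=set)

    def handle(self, req: Request) -> tuple[str, str | None]:
        if req.scheme == "http":
            if creds_ok(req.creds):
                self.authed_ips.add(req.src_ip)
                return "redirect-https", None
            return "auth-required", None
        # HTTPS: the firewall cannot read the tunnel, so the only thing it
        # can match on is the source address it authenticated a moment ago.
        return ("pass" if req.src_ip in self.authed_ips else "drop"), None


@dataclass
class FirewallSslAuth:
    """Design 2: the client's SSL session terminates on the firewall, which
    authenticates inside it and binds the result to a per-session token."""
    sessions: set = field(default_factory=set)

    def handle(self, req: Request) -> tuple[str, str | None]:
        if req.scheme != "https":
            return "drop", None            # only the SSL listener is exposed
        if req.token is not None and req.token in self.sessions:
            return "pass", req.token       # already authenticated this session
        if creds_ok(req.creds):            # readable: the tunnel ends here
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return "pass", token
        return "auth-required", None


def nat_scenario() -> dict[str, str]:
    """Alice and Mallory sit behind one NAT box, so the firewall sees the
    same source address for both. Alice authenticates; Mallory never presents
    credentials and then tries HTTPS. Returns each party's verdict."""
    nat_ip = "203.0.113.7"   # constructed address (documentation range)
    results = {}

    fw = ImplicitHttpsAuth()
    fw.handle(Request(nat_ip, "http", creds=("alice", "s3cret")))  # Alice logs in
    results["implicit/alice"] = fw.handle(Request(nat_ip, "https"))[0]
    results["implicit/mallory"] = fw.handle(Request(nat_ip, "https"))[0]  # no creds

    fw2 = FirewallSslAuth()
    _, tok = fw2.handle(Request(nat_ip, "https", creds=("alice", "s3cret")))
    results["ssl/alice"] = fw2.handle(Request(nat_ip, "https", token=tok))[0]
    results["ssl/mallory"] = fw2.handle(Request(nat_ip, "https"))[0]  # no creds, no token
    return results


if __name__ == "__main__":
    for who, verdict in nat_scenario().items():
        print(f"{who:18} {verdict}")
```

Running it shows Mallory getting "pass" under the implicit design purely because the NAT address was authenticated once, and "auth-required" under the SSL-terminating design where the decision is per session rather than per address.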


