Firewall Wizards mailing list archives

Re: Firewalls acting as access controllers


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Thu, 26 May 2005 06:30:33 +0000

Hi!

First, about the conceptual part of your question.
Yes, firewalls act as access controllers. I believe the
most important role of firewalls in the corporate infrastructure
is to provide tools to enforce the corporate access control
policies. But primarily I think here about information
flow control policy, a.k.a. mandatory access control policy.
Your question is actually mostly concerned with authentication, which
is one way to fulfill an important prerequisite of access
control: identification of objects and subjects.

With HTTP, the solution is easier than the one you have
described, because HTTP can be authenticated in-band,
using headers designed for proxy authentication.
I believe most firewalls can do it.

There are other protocols where end-to-end authentication
can be "abused" so that the firewall also authenticates
in-band.  FTP is an example of it.

The problem lies with protocols where in-band authentication
is impossible. One needs out-of-band authentication there.

There are also out-of-band authentication methods for all
serious firewalls. The problem with out-of-band authentication
is that it makes the life of users cumbersome, and sometimes
it does not give much confidence about who does what.

If you ask me, I like the authentication infrastructure
of Zorp the most. It can give you both in-band (where the protocol
enables it) and out-of-band authentication. The authentication
can be done against all widely deployed AAA solutions,
with all widely used authentication methods, from password
to chipcard.
But the best is its concept. When a connection arrives,
the firewall is the one which asks the client for authentication,
thus the client is able to permit or deny each connection
individually. The drawback chosen for this system is that one
needs to put a small program (the satyr) on the client.

My mail client believes that Green Horn wrote the following:
Hi,
 I am new to firewalls.
Do firewalls provide dynamically defined access
control, i.e., can they act as access controllers?
E.g., a firewall should be able to do the following: a user
tries to access a resource, the packets would come to
the firewall; if they are HTTP packets and the user is
new (the IP address is not in the authenticated
list), the packets would be redirected to a web proxy;
the web proxy tries to get the user authenticated by an
AAA server (say RADIUS); the firewall would get an
authorization message from the AAA server (or
web proxy), saying the time the user must be allowed
access, the resources he can access, etc.
The firewall would provide that access.

Can this be done by the firewalls on the market such
as Checkpoint firewall-1?

        greenhorn.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
GNU GPL: only from clean source
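The reply distinguishes two ways a firewall can learn who is behind a connection: in-band, where the protocol itself carries the credentials (HTTP proxy authentication, status 407 with Proxy-Authenticate / Proxy-Authorization), and out-of-band, where some separate step authenticates the user and the firewall then keys its decisions on the source address for a limited time, which is also the shape of Green Horn's RADIUS-and-redirect scenario. The following is an added example written for this archive page, not code from Zorp, FireWall-1 or any poster; the user database, the policy table, the hosts and the packets are all constructed, and the out-of-band "grant" stands in for whatever external step (RADIUS result, a client agent like the satyr) would populate the table in a real deployment. It uses Basic credentials for brevity; on plain HTTP those are readable by anyone on the path, so a real proxy would use TLS to the proxy, Digest, or Negotiate.

```python
"""Toy firewall access controller with the two authentication paths the
reply distinguishes: in-band HTTP proxy authentication (RFC 7235, 407)
and an out-of-band table of authenticated source addresses with expiry.
Everything below (users, policy, hosts, requests) is constructed for the
example; it is not Zorp's or any vendor's code."""

import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed credential store (stand-in for the RADIUS/AAA backend).
_SALT = b"example-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("wonderland"), "bob": _digest("builder")}

# Constructed authorization policy: user -> (allowed destination hosts, session TTL seconds).
# This is the "resources he can access" and "time the user must be allowed access".
POLICY = {
    "alice": ({"intranet.example", "www.example"}, 3600),
    "bob": ({"www.example"}, 600),
}


def verify_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(_digest(password), _digest("x"))  # same cost for unknown users
        return False
    return hmac.compare_digest(_digest(password), expected)


def basic_credential(user: str, password: str) -> str:
    """Value a client puts in Proxy-Authorization for the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_request(raw: bytes):
    """Split the request head into (method, target, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def proxy_auth_user(headers: dict):
    """User named by a valid 'Proxy-Authorization: Basic ...' header, else None."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not cred:
        return None
    try:
        user, _, password = base64.b64decode(cred, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    return user if verify_password(user, password) else None


def host_of(target: str) -> str:
    """Host from an absolute-form target (http://host/path) or CONNECT host:port."""
    rest = target.split("://", 1)[1] if "://" in target else target
    return rest.split("/", 1)[0].split(":", 1)[0]


def http_decide(raw_request: bytes):
    """In-band path. Returns ("challenge", header value) when the proxy must
    answer 407, ("deny", user) when the user may not reach that host, or
    ("allow", user)."""
    _method, target, headers = parse_request(raw_request)
    user = proxy_auth_user(headers)
    if user is None:
        return ("challenge", 'Basic realm="firewall"')
    allowed_hosts, _ttl = POLICY[user]
    if host_of(target) not in allowed_hosts:
        return ("deny", user)
    return ("allow", user)


@dataclass
class OutOfBandTable:
    """Source addresses authenticated by an external step, with expiry.
    Used for protocols that cannot carry credentials in-band."""

    entries: dict = field(default_factory=dict)  # ip -> (user, expires_at)

    def grant(self, ip: str, user: str, now: float = None) -> None:
        """Record the result of the out-of-band authentication for this address."""
        now = time.time() if now is None else now
        self.entries[ip] = (user, now + POLICY[user][1])

    def decide(self, ip: str, dst_host: str, now: float = None):
        now = time.time() if now is None else now
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)  # unauthenticated or expired: must re-authenticate
            return ("deny", None)
        user = entry[0]
        return ("allow", user) if dst_host in POLICY[user][0] else ("deny", user)
```

Note the difference in what each path can assert: the in-band decision is tied to the credentials on that very request, while the out-of-band table can only say that someone on that address authenticated recently, which is the "less confidence over who does what" the reply warns about, and why the entries must expire.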

