Authentication
Features            | User                             | Client                                | Session
Transparent         | Yes                              | No (Telnet port 259 or HTTP port 900) | Yes
Connection services | FTP, HTTP, HTTPS, Telnet, RLOGIN | All services                          | All services
Software            | Password through client's GUI    | None                                  | Authentication agent software required by client
User Authentication
  - Client initiates a connection to the destination server
  - Firewall-1 uses the same connection as the client and asks for authorisation
  - Client responds with username and password
  - Firewall-1 allows the connection
 
Transparent user authentication is Firewall-1's default; the user must provide:
  - Username and password on the gateway
  - Username and password on the target host
 
Client Authentication
  - Client initiates a Telnet (port 259) or HTTP (port 900) connection to the firewall; Firewall-1 requests the client's username and password and verifies that they are authentic
  - Firewall-1 recognises the client's IP address and allows access to the destination server. Time-out, logout, or the number of sessions closes the connections.
 
Session Authentication
  - Client attempts to contact the server
  - Firewall-1 blocks the packet and contacts the session authentication agent
  - Agent opens on the client's screen
  - User enters username and password
  - Username and password are sent to Firewall-1
  - Firewall-1 accepts and allows the connection to the server
 
  
Implicit Client Authentication
Extends access privileges to specific clients without requiring the user to initiate additional sessions on the gateway.
If the client authenticates under a user or session authentication rule, Firewall-1 knows which user is on the client, so additional client authentication sessions are not necessary.
If implicit client authentication is enabled and an automatic sign-on rule is opened, all the standard sign-on rules are opened. Define the rules in the following order:
  - User authentication rules for HTTP
  - Client authentication rules
  - User and session authentication rules for non-HTTP services
 
The first time, user and session rules are applied; the second time, client authentication rules are applied.
User authentication rules are always applied for HTTP, preventing the browser from sending the authentication password to the HTTP server, because client authentication rules do NOT use Firewall-1 security servers.
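The client authentication lifecycle (sign-on recorded against the client's IP address and closed by time-out, logout or session count) and the rule ordering just described, as an added Python model that is not Check Point's code. ClientAuthTable, decide, the service names and the default time-out and session limit are assumptions made for the simulation.

```python
from dataclasses import dataclass

# Constructed model of the rule ordering described above (not Check Point code).
@dataclass
class SignOn:
    user: str
    expires: float      # time-out closes the authorisation
    sessions_left: int  # number-of-sessions limit

class ClientAuthTable:
    """Client authentication is keyed by the client's IP address, not the user."""
    def __init__(self):
        self.records = {}

    def sign_on(self, ip, user, now, timeout=600, max_sessions=3):
        self.records[ip] = SignOn(user, now + timeout, max_sessions)

    def logout(self, ip):
        self.records.pop(ip, None)

    def consume(self, ip, now):
        """Return the signed-on user if ip is still authorised (counting one session)."""
        rec = self.records.get(ip)
        if rec is None or now >= rec.expires or rec.sessions_left <= 0:
            self.records.pop(ip, None)  # expired or exhausted: authorisation is closed
            return None
        rec.sessions_left -= 1
        return rec.user

# Rule base in the order the notes prescribe; evaluated first match wins.
RULES = [("user", {"http"}), ("client", None), ("user_session", None)]

def decide(service, ip, now, table, credentials, implicit_client_auth=True):
    """credentials: (username, verified) as returned by the authentication scheme."""
    for kind, services in RULES:
        if services is not None and service not in services:
            continue
        if kind == "client":
            user = table.consume(ip, now)
            if user is not None:
                return ("accept", kind, user)
            continue  # no valid sign-on for this IP: fall through to the next rule
        user, verified = credentials
        if not verified:
            return ("drop", kind, None)
        if implicit_client_auth:  # remember the IP so the next connection hits the client rule
            table.sign_on(ip, user, now)
        return ("accept", kind, user)
    return ("drop", None, None)
```

Note that HTTP never reaches the client rule because the user rule for HTTP precedes it, which is exactly why the notes place it first.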
Internal Authentication Schemes
  - S/Key: most secure form of internal authentication
  - Firewall-1 Password: the user enters an assigned Firewall-1 password (the user does NOT require an OS account on the firewall)
  - OS Password: the user enters an OS password and must have an OS account on the firewall
 
External Authentication Schemes
  - SecurID: user enters a Security Dynamics PASSCODE
  - RADIUS (Remote Authentication Dial In User Service): user is prompted for a response to the RADIUS server
  - AXENT Pathways Defender: user is prompted for a response to the AXENT server
  - TACACS (Terminal Access Controller Access Control System): user is prompted for a response to the TACACS server

Use the generic user account for external authentication schemes to avoid the overhead of maintaining duplicate user accounts.