Chapter 6: Authenticating Users

Introduction

There are many reasons that your organization may decide to implement user authentication at your firewall. Perhaps you want to allow different departments access to various resources on your de-militarized zone (DMZ), or maybe you are using Dynamic Host Control Protocol (DHCP) inside your network, and Internet Protocol (IP) addresses are changing every week when their leases expire. If you want to keep track of who is going to what Internet Web sites for whatever reason, then you could authenticate your users at the firewall, so that it can accurately log the user s login identity. Then you don t have to rely on IP addresses to determine who is going where. Authentication is also necessary when utilizing client-to-site or Remote Access Virtual Private Network (VPN) connections to ensure only authorized users are able to access resources inside your network.

VPN-1/FW-1 Next Generation provides you with several different authentication schemes and user authentication methods , and you should be able to choose one of them to suit your organization s needs. This chapter will describe the various options and provide some examples of how you might implement them into your current security policy structure.

Some of the options available for authenticating your users are SecurID, RADIUS, TACACS, OS password, and VPN-1/FW-1 authentication. You can choose to authenticate your users by one of these methods, and then you can pick from several authentication options in the policy, which we will cover in this chapter. Though not the complete Single Sign-On solution provided by User Authority, the information this chapter provides will include useful capabilities in the base firewall installation.