Setting Up User AuthenticationSet up User Authentication by following these steps.
After creating your users, verify that the appropriate Security Servers are enabled in $FWDIR/conf/fwauthd.conf . By default, they should be enabled, but it never hurts to check. The lines for the servers you want to enable should be present and not commented out (i.e., the line should not begin with a # ). The FTP, HTTP, Telnet, and rlogin servers are enabled if these lines are present in fwauthd.conf and are not commented out: 21 fwssd in.aftpd wait 0 80 fwssd in.ahttpd wait 0 513 fwssd in.arlogind wait 0 23 fwssd in.atelnetd wait 0 You then need to create the appropriate rule in the rulebase. When adding the source of the rule, right-click the source field, and select Add User Access. Select the appropriate group. The Location must also be set. The No restriction option means Any in the rulebase. The Restrict option allows you to select a network object or group that represents where you want to authenticate the connections from. For example, if you want to authenticate all users in the group knights-of-the-roundtable from the network camelot to the host castle-anthrax via Telnet and HTTP, the rule would look like the one shown in Figure 8.30. Figure 8.30. The Knights of the Round Table can go to Castle Anthrax
You must then edit the User Authentication properties by right-clicking the Action field of the rule and selecting Edit Properties. Figure 8.31 shows the screen that appears. For both the source and the destination, you can select one of two options:
Figure 8.31. User Authentication Action Properties, General tab
To illustrate the way these options work, let's use the users sir-gallahad and sir-lancelot with the rule created earlier. The allowed sources and destinations for sir-gallahad are both Any. The allowed sources for sir-lancelot are Any, but his allowed destination does not include castle-anthrax (i.e., it is neither Any nor a group that includes castle-anthrax). If the User Authentication properties for the rule are defined using "intersect with user database" for the destination, when sir-lancelot tries to authenticate to access castle-anthrax, he will be denied, even if he is coming from camelot [2] and presents correct credentials. If the setting used is "ignore user database," sir-lancelot will be permitted to go to castle-anthrax, provided he supplies the correct credentials and is coming from camelot.
For the HTTP section of this screen, there are two options:
As part of setting up User Authentication, you must go to the gateway object and configure some related options. Recall that in the discussion of Figure 8.28 there were some options I did not explain. Two of these options come into play now.
Also on that frame, the Authentication Failure Track provides three options that determine what happens when a user fails to authenticate successfully. The selected alert will be generated upon failure. Finally, you must configure the global properties as appropriate for your needs. Once the rules and the rulebase properties are set to your liking, install the security policy. The Importance of Rule Order in User AuthenticationThere is one case where FireWall-1 does not process the rules in order but instead uses the rule that is most permissive. This occurs when User Authentication for HTTP, FTP, Telnet, and rlogin is used and such a rule is matched in the rulebase. If during the in-order rulebase evaluation the rule that matches the connection (based on source, destination, and service) is User Authentication, all rules in the rulebase are evaluated and the least restrictive one applies. Check Point refers to this as the Insufficient Information problem in the documentation. To give you an idea of what this means, consider the security policy shown in Figure 8.32. Figure 8.32. Sample rulebase
Based on the rules and how the rulebase rules are applied, the following list details how these rules will apply themselves .
The major problem in this rulebase is that Rules 4 and 5 do not provide authentication in cases where you would expect them to because Rule 7 is too permissive. You can fix this by making Rule 7 a bit less permissive by excluding DMZ_net and Local_Gateway from the allowed destinations, as shown in Figure 8.33. Figure 8.33. A more restrictive Rule 7
|