Authentication of Other Services and Authentication Issues

Previous page
Table of content
Next page

Normally, services such as HTTP, FTP, and Telnet can be authenticated using cut-through proxy. However, other services might need access through the PIX firewall. For example, if Jack's users need to access TFTP servers or Microsoft servers using NetBIOS, ports 69 and 139 would be used. Cut-through proxy does not work in these cases. You do have can use virtual telnet to allow users through. Also cut-through proxy may have some authentication issues with HTTP and Web browsers. If this is a problem the another service called Virtual HTTP can be used. This and Virtual Telnet are covered in the next section.

Virtual Telnet

Virtual Telnet enables users to preauthenticate using a virtual Telnet session before executing the application that needs to pass through the PIX. For example, when Jack needs TFTP access, he must first open a Telnet session with PIX to a virtual Telnet IP address and then enter his username and password. The PIX caches the successful user logon and allows TFTP traffic through.

To use virtual Telnet, the virtual telnet command is needed. Its syntax is as follows : 

 pixfirewall(config)# [no] virtual telnet <ip>

The ip option is the IP address of the virtual Telnet server running on the PIX firewall. This address is the IP address clients use to enter their usernames and passwords. After authentication takes place, the user is allowed to pass traffic through the PIX. To log out, the user only has to connect using Telnet again and reenter her username and password.

The example shown here requires TFTP traffic to be authenticated before TFTP traffic is allowed through the PIX firewall. The user will create a Telnet session with 192.168.1.252: 

 pixfirewall(config)# aaa-server PIXAuth protocol tacacs+ pixfirewall(config)# aaa-server PIXAuth host 192.168.1.10 dog pixfirewall(config)# aaa authentication include tcp/69                 outbound 0 0 0 0 PIXAuth pixfirewall(config)# virtual telnet 192.168.1.252
graphics/alert_icon.gif

Virtual Telnet allows support for applications that don't use the typical HTTP, Telnet, and FTP ports.


Virtual HTTP

Virtual HTTP enables browser and Web server authentication to work correctly with the PIX when authentication with cut-through proxy is problematic . Web browsers can cache authentication requests , potentially causing future authentication problems. The Virtual HTTP works by redirecting the user's initial internal Web server request to a virtual HTTP server on the PIX. The user then authenticates his username and password and is redirected back to the original URL.

This example creates a virtual HTTP server that is used to catch HTTP traffic: 

 pixfirewall(config)# aaa-server PIXAuth protocol tacacs+ pixfirewall(config)# aaa-server PIXAuth host 192.168.1.10 dog pixfirewall(config)# aaa authentication include any inbound 0 0 0 0 PIXAuth pixfirewall(config)# virtual http 192.168.1.251
graphics/alert_icon.gif

Virtual HTTP helps to correct Web browser problems with HTTP authentication.



Previous page
Table of content
Next page
CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218
Authors: Daniel P. Newman
BUY ON AMAZON
ERP and Data Warehousing in Organizations: Issues and Challenges
CISSP Exam Cram 2
Metrics and Models in Software Quality Engineering (2nd Edition)
The CISSP and CAP Prep Guide: Platinum Edition
Snort Cookbook
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy