Which firewalls have this functionality? External user authentication

We are looking for a new firewall.

One function we need is to have the firewall provide authentication to external users before making certain applications (ports) available.

e.g. hide, say, RDP (3389) - so port access is blocked/invisible/secure and no one can use it. Unless the user goes to a specific firewall-provided URL and logs on with username/password - then the firewall can show port 3389 to them.

Watchguard provides this functionality (Watchguard authentication applet) via its own web server on port 4100

Does Sonicwall?

Does anyone else?

Thanks

RJ

Reply to
ryanjjones

It's called VPN, and any quality firewall will allow VPN connections to authenticate.

Do not expose 4100 to the public; if you do, people who have System Manager can attempt to connect to your firewall and do what they want - repeat, do not expose the WatchGuard ports to the External jack.

If you want to setup authentication so that users have to be approved, setup a VPN and then a rule that permits their user (FB USER) to access RDP.

Reply to
Leythos

Fortigate does this. It's an authenticated policy. Nothing to do with VPN by the way, although a VPN tunnel can also be authenticated by an outside server.

Your options for authenticating a policy are username/password stored in the unit, an LDAP query, or a RADIUS server, which is a standardized interface that talks to most other authentication servers, such as a token system like RSA.

Version 3.0 actually includes Active Directory support so you can tie such authorization to active directory groups as well as the above methods.

It works as you describe, they go to a web page, the firewall prompts them for username/password, and once that is provided, that policy and other authenticated policies become available to the user.

This can be done for inbound or outbound traffic.

-Russ.

Reply to
Somebody.

Sorry - this isn't what I mean.

It is not VPN - it is a user authentication applet which is designed to be external facing.

Reply to
ryanjjones

That's the stuff!

Not heard of Fortigate though - but I will look it up now.

Looking for simple generic username/password (e.g. COMPANYUSER/COMPANYPASSWORD) - as we just want to hide services from spiders/robots/script-kiddies etc - and only show to semi-trusted people who can then authenticate with whatever service they want in the normal way.

Reply to
ryanjjones

Sorry, but I've got about 40 WatchGuard Firewalls and would never consider allowing 4100 access from the External interface.

4100 is not permitted access from the External Interface by default. So, by default, it's not DESIGNED to be external facing.

I just tried connecting to 8 different FireBox units, not one of them allow 4100 inbound from the external interface - in fact, if you try and edit the wg_authentication rule it gives a warning about not changing it.

Reply to
Leythos

SonicWall does. Can be done via RADIUS or LDAP or a local database on the SonicWall.

Reply to
snertking

No, that is not what he seems to be asking for.

Say you have INTERNAL users behind the firewall, and you want a specific subset of those users to have outgoing access to a specific port. The users move around from machine to machine, so you can't just do firewall ACLs or rules based on station IP... You want some sort of authentication and ACLs based on user authentication.

Higher end boxes generally DO support this.

Reply to
snertking

My take was that he exposed the authentication to the WAN, which can be done, breaking the golden rules, and that he permitted INBOUND RDP for users that authenticate INBOUND.

There is no reason to use the firewall if they are already inside the LAN - at least not for allowing RDP connections inside the LAN.

I already implement what you describe in WatchGuard products using either Active Directory groups or local FireBox groups.

Reply to
Leythos

RJ,

You can do this on a Sidewinder G2 as well.

formatting link
You can do this several ways with the Sidewinder. Authentication types:

- LDAP
- NT login
- AD
- SafeWord token (for two-factor authentication)
- Local DB

Rule types:

- By source
- By destination
- By port
- By VPN, if you choose to.

And this Firewall is EAL4+ This evaluation meets the Application Layer Firewall Protection Profile which is a US National Security Agency's benchmark for firewalls. Sidewinder G2 achieved the evaluation at the Common Criteria Evaluation Assurance Level 4+ (EAL4+). This comprehensive evaluation raises the bar for our competitors and offers a clear choice for you.

formatting link
SIDEWINDER G2 SECURITY APPLIANCE Common Criteria certification The world's strongest firewall is certified to the world's most comprehensive security requirements

Common Criteria is the world's standard for evaluating security products. Widely respected for its extensive and comprehensive evaluation by an independent 3rd party, EAL4+ accreditation certifies that the firewall's design, software development methodology, and multi-layered security mechanisms meet or exceed the highest of all assurance levels defined by the international standard. The receipt of this award is just one more example of how Secure Computing's Sidewinder G2 defines excellence in meeting the security needs of the world's most important and sensitive networks.


Sidewinder G2, highest assurance level achieved, EAL4+

Completeness of Evaluation The most complete evaluation would include:

1. high number of security functional requirements evaluated (Sidewinder G2 - 29 requirements)
2. operating system included in the evaluation (Sidewinder G2 - includes SecureOS operating system)
3. appliance hardware included in the evaluation
4. protection profile included, preferably an application firewall protection profile (Sidewinder G2 - includes the medium application firewall protection profile as designed by the U.S. DoD)

Why Sidewinder G2® versus competitors? Sidewinder G2 is the only Common Criteria certified product that meets an application firewall protection profile at the medium robustness level. Additionally Sidewinder G2 differentiates itself from competitors by having included the operating system for the EAL4 certification. No other products have completed a certification that is as comprehensive as Secure Computing's Sidewinder G2.

Reply to
Security Freak

Interesting.

To clarify - yes - in a previous job we exposed the Watchguard authentication applet to the Internet.

The full scenario:-

- An external user tried (say) to open up RDP to an internal host. The firewall would then ignore all requests

- The external user launched the Watchguard authentication applet (on 4100) - and gave username/password credentials. Then - as long as this web page is still open (with the Java app running) - the firewall knows this host is trusted.

- The external user can then see RDP quite happily.

I believe this was simply done by setting a rule saying allow RDP in from USER to where USER was authenticated via the watchguard applet.

I can't recall any warnings on changing the rule (but it was a while ago) - but I am almost certain this was an approved way of getting validated by the firewall to access certain services. I guess this would not be a default setting.

Anyway - you see my need - I currently need numerous web (IIS) servers for internal users to be externally facing, along with loads of other services. So I either make them all public and leave a large visible footprint; or implement some form of authentication which is required before the footprint is visible. The WG scenario is the only one I am currently familiar with.

RJ

Reply to
ryanjjones
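The flow RJ lays out above, and the Fortigate behaviour Russ described earlier in the thread (requests to the gated port are ignored, the user authenticates to the firewall's own portal, and the authenticated policy then opens for that client for as long as the session lives), modelled as a small Python simulation. This is an added example, not code from the original thread or from any vendor. The user names, passwords, IP addresses, group names and the 600-second session timeout are constructed for the demo, and tying a policy to a user group is an assumption drawn from Leythos's mention of AD/FireBox groups; the only thing the sketch claims about real products is the shape of the mechanism.

```python
"""Toy model of a firewall "authenticated policy" gating inbound RDP.

Data plane: a packet to a port covered by an authenticated policy is dropped
unless its source IP currently holds a live portal session. Control plane:
the portal (the vendor's "authentication applet" on its own port) checks a
username/password against a local user database and records a session for the
client's source IP with a timeout. All names, passwords, addresses and
timeouts are constructed for the demo; this is not vendor code.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

SESSION_TTL = 600.0  # seconds; assumed value, real products make this configurable


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the local user database holds no plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    digest: bytes
    groups: frozenset[str]


@dataclass(frozen=True)
class Policy:
    dst_port: int
    groups: frozenset[str] | None  # None: public service, no authentication needed


class AuthFirewall:
    def __init__(self, users, policies, session_ttl: float = SESSION_TTL):
        self.users = {u.name: u for u in users}
        self.policies = {p.dst_port: p for p in policies}
        self.session_ttl = session_ttl
        self.sessions: dict[str, tuple[str, float]] = {}  # src_ip -> (user, expiry)

    def login(self, src_ip: str, username: str, password: str, now: float) -> bool:
        """Portal login: on success, open a session keyed on the client's source IP."""
        user = self.users.get(username)
        # Run the KDF even for unknown users so a bad username is not faster than a
        # bad password (otherwise the portal leaks which user names exist).
        salt, digest = (user.salt, user.digest) if user else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, digest):
            return False
        self.sessions[src_ip] = (username, now + self.session_ttl)
        return True

    def keepalive(self, src_ip: str, now: float) -> bool:
        """What the still-open applet page does: extend a live session's expiry."""
        user = self._session_user(src_ip, now)
        if user is None:
            return False
        self.sessions[src_ip] = (user.name, now + self.session_ttl)
        return True

    def _session_user(self, src_ip: str, now: float) -> User | None:
        entry = self.sessions.get(src_ip)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:  # expired: forget it, the port goes dark again
            del self.sessions[src_ip]
            return None
        return self.users[username]

    def evaluate(self, src_ip: str, dst_port: int, now: float) -> str:
        """Decide an inbound packet: 'ALLOW' or 'DROP'. Default deny."""
        policy = self.policies.get(dst_port)
        if policy is None:
            return "DROP"  # no rule at all: the port is invisible
        if policy.groups is None:
            return "ALLOW"  # public rule, e.g. the web server
        user = self._session_user(src_ip, now)
        if user is None or not (user.groups & policy.groups):
            return "DROP"  # unauthenticated, or authenticated but wrong group
        return "ALLOW"


def build_demo_firewall() -> AuthFirewall:
    """Constructed sample: 'rj' may reach RDP, 'guest' can log in but not reach it."""
    fixed_salt = b"demo-salt-not-random"  # fixed so the demo is reproducible
    users = [
        User("rj", *hash_password("COMPANYPASSWORD", fixed_salt), frozenset({"rdp-users"})),
        User("guest", *hash_password("guestpass", fixed_salt), frozenset({"staff"})),
    ]
    policies = [
        Policy(3389, frozenset({"rdp-users"})),  # authenticated policy for RDP
        Policy(80, None),                        # plain public HTTP
    ]
    return AuthFirewall(users, policies)


if __name__ == "__main__":
    fw, t0, client = build_demo_firewall(), 0.0, "203.0.113.5"
    print("before login:", fw.evaluate(client, 3389, t0))                      # DROP
    print("login:", fw.login(client, "rj", "COMPANYPASSWORD", t0))            # True
    print("after login:", fw.evaluate(client, 3389, t0 + 1))                   # ALLOW
    print("after timeout:", fw.evaluate(client, 3389, t0 + SESSION_TTL + 1))   # DROP
```

Two things the model makes visible that the thread only hints at. The session is keyed on the source IP, because that is all the packet filter has to go on, so once RJ's user authenticates from behind a NAT gateway every other host sharing that public address sees port 3389 too; and the portal itself is, by design, reachable from the Internet, which is the exposure Leythos objects to, so its login handler has to be treated like any other public service (the demo hashes passwords and compares in constant time, but does not model lockout or rate limiting, which a real deployment needs).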

FYI:-

formatting link
(phew - I'm not the only one!)

and WG say:-

formatting link

RJ

Reply to
ryanjjones

Thanks - may I ask how? Is this via a HTTP(s) web page hosted by the sonicwall? Does it need JVM installed in the browser?

(also - if I can be cheeky - can I confirm the new SonicWalls provide NATing ability for different ports - e.g. 123.123.123.123 port 25 can go to host 10.1.10.1 and 123.123.123.123 port 80 can go to host 10.1.20.2 for instance?) Our current SonicWall (old) only seems to support 1-to-1 NAT. *

*Maybe it's the setup - as it was configured a while ago and I don't fancy playing too much as it works as is!!

Reply to
ryanjjones

You can just set up a username/password on the box and apply it to the inbound policy then. Just note you have to start by having them browse or use ftp or telnet, so that the box can authenticate (even if there is no such server behind the address -- the box is the "server" in that case). Once they do that the other authenticated protocols (rdp) will work.

-Russ.

Reply to
Somebody.

Hi RJ,

Check Point VPN-1 NG/NGX and Microsoft ISA Server 2004 have this functionality out of the box:

- In Check Point VPN-1 there are 3 available types of authentication (user, session and client authentication), permitting you to authenticate users by a transparent connection, a client agent or a parallel connection (like Watchguard does via port 4100). There are 6 available database schemes (OS Password, Check Point Password, SecurID, RADIUS, TACACS, LDAP).

Authentication with the first 5 schemes is free (included in every standard license) while the last one, LDAP, is available only by paying an additional price (in price lists it is referred to as SmartDirectory).

- In Microsoft ISA Server every rule can be enforced by authentication by specifying a Windows local SAM group or an Active Directory domain group. Multiple groups are supported as well.

HTH

Alessandro Perilli, CISSP, MVP

formatting link
Blogging about IT Security on
formatting link
about Virtualization on
formatting link

Reply to
Alessandro Perilli

Authenticating a firewall implementation through AD sounds like a security nightmare.

But having a firewall implementation on Windows does so anyway ;-)

Yours, VB.

Reply to
Volker Birk

formatting link
(phew - I'm not the only one!)

It seems strange that they would suggest using something that gives a warning when changed. I've understood this method for a long time, but the tech people at wg support have always told me to not expose it to the web.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.