The method used for Client-Auth is HTTP:900 or Telnet:259 directly to
the firewall. Client-auth is also the least secure CP authentication
type, so I never use it. But I do implement User-Auth sometimes. I
know that if your rulebase looks like this:
    users@any, dest any, service http, action user-auth
    internal_lan, dest any, service http, action accept
and a user's machine is on the "internal_lan" then the user will pass
http UNauthenticated.
User-Auth is limited to working with only HTTP, FTP, Telnet, RLogin,
and HTTPS, and it is extremely noisy when authenticating outbound HTTP
(you have to auth every connection). It seems to be most feasible for
inbound HTTP connections or outbound HTTP connections to specific
hosts. But User-Auth is more secure than Client-Auth, and you don't
have to allow connections to the firewall to authenticate.
Client-Auth is good because it works with all protocols.
Session-Auth is the way to go if you need to work with any protocol,
is less noisy than User-Auth, and does not require direct firewall
connections (it is transparent). The only downside is that you need
client software on every machine.
-fwguru
On 4/26/05, Sascha Picchiantano <s.pic AT espique DOT de> wrote:
> fwguru:
>
> > I don't know from your email if you are authenticating inbound or
> > outbound HTTP. For outbound HTTP, check to see that no other rules
> > will accept unauthenticated outbound HTTP. Otherwise, it will skip
> > the client-auth rule, and the connection will be accepted by the less
> > restrictive (non-authed) outbound HTTP rule, even if the outbound rule
> > is below the client-auth rule.
>
> that I don't really understand. I want to use outbound HTTP. Currently
> my rule base has one unauthenticated rule, that allows a single machine
> (web cache) to access the Internet using HTTP. Then, later on below that
> rule I have the client auth rule. This works just fine. Now if I'd place
> the client auth rule before the stealth (and thus before the
> unauthenticated HTTP) rule, the web cache will no longer be able to
> access the internet - unauthenticated that is. Here is what I currently
> have:
>
> 1. - allow HTTP outbound, unauthenticated, source: web cache server
> 2. - allow HTTP outbound, client auth, source: any
>
> Note that I have about 200 rules and that the two mentioned here are not
> number 1 and 2, it's just to illustrate how they are ordered. I want to
> place a stealth rule on top of the rule base - where it belongs.
>
> If I get you right I place a new rule before the stealth rule that
> allows HTTP, source local LAN, destination firewall. Would that be
> enough to allow the clients to authenticate? Is the authentication done
> over HTTP or does it use some other protocol? Which one?
>
> Thanks,
> Sascha
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
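The ordering problem discussed in this thread (an auth rule that gets skipped because another rule accepts the same traffic unauthenticated, even when that rule sits lower in the rule base) is easy to miss in a 200-rule policy. The following is an added example, not code from the thread or from Check Point: a small Python model of a rule base that encodes the skip behaviour exactly as fwguru describes it, plus a static audit that lists every accept rule overlapping an auth rule. Matching is simplified (an assumption of this example): `any` and a user group such as `users@any` match everything, and other object names must be equal; a real audit would have to resolve group and network membership.

```python
from dataclasses import dataclass

ANY = "any"
AUTH_ACTIONS = {"user-auth", "client-auth", "session-auth"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # address object, or "any"; "users@any" = a user group on any address
    dst: str
    service: str
    action: str   # "user-auth", "client-auth", "session-auth", "accept" or "drop"


def _matches(field: str, value: str) -> bool:
    """Simplified matching (assumption of this example): 'any' and 'users@any'
    match everything; otherwise object names must be equal."""
    return field == ANY or field.endswith("@" + ANY) or field == value


def _overlaps(a: str, b: str) -> bool:
    """Two rule fields overlap if either one would match the other's object."""
    return _matches(a, b) or _matches(b, a)


def _rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (_matches(rule.src, src) and _matches(rule.dst, dst)
            and _matches(rule.service, service))


def evaluate(rules, src, dst, service):
    """Return (action, rule_name) for one connection: first match, but with the
    behaviour described in the thread, where a matching auth rule is skipped
    whenever a later 'accept' rule would also accept the same connection."""
    for i, rule in enumerate(rules):
        if not _rule_matches(rule, src, dst, service):
            continue
        if rule.action in AUTH_ACTIONS:
            for later in rules[i + 1:]:
                if later.action == "accept" and _rule_matches(later, src, dst, service):
                    return ("accept", later.name)   # passes unauthenticated
        return (rule.action, rule.name)
    return ("drop", "implicit-cleanup")


def find_auth_bypasses(rules):
    """Static audit: for every auth rule, list the 'accept' rules whose
    source/destination/service overlap it. Traffic in that overlap reaches its
    destination without authenticating, whether the accept rule is above the
    auth rule (plain first match) or below it (the skip behaviour)."""
    findings = []
    for i, auth in enumerate(rules):
        if auth.action not in AUTH_ACTIONS:
            continue
        for j, other in enumerate(rules):
            if other.action != "accept":
                continue
            if (_overlaps(auth.src, other.src) and _overlaps(auth.dst, other.dst)
                    and _overlaps(auth.service, other.service)):
                findings.append({
                    "auth_rule": auth.name,
                    "accept_rule": other.name,
                    "position": "above" if j < i else "below",
                    "unauthenticated_source": other.src,
                })
    return findings


# Constructed rule bases modelled on the two cases in the thread.
FWGURU_RULES = [
    Rule("1", "users@any", ANY, "http", "user-auth"),
    Rule("2", "internal_lan", ANY, "http", "accept"),
]

SASCHA_RULES = [
    Rule("1", "web_cache", ANY, "http", "accept"),   # web cache, unauthenticated
    Rule("2", ANY, ANY, "http", "client-auth"),      # everyone else authenticates
]

if __name__ == "__main__":
    for label, rules in (("fwguru", FWGURU_RULES), ("sascha", SASCHA_RULES)):
        for finding in find_auth_bypasses(rules):
            print(label, finding)
    print(evaluate(FWGURU_RULES, "internal_lan", "www", "http"))
```

In the first rule base the audit reports that `internal_lan` reaches HTTP unauthenticated through rule 2 even though it sits below the user-auth rule; in the second it reports only the web cache, which is the intended exception, and every other source still hits the client-auth rule.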