Home
/
Silicon Graphics
/
Gauntlet
/
Administrator'S Manual

Silicon Graphics Gauntlet, Administrator'S Manual, Page: 128 / 306

Share

Page: 128 / 306

Silicon Graphics Gauntlet Administrator'S Manual Download Page 128

102

Chapter 15: Managing Information Services on the Firewall

The Gauntlet Info Server implements a minimalist design, in which the server handles
only the file requests. A variety of management tools (on a per-service basis) actually
provide the data. These smaller programs are easier to analyze and verify that there are
no holes. Simpler code is easier to verify.

How It Works

The following sections describe how the InfoServer works.

HTTP and Gopher Server

When serving as an HTTP or Gopher server, the Info Server (info-gw) runs on the firewall
as a daemon listening for TCP-based requests on port 8000. When the firewall receives a
request, it forks a child copy of the Info Server, leaving the parent Info Server to continue
listening for requests.

The child Info Server process looks at the request and places it in one of several categories
(such as Gopher or HTTP).

It checks the appropriate configuration information (in the netperm-table) and determines
whether the requesting host has permission to use the desired service. If not, the Info
Server logs the connection and displays an error message.

If the host has permission to use the service, the Info Server uses its internal database (by
default in /usr/gauntlet/infodb) to find the requested file or to go to the requested directory.
The client thinks it is talking to a regular HTTP or Gopher server, even though it is not.

FTP Server

When serving as an anonymous FTP server, the Info Server runs in conjunction with the
network access control (netacl) daemon. In this scenario, the IRIX system runs the
network access control daemon (netacl) as a daemon listening for requests on the
standard FTP port (21). Whenever the firewall receives a FTP request on this port, the
netacl daemon checks its configuration information (in the netperm-table file) and
determines whether the initiating host has permission to use FTP. If the host has
permission, the netacl daemon starts the standard FTP proxy (ftp-gw) or the Info Server

«
...
126
127
128
129
130
...
»

Summary of Contents for Gauntlet

Page 1: ...Gauntlet for IRIX Administrator s Guide Document Number 007 2826 004 ...

Page 2: ...e clause at DFARS 52 227 7013 and or in similar or successor clauses in the FAR or in the DOD or NASA FAR Supplement Unpublished rights reserved under the Copyright Laws of the United States Contractor manufacturer is Silicon Graphics Inc 2011 N Shoreline Blvd Mountain View CA 94043 1389 Silicon Graphics and the Silicon Graphics logo are registered trademarks and IRIX and InPerson are trademarks o...

Page 3: ...xiii Mailing Lists xxiii Frequently Asked Questions Lists xxiv White Papers xxiv How to Get Latest Security Patches xxv PART I Understanding the Gauntlet Internet Firewall 1 Understanding the Gauntlet Firewall 3 Understanding Gauntlet Firewall Concepts 3 Design Philosophy 3 Security Perimeter 4 Trusted and Untrusted Networks 4 Policy 6 Transparency 6 Understanding Gauntlet Firewall Components 7 Ha...

Page 4: ... Services 22 Configuring the Proxy Rules 22 Advertising the Firewall as a Mail Exchanger 22 Configuring Your Internal Mail Hub 22 Verifying Your Setup 23 Using Mail 23 3 Managing POP3 Services 25 Understanding the Proxy 25 How the POP3 Proxy Works 26 Configuring the Firewall for POP3 26 Planning 27 Configuring Network Services 27 Configuring the Proxy Rules 27 Configuring Your Internal POP3 Mail S...

Page 5: ...ying Your Setup 35 Using Terminal Services 35 TELNET Rlogin and TN3270 Without Authentication 35 TELNET and Rlogin With Authentication 36 TN3270 With Authentication 37 5 Managing FTP Services 39 Understanding the FTP Proxy 39 How the FTP Proxy Works 40 Configuring the Firewall for FTP Services 41 Planning 41 Configuring Network Services 41 Configuring the Proxy Rules 41 Creating Authentication Use...

Page 6: ... 7 Managing Gopher and WWW Services 51 Understanding the Proxy 51 How It Works 52 Authenticated HTTP 53 Gopher and FTP Services 54 SHTTP and SSL Services 54 Configuring the Firewall for WWW and Gopher Services 54 Planning 54 Configuring Network Services 55 Configuring the Proxy Rules 55 Creating User Authentication Entries 55 Verifying Your Setup 55 Using Web Services 55 Using Proxy Aware Browsers...

Page 7: ...Managing MediaBase Services 65 Understanding the MediaBase Proxy 65 How It Works 66 Configuring the Firewall to Use the MediaBase Proxy 66 Planning 66 Configuring Network Services 67 Configuring the Proxy Rules 67 Verifying Your Setup 67 Using the MediaBase Proxy 67 10 Managing X Window Services 69 Understanding the X11 Proxy 69 How the X11 Proxy Works 70 Configuring the Firewall for X11 Services ...

Page 8: ...Receiving Machine 77 Verifying Your Setup 78 Using lp Services 78 12 Managing Sybase Services 79 Understanding the Sybase Proxy 79 How It Works 80 Configuring the Firewall for Sybase Services 81 Planning 81 Configuring Network Services 81 Configuring the Proxy Rules 81 Configuring Sybase Clients 82 Verifying Your Setup 82 PART III Administering General Gauntlet Firewall Services 13 Managing NNTP a...

Page 9: ...Your Service 91 Verifying Your Setup 91 Configuring Multiple Newsfeeds 91 Configuring Your NNTP Proxy for Reading News 92 14 Managing General TCP Services With Authentication 93 Understanding the Circuit Proxy 93 How It Works 94 Configuring the Firewall for Authenticated TCP Services 95 Planning 95 Configuring Network Services 96 Configuring the Proxy Rules 97 Verifying Your Setup 98 Using the Cir...

Page 10: ...he Network Access Control Daemon 111 Understanding the Network Access Control Daemon 111 How It Works 112 Configuring the Network Access Control Daemon 112 Planning 113 Configuring Network Services 113 Configuring the Proxy Rules 113 Configuring Your Service 113 Verifying Your Setup 113 17 The Graphical Management Interface 115 First Time User Tips 116 Help Links 116 Hide and Unhide Buttons 116 Ga...

Page 11: ... Server 140 Configuring a Split DNS Server 142 Sendmail on Gauntlet Servers 146 Mail Hubs 146 Mail Relays 147 Gauntlet and Subdomains 147 Sendmail Configuration Form 148 swIPe Configuration Form 152 Authentication and Encryption Schemes 153 VPN Paths 154 Preparing a Server for swIPe Configuration 154 Configuring a Server for swIPe 156 Verifying Your Setup 159 Logfiles and Reports Configuration For...

Page 12: ...e Passwords 177 Configuring the User Authentication Management System 178 Configuring Third Party Systems 178 Configuring Network Services 179 Configuring Authentication Management System Rules 180 Verifying Your Installation 180 Managing Groups 180 Creating Groups 181 Disabling Groups 181 Deleting Groups 181 Managing Users 181 Creating Users 181 Creating Users with Access Key II 183 Changing User...

Page 13: ...Your Setup 193 Using the Login Shell Program 193 Accessing the Firewall from Trusted Networks 193 Accessing the Firewall from Untrusted Networks 193 Changing Password for User Account 194 20 Logging and Reporting 195 Understanding Logging and Reporting 195 Creating Logs 196 Configuring Logs 197 Configuring Additional Logging 197 Configuring Log Retention Time 197 Creating Reports 197 Service Summa...

Page 14: ...ts 205 PART IV Appendixes A Gauntlet System Files 209 Viewing the Gauntlet File List 209 B Netperm Table 215 Policy Rules 215 Application Specific Rules 216 Proxies 216 Applications 217 Using This Information 217 Modifying the Netperm Table File 218 Netperm table Syntax 218 Precedence 218 Format 219 Keywords 220 Attributes 221 Creating New Policies 221 Adding Proxy Services 223 Denying Services By...

Page 15: ...walls Passthrough Link 272 How It Works 273 Encrypting the Data 273 Decrypting the Data 273 Routing the Packet 274 D Configuring SSL on the Gauntlet Firewall 275 Getting Ready for SSL Configuration 275 SSL Configuration Procedure 276 Supplementary Instructions for Generating a Key Pair 277 Supplementary Instructions for Generating a Certificate 277 Saving the Email Reply from Your Certificate Auth...

Page 16: ......

Page 17: ...orks and Interfaces Configuration Form 1 of 2 124 Figure 17 7 Networks and Interfaces Configuration Form 2 of 2 125 Figure 17 8 Routing Configuration Form 129 Figure 17 9 Example Gauntlet Host Routing Configuration 130 Figure 17 10 Proxy Servers Configuration Form 1 of 3 136 Figure 17 11 Proxy Servers Configuration Form 2 of 3 137 Figure 17 12 Proxy Servers Configuration Form 3 of 3 138 Figure 17 ...

Page 18: ...xviii List of Figures Figure 17 22 Authorizing Users Form 165 Figure 17 23 Add User Form 166 Figure 17 24 User Authentication 167 Figure C 1 Yoyodyne Virtual Private Network 270 ...

Page 19: ...d why they are important It presents an overview of how the Gauntlet firewall system works Part II Configuring and Using Proxies explains how to configure the various applications and proxies Chapter 2 Managing SMTP Services explains what the SMTP proxy does and how it works It presents instructions for configuring the Gauntlet firewall as well as required and potential configuration steps for mai...

Page 20: ...audio data Chapter 9 Managing MediaBase Services describes the MediaBase proxy which securely handles requests to play video and multimedia data Chapter 10 Managing X Window Services explains what the X11 proxy does and how it works It presents instructions for configuring the Gauntlet firewall as well as required and potential configuration steps for the X11 applications Chapter 11 Managing LP Se...

Page 21: ...authentication systems Chapter 19 Using the Login Shell explains what the login shell does and how it works It presents instructions for configuring the Gauntlet firewall for more secure access Chapter 20 Logging and Reporting explains how the system logs activity It explains the different types of reports how to configure them and how to interpret them Chapter 21 Backups and System Integrity expl...

Page 22: ... variables to be supplied by the user in examples code and syntax statements Fixed width type Prompts and onscreen text Bold fixed width type User input including keyboard keys printing and nonprinting literals supplied by the user in examples code and syntax statements see also ALL CAPS Environment variables Double quotation marks Onscreen menu items and references in text to document section tit...

Page 23: ...k Steven M Bellovin William R Addison Wesley ISBN 0 201 63357 4 Newsgroups comp security firewalls Discussions of anything regarding network security firewalls Mailing Lists The Firewalls mailing list is for discussions of Internet firewall security systems and related issues Relevant topics include the design construction operation maintenance and philosophy of Internet firewall security systems ...

Page 24: ...tis com Home NetworkSecurity Firewalls FirewallsNotEnough html A Network Perimeter with Secure External Access Avolio Frederick M and Ranum Marcus J Internet Society Symposium on Network and Distributed Systems Security February 1994 http www tis com Home NetworkSecurity Firewalls isoc html ftp tis com pub firewalls isoc94 ps Z Thinking About Firewalls Ranum Marcus J Presented at SANSII 1993 http ...

Page 25: ...y patches if any at the time of product release so be sure to install those patches Stay in touch with the WWW site for Silicon Graphics Security Headquarters at http www sgi com Support Secur security html for new security patches and security advisories Be sure to install any security patches that replace patches found on your CD ROM ...

Page 26: ......

Page 27: ...PART ONE Understanding the Gauntlet Internet Firewall I ...

Page 28: ......

Page 29: ... page xxiii for a list of other resources that provide excellent introductory and advanced discussions of firewalls Understanding Gauntlet Firewall Concepts Simply put a firewall is a single point of defense that protects one side from the other In networking situations this usually means protecting a company s private network from other networks to which it is connected Firewalls can be as simple...

Page 30: ...lly has no user accounts While you can setup an administrator account users do not need to log into the firewall to access information on the other side The Gauntlet Internet Firewall is auditable controllable and configurable You can configure many options to match your security policies The software logs the specified activities and processes fore review so that if you suspect a security breach ...

Page 31: ...es for these sites They are the ones from which you are trying to protect your network However you still need to and want to communicate with these networks even though they are untrusted When you setup the firewall you explicitly configure the networks from which your firewall can accept requests but which it does not trust By default after initial configuration the untrusted networks are all net...

Page 32: ... the request The default policy for trusted networks does not require users to authenticate the default policy for untrusted networks does require users to authenticate When installed all services are turned off It is up to you to enable the services which your site needs Transparency Transparency indicates that your firewall is not visible to your users as they work They can continue to TELNET to...

Page 33: ...8 for information on minimizing exposure while implementing the Gauntlet software All known security holes are patched as of the release of the Gauntlet product refer to How to Get Latest Security Patches on page xxv for information on security patches As part of the firewall the operating system has been tailored to provide support for only the services necessary to run the firewall For example s...

Page 34: ...let firewall includes proxies for the following types of services Terminal services TELNET and rlogin Electronic mail SMTP and POP3 File transfer services FTP Remote Execution Rsh Usenet news NNTP Web services HTTP SHTTP SSL Gopher services Gopher Gopher X Window services X11 Printing services lp SQL services Sybase SQL Server Audio service Real Audio In addition the Gauntlet firewall includes a g...

Page 35: ...cannot be reused if sniffed by an attacker Additional Features The Gauntlet Firewall provides additional security by using the IRIX IP filter utility ipfilterd see ipfilterd 1M This allows Gauntlet to check IP packets based on several criteria for example address and protocol and processes or rejects the packets It detects spoofed packets claiming to be from one network that are actually from anot...

Page 36: ...mpany Yoyodyne that has a connection to the Internet via an Internet service provider ISP They have installed a Gauntlet Internet Firewall to protect their corporate network yoyodyne com from all other hosts on the Internet They are using the standard configuration shown in Figure 1 1 ...

Page 37: ...r The router only passes traffic from the Internet to the Gauntlet firewall when that traffic is bound for some part of the Yoyodyne internal network More sophisticated routers can additionally strengthen a companies security perimeter by implementing certain security functions such as IP spoofing filters Gauntlet Internet Firewall Internet Internal network Router ...

Page 38: ...hrough at the application level to the other side Dual Homed Bastion Host In order to protect the inside network the firewall must be able to see all of the packets intended for hosts on the inside network While there are a number of ways to physically and logically accomplish this the recommended configuration is the firewall machine installed as a dual homed bastion host As a dual homed bastion ...

Page 39: ... inside network traffic enters and exits through a network interface such as ec1 To accomplish this each interface has a separate IP address Yoyodyne was assigned the 204 254 155 network and chose 204 254 155 253 as the outside IP address and 10 0 1 253 for the inside IP address Gauntlet Internet Firewall Internet Internal network Router ec0 ec1 204 254 155 253 10 0 1 253 ...

Page 40: ...a TELNET Receive Packet Routing information on outside hosts and at the ISP directs all requests for the company to the firewall In addition the domain name system DNS on the firewall and other outside DNS servers advertises the outside IP address of the firewall as the only way to connect to anything on the inside network Hosts on the inside network use routing information to direct all requests ...

Page 41: ...locally it looks at the contents of the packet The operating system checks various tables on the firewall to determine if it offers the requested service on the requested port If it does not it logs the attempt as a potential security alert and rejects the request In our TELNET example the packet indicates that it is a TELNET request on port 23 The configuration tables indicate that the firewall s...

Page 42: ... the appropriate program on the other side of the firewall using the standard protocol for that service In our TELNET example the TELNET proxy uses the generic outside policy because the request came from an outside network The outside policy permits TELNET to internal machines but requires authentication The firewall prompts the user to authenticate Once the user authenticates the proxy provides ...

Page 43: ...PART TWO Configuring and Using Proxies II ...

Page 44: ......

Page 45: ...securely handles the transfer of SMTP mail between the inside and outside networks This chapter explains the concepts behind the proxy and how it works how to configure the proxy for SMTP mail transfer and how to configure these services to run through the firewall Understanding the Proxy The proxy for SMTP is actually two different processes a client smap and daemon smapd Together they provide co...

Page 46: ...ry you specify A common policy is to have one mail hub for the inside network In this scenario outside networks know via DNS that they should send all mail for the domains yoyodyne com on the inside networks to the firewall firewall yoyodyne com itself for processing An outside host informs the firewall it has mail by connecting to smap on the SMTP port The smap client collects the mail from the o...

Page 47: ... hostname or alias for all relay hosts A relay is a host inside the firewall that determines where to send mail with an unknown address you might have only one relay 4 Provide subdomains to be recognized if you want outgoing mail addresses rewritten to keep subdomain information The sendmail program transforms sender addresses from the user host domain format penny dimension yoyodyne com into the ...

Page 48: ...ble for more information on smap and smapd options netperm table options and order of precedence Advertising the Firewall as a Mail Exchanger You need to advertise the firewall as the mail exchange site for your domain The DNS configuration in gauntlet admin can do this for you Consult the section on DNS configuration for specific instructions Configuring Your Internal Mail Hub As long as you are ...

Page 49: ... Mail v bouncer bbnplanet com Subject Test Configuring Mail and the Gauntlet Firewall This is a test D The verbose mode ensures that you see the details of the delivery The bouncer service sends you a return message shortly If you need to test header rewriting or other custom configurations consider starting sendmail in debug mode Using Mail The firewall and the smap and smapd proxies for SMTP tra...

Page 50: ......

Page 51: ...POP3 mail transfer and how to configure POP3 services to run through the firewall Understanding the Proxy The Gauntlet POP3 proxy is an application level gateway that provides configurable access control authentication and logging mechanisms The POP3 proxy which runs on the firewall transfers mail between external workstations and internal mail servers based on rules you supply source IP address s...

Page 52: ...ing for requests on the standard POP3 port 110 When the firewall receives requests for POP3 services on this port the proxy checks its configuration information in the netperm table file and determines whether the initiating host has permission to use POP3 services If the host does not have permission the proxy logs the connection attempt and displays an error message If the host has permission th...

Page 53: ...admin Proxies form where you can enter the name of the destination POP3 server and modify the timeout value if you desire See Appendix B for more information on pop3 gw options netperm table options and order of precedence Configuring Your Internal POP3 Mail Server Configure your internal POP3 mail server 1 Configure your POP3 mail server to accept POP3 requests from the firewall If you need to sp...

Page 54: ...procedures to use POP3 services To retrieve electronic mail using POP3 with authentication follow these steps Note that the order of these steps may differ for different user agents 1 Configure the mail user agent and set the name of the POP3 server to the firewall 2 Retrieve mail causing the user agent to connect to the firewall 3 Authenticate to the proxy by supplying your APOP password 4 Contin...

Page 55: ...irewall firewall yoyodyne com to get his mail Next John retrieves his mail As part of the connection the proxy requests authentication information from the user agent which prompts him After authenticating the proxy transfers the request to the internal POP3 mail server mail yoyodyne com authenticates using the user s POP password as stored on the firewall and retrieves his mail ...

Page 56: ......

Page 57: ...ovide configurable access control authentication and logging mechanisms The TELNET and rlogin proxies which run on the firewall pass TELNET and rlogin requests through the firewall using rules you supply The TELNET proxy also passes TN3270 requests through the firewall You can configure the proxies to allow connections based on source IP address source hostname destination IP address destination h...

Page 58: ...gin daemon rlogind or the rlogin proxy rlogin gw The default policy for this scenario is to allow all inside hosts to initiate TELNET or rlogin sessions without authenticating The inside host passes TELNET requests to the firewall which starts the netacl daemon The netacl daemon checks its permissions and determines that the inside host can use TELNET The netacl daemon starts the proxy The proxy l...

Page 59: ...es as daemons listening for requests on the standard TELNET port 23 and Rlogin port 513 Common policies allow inside hosts to connect without authentication and outside hosts to connect with authentication This configuration using just the TELNET and Rlogin proxies without the netacl daemon prohibits running either TELNET or Rlogin on the firewall itself which would allow you to login to the firew...

Page 60: ...t remote logins This setting actually changes the settings in the netperm table file so that the TELNET and rlogin proxies will start the actual TELNET and rlogin daemons when you try to connect to the firewall itself using the localhost host name Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support TELNET or rlogin traffic Configuring the ...

Page 61: ...Enable transparent proxies using gauntlet admin to configure the proxies so that users working on the trusted networks behind the firewall do not see a change in their daily TELNET rlogin and TN3270 activities For example a transparent TELNET through firewall yoyoyne com might look like this dimension 26 telnet blaze clientsite com Trying 10 0 2 120 port 23 Connected to blaze clientsite com BSDI B...

Page 62: ...o or through the firewall The example below shows a sample TELNET session from an untrusted network to a trusted network using S Key authentication at the firewall blaze clientsite com 28 telnet firewall yoyodyne com Trying 204 255 154 100 Connected to firewall yoyodyne com Escape character is Username scooter Skey Challenge s key 651 fi19289 SAFE DUB RISK CUE YARD NIL Login Accepted firewall yoyo...

Page 63: ...t machine The TELNET daemon on dimension prompts Scooter for his user name and password on dimension The TELNET daemon on dimension verifies Scooter s user name and password and logs him in TN3270 With Authentication If you have configured terminal services to require authentication users need to follow different procedures to use TN3270 To use TN3270 with authentication 1 TN3270 to the firewall i...

Page 64: ......

Page 65: ...proxy that provides configurable access control authentication and logging mechanisms The FTP proxy which runs on the firewall passes FTP requests through the firewall using rules you supply You can configure the FTP proxy to allow file transfer activity based on source IP address source hostname destination IP address destination hostname FTP command for example STOR and RETR Using these options ...

Page 66: ...e FTP sessions and transfer files without authenticating The inside host passes FTP requests to the firewall which starts the netacl daemon The netacl daemon checks its permissions and determines that the inside host can use FTP The netacl daemon starts the ftp gw The proxy logs the transaction and passes the request to the outside host The ftp gw remains active until either side terminates the co...

Page 67: ...ic sources and destination Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support FTP traffic Configuring the Proxy Rules If you are using the Gauntlet Firewall default configuration you do not need to modify the proxy rules for FTP services Use the gauntlet admin Proxies form if you want to enable FTP or anonymous FTP If you have chosen a di...

Page 68: ...configured any FTP activities to require authentication users must follow different procedures to use FTP To FTP using authentication follow these steps 1 FTP to the firewall itself 2 Authenticate to the proxy 3 Connect to the desired FTP server 4 Continue as before A common policy for the FTP proxy is to authenticate all requests from untrusted networks to or through the firewall The example belo...

Page 69: ...s Clancy s user name and password and logs him in Clancy can now transfer files using regular FTP commands Using Authentication With Some GUI FTP Tools The FTP proxy can require you to authenticate twice Some GUI FTP tools for Microsoft Windows and the Macintosh require you to specify the user name and password in a dialog box These tools assume that once you supply this information you are connec...

Page 70: ...res easy access by the public If you place the anonymous FTP server behind the firewall you are allowing an additional type of access within your security perimeter If you place the FTP server on the firewall itself you are allowing additional access to your firewall Evaluate both setups for the possible security risks to your site and how your site security policy addresses this type of access Ga...

Page 71: ...er 45 Use checksums to watch for file changes Back up frequently You can also use the Info Server included with the Gauntlet firewall as an anonymous FTP server on the firewall itself See FTP Server on page 102 for more information ...

Page 72: ......

Page 73: ... configurable access control authentication and logging mechanisms The Rsh proxy which runs on the firewall passes Rsh requests through the firewall using rules you supply You can configure the Rsh proxy to allow remote shell activity based on source IP address source host name destination IP address destination host name Using these options you can configure your firewall to allow specific hosts ...

Page 74: ...did before the firewall was put into place The default policy does not allow outside hosts to Rsh to hosts inside the perimeter The default policy and configuration using just the Rsh proxy prohibit running an Rsh server on the firewall itself Because the Rsh proxy is running on the standard Rsh port on the firewall all Rsh requests start the proxy There is no way to start the Rsh daemon needed to...

Page 75: ... accessing a machine outside the perimeter from a machine inside the perimeter Using Rsh Services Following some initial configuration the firewall and the rsh gw proxy are transparent to the user Users can continue to use rsh to outside hosts as they did before Configuring the Remote Machine Before using Rsh users must add their user name and the name of the firewall to their rhosts file on the r...

Page 76: ...g Rsh Services For example Penny who works at Yoyodyne needs to execute something remotely using her account at Big University She adds a line to the rhosts file in her account at Big University penny fire out yoyodyne com ...

Page 77: ...ing HTTP proxy included with the Gauntlet Firewall securely handles requests for information via hypertext Gopher and file transfer The proxy supports hypertext transfer via the HTTP SHTTP and SSL protocols Gopher transfer via Gopher and Gopher protocols and file transfer via FTP This chapter explains the concepts behind the HTTP proxy and how it works how to configure the proxy for web services G...

Page 78: ...the section on Configuring the Firewall for WWW and Gopher Services at the end of this chapter How It Works The IRIX system runs the HTTP proxy as a daemon listening for requests on the HTTP port 8080 and or the gopher port When the firewall receives requests for services via HTTP SHTTP SSL Gopher or Gopher the proxy looks at the request and places it in one of several categories The proxy then ch...

Page 79: ...rd HTTP proxy on popular alternate ports Authenticated HTTP If you want to authenticate users before allowing them to access information the firewall runs the authenticating HTTP proxy ahttp gw as a daemon listening for requests on the HTTP port 8080 When the firewall receives requests for service on this port it performs the normal configuration checks to ensure that the initiating host has permi...

Page 80: ...ervices If the request is for some sort of secure HTTP transaction using either the SHTTP protocol on port 8080 or SSL protocol on port 443 the proxy performs the appropriate hand off with the secure server at the other end of the connection If you have not configured or can not configure the web browser to know about the HTTP proxy as the security proxy the firewall calls the SSL plug proxy for a...

Page 81: ...ll want to deny it for the HTTP proxy as well Creating User Authentication Entries Use the authentication management system to create authentication user entries for any users who authenticate when using the authenticating HTTP proxy See Chapter 17 for more information Consider using multiple authentication servers as explained on page 6 if you wish to require strong authentication for other inbou...

Page 82: ...x from a preferences menu while others require you to edit a configuration file and others use environment variables If you are using the authenticating HTTP proxy ensure that the browser supports proxy authentication and persistent connections To configure the browser follow these steps 1 Specify that you can only have one network connection at a time if you are using the authenticating HTTP prox...

Page 83: ...names of any internal or corporate HTTP servers localhost 127 0 0 1 Note that if you use the IP address instead of the hostname you must use the internal IP address of the firewall Figure 7 1 shows the configuration screen for version 2 0 of Netscape Navigator for Microsoft Windows Figure 7 1 Proxy Configuration for Netscape Navigator 2 0 for Windows Accessing Web Services Without Authentication O...

Page 84: ...ou are using weak authentication enter your username and password when your browser prompts you to The proxy remembers this information and reauthenticates you if the connection breaks Strong Authentication If you are using strong authentication enter your username when your browser prompts you to The proxy uses your user name to determine the type of authentication you are using It prompts you a ...

Page 85: ...RLs in bookmarks and hotlists Using Gopher Services The firewall configuration for the http gw proxy for Gopher services is transparent to the user if transparent proxies have been enabled using gauntlet admin Users can continue to point their Gopher clients to Gopher servers as they did before If you have disabled transparent proxies then users must rewrite each Gopher address If a user has a set...

Page 86: ...lihood that someone may be able to exploit bugs in the WWW server to break into your firewall The best solution is generally to place your WWW server on a separate machine outside the perimeter Follow good host oriented security practices for this machine Turn off all other services Create the minimum number of user accounts Use strong authentication Patch your operating system and applications wi...

Page 87: ...ation level proxy that provides configurable access control The proxy which runs on the firewall passes RealAudio client requests through the firewall using rules you supply You can configure the RealAudio proxy to allow connections based on source host name source IP address destination host name destination IP address Using these options you can configure the firewall to allow RealAudio clients ...

Page 88: ... the default RealAudio proxy port 1080 The proxy works as described above However you must configure your RealAudio player to use the RealAudio proxy that is running on port 1080 Only recent RealAudio players can be configured explicitly to use the RealAudio proxy on port 1080 The transparent proxy feature does not need to be enabled in this case The default policy allows inside hosts to use RealA...

Page 89: ...e the RealAudio server use the gauntlet admin Proxies form to enable the server Alternatively you may modify usr gauntlet config template netperm table to reflect your configuration See Appendix B for more information on rap gw options netperm table options and order of precedence Verifying Your Setup Verify your installation by using your RealAudio player to listen to audio files or live broadcas...

Page 90: ...eed to configure your RealAudio player to know about the proxy and the other port To configure the RealAudio player 1 Select View 2 Select Preferences 3 Select Proxy 4 Check the Use Proxy box 5 Enter as the host the name for the inside interface of your firewall Now when you point your web browser or RealAudio player at a RealAudio file they use the proxy ...

Page 91: ...l in the WebFORCE MediaBase Administrator s Guide Understanding the MediaBase Proxy The Gauntlet MediaBase proxy is an application level proxy that provides configurable access control The proxy which runs on the firewall passes MediaBase client and server requests through the firewall using rules that you supply You can configure the MediaBase proxy to allow connections based on source host name ...

Page 92: ...passes the request to the appropriate host The mbase gw daemon is always active This daemon requires that MediaBase players also be configured to use a proxy The default policy allows clients inside the network to connect to MediaBase servers it does not allow outside clients such access however Because the firewall runs the MediaBase proxy on all MediaBase ports all requests from outside clients ...

Page 93: ...he proxy rules for the MediaBase server To enable the MediaBase server use the gauntlet admin Proxies form to enable the server Alternatively you may modify usr gauntlet config template netperm table to reflect your configuration See Appendix B for more information on mbase gw options netperm table options and order of precedence Verifying Your Setup Verify your installation by using your MediaBas...

Page 94: ......

Page 95: ...allow X11 services through their firewall This chapter explains the concepts behind the X11 proxy and how it works how to configure the proxy and how to use X11 services through the firewall Understanding the X11 Proxy The Gauntlet X11 proxy is an application level proxy that provides configurable access control The proxy which runs on the firewall passes X11 display requests through the firewall ...

Page 96: ...er TELNETs to the firewall which runs the TELNET proxy After checking permissions and authenticating users as described in chapter 1 the TELNET proxy tn gw displays a prompt for the user At the prompt the user indicates a wish to allow X displays across the firewall The TELNET proxy starts the X11 proxy x gw on port 6010 corresponding to X display 10 or higher The X11 proxy checks its configuratio...

Page 97: ...o modify your network files on the firewall to use the X11 proxy The TELNET and Rlogin proxies are the only programs that can start the X proxy and they read their configuration information from the netperm table file Configuring the Proxy Rules To enable the X11 proxy for TELNET and Rlogin users use the gauntlet admin Proxies form Alternatively you may modify usr gauntlet config template netperm ...

Page 98: ...Confirm the display request on the real display The example below shows a user working on the inside network who needs to display information from a program running on a machine on an outside network Clancy Rawhide working at his machine dimension on the inside network needs to run an X program on a client machine blaze clientsite com on an outside network and display the results on his display He...

Page 99: ...aze The TELNET daemon on blaze verifies Clancy s user name and password and logs him in login crawhide Password Please wait checking for disk quotas You have mail blaze clientsite com 1 Next Clancy provides the X display information to the client machine blaze and starts the client application He uses the display information that the X proxy provided when he started the X proxy blaze clientsite_1 ...

Page 100: ...74 Chapter 10 Managing X Window Services Figure 10 2 Example X Window Confirmation Finally Clancy views the results on his screen inside the firewall ...

Page 101: ...the proxy and how to use lp services Understanding the lp Proxy The Gauntlet lp proxy is an application level gateway that provides configurable access control and logging mechanisms The lp proxy which runs on the firewall passes lp requests through the firewall using rules you supply You can configure the lp proxy to allow file transfer activity based on source IP address source hostname destinat...

Page 102: ...nd passes the request to the outside host The lp gw remains active until either side closes the connection or the proxy times out the connection The default policy allows inside hosts to use lp Users on inside hosts can continue to print to outside hosts as they did before the firewall was put into place The default policy does not allow outside hosts to connect to inside hosts for printing The de...

Page 103: ... information on lp gw options netperm table options and order of precedence To configure the netperm table file follow these steps 1 Add the lp proxy to your inside and outside policies as appropriate 2 Create an lp proxy section specifying the inside hosts outside server and printer queue lp gw printer host blaze clientsite com printer lp main 3 Configure other lp proxy options as appropriate for...

Page 104: ...ur firewall to a host outside your firewall If you are configured to do so print a file from a host outside your firewall to a host on the inside of your firewall Using lp Services The firewall and the lp gw proxy are transparent to the user Users can continue to use lp to permitted servers and printers as they did before ...

Page 105: ...onfigure the proxy and how to use Sybase services Understanding the Sybase Proxy The Gauntlet Sybase proxy is an application level proxy that provides configurable access control authentication and logging mechanisms The Sybase proxy which runs on the firewall passes Sybase requests through the firewall at the application level using rules you supply You can configure instances of the Sybase proxy...

Page 106: ...controls allow you to have much more control over the connections to and from your system than without a firewall The logging capabilities are also much more extensive How It Works The firewall runs different instances of the Sybase proxy syb gw as daemons on different ports for different Sybase applications based on the information in the etc services and usr gauntlet bin gauntlet files These fil...

Page 107: ... enforce your policy and configuring Sybase clients Planning 1 Determine which Sybase servers users need to access Determine whether you want to limit access to particular a server or not Obtain host name or IP address information for each server 2 For each server determine the port s on which the server accepts connections 3 Determine which external hosts can use these services 4 Determine which ...

Page 108: ... as the host name of the actual machine running the Sybase server If you are not using transparency specify the host name as the IP address of the firewall If you are using server to server communications configure your servers as clients Consult your Sybase administration documentation for further information on configuring clients for accessing servers Verifying Your Setup Use your Sybase client...

Page 109: ...PART THREE Administering General Gauntlet Firewall Services III ...

Page 110: ......

Page 111: ...n applications such as America Online CompuServe and Lotus Notes Each of these services uses a proprietary protocol which could require a multitude of application specific proxies Instead administrators can use the plug proxy to tunnel these through the firewall Warning The consequences of allowing proprietary protocols through your firewall are not well known Because the protocols are proprietary...

Page 112: ...h version of the plug proxy you can configure the proxy to allow connections based on source IP address source hostname source port destination IP address destination hostname destination port Using these options for the plug proxy you could configure your firewall to allow your service provider s host on the outside to connect to the firewall and pass news via NNTP to your news machine on the ins...

Page 113: ...ews server and one external news server The firewall itself cannot run an NNTP news server because the plug proxy is using the standard port for these services Hosts on both the inside and outside think the firewall is servicing requests The external news server thinks it is feeding news to the firewall and the internal news server thinks that it is receiving news from the firewall The firewall is...

Page 114: ...Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support NNTP This is a standard service included in the default versions of these files on the Gauntlet Firewall Configuring the Proxy Rules In most cases you do not need to modify the proxy rules for NNTP This is a standard service Informing Your News Feed Inform your external news feed often yo...

Page 115: ...to modify etc services but do not need to modify etc init d network local or usr gauntlet config template netperm table This section uses the Quote of the Day qotd service as an example Of course you must carefully determine if the benefits of something like a Quote of the Day service outweigh the risks of allowing that type of service within your security perimeter Planning 1 Determine which prot...

Page 116: ...Add information about the plug proxy to etc init d network local so that the system knows what daemon to start to handle Quote of the Day requests echo qotd usr etc plug gw as qotd gw daemon qotd qotd See the comments in etc init d network on how to ensure that etc init d network local will be executed at boot time Use the same name for the service that you specified in etc services Configuring th...

Page 117: ...ervice and application to connect to the firewall instead of directly to the server Consult the documentation included with your plugged service for information on possible configurations Verifying Your Setup Try accessing the service in the way it is meant to be used Conversely access the service in inappropriate ways Watch the logs on the firewall for error messages Configuring Multiple Newsfeed...

Page 118: ... your users to read news For example you need to allow users to directly access news servers on untrusted networks To configure for reading news from servers on untrusted networks 1 Use the gauntlet administration tools to disable NNTP configuration for your firewall This configuration handles a single internal NNTP server connecting to a single external NNTP server Set both the internal and exter...

Page 119: ...are proprietary the firewall and the proxy have no idea what sorts of data or requests the applications are sending Nor do we have any idea how safe the actual application is Do not use the circuit proxy for proprietary protocols without first performing a risk assessment This chapter explains the concepts behind the circuit proxy how it works and how to configure and use the circuit proxy Underst...

Page 120: ...ore connecting if required The circuit proxy also logs all successful and unsuccessful connection attempts and the amount of data transferred These access controls allow you to have much more control over the connections to and from your system than without a firewall The logging capabilities are also much more extensive How It Works The firewall runs the circuit proxy ck gw as a daemon on a user ...

Page 121: ...remains active until either side terminates the connection The original TELNET window also remains active until either side terminates the connection Configuring the Firewall for Authenticated TCP Services Configuring the Gauntlet firewall involves planning indicating which daemons the system will run configuring the proxies to enforce your policy starting your proxy rebooting your firewall and co...

Page 122: ...knows about the service you are porxying indicating name of the service the port and that it uses TCP oracle 1176 tcp Oracle 3 Modify the default circuit proxy startup script in usr local etc mgmt rc so that the system knows what daemon to start Rename the default circuit proxy script D270ck gw to a file name that starts with S and a number The firewall starts the daemons in numeric order so name ...

Page 123: ...ndicating the services offered and the ports used ck gw server service port remote port host remote host where server service indicates the name of the available service Used by the proxy to create the menu of available services port remote port indicates the port on the remote host to which the circuit proxy connects Specify by service name or port number host remote host indicates the name of th...

Page 124: ...uthentication server For example use the auth server on the firewall ck gw authtype authhost 127 0 0 1 authport 7777 You can use the authserver attribute instead of authtype If you specify an authtype attribute the circuit proxy uses the authtype attribute instead of the authserver attribute 4 Comment your additions Verifying Your Setup Verify your installation by using your application through th...

Page 125: ...In this example Robert Hikita working at a machine dimension inside the perimeter needs to access an Oracle database on a machine outside the perimeter He first TELNETs to the port ck gw on the firewall for Yoyodyne fire in yoyodyne com on which the circuit proxy is running The circuit proxy prompts Robert for his authentication userid which he provides hikita When the proxy responds with a challe...

Page 126: ...ion in his original TELNET authentication session waiting for oracle client to be started type q return to abort oracle client started okay to proceed answer yes only if you started a oracle client y ck gw Robert returns to the original TELNET window in which he connected to the circuit proxy He notes that the circuit proxy has received a request for service He confirms the request y He leaves thi...

Page 127: ...cessary It is a good idea to perform a careful risk assessment before placing WWW software on a firewall The Info Server included with the Gauntlet Internet Firewall services requests for HTTP Gopher and FTP services This chapter explains how the Info server and Info Proxy work how to configure the server and the proxy for the various protocols and how to use the server and the proxy Understanding...

Page 128: ...ppropriate configuration information in the netperm table and determines whether the requesting host has permission to use the desired service If not the Info Server logs the connection and displays an error message If the host has permission to use the service the Info Server uses its internal database by default in usr gauntlet infodb to find the requested file or to go to the requested director...

Page 129: ...sses a request it does not use standard directory commands to traverse the file hierarchy on the firewall Instead the Info Server uses a database manager which translates the FTP HTTP or Gopher request into the internal database structure The database manager then tells the Info Server the actual name of the file which the server displays or returns to the client The database uses usr gauntlet inf...

Page 130: ... zero 0 character When the Info Server receives a request for the file latest gz the database manager translates the request and looks for the file Alatest0gz In many cases the files that start with A and H are actually symbolic links to the real text or binary file For example the file Alatest0gz would actually be a symbolic link to latest gz For text files the A file is generally a copy of the a...

Page 131: ...ng only those files that you wish to display For example the L file could contain only the list of files that you want anyone to view even though you have other files in the directory Gopher Menu Files When the Info Server receives a request to display a Gopher menu it instead returns a specific file that contains the list of files that you wish to display for that directory For example when the I...

Page 132: ...oxy Rules If you are using the Gauntlet firewall default configuration you do not need to modify the proxy rules for the info server To enable the info server use the gauntlet admin Proxies form to enable the info server select an idle timeout period and specify an information directory Enable anonymous FTP if desired Alternatively you may modify usr gauntlet config template netperm table to refle...

Page 133: ...erver on the firewall follow these steps 1 Create your directory structure under usr gauntlet infodb D Prefix each directory with the letter D when you create the directory For example if you want to keep all of your pictures in the images directory firewall 32 cd usr gauntlet infodb D firewall 33 mkdir Dimages 2 Copy all of your files HTML text files executables and pictures to the appropriate di...

Page 134: ...ocess for every file you wish to have accessible via the Info Server Binary Files Adding binary files to the database creates the necessary A and H files for images Use the addfile program usr gauntlet infodb tools addfile To add binary files to the database create the A and H files addfile file ctfiletype where file is the name of the binary file ctfiletype is one the default header file types us...

Page 135: ...ame of the executable prepended with a Q and any periods converted to the zero 0 character Repeat this process for every binary file you wish to have accessible via the Info Server Creating FTP List Files Creating list files actually creates the L and N text files that the Info Server displays when it receives FTP ls and nlist requests Use the makedirlist script usr gauntlet infodb tools makedirli...

Page 136: ...at it looks like a normal Gopher menu See the makedirlist script for examples of redirecting list files to text files for the Info Server 2 Modify the resulting file and add the other standard Gopher menu fields Advertising Your Server Advertise your HTTP Gopher or FTP Server to your customers or the world Be sure to advertise the outside IP address of the firewall specify that connections should ...

Page 137: ... explains the concepts behind the network access control daemon how it works and how to configure it Understanding the Network Access Control Daemon The network access control daemon is a TCP wrapper program that provides configurable access control and logging mechanisms The network access control daemon which runs on the firewall starts different applications based on the source address of the r...

Page 138: ...m specified in the netperm table For example the network access control daemon might start the TELNET proxy tn gw for some initiating hosts and the actual TELNET daemon telnetd for other initiating hosts The default configuration of the Gauntlet Internet Firewall uses the network access control daemon to control access to several different proxies and daemons For example the default configuration ...

Page 139: ...cases you do not need to modify the proxy rules for NNTP This is a standard service Configuring Your Service Ensure that the other program you wish to run exists has appropriate file permissions etc For example 1 Create a file usr etc smtp deny txt using SMTP syntax that the network access control daemon can display for SMTP requests from the offending hosts 521 Mail from your system is not permit...

Page 140: ......

Page 141: ...ces Configuration Form on page 123 Routing Configuration Form on page 128 Proxy Servers Configuration Form on page 131 Domain Name Service DNS and Gauntlet on page 139 DNS Configuration Form on page 140 Sendmail Configuration Form on page 148 swIPe Configuration Form on page 152 Logfiles and Reports Configuration Form on page 159 Authorizing Users Form on page 163 Note You can modify directly some...

Page 142: ...th the interface and your own configuration you might prefer to go directly to a particular form in a random order You can do this by clicking the name of the form in the menu bars that appear at the top and bottom of every form in the graphical management interface Help Links To view additional information on many subjects select any highlighted linked word or phrase on the form Caution If you cr...

Page 143: ...r setup choose this option to put your firewall configuration in effect Caution Running Configure All interrupts all current connections including the telnet session if you are using one to manage Gauntlet remotely Using the Gauntlet Management Interface To configure the Gauntlet firewall you can start the management interface locally from the firewall itself or from a remote host including a remo...

Page 144: ...ministrative user name and password 3 Enter the gauntlet admin user name and password By default the user name for the gauntlet admin management tool is gauntlet and the default password is admin Enter the default user name and password to start the Gauntlet management interface Note We strongly recommend that you assign a user name and password other than the default use this command gauntlet adm...

Page 145: ...re all forms appropriately running Configure All interrupts all current connections The introductory management form describes how to use the forms based interface and contains a list of form names From this list you can access any other form go to the next form or configure your system ...

Page 146: ...120 Chapter 17 The Graphical Management Interface Figure 17 3 Gauntlet Introductory Management Form 1 of 3 ...

Page 147: ...Introductory Management Form 121 Figure 17 4 Gauntlet Introductory Management Form 2 of 3 ...

Page 148: ...122 Chapter 17 The Graphical Management Interface Figure 17 5 Gauntlet Introductory Management Form 3 of 3 ...

Page 149: ... bottom of the form so you can go directly to another form if you wish This chapter explains each configuration form in the order that it appears if you click Begin Configuration on the introductory management form and then click the Continue button on each form that follows Networks and Interfaces Configuration Form The Gauntlet networks and interfaces configuration form Figure 17 6 and Figure 17...

Page 150: ...124 Chapter 17 The Graphical Management Interface Figure 17 6 Networks and Interfaces Configuration Form 1 of 2 ...

Page 151: ...Networks and Interfaces Configuration Form 125 Figure 17 7 Networks and Interfaces Configuration Form 2 of 2 ...

Page 152: ...etwork If this mask is not correct for your configuration click Edit and modify the mask field to change it Trusted Networks The Gauntlet firewall supports the concept of trusted networks networks whose users are permitted to access firewall services without user authentication see Authorizing Users Form on page 163 Typically trusted networks are your internal local networks To add networks to the...

Page 153: ...permitted access to network services provided they pass authentication You can add to the list of untrusted networks by clicking the ADD button Remember that when you designate one or more untrusted networks users on these networks are allowed access with authentication all remaining outside networks are considered unknown and their users are refused connections If you leave the list of untrusted ...

Page 154: ...o each network you add Use a metric of 0 if the gateway is an interface on the Gauntlet host and a metric of 1 if it is anywhere else Explicit routes are stored in usr gauntlet config explicit_routes To set the default route to a network enter default as the destination network and 0X00000000 as a network mask The default subnet mask automatically provided by the GUI for the destination network s ...

Page 155: ...Routing Configuration Form 129 Figure 17 8 Routing Configuration Form ...

Page 156: ... the default destination for all inbound packets Figure 17 9 Example Gauntlet Host Routing Configuration If hosts on your internal network are running a routing daemon they eventually acquire the default route from the Gauntlet host The default route can also be explicitly assigned to those hosts by their administrators Additional Routing Information For additional general routing information or i...

Page 157: ...ecurity of the firewall When logins are enabled administrators can connect to the firewall by accessing the rlogin or TELNET proxies Example 17 1 illustrates a sample TELNET session Note The preferred method for managing the firewall remotely is described in Introductory Management Form on page 118 and Configuring Gauntlet for Secure Remote Administration on page 170 Example 17 1 Administrative TE...

Page 158: ...able a proxy for the service When you enable a service the firewall runs a daemon to support it For example enabling TELNET means that a proxy TELNET server will run on the Gauntlet firewall to mediate and enable TELNET connections The proxy will be a transparent TELNET proxy if you have enabled transparent proxies Note You must also have configured the Networks Interfaces Configuration Form corre...

Page 159: ...on is required HTTP Proxy Server Configuration If you enable HTTP hypertext transfer protocol for World Wide Web access you must also specify the following which port the HTTP server should use the default is 8080 which server the HTTP proxy defaults to for unqualified URLs unqualified URLs are HTTP request from a browser that do not include a server name just a path If you want users inside the f...

Page 160: ...n be extremely useful if users are traveling for example Remote users must be using client software that supports POP3 APOP authentication This allows users to authenticate themselves to the Gauntlet firewall so the firewall can then plug the connection through to the internal POP3 server performing the identical authentication exchange with the internal POP3 server The user s password to the POP3...

Page 161: ...ing the Firewall for Other Protocols in Chapter 11 for more information If you configured custom plug gateways click Enable to enable them RealAudio Proxy The RealAudio proxy allows clients inside the firewall to listen to audio files on outside servers You cannot configure the proxy to allow outside clients access to RealAudio servers inside the firewall see Chapter 13 for more information Click ...

Page 162: ...136 Chapter 17 The Graphical Management Interface Figure 17 10 Proxy Servers Configuration Form 1 of 3 ...

Page 163: ...Proxy Servers Configuration Form 137 Figure 17 11 Proxy Servers Configuration Form 2 of 3 ...

Page 164: ...138 Chapter 17 The Graphical Management Interface Figure 17 12 Proxy Servers Configuration Form 3 of 3 ...

Page 165: ... server that provides the address of the Internet side of its network connection 192 132 122 in Figure 17 9 In the case of a screened subnet the DNS server could be any of the public hosts in the subnet and it could provide addresses for all of these hosts and the router You should also set up the DNS Mail eXchanger MX record to advertise the name of the host s responsible for mail at your site Th...

Page 166: ...f you are running a separate externally visible DNS server on a host on your DMZ you should enter its host name here instead if your Internet access provider provides your name service specify their name server s host name Do not enter the host name of any internal DNS servers you may be running as outside hosts cannot access them through the firewall The result is that the host name you enter is ...

Page 167: ...addresses registered or unregistered in additional networks that is acceptable Enter the host name of your mail hub The mail hub is the server where mail from your domain is collected or focused before it is distributed see Mail Hubs on page 146 for possible mail hub configurations The DNS server running on the firewall will advertise MX resource records that focus email addressed to any recipient...

Page 168: ...rect locations Use the following procedure to configure a split DNS configuration 1 After initially selecting Configure All using the Gauntlet administrative interface select and save the option on the DNS page to preserve the current DNS configuration files 2 Edit the nameserver line in firewall etc resolv conf which currently lists the IP address for your firewall to list the IP address for ns 3...

Page 169: ...at firewalled sites Outside hosts cannot successfully query your internal DNS server for internal host names and IP addresses However on the firewall itself applications can resolve internal host names this is necessary for using host names to direct email delivery and for inbound application proxy connections ...

Page 170: ...144 Chapter 17 The Graphical Management Interface Figure 17 13 DNS Configuration Form 1 of 2 ...

Page 171: ...DNS Configuration Form 145 Figure 17 14 DNS Configuration Form 2 of 2 ...

Page 172: ...mail to any of the users on internal hosts must be focused brought together to pass through the firewall and then delivered to the appropriate destinations Whether or not in a firewall context that is essentially what a mail hub is mail bound for different destinations is focused together and delivered to the mail hub and the mail hub figures out where the mail should go next You have three choice...

Page 173: ...ts final destination When a network contains several relays each relay is responsible for delivery to a particular group of hosts within the network Gauntlet and Subdomains Using an internal machine as a domain level main mail hub has some advantages if you have extremely complex mail processing needs However Gauntlet s support for recognized subdomains makes it easy for you to hand off complex ma...

Page 174: ...the firewall host for delivery will then be rewritten as documented in Subdomain names to be recognized for your site on page 150 Sendmail Configuration Form Use the Sendmail configuration form Figure 17 15 to modify the firewall s Sendmail configuration with a browser based interface If you prefer you can use the IRIX configmail tool or edit the etc sendmail cf file directly Be sure to check the ...

Page 175: ...d in conjunction with the sendmail cf auto file configmail makes it possible to customize sendmail behavior without editing the sendmail cf file When you use configmail sendmail is not used to accept email on the firewall instead a simpler more secure program called smap accepts and queues incoming email messages and sendmail is periodically invoked to deliver messages in the queue Enter the hostn...

Page 176: ...n to username DOMAIN_NAME before the message is delivered If recognized subdomains are set the Gauntlet firewall rewrites username some_host some_subdomain DOMAIN_NAME to username some_subdomain DOMAIN_NAME if some_subdomain is one of the recognized subdomains listed here otherwise it still rewrites the address to username DOMAIN_NAME This behavior and the fact that the Silicon Graphics sendmail c...

Page 177: ...Sendmail on Gauntlet Servers 151 Figure 17 15 Sendmail Configuration Form ...

Page 178: ...nds the security perimeter of the individual networks each protected by a participating firewall to encompass both networks In such a configuration the firewalls are considered peers Both peers in the VPN must be running Gauntlet software See Appendix C for detailed information on swIPe and VPNs Figure 17 16 illustrates two Gauntlet servers acting as peers in a VPN Notice that in this figure the p...

Page 179: ...s that IP packets contain authentic source and destination addresses This verification protects against IP address spoofing it can be used in conjunction with permission sets to guarantee that interaction is occurring only between Gauntlet host Internet Internal network Gauntlet host Authentication Authentication Encrypted data Encrypted data ...

Page 180: ...required a passthrough path forwards data freely to a destination that is not on the immediate VPN A path is identified by the addresses of the peer servers that it connects A key ID identifies the authentication algorithm and encryption key that are used to protect data on the path Preparing a Server for swIPe Configuration Prepare for swIPe configuration by performing the following steps 1 Ensur...

Page 181: ...swIPe Configuration Form 155 Figure 17 17 illustrates the configuration form for swIPe Figure 17 17 swIPe Configuration Form ...

Page 182: ...not work unless both ends have the same keys Both firewalls discard any packets that unexpectedly arrive encrypted The swIPe configuration form shown in Figure 17 17 consists of two parts the top of the form contains authentication and encryption parameters the bottom of the form identifies each path connecting the firewall to a peer A separate entry form is used to provide the information for eac...

Page 183: ...r authentication and encryption To create a trusted or private link you must specify the key you wish to use by its Key ID Enter a number from 1 to 99 Click Authenticate packets and Encrypt packets to put either or both of these protection schemes into effect on this peer connection ...

Page 184: ...to create a key string 4 Select Add to configure the path between this peer and its remote counterpart After your selection the Add swIPe Path Form is displayed Figure 17 19 Add swIPe Path Form 5 Select the path type 6 Enter the local and remote addresses of the peers in this VPN ...

Page 185: ...PN 10 Coordinate your configuration with the administrator of the remote network Ensure that each firewall has the same encryption key for your VPN 11 Reboot your firewall at the same time as the other administrator reboots the remote firewall Verifying Your Setup If you are using a VPN with privacy and trust issue the ping command to ensure that packets are flowing properly ping uses ICMP packets...

Page 186: ...syntax in the field provided on this form see the egrep 1 reference page For example enter localhost in the egrep field to keep lines that include the string localhost from appearing in the log file output Be careful not to specify filters that are too broad this might obscure warnings and notices that you want to see Example 17 2 Partial Log File Listing Aug 10 02 00 08 6F rfwall syslogd restart ...

Page 187: ...Logfiles and Reports Configuration Form 161 Figure 17 20 Reports and Logfiles Form 1 of 2 ...

Page 188: ...162 Chapter 17 The Graphical Management Interface Figure 17 21 Reports and Logfiles Form 2 of 2 Refer to Appendix A for command line and file information on reports ...

Page 189: ...hecksums MDauth is also a software based system that uses challenge response MDauth is included as is with the Gauntlet firewall The IRIX executable that users need to generate responses is usr etc softmd5 S Key might be preferable to MDauth however especially in heterogeneous environments APOP A system included with APOP compliant applications uses an MD5 secure hash algorithm The application gen...

Page 190: ...d administer user passwords using the third party s administration tools If you make an error when editing a user record click the Reset button to abort any changes that were made Adding a user with the Add Users form Figure 17 23 means that the user can use all of the enabled services The group field lets you associate groups of users Note Adding users and groups here does not create IRIX account...

Page 191: ...Authorizing Users Form 165 Figure 17 22 Authorizing Users Form ...

Page 192: ...166 Chapter 17 The Graphical Management Interface Figure 17 23 Add User Form ...

Page 193: ...administrator of the system has already added the user in the authentication database as an S Key user with a password that the user knows It also assumes that the user has access to the usr bin key program on the client Gauntlet Firewall host Internet Internal network Hosts on local network A u t h o r i z e d Application proxy N o Y e s A u t h o r i z a t i o n r e q u i r e d N o Y e s ...

Page 194: ... run the client locally so that his or her password is not sent over a network connection After a certain number of authentication sessions a new password must be set for S Key The remaining number of authentication sessions for the current password is the first string in the S Key server challenge 662 in the previous example Configuring Gauntlet for Remote Administration To configure Gauntlet rem...

Page 195: ...election the Proxy Servers Configuration form is displayed shown in Figure 17 10 4 Click Enable remote gauntlet administration proxy on the Proxy Servers Configuration form The button to enable remote Gauntlet administration appears near the end of the Proxy Servers Configuration form shown in Figure 17 12 To enable remote registration of the firewall click this button 5 Reset the port number and ...

Page 196: ... administration port back to the setting used by the HTTP proxy 8080 See Chapter 7 Configuring Web Browsers on page 56 for instructions Accessing the Administration Tool from an X Display You can also use remote X display from a remote host to run the Gauntlet administration interface To run the administration interface on a remote X display do this 1 Log in to the firewall from the remote host 2 ...

Page 197: ...h your Web browser from the remote host 4 Set the Security proxy to access the remote administration proxy at port 21001 On the Netscape Manual Proxy Configuration page shown in Figure 7 1 set the Security proxy to access the remote administration proxy at port 21001 5 Access the Gauntlet administration interface and display the introductory management form See steps 1 through 3 of Configuring Gau...

Page 198: ...erent timeout value if a different timeout interval is required A server with security features on will require the key password to be entered when the server is started which normally occurs at boot time Once security is activated to access the Gauntlet administration server from your browser use the URL https firewall 21000 cgi bin startup If security features are not activated you can continue ...

Page 199: ...tication Management System As part of the security policy many sites may require some form of strong authentication which requires users to enter a one time password or use an authentication token There are many systems available that can be integrated into a IRIX networking environment each with its own programming and management interface These are described in more detail in the section Underst...

Page 200: ...on which is within the perimeter he must pass the first authentication at the firewall firewall yoyodyne com When firewall yoyodyne com receives the information the TELNET proxy determines that the connection request is from an untrusted network and that John can access inside machines The TELNET proxy then prompts John for his authentication information user name and challenge which it verifies a...

Page 201: ...onvenience of your users Groups The Gauntlet user authentication management system also makes use of groups Groups allow you to permit or deny services based on groups of user names rather than individual user names For example you can configure the X11 proxy to permit service to everyone in group sales Just as is the case with user names the groups that you create in the Gauntlet user authenticat...

Page 202: ...tent user interface to these systems Currently supported systems are shown below Consult the system requirements card in your Gauntlet firewall package for the latest information on supported versions of the these products Access Key II This system from VASCO Data Security uses a random challenge password When the firewall prompts for authentication it provides a challenge The user enters their PI...

Page 203: ... Users generate a set of passwords based on a seed word or phrase Each time they need to authenticate they use a different password When the firewall prompts for authentication it provides a challenge value The user enters his or her appropriate password for that challenge The Gauntlet authentication server verifies this value The Gauntlet firewall distribution includes a portion of the S Key pack...

Page 204: ...rform all of these tasks from the firewall console as root Once you have configured and are using the system all activity to the authentication database is logged and included in the weekly summary reports Configuring Third Party Systems See the online configuration help available for the third party systems by clicking on the authentication system name on the gauntlet admin Authentication page No...

Page 205: ... a client system on your ACE Server Be sure to use the IP address or host name for the inside address of the firewall if your ACE Server is running on a machine on your inside network 4 Copy the file var ace sdconf rec to the firewall as var ace sdconf rec This file contains information that tells the authentication server where to find the ACE Server 5 Modify usr local etc netperm table and add i...

Page 206: ...from a host on the outside network To verify an installation using TELNET 1 On a host on the outside network TELNET to the firewall 2 At the TELNET proxy user name prompt enter a user name you have created 3 At the TELNET proxy password prompt enter the appropriate password or response for the user you have created 4 When you see the Login Accepted banner you have verified your installation You ar...

Page 207: ...IRIX groups Disabling Groups You cannot disable entire groups You must disable usage based on individual users Deleting Groups To delete a group you must reassign all users in that group to another group or to no group at all Managing Users Creating Users Users can be created with the gauntlet admin interface If you need to create a large number of users use the authentication loader The authentic...

Page 208: ...ify the authentication information by entering it again 6 Make the information active by saving these changes in gauntlet admin Creating Default Users Creating a default user allows you to authenticate users without manually creating entries for every user in the Gauntlet authentication database Note that this option is only available for Safeword Authentication Server SecurID You can only have on...

Page 209: ...the key information into the user authentication management system using the key initialization tool usr etc vasco_init firebird vasco_init tmp vasco keyfile long This tool creates a user in the authentication management system and loads the key for this user It creates the user name by prepending the letter i to the serial number for that Access Key II This user is initially disabled If you are u...

Page 210: ...eges and delete the old user name You can however change the long name information for a user using the gauntlet admin interface To change the long name information follow these steps 1 Select the record for the user name you wish to modify 2 Tab to the name field and change the information 3 Make these changes active by saving these changes Changing Groups Users can only belong to one group at a ...

Page 211: ...ou must use the third party authentication server tools to allow a user to change passwords or change something equivalent such as a PIN for a hardware token device or to change devices altogether Allowing Users to Change Their Password Because users are generally not allowed to log directly into the firewall they must change their password from another machine The default policy allows users conn...

Page 212: ...hn s key is 664 fi582901 Enabling Users Enabling users also allows users who have been disabled to use the system again To enable a user follow these steps 1 Select the record for the user name you wish to modify 2 Check the Enable box 3 Save your changes Disabling Users Disabling users allows you to keep the user information in the system but does not allow the user to use the system The user aut...

Page 213: ...rom the user authentication management system It does not remove users from your firewall or from your internal network To delete a user follow these steps 1 Select the delete option for the record for the user name you wish to delete 2 Confirm your deletion action ...

Page 214: ......

Page 215: ...ion scheme for logging into the firewall itself as you do for activity between opposite sides of your security perimeter This section explains the concepts behind the login shell program and how it works how to configure the program and how to use it Understanding the Login Shell Program The login shell program is a wrapper program that authenticates the user using strong authentication before pas...

Page 216: ...t the standard FTP daemon does not use bin login so will not invoke the login shell program for authentication This is not generally a problem as running the standard FTP daemon on the firewall is strongly discouraged Configuring the Firewall to use the Login Shell Program Configuring the Gauntlet firewall involves planning enabling remote login creating user accounts configuring the proxy to enfo...

Page 217: ...e for your strong authentication information 2 Specify login sh as the shell 3 Create the user s home directory if necessary mkdir home scooter 4 Add the user to group wheel so that they can su to root Use vi to edit etc groups Configuring the Proxy Rules If you are running the Gauntlet firewall default configuration you do not need to modify configuration rules for the login shell If you have cho...

Page 218: ...t system Securing Other Applications To secure other applications 1 Disable programs such as chsh that allow users to change their shells Either remove the executable or change the file permissions to 700 chmod 700 chsh Note that you should only create accounts on the firewall for people who need to administer the firewall They will all generally have access to the root password Changing file perm...

Page 219: ...r user name you are prompted for your strong authentication information Using the Login Shell Program Accessing the Firewall from Trusted Networks Login to the firewall via the console TELNET or Rlogin as you did before Note that after you enter your user name you are prompted for the response or password specified for your authentication scheme Become root via su to do work as needed Accessing th...

Page 220: ...d Do not use the passwd or chpass programs on your UNIX system To change your password you must follow the instructions for changing your strong authentication information as described on page 135 If you use the passwd or chpass programs you will create a UNIX password You will then need to provide both your UNIX password and your strong authentication information when you login to the firewall ...

Page 221: ...urity policy This chapter describes the concepts behind logging and reporting systems configuring these systems and understanding the log and report formats Understanding Logging and Reporting The Gauntlet Firewall follows the philosophy that it is easy to compress consolidate summarize and delete log information it is impossible to retroactively gather log information on an event that has already...

Page 222: ... adm SYSLOG You don t need to do anything special to create the logs Even if you choose not to do anything with the information in the logs the programs still write the information You never know when you might need it The message log file also contains information from other programs such as bind cron and other IRIX utilities that use the syslog command As with any other information that the sysl...

Page 223: ...etperm table file Consult Appendix B for more information on editing the netperm table file and proxy specific logging options Configuring Log Retention Time If you wish to change the length of time the firewall retains log files you may do so with the gauntlet admin interface To set the retention time set the number of days to retain the logs Creating Reports The Gauntlet Internet Firewall contai...

Page 224: ...report Exception Reports Exception Reports include noteworthy items The Gauntlet Firewall defines a list of items that are not noteworthy and ignores those sorts of entries in the logs The firewall considers all other events as possible security events Thus any item that you have not specifically told the firewall to ignore it reports This report includes information that could indicate a possible...

Page 225: ...nore when parsing the logs This allows you to configure the firewall to ignore events that you know are routine for your situation To modify the events that the reporting scripts ignore modify the list of events on the Proxies form in gauntlet admin Use regular expressions to denote events that are not significant Configuring the Firewall To change your reporting options use the gauntlet admin int...

Page 226: ...e gif Oct 30 10 47 25 firewall http gw 12080 content type image gif Oct 30 10 47 27 firewall http gw 12080 exit host unknown 10 0 1 17 cmds 1 in 5581 out 0 user unauth duration 4 Oct 30 10 47 28 firewall http gw 12081 permit host unknown 10 0 1 17 use of gateway Ver g3 0 3 0 Oct 30 10 47 28 firewall http gw 12081 log host unknown 10 0 1 17 protocol HTTP cmd get dest www tis com path art buttons 2 ...

Page 227: ... 0 0 Top 100 telnet gateway clients in terms of traffic Connects Host Address Input Output Total 287 dimension yoyodyne com 267484 11412 278896 2 john yoyodyne com 10 0 472366 4719 477085 6 jersey yoyodyne com 10 291915 3608 295523 6 eight yoyodyne com 10 0 495575 2249 497824 1 blaze clientsite com 20 169588 1473 171061 3 lizardo yoyodyne com 10 4204 318 4522 2 planet10 yoyodyne com 1 123 64 187 1...

Page 228: ... 1 17 Dec 12 10 18 55 localhost authsrv 2188 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 03 localhost authsrv 2188 BADAUTH nobody rlogin gw unknown 10 0 1 17 Dec 12 10 19 05 localhost authsrv 2188 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 10 localhost authsrv 2190 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 13 localhost authsrv 2190 BADAUTH penny rlogin gw unknow...

Page 229: ... backup procedures as described in the IRIX Advanced Site and Server Administration Guide In particular you should be sure to back up the following usr gauntlet cgi data usr gauntlet config usr etc fw authdb etc apop pass etc skeykeys usr gauntlet checksums var adm Note that if you perform normal backups of the firewall system as you would any IRIX system these files are going to be backed up but ...

Page 230: ...nt on the firewall for the administrator you still want to ensure that no person or process has modified your system The Gauntlet Internet firewall is designed to make it easy to verify system integrity Understanding System Integrity The Gauntlet integrity database is collection of cryptographic checksums or message digests for many files on your filesystem The database contains a checksum for eac...

Page 231: ...Store a copy of the initial integrity database created during the first weekly report with your original distribution media Verifying System Integrity If you elect to receive weekly reports you will automatically receive the results of a system integrity check If you do not elect to receive these reports integrity checking is not performed Understanding the Results Review the changes noted in the ...

Page 232: ......

Page 233: ...Appendixes IV ...

Page 234: ......

Page 235: ...ant to see a list of the files that the Gauntlet software manipulates click the view link in the Managing Your Firewall portion of the introductory form If you do not want to use the forms based interface you can directly edit these files although that is not recommended Table A 1 lists files that may be modified through this interface Some of these files are safe for you to modify as long as nobo...

Page 236: ...untlet when it is done performing whatever task it is up to cgi data g Yes Stores settings from the configuration pages config trusted networks Yes Lists networks which are to be considered trusted config untrusted networks Yes Lists networks which are to be considered untrusted config trusted ports Yes Lists ports on which traffic will be permitted to pass through the firewall unimpeded config tr...

Page 237: ...nformation about configured swIPe peers and paths Editing this file is not recommended although it is safe to do so because the format of this file is obscure config authserver protocols No Lists DSO Dynamic Shared Object files which support additional authentication mechanisms This will be updated by Gauntlet when you install or remove Gauntlet authentication software subsystems using inst config...

Page 238: ...n be used for login are passworded it forces root to have a password and it inserts a gauntlet user which cannot log in but whose password is used to control access to gauntlet admin etc sendmail cf Maybe Sendmail configuration file It is safe to modify this file only if you have selected preserving sendmail cf on the sendmail page etc aliases Yes Gauntlet modifies the alias for root on the firewa...

Page 239: ...boot Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS page tmp retry Yes Retry files are created to support data entry validation in the gauntlet admin interface var named localhost rev Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS p...

Page 240: ...ng your DNS configuration on the DNS page var spool cron crontabs root Yes Gauntlet adds various jobs to run at regular intervals usr etc resolv conf Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS page Table A 1 continued The Gauntlet File List Filename Safe Description ...

Page 241: ...not always support the older table format Remember to make a backup copy of your working netperm table file before you attempt any conversions Note Gauntlet uses usr gauntlet config template netperm table to create thus overwriting usr gauntlet config netperm table Any modifications you wish to be permanent must be made to the template netperm table file Policy Rules Policies are collections of ge...

Page 242: ...erver It requires strong authentication for all outside requests with the authentication server that is on the firewall Notice that the outside policy does not permit the HTTP proxy because you generally do not want people all over the Internet accessing Web servers on your internal network It does however allow the Info Server which allows you to run an HTTP Gopher or FTP server on your firewall ...

Page 243: ...at allows all proxies and applications to send to any destination Because the more restrictive rule is above the generic policy in the netperm table file the FTP proxy uses the restrictive rule and denies requests to ftp bigu edu Applications Other Gauntlet applications such as the authentication server also read configuration information from the netperm table file Using This Information As part ...

Page 244: ... You do not need to restart the proxies to make the changes take effect The proxies reread the table anytime the file date and time change Netperm table Syntax Precedence Applications and proxies read the tables from the top of the table to the bottom They use the first rule that applies for a particular attribute If there are multiple rules in the table that could apply for an attribute the appli...

Page 245: ...t can also match the value for the as name flag used when starting the proxy attribute is a configuration parameter for that application or proxy valuelist is the value for the specific configuration parameter Some attributes allow multiple values A rule must fit on a single line The length of a line varies by operating system but is generally around 1 024 bytes There is no provision for continuin...

Page 246: ...her proxy using the http gw proxy http gw HTTP proxy lp gw line printer proxy netacl fingerd network access control proxy running finger service netacl ftpd network access control proxy running FTP service netacl rlogind network access control proxy running rlogin service netacl telnetd network access control proxy running TELNET service nntp gw NNTP news proxy using the plug gw proxy policy trust...

Page 247: ...e a new policy follow these steps 1 Add a line indicating source networks that use the policy the name of the policy 2 Add rules indicating which proxies this policy allows 3 Add rules indicating permitted destinations authentication and logging 4 Place the policy lines above or below the generic policies as appropriate For example the generic policy for Yoyodyne uses the default Gauntlet inside p...

Page 248: ...Line 5 indicates that these proxies can send requests to the set of destinations 192 33 112 The TELNET and rlogin proxies deny requests to any other destinations after parsing this line Lines 6 and 7 indicate that users on these networks must authenticate with the authentication server on the firewall Put this policy above the inside policy so the proxies will use these rules rather than the more ...

Page 249: ...y options For example after careful analysis Yoyodyne wants to add support for Quote of the Day qotd service for users on its inside networks This involves using the proxy First add a line to the inside policy 135 policy inside permit proxy qotd gw Then create a section above the policies in which you define the communications rules for the Quote of the Day connection 95 QotD through plug proxy ru...

Page 250: ...e that the rule applies to all policies You must include this rule above the policy rules The policies are based on permitted hosts Including the deny hosts rule in a policy has no effect because the application is using the permit hosts rule that defines the policy Note that the smap proxies do not use the policy rules so you can still receive mail from the denied host or network For example Yoyo...

Page 251: ... operations keyword For example Yoyodyne wants to permit only members of the group developer to use the Rlogin proxy when accessing outside hosts 55 authsrv permit operation group developer rlogin gw 100 rlogin gw authenticate 101 rlogin gw extended permissions These commands prevent any other users who are not members of group developer in the Gauntlet authentication database from using the Rlogi...

Page 252: ...ations when you specify extended permissions The deny rule must appear before the permit rule because the proxies use the first matching rule If you specify the permit rule before the deny rule the authentication server would never read the deny rule because the permit rule matches all TELNET operations Denying Access to a Host or Network You can deny access to a particular host or network on a pr...

Page 253: ...able attributes and values The bulleted list at the top of each attribute indicates which proxies applications or policies can use that attribute For example if tn gw is listed that indicates you can use this attribute for the TELNET proxy If policy policy is listed that means you can use this attribute in a policy definition All proxies that use this policy will then use this attribute You can al...

Page 254: ...tion server that the proxies use for authenticating users Syntax authserver host port Example This example requires proxies to use the authentication server on the firewall itself using port 7777 policy outside authserver 127 0 0 1 7777 Provided for future extensibility host Specifies the host running the authentication server Specify by IP address or hostname port Specifies the port on the host t...

Page 255: ...ting HTTP proxy passes requests after handling the authentication The executable handles FTP Gopher and other protocols Syntax backend executable host Specifies indicates the hosts for which the circuit proxy authenticates Specify individual machines entire networks or subnets Use IP addresses or host names The wildcard is valid authhost host Specifies the host running the authentication server Sp...

Page 256: ...xample This example sends mail to the firewalladmin alias smapd badadmin firewalladmin baddir policy policy smapd Specifies the directory in which the smapd server places any spooled mail that it cannot deliver normally Syntax baddir directory user Specifies the name of a user or alias directory Specifies the name of a directory on the same device as the spool directory Do not include a trailing s...

Page 257: ...server sleeps for twenty minutes 1200 seconds after five unsuccessful login attempts authsrv badsleep 1200 child limit authsrv ck gw ftp gw http gw info gw lp gw netacl seconds Specifies the number of seconds the authentication server sleeps before allowing login attempts from a user who has attempted and failed to login five times in a row If this option is set to 0 the authentication server allo...

Page 258: ... the TELNET proxy allows only 10 child processes to run at a single time tn gw child limit 10 circuitexec ck gw Specifies the location of the program that the circuit proxy runs once it allows a connection from the client program processes Specifies the maximum number of child processes that each daemon allows to run at a given time If this option is set to 0 or not set each daemon allows an unlim...

Page 259: ...indicates that a user can have 12 active sessions ck gw circuitsperuser 12 circuit timeout ck gw Specifies the amount of time the client server connection is idle with no network activity before disconnecting Overridden by the timeout option for a particular server as set with the server attribute programs Specifies the location and name of the program that the circuit proxy runs once it allows a ...

Page 260: ...er activity before disconnecting clients Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid printer Indicates the printer queue to which this rule applies queue Specifies the name of the printer queue to which this rule applies deny Indicates commands that clients cannot execute The default allows users to issue all lp commands log Indicates e...

Page 261: ... database that the authentication server uses This option is mandatory unless you compile the authentication server with a specific database path Syntax database path lpcommands Specifies the lp commands that the clients can issue when sending jobs through the proxy The space between the and and the list entries is required Valid keywords which correspond to the first level lp protocol commands ar...

Page 262: ...ess to a user because they do not have permission to use the proxy Syntax denial msg file Example This example displays the file usr local etc ftp deny txt when the FTP proxy denies access to a user ftp gw denial msg usr local etc ftp deny txt denydest msg ftp gw http gw policy policy rlogin gw tn gw file Specifies the name of the file the proxy displays when it denies access to a user because the...

Page 263: ...e TELNET proxy denies access to a user tn gw denydest msg usr local etc tn denydest txt destination ftp gw http gw info gw lp gw netacl plug gw policy policy pop3 gw rap gw rlogin gw rsh gw tn gw Specifies destination hosts and networks permissions file Specifies the name of the file the proxy displays when it denies access to a user because they are trying to access a destination that they are no...

Page 264: ...ttp gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw smap smapd tn gw x gw permit Indicates hosts to which the proxies and applications can send requests deny Indicates hosts to which the proxies and applications cannot send requests destination list Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid If no destination list is sp...

Page 265: ...p display policy policy x gw Specifies the destination display on which applications display Syntax display host displaynumber screennumber Example This example indicates that the X gateway displays all X applications on the display attached to dimension x gw display dimension 10 0 directory Specifies the directory that the proxy makes its root directory before providing service host Specifies the...

Page 266: ...display the file usr local etc finger txt for finger requests netacl fingerd exec bin cat usr local etc finger txt extended permissions policy policy rlogin gw rsh gw tn gw Specifies whether the proxies check for extended permissions for users as they authenticate This option is equivalent to the extend and extnd options in previous versions Syntax extended permissions program Specifies the name o...

Page 267: ...causes the HTTP proxy to remove the related tags from within the HTML code permit deny feature features Example 1 This example indicates that the HTTP proxy removes Java or Javascript tags from within any HTML accessed through the proxy http gw deny feature java javascript Syntax 2 feature features Example 2 This example indicates that the HTTP proxy removes from any HTML it accesses all HTML that...

Page 268: ...must remove or comment out this setting if you wish to disable it The settings force_source_address false and force_source_address off are not valid You must be using officially registered routable addresses on your trusted networks in order to use this option Example This example indicates that the plug proxy for America Online will use the IP address of the originating host as the source address...

Page 269: ...on functions Valid values for the HTTP proxy are BINARY Read Files DIR List Directories EXEC Exec Commands pattern Specifies the pattern in the URL for which the HTTP uses this rule Quotes are not required protocol Specifies the protocol that the HTTP proxy uses when talking to the remote host Valid values are FTP GOPHER HTTP host port Specifies the host and port to which the HTTP proxy forwards r...

Page 270: ...mands WRITE Write Data Example This example indicates that the FTP proxy does not allow people to retrieve RETR files ftp gw deny function RETR This example indicates that the HTTP proxy does not allow people to perform FTP requests through the HTTP proxy http gw deny function FTP groupid ftp gw http gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw smap ...

Page 271: ...firewall and a caching proxy Syntax handoff host port The HTTP proxy communicates with the next proxy as if it were a client rather than as another proxy You cannot use this setting in place of specifing the HTTP proxy in your browser group Specifies the name of the group as either a name or numeric id from the etc group file host port Specifies the host and port to which the HTTP proxy forwards r...

Page 272: ...est when it sends it to the destination host Syntax http gw permit deny header header You can only specify one header per line Consult the HTTP 1 0 1 1 specifications a for a list of headers Note that certain headers are always processed by the HTTP proxy and are dealt with specifically Connection Content Length Content Type Location Proxy Connection Example This example indicates that the HTTP pr...

Page 273: ...plays the file usr local etc rlogin help txt when a user requests access from the Rlogin proxy rlogin gw help msg usr local etc rlogin help txt hosts authsrv ftp gw http gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw file Specifies the name of the file the proxy displays when the user accesses the help command If no file is specified the proxy displays a list of internal commands ...

Page 274: ...s on the 10 0 1 0 255 255 255 0 subnet cannot use the FTP proxy ftp gw deny hosts 10 0 1 0 255 255 255 0 This example indicates that the authentication server only accepts connections from the firewall itself localhost permit Indicates hosts for which the proxy uses a particular policy or the hosts that can use the proxy deny Indicates hosts that cannot use the proxy hosts Specifies the hosts for ...

Page 275: ...t proxies log only the operations listed rather than all operations the default This option is equivalent to the log command in previous versions Syntax log operations Valid values for the info gw are CWD QUIT LIST NLST NOOP PASV PORT PWD RETR SIZE STOR SYSY TYPE operations Specifies operations that the proxies log ...

Page 276: ...icy log only retrieve RETR and storage STOR activities policy inside log RETR STOR maxchildren policy policy smapd Specifies the maximum number of child processes the smapd server can fork to handle mail Syntax maxchildren children Example This example indicates that the smapd server can fork no more than 20 children smapd maxchildren 20 children Specifies the maximum number of child processes the...

Page 277: ...ntication server indicates that the userid does not exist rather than displaying a bogus SNK challenge when users attempt to login and fail authsrv nobogus true operation authsrv Specifies explicitly permitted or denied operations for particular users or groups at particular times of day Note that the authentication server only uses these rules when the policy or the proxy uses the extended permis...

Page 278: ...rsh gw Rsh proxy tn gw TELNET proxy all of these proxies destination Specifies the hosts to which the proxies can or cannot send requests Specify individual machines entire networks or subnets Use IP addresses or host names The wildcard is valid options Specifies particular operations for each protocol that can be controlled Valid values are ftp gw consult the ftpd 1 reference manual page rlogin g...

Page 279: ...ntax permit deny password change Example This example allows users on the inside network to change their passwords from both the TELNET and Rlogin proxies policy inside permit password change hostname Specifies the name of the host that the HTTP proxy uses when prepending URLs Specify an individual interface Use an IP addresses or host name permit Indicates hosts from which users can change their ...

Page 280: ...s option is required for the POP3 proxy Syntax pop server host Example This example indicates that the POP3 proxy accesses the POP3 server running on the inside mail hub mail pop3 gw pop server mail port plug gw Specifies the connection rule for this instance of the plug proxy including the hosts and the ports Syntax port port hosts desthost hosts privport destport port host Specifies the name of ...

Page 281: ... subnets Specify by IP address or hostname The wildcard is valid desthost Indicates hosts to which the plug proxy connects hosts Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid privport Indicates that the proxy uses a reserved port number when connecting Provided for future extensibility destport Indicates the port on which the plug proxy c...

Page 282: ... This example indicates that the TELNET proxy displays the prompt Yoyodyne TELNET proxy tn gw prompt Yoyodyne TELNET proxy proxy policy policy Specifies proxy permissions printer Indicates the printer queue name serverqueue Specifies the name of the remote printer queue to which proxy sends the print jobs If server queue is not specified the client s queue name will be used as server queue name pr...

Page 283: ...wall Example This example indicates the SecurID server communicates with the firewall as firewall yoyodyne com authsrv securidhost firewall yoyodyne com permit Indicates proxies that this policy allows to run deny Indicates hosts that this policy does not allow to run Including a deny proxy rule has the same effect as not including those proxies in a permit proxy rule proxy list Specifies the name...

Page 284: ... remote port host remote host hostport port timeout minutes nookay program Specifies an alternate path for the sendmail executable or other program you are using to deliver mail server service Specifies a symbolic name for the service Must be unique Used by the proxy to create the menu of available services port remote port Specifies the port on the remote host to which the circuit proxy connects ...

Page 285: ...mple indicates that the login shell program looks in the usr local etc login shellfile file for information about users and their shells login sh shellfile usr local etc login shellfile timeout ftp gw http gw info gw lp gw netacl plug gw timeout minutes Specifies the number of minutes the client server connection is idle before disconnecting for this service nookay Specifies that the proxy does no...

Page 286: ...e This example indicates that the inside policy allows 1800 seconds 30 minutes of idle time before the proxies disconnect policy inside timeout 1800 unknown authsrv Specifies a list of additional names that the authentication server checks in addition to the authentication database when checking for extended permissions on a per user basis seconds Specifies the number of seconds the proxy is idle ...

Page 287: ...enny to be valid user names when it checks for extended permissions authsrv permit unknown scooter hikita penny url filter http gw policy policy Specifies characters that you do not want to see in a URL Syntax url filter filterlist Example This example indicates that you do not want to see the carriage return line feed pair in any URLs http gw url filter 0D 0A names Specifies a list of names separ...

Page 288: ...cation server assigns the user name to the group unknown Syntax permit unknown names Example This example indicates that the authentication server considers scooter hikita and penny to be valid user names when it checks for extended permissions authsrv permit unknown scooter hikita penny url filter http gw Specifies characters that you want to deny in a URL Syntax url filter filterlist names Speci...

Page 289: ... filter 0D 0A userid ftp gw http gw info gw lp gw netacl plug gw policy policy pop3 gw rap gw rlogin gw rsh gw smap smapd tn gw x gw Specifies the user ID the proxy uses when running This option is equivalent to the user command in previous versions Syntax userid user user Specifies the user as either a name or numeric ID from the etc passwd file ...

Page 290: ...dicates that group grads can use the accounting service ck gw user servers group grads accounting user timeout ck gw Specifies the amount of time the proxy is idle with no active client connections before disconnecting user user Specifies the name of a user who can access a particular service group group Specifies the name of a group who can access a particular service deny Specifies that the user...

Page 291: ...ol directory for undelivered mail Syntax wakeup seconds Example This example indicates that the smapd server sleeps for 120 seconds between scans smapd wakeup 120 welcome msg ftp gw policy policy rlogin gw tn gw minutes Specifies the number of minutes the proxy is active with no client connections before disconnecting seconds Specifies the number of seconds that the smapd server sleeps between sca...

Page 292: ...to which the TELNET and Rlogin proxies pass requests for the X proxy Generally specifies the location of the X proxy Syntax xforwarder program Example This example indicates that the TELNET and Rlogin proxies use the standard X proxy for requests from the inside network policy inside xforwarder usr local etc x gw file Specifies the name of the file the proxy displays as a welcome banner upon succe...

Page 293: ...e This example allows the hosts on the inside network to start the X11 proxy policy inside permit xgateway permit Indicates that the TELNET and Rlogin proxies can accept requests to start the X11 proxy deny Indicates that the TELNET and Rlogin proxies do not accept requests to start the X11 proxy Provided for future extensibility ...

Page 294: ......

Page 295: ... between various points within this network Understanding Virtual Private Networks When using a single firewall the defense perimeter includes the network of machines that sit behind the firewall inside the perimeter Communication with any other machines or networks outside the perimeter is over some untrusted network such as the Internet A Virtual Private Network extends the defense perimeter to ...

Page 296: ...rivate Networks Figure C 1 Yoyodyne Virtual Private Network Gauntlet host Gauntlet host California office Maryland office 10 0 6 10 0 1 1 0 0 6 1 1 9 2 1 6 8 1 1 2 0 4 2 5 5 1 5 4 1 0 0 1 0 0 1 1 0 0 Internet Encrypted traffic ...

Page 297: ...ense perimeter Any activities that you allow within your network can be used with machines on the remote network For example Yoyodyne allows users in the Maryland office to use the network time protocol NTP within the network to set the clocks on their machines If Yoyodyne sets up a VPN with the California office using privacy with trust they can now use ntp with machines in the California office ...

Page 298: ...st to network communications The most common use of privacy without trust creates a private link between two networks Sites that create a VPN without trust must of course share the encryption key that gives them the privacy However they can now use different policies and procedures and have different administrative control Encryption Through Multiple Firewalls Passthrough Link A VPN can use encryp...

Page 299: ...e key provided for this VPN during firewall to firewall configuration The new packet contains encrypted data and a header that indicates this is a special encrypted protocol The firewall then sends the encrypted packets across the Internet or other untrusted network to the firewall for the remote network When the remote firewall receives the packet on its outside interface the IP input layer recog...

Page 300: ... the routing layer forwards the packet on to the appropriate host on the inside network If the VPN between the two networks uses just privacy with no trust the routing layer hands the packet to the appropriate service or proxy The proxies treat this packet as they would any other packet from any other untrusted network ...

Page 301: ...Netscape administration utility If you perform this procedure on a host other than the firewall you can use a Netscape browser to access the firewall after you start the administration utility To implement SSL on the firewall the firewall must contain a digital ID file also known as a certificate that identifies it as a trusted server when clients connect to it Certificates are distributed by a Ce...

Page 302: ...re both admin type admin on both entry lines unless you have changed the defaults 4 Choose Gauntlet from the Server Selector page 5 Choose Encryption from the menu bar at the top of the page to configure SSL SSL Configuration Procedure The SSL configuration procedure has of three parts Generating the server s key pair Requesting a certificate from a Certification Authority Installing the certifica...

Page 303: ...uest Certificate procedure 4 Save your entries in the key pair file in the correct location Use this full pathname as the keyfile location when you save it usr ns home httpd gauntlet config ServerKey db Supplementary Instructions for Generating a Certificate After you generate the key pair see Supplementary Instructions for Generating a Key Pair on page 277 choose Request Certificate to apply for ...

Page 304: ...r your certificate arrives and you save it in a file complete the certificate installation procedure and turn encryption on for the firewall These instructions are supplementary to the instructions provided in the Help screens for the install certificate procedure 1 Choose Request Certificate from the sidebar menu on the Encryption page 2 In the Certificate Name field enter the fully qualified hos...

Page 305: ......

Page 306: ...printing and binding Please send the title and part number of the document with your comments The part number for this document is 007 2826 004 Thank you Three Ways to Reach Us To send your comments by electronic mail use either of these addresses On the Internet techpubs sgi com For UUCP mail through any backbone site your_site sgi techpubs To fax your comments or annotated copies of manual pages...

Reviews:

No comments