background image

222

Appendix B: Netperm Table

To implement this policy, you could create a more restrictive policy:

1.

#define inside hosts who will use the policy

2. *: permit-hosts 204.255.154.0:255.255.255.128 -policy restrictive

3. #define the policy

4. policy-restrictive: permit-proxy tn-gw rlogin-gw

5. policy-restrictive: permit-destination 192.33.112.*

6. policy-restrictive: authenticate *

7. policy-restrictive: auth server 127.0.0.1

Line 2 indicates that all proxies and applications (*) should use the restrictive policy for
requests from the designated subnet. If you specify the policy for only the TELNET
(tn-gw) and rlogin (rlogin-gw) proxies instead of for all (*), all other proxies (such as the
HTTP and FTP proxies) skip this policy and use another policy.

Line 4 indicates that this policy permits the TELNET and rlogin proxies. All other proxies
with requests from hosts within 204.255.154.0:255.255.255.128 deny the request after
parsing this line.

Line 5 indicates that these proxies can send requests to the set of destinations:
192.33.112.*. The TELNET and rlogin proxies deny requests to any other destinations
after parsing this line.

Lines 6 and 7 indicate that users on these networks must authenticate with the
authentication server on the firewall.

Put this policy above the inside policy so the proxies will use these rules rather than the
more generous inside policy. You may also want to create a matching restrictive outside
policy to restrict access from outside networks to this internal subnet.

Note that this type of policy may not prevent users on this inside network from reading
news and sending e-mail. The recommended setup for the Gauntlet firewall calls for
central mail and news servers on the inside networks. The news readers and mail agents
on the restricted subnet communicate directly with the news and mail servers. These
servers, which are not on the restricted subnet, communicate with the firewall.

If you are running mail and news servers on the firewall, this more restrictive policy
denies email and news activities from the restricted subnet.

Содержание Gauntlet

Страница 1: ...Gauntlet for IRIX Administrator s Guide Document Number 007 2826 004 ...

Страница 2: ...e clause at DFARS 52 227 7013 and or in similar or successor clauses in the FAR or in the DOD or NASA FAR Supplement Unpublished rights reserved under the Copyright Laws of the United States Contractor manufacturer is Silicon Graphics Inc 2011 N Shoreline Blvd Mountain View CA 94043 1389 Silicon Graphics and the Silicon Graphics logo are registered trademarks and IRIX and InPerson are trademarks o...

Страница 3: ...xiii Mailing Lists xxiii Frequently Asked Questions Lists xxiv White Papers xxiv How to Get Latest Security Patches xxv PART I Understanding the Gauntlet Internet Firewall 1 Understanding the Gauntlet Firewall 3 Understanding Gauntlet Firewall Concepts 3 Design Philosophy 3 Security Perimeter 4 Trusted and Untrusted Networks 4 Policy 6 Transparency 6 Understanding Gauntlet Firewall Components 7 Ha...

Страница 4: ... Services 22 Configuring the Proxy Rules 22 Advertising the Firewall as a Mail Exchanger 22 Configuring Your Internal Mail Hub 22 Verifying Your Setup 23 Using Mail 23 3 Managing POP3 Services 25 Understanding the Proxy 25 How the POP3 Proxy Works 26 Configuring the Firewall for POP3 26 Planning 27 Configuring Network Services 27 Configuring the Proxy Rules 27 Configuring Your Internal POP3 Mail S...

Страница 5: ...ying Your Setup 35 Using Terminal Services 35 TELNET Rlogin and TN3270 Without Authentication 35 TELNET and Rlogin With Authentication 36 TN3270 With Authentication 37 5 Managing FTP Services 39 Understanding the FTP Proxy 39 How the FTP Proxy Works 40 Configuring the Firewall for FTP Services 41 Planning 41 Configuring Network Services 41 Configuring the Proxy Rules 41 Creating Authentication Use...

Страница 6: ... 7 Managing Gopher and WWW Services 51 Understanding the Proxy 51 How It Works 52 Authenticated HTTP 53 Gopher and FTP Services 54 SHTTP and SSL Services 54 Configuring the Firewall for WWW and Gopher Services 54 Planning 54 Configuring Network Services 55 Configuring the Proxy Rules 55 Creating User Authentication Entries 55 Verifying Your Setup 55 Using Web Services 55 Using Proxy Aware Browsers...

Страница 7: ...Managing MediaBase Services 65 Understanding the MediaBase Proxy 65 How It Works 66 Configuring the Firewall to Use the MediaBase Proxy 66 Planning 66 Configuring Network Services 67 Configuring the Proxy Rules 67 Verifying Your Setup 67 Using the MediaBase Proxy 67 10 Managing X Window Services 69 Understanding the X11 Proxy 69 How the X11 Proxy Works 70 Configuring the Firewall for X11 Services ...

Страница 8: ...Receiving Machine 77 Verifying Your Setup 78 Using lp Services 78 12 Managing Sybase Services 79 Understanding the Sybase Proxy 79 How It Works 80 Configuring the Firewall for Sybase Services 81 Planning 81 Configuring Network Services 81 Configuring the Proxy Rules 81 Configuring Sybase Clients 82 Verifying Your Setup 82 PART III Administering General Gauntlet Firewall Services 13 Managing NNTP a...

Страница 9: ...Your Service 91 Verifying Your Setup 91 Configuring Multiple Newsfeeds 91 Configuring Your NNTP Proxy for Reading News 92 14 Managing General TCP Services With Authentication 93 Understanding the Circuit Proxy 93 How It Works 94 Configuring the Firewall for Authenticated TCP Services 95 Planning 95 Configuring Network Services 96 Configuring the Proxy Rules 97 Verifying Your Setup 98 Using the Cir...

Страница 10: ...he Network Access Control Daemon 111 Understanding the Network Access Control Daemon 111 How It Works 112 Configuring the Network Access Control Daemon 112 Planning 113 Configuring Network Services 113 Configuring the Proxy Rules 113 Configuring Your Service 113 Verifying Your Setup 113 17 The Graphical Management Interface 115 First Time User Tips 116 Help Links 116 Hide and Unhide Buttons 116 Ga...

Страница 11: ... Server 140 Configuring a Split DNS Server 142 Sendmail on Gauntlet Servers 146 Mail Hubs 146 Mail Relays 147 Gauntlet and Subdomains 147 Sendmail Configuration Form 148 swIPe Configuration Form 152 Authentication and Encryption Schemes 153 VPN Paths 154 Preparing a Server for swIPe Configuration 154 Configuring a Server for swIPe 156 Verifying Your Setup 159 Logfiles and Reports Configuration For...

Страница 12: ...e Passwords 177 Configuring the User Authentication Management System 178 Configuring Third Party Systems 178 Configuring Network Services 179 Configuring Authentication Management System Rules 180 Verifying Your Installation 180 Managing Groups 180 Creating Groups 181 Disabling Groups 181 Deleting Groups 181 Managing Users 181 Creating Users 181 Creating Users with Access Key II 183 Changing User...

Страница 13: ...Your Setup 193 Using the Login Shell Program 193 Accessing the Firewall from Trusted Networks 193 Accessing the Firewall from Untrusted Networks 193 Changing Password for User Account 194 20 Logging and Reporting 195 Understanding Logging and Reporting 195 Creating Logs 196 Configuring Logs 197 Configuring Additional Logging 197 Configuring Log Retention Time 197 Creating Reports 197 Service Summa...

Страница 14: ...ts 205 PART IV Appendixes A Gauntlet System Files 209 Viewing the Gauntlet File List 209 B Netperm Table 215 Policy Rules 215 Application Specific Rules 216 Proxies 216 Applications 217 Using This Information 217 Modifying the Netperm Table File 218 Netperm table Syntax 218 Precedence 218 Format 219 Keywords 220 Attributes 221 Creating New Policies 221 Adding Proxy Services 223 Denying Services By...

Страница 15: ...walls Passthrough Link 272 How It Works 273 Encrypting the Data 273 Decrypting the Data 273 Routing the Packet 274 D Configuring SSL on the Gauntlet Firewall 275 Getting Ready for SSL Configuration 275 SSL Configuration Procedure 276 Supplementary Instructions for Generating a Key Pair 277 Supplementary Instructions for Generating a Certificate 277 Saving the Email Reply from Your Certificate Auth...

Страница 16: ......

Страница 17: ...orks and Interfaces Configuration Form 1 of 2 124 Figure 17 7 Networks and Interfaces Configuration Form 2 of 2 125 Figure 17 8 Routing Configuration Form 129 Figure 17 9 Example Gauntlet Host Routing Configuration 130 Figure 17 10 Proxy Servers Configuration Form 1 of 3 136 Figure 17 11 Proxy Servers Configuration Form 2 of 3 137 Figure 17 12 Proxy Servers Configuration Form 3 of 3 138 Figure 17 ...

Страница 18: ...xviii List of Figures Figure 17 22 Authorizing Users Form 165 Figure 17 23 Add User Form 166 Figure 17 24 User Authentication 167 Figure C 1 Yoyodyne Virtual Private Network 270 ...

Страница 19: ...d why they are important It presents an overview of how the Gauntlet firewall system works Part II Configuring and Using Proxies explains how to configure the various applications and proxies Chapter 2 Managing SMTP Services explains what the SMTP proxy does and how it works It presents instructions for configuring the Gauntlet firewall as well as required and potential configuration steps for mai...

Страница 20: ...audio data Chapter 9 Managing MediaBase Services describes the MediaBase proxy which securely handles requests to play video and multimedia data Chapter 10 Managing X Window Services explains what the X11 proxy does and how it works It presents instructions for configuring the Gauntlet firewall as well as required and potential configuration steps for the X11 applications Chapter 11 Managing LP Se...

Страница 21: ...authentication systems Chapter 19 Using the Login Shell explains what the login shell does and how it works It presents instructions for configuring the Gauntlet firewall for more secure access Chapter 20 Logging and Reporting explains how the system logs activity It explains the different types of reports how to configure them and how to interpret them Chapter 21 Backups and System Integrity expl...

Страница 22: ... variables to be supplied by the user in examples code and syntax statements Fixed width type Prompts and onscreen text Bold fixed width type User input including keyboard keys printing and nonprinting literals supplied by the user in examples code and syntax statements see also ALL CAPS Environment variables Double quotation marks Onscreen menu items and references in text to document section tit...

Страница 23: ...k Steven M Bellovin William R Addison Wesley ISBN 0 201 63357 4 Newsgroups comp security firewalls Discussions of anything regarding network security firewalls Mailing Lists The Firewalls mailing list is for discussions of Internet firewall security systems and related issues Relevant topics include the design construction operation maintenance and philosophy of Internet firewall security systems ...

Страница 24: ...tis com Home NetworkSecurity Firewalls FirewallsNotEnough html A Network Perimeter with Secure External Access Avolio Frederick M and Ranum Marcus J Internet Society Symposium on Network and Distributed Systems Security February 1994 http www tis com Home NetworkSecurity Firewalls isoc html ftp tis com pub firewalls isoc94 ps Z Thinking About Firewalls Ranum Marcus J Presented at SANSII 1993 http ...

Страница 25: ...y patches if any at the time of product release so be sure to install those patches Stay in touch with the WWW site for Silicon Graphics Security Headquarters at http www sgi com Support Secur security html for new security patches and security advisories Be sure to install any security patches that replace patches found on your CD ROM ...

Страница 26: ......

Страница 27: ...PART ONE Understanding the Gauntlet Internet Firewall I ...

Страница 28: ......

Страница 29: ... page xxiii for a list of other resources that provide excellent introductory and advanced discussions of firewalls Understanding Gauntlet Firewall Concepts Simply put a firewall is a single point of defense that protects one side from the other In networking situations this usually means protecting a company s private network from other networks to which it is connected Firewalls can be as simple...

Страница 30: ...lly has no user accounts While you can setup an administrator account users do not need to log into the firewall to access information on the other side The Gauntlet Internet Firewall is auditable controllable and configurable You can configure many options to match your security policies The software logs the specified activities and processes fore review so that if you suspect a security breach ...

Страница 31: ...es for these sites They are the ones from which you are trying to protect your network However you still need to and want to communicate with these networks even though they are untrusted When you setup the firewall you explicitly configure the networks from which your firewall can accept requests but which it does not trust By default after initial configuration the untrusted networks are all net...

Страница 32: ... the request The default policy for trusted networks does not require users to authenticate the default policy for untrusted networks does require users to authenticate When installed all services are turned off It is up to you to enable the services which your site needs Transparency Transparency indicates that your firewall is not visible to your users as they work They can continue to TELNET to...

Страница 33: ...8 for information on minimizing exposure while implementing the Gauntlet software All known security holes are patched as of the release of the Gauntlet product refer to How to Get Latest Security Patches on page xxv for information on security patches As part of the firewall the operating system has been tailored to provide support for only the services necessary to run the firewall For example s...

Страница 34: ...let firewall includes proxies for the following types of services Terminal services TELNET and rlogin Electronic mail SMTP and POP3 File transfer services FTP Remote Execution Rsh Usenet news NNTP Web services HTTP SHTTP SSL Gopher services Gopher Gopher X Window services X11 Printing services lp SQL services Sybase SQL Server Audio service Real Audio In addition the Gauntlet firewall includes a g...

Страница 35: ...cannot be reused if sniffed by an attacker Additional Features The Gauntlet Firewall provides additional security by using the IRIX IP filter utility ipfilterd see ipfilterd 1M This allows Gauntlet to check IP packets based on several criteria for example address and protocol and processes or rejects the packets It detects spoofed packets claiming to be from one network that are actually from anot...

Страница 36: ...mpany Yoyodyne that has a connection to the Internet via an Internet service provider ISP They have installed a Gauntlet Internet Firewall to protect their corporate network yoyodyne com from all other hosts on the Internet They are using the standard configuration shown in Figure 1 1 ...

Страница 37: ...r The router only passes traffic from the Internet to the Gauntlet firewall when that traffic is bound for some part of the Yoyodyne internal network More sophisticated routers can additionally strengthen a companies security perimeter by implementing certain security functions such as IP spoofing filters Gauntlet Internet Firewall Internet Internal network Router ...

Страница 38: ...hrough at the application level to the other side Dual Homed Bastion Host In order to protect the inside network the firewall must be able to see all of the packets intended for hosts on the inside network While there are a number of ways to physically and logically accomplish this the recommended configuration is the firewall machine installed as a dual homed bastion host As a dual homed bastion ...

Страница 39: ... inside network traffic enters and exits through a network interface such as ec1 To accomplish this each interface has a separate IP address Yoyodyne was assigned the 204 254 155 network and chose 204 254 155 253 as the outside IP address and 10 0 1 253 for the inside IP address Gauntlet Internet Firewall Internet Internal network Router ec0 ec1 204 254 155 253 10 0 1 253 ...

Страница 40: ...a TELNET Receive Packet Routing information on outside hosts and at the ISP directs all requests for the company to the firewall In addition the domain name system DNS on the firewall and other outside DNS servers advertises the outside IP address of the firewall as the only way to connect to anything on the inside network Hosts on the inside network use routing information to direct all requests ...

Страница 41: ...locally it looks at the contents of the packet The operating system checks various tables on the firewall to determine if it offers the requested service on the requested port If it does not it logs the attempt as a potential security alert and rejects the request In our TELNET example the packet indicates that it is a TELNET request on port 23 The configuration tables indicate that the firewall s...

Страница 42: ... the appropriate program on the other side of the firewall using the standard protocol for that service In our TELNET example the TELNET proxy uses the generic outside policy because the request came from an outside network The outside policy permits TELNET to internal machines but requires authentication The firewall prompts the user to authenticate Once the user authenticates the proxy provides ...

Страница 43: ...PART TWO Configuring and Using Proxies II ...

Страница 44: ......

Страница 45: ...securely handles the transfer of SMTP mail between the inside and outside networks This chapter explains the concepts behind the proxy and how it works how to configure the proxy for SMTP mail transfer and how to configure these services to run through the firewall Understanding the Proxy The proxy for SMTP is actually two different processes a client smap and daemon smapd Together they provide co...

Страница 46: ...ry you specify A common policy is to have one mail hub for the inside network In this scenario outside networks know via DNS that they should send all mail for the domains yoyodyne com on the inside networks to the firewall firewall yoyodyne com itself for processing An outside host informs the firewall it has mail by connecting to smap on the SMTP port The smap client collects the mail from the o...

Страница 47: ... hostname or alias for all relay hosts A relay is a host inside the firewall that determines where to send mail with an unknown address you might have only one relay 4 Provide subdomains to be recognized if you want outgoing mail addresses rewritten to keep subdomain information The sendmail program transforms sender addresses from the user host domain format penny dimension yoyodyne com into the ...

Страница 48: ...ble for more information on smap and smapd options netperm table options and order of precedence Advertising the Firewall as a Mail Exchanger You need to advertise the firewall as the mail exchange site for your domain The DNS configuration in gauntlet admin can do this for you Consult the section on DNS configuration for specific instructions Configuring Your Internal Mail Hub As long as you are ...

Страница 49: ... Mail v bouncer bbnplanet com Subject Test Configuring Mail and the Gauntlet Firewall This is a test D The verbose mode ensures that you see the details of the delivery The bouncer service sends you a return message shortly If you need to test header rewriting or other custom configurations consider starting sendmail in debug mode Using Mail The firewall and the smap and smapd proxies for SMTP tra...

Страница 50: ......

Страница 51: ...POP3 mail transfer and how to configure POP3 services to run through the firewall Understanding the Proxy The Gauntlet POP3 proxy is an application level gateway that provides configurable access control authentication and logging mechanisms The POP3 proxy which runs on the firewall transfers mail between external workstations and internal mail servers based on rules you supply source IP address s...

Страница 52: ...ing for requests on the standard POP3 port 110 When the firewall receives requests for POP3 services on this port the proxy checks its configuration information in the netperm table file and determines whether the initiating host has permission to use POP3 services If the host does not have permission the proxy logs the connection attempt and displays an error message If the host has permission th...

Страница 53: ...admin Proxies form where you can enter the name of the destination POP3 server and modify the timeout value if you desire See Appendix B for more information on pop3 gw options netperm table options and order of precedence Configuring Your Internal POP3 Mail Server Configure your internal POP3 mail server 1 Configure your POP3 mail server to accept POP3 requests from the firewall If you need to sp...

Страница 54: ...procedures to use POP3 services To retrieve electronic mail using POP3 with authentication follow these steps Note that the order of these steps may differ for different user agents 1 Configure the mail user agent and set the name of the POP3 server to the firewall 2 Retrieve mail causing the user agent to connect to the firewall 3 Authenticate to the proxy by supplying your APOP password 4 Contin...

Страница 55: ...irewall firewall yoyodyne com to get his mail Next John retrieves his mail As part of the connection the proxy requests authentication information from the user agent which prompts him After authenticating the proxy transfers the request to the internal POP3 mail server mail yoyodyne com authenticates using the user s POP password as stored on the firewall and retrieves his mail ...

Страница 56: ......

Страница 57: ...ovide configurable access control authentication and logging mechanisms The TELNET and rlogin proxies which run on the firewall pass TELNET and rlogin requests through the firewall using rules you supply The TELNET proxy also passes TN3270 requests through the firewall You can configure the proxies to allow connections based on source IP address source hostname destination IP address destination h...

Страница 58: ...gin daemon rlogind or the rlogin proxy rlogin gw The default policy for this scenario is to allow all inside hosts to initiate TELNET or rlogin sessions without authenticating The inside host passes TELNET requests to the firewall which starts the netacl daemon The netacl daemon checks its permissions and determines that the inside host can use TELNET The netacl daemon starts the proxy The proxy l...

Страница 59: ...es as daemons listening for requests on the standard TELNET port 23 and Rlogin port 513 Common policies allow inside hosts to connect without authentication and outside hosts to connect with authentication This configuration using just the TELNET and Rlogin proxies without the netacl daemon prohibits running either TELNET or Rlogin on the firewall itself which would allow you to login to the firew...

Страница 60: ...t remote logins This setting actually changes the settings in the netperm table file so that the TELNET and rlogin proxies will start the actual TELNET and rlogin daemons when you try to connect to the firewall itself using the localhost host name Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support TELNET or rlogin traffic Configuring the ...

Страница 61: ...Enable transparent proxies using gauntlet admin to configure the proxies so that users working on the trusted networks behind the firewall do not see a change in their daily TELNET rlogin and TN3270 activities For example a transparent TELNET through firewall yoyoyne com might look like this dimension 26 telnet blaze clientsite com Trying 10 0 2 120 port 23 Connected to blaze clientsite com BSDI B...

Страница 62: ...o or through the firewall The example below shows a sample TELNET session from an untrusted network to a trusted network using S Key authentication at the firewall blaze clientsite com 28 telnet firewall yoyodyne com Trying 204 255 154 100 Connected to firewall yoyodyne com Escape character is Username scooter Skey Challenge s key 651 fi19289 SAFE DUB RISK CUE YARD NIL Login Accepted firewall yoyo...

Страница 63: ...t machine The TELNET daemon on dimension prompts Scooter for his user name and password on dimension The TELNET daemon on dimension verifies Scooter s user name and password and logs him in TN3270 With Authentication If you have configured terminal services to require authentication users need to follow different procedures to use TN3270 To use TN3270 with authentication 1 TN3270 to the firewall i...

Страница 64: ......

Страница 65: ...proxy that provides configurable access control authentication and logging mechanisms The FTP proxy which runs on the firewall passes FTP requests through the firewall using rules you supply You can configure the FTP proxy to allow file transfer activity based on source IP address source hostname destination IP address destination hostname FTP command for example STOR and RETR Using these options ...

Страница 66: ...e FTP sessions and transfer files without authenticating The inside host passes FTP requests to the firewall which starts the netacl daemon The netacl daemon checks its permissions and determines that the inside host can use FTP The netacl daemon starts the ftp gw The proxy logs the transaction and passes the request to the outside host The ftp gw remains active until either side terminates the co...

Страница 67: ...ic sources and destination Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support FTP traffic Configuring the Proxy Rules If you are using the Gauntlet Firewall default configuration you do not need to modify the proxy rules for FTP services Use the gauntlet admin Proxies form if you want to enable FTP or anonymous FTP If you have chosen a di...

Страница 68: ...configured any FTP activities to require authentication users must follow different procedures to use FTP To FTP using authentication follow these steps 1 FTP to the firewall itself 2 Authenticate to the proxy 3 Connect to the desired FTP server 4 Continue as before A common policy for the FTP proxy is to authenticate all requests from untrusted networks to or through the firewall The example belo...

Страница 69: ...s Clancy s user name and password and logs him in Clancy can now transfer files using regular FTP commands Using Authentication With Some GUI FTP Tools The FTP proxy can require you to authenticate twice Some GUI FTP tools for Microsoft Windows and the Macintosh require you to specify the user name and password in a dialog box These tools assume that once you supply this information you are connec...

Страница 70: ...res easy access by the public If you place the anonymous FTP server behind the firewall you are allowing an additional type of access within your security perimeter If you place the FTP server on the firewall itself you are allowing additional access to your firewall Evaluate both setups for the possible security risks to your site and how your site security policy addresses this type of access Ga...

Страница 71: ...er 45 Use checksums to watch for file changes Back up frequently You can also use the Info Server included with the Gauntlet firewall as an anonymous FTP server on the firewall itself See FTP Server on page 102 for more information ...

Страница 72: ......

Страница 73: ... configurable access control authentication and logging mechanisms The Rsh proxy which runs on the firewall passes Rsh requests through the firewall using rules you supply You can configure the Rsh proxy to allow remote shell activity based on source IP address source host name destination IP address destination host name Using these options you can configure your firewall to allow specific hosts ...

Страница 74: ...did before the firewall was put into place The default policy does not allow outside hosts to Rsh to hosts inside the perimeter The default policy and configuration using just the Rsh proxy prohibit running an Rsh server on the firewall itself Because the Rsh proxy is running on the standard Rsh port on the firewall all Rsh requests start the proxy There is no way to start the Rsh daemon needed to...

Страница 75: ... accessing a machine outside the perimeter from a machine inside the perimeter Using Rsh Services Following some initial configuration the firewall and the rsh gw proxy are transparent to the user Users can continue to use rsh to outside hosts as they did before Configuring the Remote Machine Before using Rsh users must add their user name and the name of the firewall to their rhosts file on the r...

Страница 76: ...g Rsh Services For example Penny who works at Yoyodyne needs to execute something remotely using her account at Big University She adds a line to the rhosts file in her account at Big University penny fire out yoyodyne com ...

Страница 77: ...ing HTTP proxy included with the Gauntlet Firewall securely handles requests for information via hypertext Gopher and file transfer The proxy supports hypertext transfer via the HTTP SHTTP and SSL protocols Gopher transfer via Gopher and Gopher protocols and file transfer via FTP This chapter explains the concepts behind the HTTP proxy and how it works how to configure the proxy for web services G...

Страница 78: ...the section on Configuring the Firewall for WWW and Gopher Services at the end of this chapter How It Works The IRIX system runs the HTTP proxy as a daemon listening for requests on the HTTP port 8080 and or the gopher port When the firewall receives requests for services via HTTP SHTTP SSL Gopher or Gopher the proxy looks at the request and places it in one of several categories The proxy then ch...

Страница 79: ...rd HTTP proxy on popular alternate ports Authenticated HTTP If you want to authenticate users before allowing them to access information the firewall runs the authenticating HTTP proxy ahttp gw as a daemon listening for requests on the HTTP port 8080 When the firewall receives requests for service on this port it performs the normal configuration checks to ensure that the initiating host has permi...

Страница 80: ...ervices If the request is for some sort of secure HTTP transaction using either the SHTTP protocol on port 8080 or SSL protocol on port 443 the proxy performs the appropriate hand off with the secure server at the other end of the connection If you have not configured or can not configure the web browser to know about the HTTP proxy as the security proxy the firewall calls the SSL plug proxy for a...

Страница 81: ...ll want to deny it for the HTTP proxy as well Creating User Authentication Entries Use the authentication management system to create authentication user entries for any users who authenticate when using the authenticating HTTP proxy See Chapter 17 for more information Consider using multiple authentication servers as explained on page 6 if you wish to require strong authentication for other inbou...

Страница 82: ...x from a preferences menu while others require you to edit a configuration file and others use environment variables If you are using the authenticating HTTP proxy ensure that the browser supports proxy authentication and persistent connections To configure the browser follow these steps 1 Specify that you can only have one network connection at a time if you are using the authenticating HTTP prox...

Страница 83: ...names of any internal or corporate HTTP servers localhost 127 0 0 1 Note that if you use the IP address instead of the hostname you must use the internal IP address of the firewall Figure 7 1 shows the configuration screen for version 2 0 of Netscape Navigator for Microsoft Windows Figure 7 1 Proxy Configuration for Netscape Navigator 2 0 for Windows Accessing Web Services Without Authentication O...

Страница 84: ...ou are using weak authentication enter your username and password when your browser prompts you to The proxy remembers this information and reauthenticates you if the connection breaks Strong Authentication If you are using strong authentication enter your username when your browser prompts you to The proxy uses your user name to determine the type of authentication you are using It prompts you a ...

Страница 85: ...RLs in bookmarks and hotlists Using Gopher Services The firewall configuration for the http gw proxy for Gopher services is transparent to the user if transparent proxies have been enabled using gauntlet admin Users can continue to point their Gopher clients to Gopher servers as they did before If you have disabled transparent proxies then users must rewrite each Gopher address If a user has a set...

Страница 86: ...lihood that someone may be able to exploit bugs in the WWW server to break into your firewall The best solution is generally to place your WWW server on a separate machine outside the perimeter Follow good host oriented security practices for this machine Turn off all other services Create the minimum number of user accounts Use strong authentication Patch your operating system and applications wi...

Страница 87: ...ation level proxy that provides configurable access control The proxy which runs on the firewall passes RealAudio client requests through the firewall using rules you supply You can configure the RealAudio proxy to allow connections based on source host name source IP address destination host name destination IP address Using these options you can configure the firewall to allow RealAudio clients ...

Страница 88: ... the default RealAudio proxy port 1080 The proxy works as described above However you must configure your RealAudio player to use the RealAudio proxy that is running on port 1080 Only recent RealAudio players can be configured explicitly to use the RealAudio proxy on port 1080 The transparent proxy feature does not need to be enabled in this case The default policy allows inside hosts to use RealA...

Страница 89: ...e the RealAudio server use the gauntlet admin Proxies form to enable the server Alternatively you may modify usr gauntlet config template netperm table to reflect your configuration See Appendix B for more information on rap gw options netperm table options and order of precedence Verifying Your Setup Verify your installation by using your RealAudio player to listen to audio files or live broadcas...

Страница 90: ...eed to configure your RealAudio player to know about the proxy and the other port To configure the RealAudio player 1 Select View 2 Select Preferences 3 Select Proxy 4 Check the Use Proxy box 5 Enter as the host the name for the inside interface of your firewall Now when you point your web browser or RealAudio player at a RealAudio file they use the proxy ...

Страница 91: ...l in the WebFORCE MediaBase Administrator s Guide Understanding the MediaBase Proxy The Gauntlet MediaBase proxy is an application level proxy that provides configurable access control The proxy which runs on the firewall passes MediaBase client and server requests through the firewall using rules that you supply You can configure the MediaBase proxy to allow connections based on source host name ...

Страница 92: ...passes the request to the appropriate host The mbase gw daemon is always active This daemon requires that MediaBase players also be configured to use a proxy The default policy allows clients inside the network to connect to MediaBase servers it does not allow outside clients such access however Because the firewall runs the MediaBase proxy on all MediaBase ports all requests from outside clients ...

Страница 93: ...he proxy rules for the MediaBase server To enable the MediaBase server use the gauntlet admin Proxies form to enable the server Alternatively you may modify usr gauntlet config template netperm table to reflect your configuration See Appendix B for more information on mbase gw options netperm table options and order of precedence Verifying Your Setup Verify your installation by using your MediaBas...

Страница 94: ......

Страница 95: ...allow X11 services through their firewall This chapter explains the concepts behind the X11 proxy and how it works how to configure the proxy and how to use X11 services through the firewall Understanding the X11 Proxy The Gauntlet X11 proxy is an application level proxy that provides configurable access control The proxy which runs on the firewall passes X11 display requests through the firewall ...

Страница 96: ...er TELNETs to the firewall which runs the TELNET proxy After checking permissions and authenticating users as described in chapter 1 the TELNET proxy tn gw displays a prompt for the user At the prompt the user indicates a wish to allow X displays across the firewall The TELNET proxy starts the X11 proxy x gw on port 6010 corresponding to X display 10 or higher The X11 proxy checks its configuratio...

Страница 97: ...o modify your network files on the firewall to use the X11 proxy The TELNET and Rlogin proxies are the only programs that can start the X proxy and they read their configuration information from the netperm table file Configuring the Proxy Rules To enable the X11 proxy for TELNET and Rlogin users use the gauntlet admin Proxies form Alternatively you may modify usr gauntlet config template netperm ...

Страница 98: ...Confirm the display request on the real display The example below shows a user working on the inside network who needs to display information from a program running on a machine on an outside network Clancy Rawhide working at his machine dimension on the inside network needs to run an X program on a client machine blaze clientsite com on an outside network and display the results on his display He...

Страница 99: ...aze The TELNET daemon on blaze verifies Clancy s user name and password and logs him in login crawhide Password Please wait checking for disk quotas You have mail blaze clientsite com 1 Next Clancy provides the X display information to the client machine blaze and starts the client application He uses the display information that the X proxy provided when he started the X proxy blaze clientsite_1 ...

Страница 100: ...74 Chapter 10 Managing X Window Services Figure 10 2 Example X Window Confirmation Finally Clancy views the results on his screen inside the firewall ...

Страница 101: ...the proxy and how to use lp services Understanding the lp Proxy The Gauntlet lp proxy is an application level gateway that provides configurable access control and logging mechanisms The lp proxy which runs on the firewall passes lp requests through the firewall using rules you supply You can configure the lp proxy to allow file transfer activity based on source IP address source hostname destinat...

Страница 102: ...nd passes the request to the outside host The lp gw remains active until either side closes the connection or the proxy times out the connection The default policy allows inside hosts to use lp Users on inside hosts can continue to print to outside hosts as they did before the firewall was put into place The default policy does not allow outside hosts to connect to inside hosts for printing The de...

Страница 103: ... information on lp gw options netperm table options and order of precedence To configure the netperm table file follow these steps 1 Add the lp proxy to your inside and outside policies as appropriate 2 Create an lp proxy section specifying the inside hosts outside server and printer queue lp gw printer host blaze clientsite com printer lp main 3 Configure other lp proxy options as appropriate for...

Страница 104: ...ur firewall to a host outside your firewall If you are configured to do so print a file from a host outside your firewall to a host on the inside of your firewall Using lp Services The firewall and the lp gw proxy are transparent to the user Users can continue to use lp to permitted servers and printers as they did before ...

Страница 105: ...onfigure the proxy and how to use Sybase services Understanding the Sybase Proxy The Gauntlet Sybase proxy is an application level proxy that provides configurable access control authentication and logging mechanisms The Sybase proxy which runs on the firewall passes Sybase requests through the firewall at the application level using rules you supply You can configure instances of the Sybase proxy...

Страница 106: ...controls allow you to have much more control over the connections to and from your system than without a firewall The logging capabilities are also much more extensive How It Works The firewall runs different instances of the Sybase proxy syb gw as daemons on different ports for different Sybase applications based on the information in the etc services and usr gauntlet bin gauntlet files These fil...

Страница 107: ... enforce your policy and configuring Sybase clients Planning 1 Determine which Sybase servers users need to access Determine whether you want to limit access to particular a server or not Obtain host name or IP address information for each server 2 For each server determine the port s on which the server accepts connections 3 Determine which external hosts can use these services 4 Determine which ...

Страница 108: ... as the host name of the actual machine running the Sybase server If you are not using transparency specify the host name as the IP address of the firewall If you are using server to server communications configure your servers as clients Consult your Sybase administration documentation for further information on configuring clients for accessing servers Verifying Your Setup Use your Sybase client...

Страница 109: ...PART THREE Administering General Gauntlet Firewall Services III ...

Страница 110: ......

Страница 111: ...n applications such as America Online CompuServe and Lotus Notes Each of these services uses a proprietary protocol which could require a multitude of application specific proxies Instead administrators can use the plug proxy to tunnel these through the firewall Warning The consequences of allowing proprietary protocols through your firewall are not well known Because the protocols are proprietary...

Страница 112: ...h version of the plug proxy you can configure the proxy to allow connections based on source IP address source hostname source port destination IP address destination hostname destination port Using these options for the plug proxy you could configure your firewall to allow your service provider s host on the outside to connect to the firewall and pass news via NNTP to your news machine on the ins...

Страница 113: ...ews server and one external news server The firewall itself cannot run an NNTP news server because the plug proxy is using the standard port for these services Hosts on both the inside and outside think the firewall is servicing requests The external news server thinks it is feeding news to the firewall and the internal news server thinks that it is receiving news from the firewall The firewall is...

Страница 114: ...Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support NNTP This is a standard service included in the default versions of these files on the Gauntlet Firewall Configuring the Proxy Rules In most cases you do not need to modify the proxy rules for NNTP This is a standard service Informing Your News Feed Inform your external news feed often yo...

Страница 115: ...to modify etc services but do not need to modify etc init d network local or usr gauntlet config template netperm table This section uses the Quote of the Day qotd service as an example Of course you must carefully determine if the benefits of something like a Quote of the Day service outweigh the risks of allowing that type of service within your security perimeter Planning 1 Determine which prot...

Страница 116: ...Add information about the plug proxy to etc init d network local so that the system knows what daemon to start to handle Quote of the Day requests echo qotd usr etc plug gw as qotd gw daemon qotd qotd See the comments in etc init d network on how to ensure that etc init d network local will be executed at boot time Use the same name for the service that you specified in etc services Configuring th...

Страница 117: ...ervice and application to connect to the firewall instead of directly to the server Consult the documentation included with your plugged service for information on possible configurations Verifying Your Setup Try accessing the service in the way it is meant to be used Conversely access the service in inappropriate ways Watch the logs on the firewall for error messages Configuring Multiple Newsfeed...

Страница 118: ... your users to read news For example you need to allow users to directly access news servers on untrusted networks To configure for reading news from servers on untrusted networks 1 Use the gauntlet administration tools to disable NNTP configuration for your firewall This configuration handles a single internal NNTP server connecting to a single external NNTP server Set both the internal and exter...

Страница 119: ...are proprietary the firewall and the proxy have no idea what sorts of data or requests the applications are sending Nor do we have any idea how safe the actual application is Do not use the circuit proxy for proprietary protocols without first performing a risk assessment This chapter explains the concepts behind the circuit proxy how it works and how to configure and use the circuit proxy Underst...

Страница 120: ...ore connecting if required The circuit proxy also logs all successful and unsuccessful connection attempts and the amount of data transferred These access controls allow you to have much more control over the connections to and from your system than without a firewall The logging capabilities are also much more extensive How It Works The firewall runs the circuit proxy ck gw as a daemon on a user ...

Страница 121: ...remains active until either side terminates the connection The original TELNET window also remains active until either side terminates the connection Configuring the Firewall for Authenticated TCP Services Configuring the Gauntlet firewall involves planning indicating which daemons the system will run configuring the proxies to enforce your policy starting your proxy rebooting your firewall and co...

Страница 122: ...knows about the service you are porxying indicating name of the service the port and that it uses TCP oracle 1176 tcp Oracle 3 Modify the default circuit proxy startup script in usr local etc mgmt rc so that the system knows what daemon to start Rename the default circuit proxy script D270ck gw to a file name that starts with S and a number The firewall starts the daemons in numeric order so name ...

Страница 123: ...ndicating the services offered and the ports used ck gw server service port remote port host remote host where server service indicates the name of the available service Used by the proxy to create the menu of available services port remote port indicates the port on the remote host to which the circuit proxy connects Specify by service name or port number host remote host indicates the name of th...

Страница 124: ...uthentication server For example use the auth server on the firewall ck gw authtype authhost 127 0 0 1 authport 7777 You can use the authserver attribute instead of authtype If you specify an authtype attribute the circuit proxy uses the authtype attribute instead of the authserver attribute 4 Comment your additions Verifying Your Setup Verify your installation by using your application through th...

Страница 125: ...In this example Robert Hikita working at a machine dimension inside the perimeter needs to access an Oracle database on a machine outside the perimeter He first TELNETs to the port ck gw on the firewall for Yoyodyne fire in yoyodyne com on which the circuit proxy is running The circuit proxy prompts Robert for his authentication userid which he provides hikita When the proxy responds with a challe...

Страница 126: ...ion in his original TELNET authentication session waiting for oracle client to be started type q return to abort oracle client started okay to proceed answer yes only if you started a oracle client y ck gw Robert returns to the original TELNET window in which he connected to the circuit proxy He notes that the circuit proxy has received a request for service He confirms the request y He leaves thi...

Страница 127: ...cessary It is a good idea to perform a careful risk assessment before placing WWW software on a firewall The Info Server included with the Gauntlet Internet Firewall services requests for HTTP Gopher and FTP services This chapter explains how the Info server and Info Proxy work how to configure the server and the proxy for the various protocols and how to use the server and the proxy Understanding...

Страница 128: ...ppropriate configuration information in the netperm table and determines whether the requesting host has permission to use the desired service If not the Info Server logs the connection and displays an error message If the host has permission to use the service the Info Server uses its internal database by default in usr gauntlet infodb to find the requested file or to go to the requested director...

Страница 129: ...sses a request it does not use standard directory commands to traverse the file hierarchy on the firewall Instead the Info Server uses a database manager which translates the FTP HTTP or Gopher request into the internal database structure The database manager then tells the Info Server the actual name of the file which the server displays or returns to the client The database uses usr gauntlet inf...

Страница 130: ... zero 0 character When the Info Server receives a request for the file latest gz the database manager translates the request and looks for the file Alatest0gz In many cases the files that start with A and H are actually symbolic links to the real text or binary file For example the file Alatest0gz would actually be a symbolic link to latest gz For text files the A file is generally a copy of the a...

Страница 131: ...ng only those files that you wish to display For example the L file could contain only the list of files that you want anyone to view even though you have other files in the directory Gopher Menu Files When the Info Server receives a request to display a Gopher menu it instead returns a specific file that contains the list of files that you wish to display for that directory For example when the I...

Страница 132: ...oxy Rules If you are using the Gauntlet firewall default configuration you do not need to modify the proxy rules for the info server To enable the info server use the gauntlet admin Proxies form to enable the info server select an idle timeout period and specify an information directory Enable anonymous FTP if desired Alternatively you may modify usr gauntlet config template netperm table to refle...

Страница 133: ...erver on the firewall follow these steps 1 Create your directory structure under usr gauntlet infodb D Prefix each directory with the letter D when you create the directory For example if you want to keep all of your pictures in the images directory firewall 32 cd usr gauntlet infodb D firewall 33 mkdir Dimages 2 Copy all of your files HTML text files executables and pictures to the appropriate di...

Страница 134: ...ocess for every file you wish to have accessible via the Info Server Binary Files Adding binary files to the database creates the necessary A and H files for images Use the addfile program usr gauntlet infodb tools addfile To add binary files to the database create the A and H files addfile file ctfiletype where file is the name of the binary file ctfiletype is one the default header file types us...

Страница 135: ...ame of the executable prepended with a Q and any periods converted to the zero 0 character Repeat this process for every binary file you wish to have accessible via the Info Server Creating FTP List Files Creating list files actually creates the L and N text files that the Info Server displays when it receives FTP ls and nlist requests Use the makedirlist script usr gauntlet infodb tools makedirli...

Страница 136: ...at it looks like a normal Gopher menu See the makedirlist script for examples of redirecting list files to text files for the Info Server 2 Modify the resulting file and add the other standard Gopher menu fields Advertising Your Server Advertise your HTTP Gopher or FTP Server to your customers or the world Be sure to advertise the outside IP address of the firewall specify that connections should ...

Страница 137: ... explains the concepts behind the network access control daemon how it works and how to configure it Understanding the Network Access Control Daemon The network access control daemon is a TCP wrapper program that provides configurable access control and logging mechanisms The network access control daemon which runs on the firewall starts different applications based on the source address of the r...

Страница 138: ...m specified in the netperm table For example the network access control daemon might start the TELNET proxy tn gw for some initiating hosts and the actual TELNET daemon telnetd for other initiating hosts The default configuration of the Gauntlet Internet Firewall uses the network access control daemon to control access to several different proxies and daemons For example the default configuration ...

Страница 139: ...cases you do not need to modify the proxy rules for NNTP This is a standard service Configuring Your Service Ensure that the other program you wish to run exists has appropriate file permissions etc For example 1 Create a file usr etc smtp deny txt using SMTP syntax that the network access control daemon can display for SMTP requests from the offending hosts 521 Mail from your system is not permit...

Страница 140: ......

Страница 141: ...ces Configuration Form on page 123 Routing Configuration Form on page 128 Proxy Servers Configuration Form on page 131 Domain Name Service DNS and Gauntlet on page 139 DNS Configuration Form on page 140 Sendmail Configuration Form on page 148 swIPe Configuration Form on page 152 Logfiles and Reports Configuration Form on page 159 Authorizing Users Form on page 163 Note You can modify directly some...

Страница 142: ...th the interface and your own configuration you might prefer to go directly to a particular form in a random order You can do this by clicking the name of the form in the menu bars that appear at the top and bottom of every form in the graphical management interface Help Links To view additional information on many subjects select any highlighted linked word or phrase on the form Caution If you cr...

Страница 143: ...r setup choose this option to put your firewall configuration in effect Caution Running Configure All interrupts all current connections including the telnet session if you are using one to manage Gauntlet remotely Using the Gauntlet Management Interface To configure the Gauntlet firewall you can start the management interface locally from the firewall itself or from a remote host including a remo...

Страница 144: ...ministrative user name and password 3 Enter the gauntlet admin user name and password By default the user name for the gauntlet admin management tool is gauntlet and the default password is admin Enter the default user name and password to start the Gauntlet management interface Note We strongly recommend that you assign a user name and password other than the default use this command gauntlet adm...

Страница 145: ...re all forms appropriately running Configure All interrupts all current connections The introductory management form describes how to use the forms based interface and contains a list of form names From this list you can access any other form go to the next form or configure your system ...

Страница 146: ...120 Chapter 17 The Graphical Management Interface Figure 17 3 Gauntlet Introductory Management Form 1 of 3 ...

Страница 147: ...Introductory Management Form 121 Figure 17 4 Gauntlet Introductory Management Form 2 of 3 ...

Страница 148: ...122 Chapter 17 The Graphical Management Interface Figure 17 5 Gauntlet Introductory Management Form 3 of 3 ...

Страница 149: ... bottom of the form so you can go directly to another form if you wish This chapter explains each configuration form in the order that it appears if you click Begin Configuration on the introductory management form and then click the Continue button on each form that follows Networks and Interfaces Configuration Form The Gauntlet networks and interfaces configuration form Figure 17 6 and Figure 17...

Страница 150: ...124 Chapter 17 The Graphical Management Interface Figure 17 6 Networks and Interfaces Configuration Form 1 of 2 ...

Страница 151: ...Networks and Interfaces Configuration Form 125 Figure 17 7 Networks and Interfaces Configuration Form 2 of 2 ...

Страница 152: ...etwork If this mask is not correct for your configuration click Edit and modify the mask field to change it Trusted Networks The Gauntlet firewall supports the concept of trusted networks networks whose users are permitted to access firewall services without user authentication see Authorizing Users Form on page 163 Typically trusted networks are your internal local networks To add networks to the...

Страница 153: ...permitted access to network services provided they pass authentication You can add to the list of untrusted networks by clicking the ADD button Remember that when you designate one or more untrusted networks users on these networks are allowed access with authentication all remaining outside networks are considered unknown and their users are refused connections If you leave the list of untrusted ...

Страница 154: ...o each network you add Use a metric of 0 if the gateway is an interface on the Gauntlet host and a metric of 1 if it is anywhere else Explicit routes are stored in usr gauntlet config explicit_routes To set the default route to a network enter default as the destination network and 0X00000000 as a network mask The default subnet mask automatically provided by the GUI for the destination network s ...

Страница 155: ...Routing Configuration Form 129 Figure 17 8 Routing Configuration Form ...

Страница 156: ... the default destination for all inbound packets Figure 17 9 Example Gauntlet Host Routing Configuration If hosts on your internal network are running a routing daemon they eventually acquire the default route from the Gauntlet host The default route can also be explicitly assigned to those hosts by their administrators Additional Routing Information For additional general routing information or i...

Страница 157: ...ecurity of the firewall When logins are enabled administrators can connect to the firewall by accessing the rlogin or TELNET proxies Example 17 1 illustrates a sample TELNET session Note The preferred method for managing the firewall remotely is described in Introductory Management Form on page 118 and Configuring Gauntlet for Secure Remote Administration on page 170 Example 17 1 Administrative TE...

Страница 158: ...able a proxy for the service When you enable a service the firewall runs a daemon to support it For example enabling TELNET means that a proxy TELNET server will run on the Gauntlet firewall to mediate and enable TELNET connections The proxy will be a transparent TELNET proxy if you have enabled transparent proxies Note You must also have configured the Networks Interfaces Configuration Form corre...

Страница 159: ...on is required HTTP Proxy Server Configuration If you enable HTTP hypertext transfer protocol for World Wide Web access you must also specify the following which port the HTTP server should use the default is 8080 which server the HTTP proxy defaults to for unqualified URLs unqualified URLs are HTTP request from a browser that do not include a server name just a path If you want users inside the f...

Страница 160: ...n be extremely useful if users are traveling for example Remote users must be using client software that supports POP3 APOP authentication This allows users to authenticate themselves to the Gauntlet firewall so the firewall can then plug the connection through to the internal POP3 server performing the identical authentication exchange with the internal POP3 server The user s password to the POP3...

Страница 161: ...ing the Firewall for Other Protocols in Chapter 11 for more information If you configured custom plug gateways click Enable to enable them RealAudio Proxy The RealAudio proxy allows clients inside the firewall to listen to audio files on outside servers You cannot configure the proxy to allow outside clients access to RealAudio servers inside the firewall see Chapter 13 for more information Click ...

Страница 162: ...136 Chapter 17 The Graphical Management Interface Figure 17 10 Proxy Servers Configuration Form 1 of 3 ...

Страница 163: ...Proxy Servers Configuration Form 137 Figure 17 11 Proxy Servers Configuration Form 2 of 3 ...

Страница 164: ...138 Chapter 17 The Graphical Management Interface Figure 17 12 Proxy Servers Configuration Form 3 of 3 ...

Страница 165: ... server that provides the address of the Internet side of its network connection 192 132 122 in Figure 17 9 In the case of a screened subnet the DNS server could be any of the public hosts in the subnet and it could provide addresses for all of these hosts and the router You should also set up the DNS Mail eXchanger MX record to advertise the name of the host s responsible for mail at your site Th...

Страница 166: ...f you are running a separate externally visible DNS server on a host on your DMZ you should enter its host name here instead if your Internet access provider provides your name service specify their name server s host name Do not enter the host name of any internal DNS servers you may be running as outside hosts cannot access them through the firewall The result is that the host name you enter is ...

Страница 167: ...addresses registered or unregistered in additional networks that is acceptable Enter the host name of your mail hub The mail hub is the server where mail from your domain is collected or focused before it is distributed see Mail Hubs on page 146 for possible mail hub configurations The DNS server running on the firewall will advertise MX resource records that focus email addressed to any recipient...

Страница 168: ...rect locations Use the following procedure to configure a split DNS configuration 1 After initially selecting Configure All using the Gauntlet administrative interface select and save the option on the DNS page to preserve the current DNS configuration files 2 Edit the nameserver line in firewall etc resolv conf which currently lists the IP address for your firewall to list the IP address for ns 3...

Страница 169: ...at firewalled sites Outside hosts cannot successfully query your internal DNS server for internal host names and IP addresses However on the firewall itself applications can resolve internal host names this is necessary for using host names to direct email delivery and for inbound application proxy connections ...

Страница 170: ...144 Chapter 17 The Graphical Management Interface Figure 17 13 DNS Configuration Form 1 of 2 ...

Страница 171: ...DNS Configuration Form 145 Figure 17 14 DNS Configuration Form 2 of 2 ...

Страница 172: ...mail to any of the users on internal hosts must be focused brought together to pass through the firewall and then delivered to the appropriate destinations Whether or not in a firewall context that is essentially what a mail hub is mail bound for different destinations is focused together and delivered to the mail hub and the mail hub figures out where the mail should go next You have three choice...

Страница 173: ...ts final destination When a network contains several relays each relay is responsible for delivery to a particular group of hosts within the network Gauntlet and Subdomains Using an internal machine as a domain level main mail hub has some advantages if you have extremely complex mail processing needs However Gauntlet s support for recognized subdomains makes it easy for you to hand off complex ma...

Страница 174: ...the firewall host for delivery will then be rewritten as documented in Subdomain names to be recognized for your site on page 150 Sendmail Configuration Form Use the Sendmail configuration form Figure 17 15 to modify the firewall s Sendmail configuration with a browser based interface If you prefer you can use the IRIX configmail tool or edit the etc sendmail cf file directly Be sure to check the ...

Страница 175: ...d in conjunction with the sendmail cf auto file configmail makes it possible to customize sendmail behavior without editing the sendmail cf file When you use configmail sendmail is not used to accept email on the firewall instead a simpler more secure program called smap accepts and queues incoming email messages and sendmail is periodically invoked to deliver messages in the queue Enter the hostn...

Страница 176: ...n to username DOMAIN_NAME before the message is delivered If recognized subdomains are set the Gauntlet firewall rewrites username some_host some_subdomain DOMAIN_NAME to username some_subdomain DOMAIN_NAME if some_subdomain is one of the recognized subdomains listed here otherwise it still rewrites the address to username DOMAIN_NAME This behavior and the fact that the Silicon Graphics sendmail c...

Страница 177: ...Sendmail on Gauntlet Servers 151 Figure 17 15 Sendmail Configuration Form ...

Страница 178: ...nds the security perimeter of the individual networks each protected by a participating firewall to encompass both networks In such a configuration the firewalls are considered peers Both peers in the VPN must be running Gauntlet software See Appendix C for detailed information on swIPe and VPNs Figure 17 16 illustrates two Gauntlet servers acting as peers in a VPN Notice that in this figure the p...

Страница 179: ...s that IP packets contain authentic source and destination addresses This verification protects against IP address spoofing it can be used in conjunction with permission sets to guarantee that interaction is occurring only between Gauntlet host Internet Internal network Gauntlet host Authentication Authentication Encrypted data Encrypted data ...

Страница 180: ...required a passthrough path forwards data freely to a destination that is not on the immediate VPN A path is identified by the addresses of the peer servers that it connects A key ID identifies the authentication algorithm and encryption key that are used to protect data on the path Preparing a Server for swIPe Configuration Prepare for swIPe configuration by performing the following steps 1 Ensur...

Страница 181: ...swIPe Configuration Form 155 Figure 17 17 illustrates the configuration form for swIPe Figure 17 17 swIPe Configuration Form ...

Страница 182: ...not work unless both ends have the same keys Both firewalls discard any packets that unexpectedly arrive encrypted The swIPe configuration form shown in Figure 17 17 consists of two parts the top of the form contains authentication and encryption parameters the bottom of the form identifies each path connecting the firewall to a peer A separate entry form is used to provide the information for eac...

Страница 183: ...r authentication and encryption To create a trusted or private link you must specify the key you wish to use by its Key ID Enter a number from 1 to 99 Click Authenticate packets and Encrypt packets to put either or both of these protection schemes into effect on this peer connection ...

Страница 184: ...to create a key string 4 Select Add to configure the path between this peer and its remote counterpart After your selection the Add swIPe Path Form is displayed Figure 17 19 Add swIPe Path Form 5 Select the path type 6 Enter the local and remote addresses of the peers in this VPN ...

Страница 185: ...PN 10 Coordinate your configuration with the administrator of the remote network Ensure that each firewall has the same encryption key for your VPN 11 Reboot your firewall at the same time as the other administrator reboots the remote firewall Verifying Your Setup If you are using a VPN with privacy and trust issue the ping command to ensure that packets are flowing properly ping uses ICMP packets...

Страница 186: ...syntax in the field provided on this form see the egrep 1 reference page For example enter localhost in the egrep field to keep lines that include the string localhost from appearing in the log file output Be careful not to specify filters that are too broad this might obscure warnings and notices that you want to see Example 17 2 Partial Log File Listing Aug 10 02 00 08 6F rfwall syslogd restart ...

Страница 187: ...Logfiles and Reports Configuration Form 161 Figure 17 20 Reports and Logfiles Form 1 of 2 ...

Страница 188: ...162 Chapter 17 The Graphical Management Interface Figure 17 21 Reports and Logfiles Form 2 of 2 Refer to Appendix A for command line and file information on reports ...

Страница 189: ...hecksums MDauth is also a software based system that uses challenge response MDauth is included as is with the Gauntlet firewall The IRIX executable that users need to generate responses is usr etc softmd5 S Key might be preferable to MDauth however especially in heterogeneous environments APOP A system included with APOP compliant applications uses an MD5 secure hash algorithm The application gen...

Страница 190: ...d administer user passwords using the third party s administration tools If you make an error when editing a user record click the Reset button to abort any changes that were made Adding a user with the Add Users form Figure 17 23 means that the user can use all of the enabled services The group field lets you associate groups of users Note Adding users and groups here does not create IRIX account...

Страница 191: ...Authorizing Users Form 165 Figure 17 22 Authorizing Users Form ...

Страница 192: ...166 Chapter 17 The Graphical Management Interface Figure 17 23 Add User Form ...

Страница 193: ...administrator of the system has already added the user in the authentication database as an S Key user with a password that the user knows It also assumes that the user has access to the usr bin key program on the client Gauntlet Firewall host Internet Internal network Hosts on local network A u t h o r i z e d Application proxy N o Y e s A u t h o r i z a t i o n r e q u i r e d N o Y e s ...

Страница 194: ... run the client locally so that his or her password is not sent over a network connection After a certain number of authentication sessions a new password must be set for S Key The remaining number of authentication sessions for the current password is the first string in the S Key server challenge 662 in the previous example Configuring Gauntlet for Remote Administration To configure Gauntlet rem...

Страница 195: ...election the Proxy Servers Configuration form is displayed shown in Figure 17 10 4 Click Enable remote gauntlet administration proxy on the Proxy Servers Configuration form The button to enable remote Gauntlet administration appears near the end of the Proxy Servers Configuration form shown in Figure 17 12 To enable remote registration of the firewall click this button 5 Reset the port number and ...

Страница 196: ... administration port back to the setting used by the HTTP proxy 8080 See Chapter 7 Configuring Web Browsers on page 56 for instructions Accessing the Administration Tool from an X Display You can also use remote X display from a remote host to run the Gauntlet administration interface To run the administration interface on a remote X display do this 1 Log in to the firewall from the remote host 2 ...

Страница 197: ...h your Web browser from the remote host 4 Set the Security proxy to access the remote administration proxy at port 21001 On the Netscape Manual Proxy Configuration page shown in Figure 7 1 set the Security proxy to access the remote administration proxy at port 21001 5 Access the Gauntlet administration interface and display the introductory management form See steps 1 through 3 of Configuring Gau...

Страница 198: ...erent timeout value if a different timeout interval is required A server with security features on will require the key password to be entered when the server is started which normally occurs at boot time Once security is activated to access the Gauntlet administration server from your browser use the URL https firewall 21000 cgi bin startup If security features are not activated you can continue ...

Страница 199: ...tication Management System As part of the security policy many sites may require some form of strong authentication which requires users to enter a one time password or use an authentication token There are many systems available that can be integrated into a IRIX networking environment each with its own programming and management interface These are described in more detail in the section Underst...

Страница 200: ...on which is within the perimeter he must pass the first authentication at the firewall firewall yoyodyne com When firewall yoyodyne com receives the information the TELNET proxy determines that the connection request is from an untrusted network and that John can access inside machines The TELNET proxy then prompts John for his authentication information user name and challenge which it verifies a...

Страница 201: ...onvenience of your users Groups The Gauntlet user authentication management system also makes use of groups Groups allow you to permit or deny services based on groups of user names rather than individual user names For example you can configure the X11 proxy to permit service to everyone in group sales Just as is the case with user names the groups that you create in the Gauntlet user authenticat...

Страница 202: ...tent user interface to these systems Currently supported systems are shown below Consult the system requirements card in your Gauntlet firewall package for the latest information on supported versions of the these products Access Key II This system from VASCO Data Security uses a random challenge password When the firewall prompts for authentication it provides a challenge The user enters their PI...

Страница 203: ... Users generate a set of passwords based on a seed word or phrase Each time they need to authenticate they use a different password When the firewall prompts for authentication it provides a challenge value The user enters his or her appropriate password for that challenge The Gauntlet authentication server verifies this value The Gauntlet firewall distribution includes a portion of the S Key pack...

Страница 204: ...rform all of these tasks from the firewall console as root Once you have configured and are using the system all activity to the authentication database is logged and included in the weekly summary reports Configuring Third Party Systems See the online configuration help available for the third party systems by clicking on the authentication system name on the gauntlet admin Authentication page No...

Страница 205: ... a client system on your ACE Server Be sure to use the IP address or host name for the inside address of the firewall if your ACE Server is running on a machine on your inside network 4 Copy the file var ace sdconf rec to the firewall as var ace sdconf rec This file contains information that tells the authentication server where to find the ACE Server 5 Modify usr local etc netperm table and add i...

Страница 206: ...from a host on the outside network To verify an installation using TELNET 1 On a host on the outside network TELNET to the firewall 2 At the TELNET proxy user name prompt enter a user name you have created 3 At the TELNET proxy password prompt enter the appropriate password or response for the user you have created 4 When you see the Login Accepted banner you have verified your installation You ar...

Страница 207: ...IRIX groups Disabling Groups You cannot disable entire groups You must disable usage based on individual users Deleting Groups To delete a group you must reassign all users in that group to another group or to no group at all Managing Users Creating Users Users can be created with the gauntlet admin interface If you need to create a large number of users use the authentication loader The authentic...

Страница 208: ...ify the authentication information by entering it again 6 Make the information active by saving these changes in gauntlet admin Creating Default Users Creating a default user allows you to authenticate users without manually creating entries for every user in the Gauntlet authentication database Note that this option is only available for Safeword Authentication Server SecurID You can only have on...

Страница 209: ...the key information into the user authentication management system using the key initialization tool usr etc vasco_init firebird vasco_init tmp vasco keyfile long This tool creates a user in the authentication management system and loads the key for this user It creates the user name by prepending the letter i to the serial number for that Access Key II This user is initially disabled If you are u...

Страница 210: ...eges and delete the old user name You can however change the long name information for a user using the gauntlet admin interface To change the long name information follow these steps 1 Select the record for the user name you wish to modify 2 Tab to the name field and change the information 3 Make these changes active by saving these changes Changing Groups Users can only belong to one group at a ...

Страница 211: ...ou must use the third party authentication server tools to allow a user to change passwords or change something equivalent such as a PIN for a hardware token device or to change devices altogether Allowing Users to Change Their Password Because users are generally not allowed to log directly into the firewall they must change their password from another machine The default policy allows users conn...

Страница 212: ...hn s key is 664 fi582901 Enabling Users Enabling users also allows users who have been disabled to use the system again To enable a user follow these steps 1 Select the record for the user name you wish to modify 2 Check the Enable box 3 Save your changes Disabling Users Disabling users allows you to keep the user information in the system but does not allow the user to use the system The user aut...

Страница 213: ...rom the user authentication management system It does not remove users from your firewall or from your internal network To delete a user follow these steps 1 Select the delete option for the record for the user name you wish to delete 2 Confirm your deletion action ...

Страница 214: ......

Страница 215: ...ion scheme for logging into the firewall itself as you do for activity between opposite sides of your security perimeter This section explains the concepts behind the login shell program and how it works how to configure the program and how to use it Understanding the Login Shell Program The login shell program is a wrapper program that authenticates the user using strong authentication before pas...

Страница 216: ...t the standard FTP daemon does not use bin login so will not invoke the login shell program for authentication This is not generally a problem as running the standard FTP daemon on the firewall is strongly discouraged Configuring the Firewall to use the Login Shell Program Configuring the Gauntlet firewall involves planning enabling remote login creating user accounts configuring the proxy to enfo...

Страница 217: ...e for your strong authentication information 2 Specify login sh as the shell 3 Create the user s home directory if necessary mkdir home scooter 4 Add the user to group wheel so that they can su to root Use vi to edit etc groups Configuring the Proxy Rules If you are running the Gauntlet firewall default configuration you do not need to modify configuration rules for the login shell If you have cho...

Страница 218: ...t system Securing Other Applications To secure other applications 1 Disable programs such as chsh that allow users to change their shells Either remove the executable or change the file permissions to 700 chmod 700 chsh Note that you should only create accounts on the firewall for people who need to administer the firewall They will all generally have access to the root password Changing file perm...

Страница 219: ...r user name you are prompted for your strong authentication information Using the Login Shell Program Accessing the Firewall from Trusted Networks Login to the firewall via the console TELNET or Rlogin as you did before Note that after you enter your user name you are prompted for the response or password specified for your authentication scheme Become root via su to do work as needed Accessing th...

Страница 220: ...d Do not use the passwd or chpass programs on your UNIX system To change your password you must follow the instructions for changing your strong authentication information as described on page 135 If you use the passwd or chpass programs you will create a UNIX password You will then need to provide both your UNIX password and your strong authentication information when you login to the firewall ...

Страница 221: ...urity policy This chapter describes the concepts behind logging and reporting systems configuring these systems and understanding the log and report formats Understanding Logging and Reporting The Gauntlet Firewall follows the philosophy that it is easy to compress consolidate summarize and delete log information it is impossible to retroactively gather log information on an event that has already...

Страница 222: ... adm SYSLOG You don t need to do anything special to create the logs Even if you choose not to do anything with the information in the logs the programs still write the information You never know when you might need it The message log file also contains information from other programs such as bind cron and other IRIX utilities that use the syslog command As with any other information that the sysl...

Страница 223: ...etperm table file Consult Appendix B for more information on editing the netperm table file and proxy specific logging options Configuring Log Retention Time If you wish to change the length of time the firewall retains log files you may do so with the gauntlet admin interface To set the retention time set the number of days to retain the logs Creating Reports The Gauntlet Internet Firewall contai...

Страница 224: ...report Exception Reports Exception Reports include noteworthy items The Gauntlet Firewall defines a list of items that are not noteworthy and ignores those sorts of entries in the logs The firewall considers all other events as possible security events Thus any item that you have not specifically told the firewall to ignore it reports This report includes information that could indicate a possible...

Страница 225: ...nore when parsing the logs This allows you to configure the firewall to ignore events that you know are routine for your situation To modify the events that the reporting scripts ignore modify the list of events on the Proxies form in gauntlet admin Use regular expressions to denote events that are not significant Configuring the Firewall To change your reporting options use the gauntlet admin int...

Страница 226: ...e gif Oct 30 10 47 25 firewall http gw 12080 content type image gif Oct 30 10 47 27 firewall http gw 12080 exit host unknown 10 0 1 17 cmds 1 in 5581 out 0 user unauth duration 4 Oct 30 10 47 28 firewall http gw 12081 permit host unknown 10 0 1 17 use of gateway Ver g3 0 3 0 Oct 30 10 47 28 firewall http gw 12081 log host unknown 10 0 1 17 protocol HTTP cmd get dest www tis com path art buttons 2 ...

Страница 227: ... 0 0 Top 100 telnet gateway clients in terms of traffic Connects Host Address Input Output Total 287 dimension yoyodyne com 267484 11412 278896 2 john yoyodyne com 10 0 472366 4719 477085 6 jersey yoyodyne com 10 291915 3608 295523 6 eight yoyodyne com 10 0 495575 2249 497824 1 blaze clientsite com 20 169588 1473 171061 3 lizardo yoyodyne com 10 4204 318 4522 2 planet10 yoyodyne com 1 123 64 187 1...

Страница 228: ... 1 17 Dec 12 10 18 55 localhost authsrv 2188 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 03 localhost authsrv 2188 BADAUTH nobody rlogin gw unknown 10 0 1 17 Dec 12 10 19 05 localhost authsrv 2188 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 10 localhost authsrv 2190 BADAUTH penny rlogin gw unknown 10 0 1 17 Dec 12 10 19 13 localhost authsrv 2190 BADAUTH penny rlogin gw unknow...

Страница 229: ... backup procedures as described in the IRIX Advanced Site and Server Administration Guide In particular you should be sure to back up the following usr gauntlet cgi data usr gauntlet config usr etc fw authdb etc apop pass etc skeykeys usr gauntlet checksums var adm Note that if you perform normal backups of the firewall system as you would any IRIX system these files are going to be backed up but ...

Страница 230: ...nt on the firewall for the administrator you still want to ensure that no person or process has modified your system The Gauntlet Internet firewall is designed to make it easy to verify system integrity Understanding System Integrity The Gauntlet integrity database is collection of cryptographic checksums or message digests for many files on your filesystem The database contains a checksum for eac...

Страница 231: ...Store a copy of the initial integrity database created during the first weekly report with your original distribution media Verifying System Integrity If you elect to receive weekly reports you will automatically receive the results of a system integrity check If you do not elect to receive these reports integrity checking is not performed Understanding the Results Review the changes noted in the ...

Страница 232: ......

Страница 233: ...Appendixes IV ...

Страница 234: ......

Страница 235: ...ant to see a list of the files that the Gauntlet software manipulates click the view link in the Managing Your Firewall portion of the introductory form If you do not want to use the forms based interface you can directly edit these files although that is not recommended Table A 1 lists files that may be modified through this interface Some of these files are safe for you to modify as long as nobo...

Страница 236: ...untlet when it is done performing whatever task it is up to cgi data g Yes Stores settings from the configuration pages config trusted networks Yes Lists networks which are to be considered trusted config untrusted networks Yes Lists networks which are to be considered untrusted config trusted ports Yes Lists ports on which traffic will be permitted to pass through the firewall unimpeded config tr...

Страница 237: ...nformation about configured swIPe peers and paths Editing this file is not recommended although it is safe to do so because the format of this file is obscure config authserver protocols No Lists DSO Dynamic Shared Object files which support additional authentication mechanisms This will be updated by Gauntlet when you install or remove Gauntlet authentication software subsystems using inst config...

Страница 238: ...n be used for login are passworded it forces root to have a password and it inserts a gauntlet user which cannot log in but whose password is used to control access to gauntlet admin etc sendmail cf Maybe Sendmail configuration file It is safe to modify this file only if you have selected preserving sendmail cf on the sendmail page etc aliases Yes Gauntlet modifies the alias for root on the firewa...

Страница 239: ...boot Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS page tmp retry Yes Retry files are created to support data entry validation in the gauntlet admin interface var named localhost rev Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS p...

Страница 240: ...ng your DNS configuration on the DNS page var spool cron crontabs root Yes Gauntlet adds various jobs to run at regular intervals usr etc resolv conf Maybe DNS configuration file It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS page Table A 1 continued The Gauntlet File List Filename Safe Description ...

Страница 241: ...not always support the older table format Remember to make a backup copy of your working netperm table file before you attempt any conversions Note Gauntlet uses usr gauntlet config template netperm table to create thus overwriting usr gauntlet config netperm table Any modifications you wish to be permanent must be made to the template netperm table file Policy Rules Policies are collections of ge...

Страница 242: ...erver It requires strong authentication for all outside requests with the authentication server that is on the firewall Notice that the outside policy does not permit the HTTP proxy because you generally do not want people all over the Internet accessing Web servers on your internal network It does however allow the Info Server which allows you to run an HTTP Gopher or FTP server on your firewall ...

Страница 243: ...at allows all proxies and applications to send to any destination Because the more restrictive rule is above the generic policy in the netperm table file the FTP proxy uses the restrictive rule and denies requests to ftp bigu edu Applications Other Gauntlet applications such as the authentication server also read configuration information from the netperm table file Using This Information As part ...

Страница 244: ... You do not need to restart the proxies to make the changes take effect The proxies reread the table anytime the file date and time change Netperm table Syntax Precedence Applications and proxies read the tables from the top of the table to the bottom They use the first rule that applies for a particular attribute If there are multiple rules in the table that could apply for an attribute the appli...

Страница 245: ...t can also match the value for the as name flag used when starting the proxy attribute is a configuration parameter for that application or proxy valuelist is the value for the specific configuration parameter Some attributes allow multiple values A rule must fit on a single line The length of a line varies by operating system but is generally around 1 024 bytes There is no provision for continuin...

Страница 246: ...her proxy using the http gw proxy http gw HTTP proxy lp gw line printer proxy netacl fingerd network access control proxy running finger service netacl ftpd network access control proxy running FTP service netacl rlogind network access control proxy running rlogin service netacl telnetd network access control proxy running TELNET service nntp gw NNTP news proxy using the plug gw proxy policy trust...

Страница 247: ...e a new policy follow these steps 1 Add a line indicating source networks that use the policy the name of the policy 2 Add rules indicating which proxies this policy allows 3 Add rules indicating permitted destinations authentication and logging 4 Place the policy lines above or below the generic policies as appropriate For example the generic policy for Yoyodyne uses the default Gauntlet inside p...

Страница 248: ...Line 5 indicates that these proxies can send requests to the set of destinations 192 33 112 The TELNET and rlogin proxies deny requests to any other destinations after parsing this line Lines 6 and 7 indicate that users on these networks must authenticate with the authentication server on the firewall Put this policy above the inside policy so the proxies will use these rules rather than the more ...

Страница 249: ...y options For example after careful analysis Yoyodyne wants to add support for Quote of the Day qotd service for users on its inside networks This involves using the proxy First add a line to the inside policy 135 policy inside permit proxy qotd gw Then create a section above the policies in which you define the communications rules for the Quote of the Day connection 95 QotD through plug proxy ru...

Страница 250: ...e that the rule applies to all policies You must include this rule above the policy rules The policies are based on permitted hosts Including the deny hosts rule in a policy has no effect because the application is using the permit hosts rule that defines the policy Note that the smap proxies do not use the policy rules so you can still receive mail from the denied host or network For example Yoyo...

Страница 251: ... operations keyword For example Yoyodyne wants to permit only members of the group developer to use the Rlogin proxy when accessing outside hosts 55 authsrv permit operation group developer rlogin gw 100 rlogin gw authenticate 101 rlogin gw extended permissions These commands prevent any other users who are not members of group developer in the Gauntlet authentication database from using the Rlogi...

Страница 252: ...ations when you specify extended permissions The deny rule must appear before the permit rule because the proxies use the first matching rule If you specify the permit rule before the deny rule the authentication server would never read the deny rule because the permit rule matches all TELNET operations Denying Access to a Host or Network You can deny access to a particular host or network on a pr...

Страница 253: ...able attributes and values The bulleted list at the top of each attribute indicates which proxies applications or policies can use that attribute For example if tn gw is listed that indicates you can use this attribute for the TELNET proxy If policy policy is listed that means you can use this attribute in a policy definition All proxies that use this policy will then use this attribute You can al...

Страница 254: ...tion server that the proxies use for authenticating users Syntax authserver host port Example This example requires proxies to use the authentication server on the firewall itself using port 7777 policy outside authserver 127 0 0 1 7777 Provided for future extensibility host Specifies the host running the authentication server Specify by IP address or hostname port Specifies the port on the host t...

Страница 255: ...ting HTTP proxy passes requests after handling the authentication The executable handles FTP Gopher and other protocols Syntax backend executable host Specifies indicates the hosts for which the circuit proxy authenticates Specify individual machines entire networks or subnets Use IP addresses or host names The wildcard is valid authhost host Specifies the host running the authentication server Sp...

Страница 256: ...xample This example sends mail to the firewalladmin alias smapd badadmin firewalladmin baddir policy policy smapd Specifies the directory in which the smapd server places any spooled mail that it cannot deliver normally Syntax baddir directory user Specifies the name of a user or alias directory Specifies the name of a directory on the same device as the spool directory Do not include a trailing s...

Страница 257: ...server sleeps for twenty minutes 1200 seconds after five unsuccessful login attempts authsrv badsleep 1200 child limit authsrv ck gw ftp gw http gw info gw lp gw netacl seconds Specifies the number of seconds the authentication server sleeps before allowing login attempts from a user who has attempted and failed to login five times in a row If this option is set to 0 the authentication server allo...

Страница 258: ... the TELNET proxy allows only 10 child processes to run at a single time tn gw child limit 10 circuitexec ck gw Specifies the location of the program that the circuit proxy runs once it allows a connection from the client program processes Specifies the maximum number of child processes that each daemon allows to run at a given time If this option is set to 0 or not set each daemon allows an unlim...

Страница 259: ...indicates that a user can have 12 active sessions ck gw circuitsperuser 12 circuit timeout ck gw Specifies the amount of time the client server connection is idle with no network activity before disconnecting Overridden by the timeout option for a particular server as set with the server attribute programs Specifies the location and name of the program that the circuit proxy runs once it allows a ...

Страница 260: ...er activity before disconnecting clients Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid printer Indicates the printer queue to which this rule applies queue Specifies the name of the printer queue to which this rule applies deny Indicates commands that clients cannot execute The default allows users to issue all lp commands log Indicates e...

Страница 261: ... database that the authentication server uses This option is mandatory unless you compile the authentication server with a specific database path Syntax database path lpcommands Specifies the lp commands that the clients can issue when sending jobs through the proxy The space between the and and the list entries is required Valid keywords which correspond to the first level lp protocol commands ar...

Страница 262: ...ess to a user because they do not have permission to use the proxy Syntax denial msg file Example This example displays the file usr local etc ftp deny txt when the FTP proxy denies access to a user ftp gw denial msg usr local etc ftp deny txt denydest msg ftp gw http gw policy policy rlogin gw tn gw file Specifies the name of the file the proxy displays when it denies access to a user because the...

Страница 263: ...e TELNET proxy denies access to a user tn gw denydest msg usr local etc tn denydest txt destination ftp gw http gw info gw lp gw netacl plug gw policy policy pop3 gw rap gw rlogin gw rsh gw tn gw Specifies destination hosts and networks permissions file Specifies the name of the file the proxy displays when it denies access to a user because they are trying to access a destination that they are no...

Страница 264: ...ttp gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw smap smapd tn gw x gw permit Indicates hosts to which the proxies and applications can send requests deny Indicates hosts to which the proxies and applications cannot send requests destination list Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid If no destination list is sp...

Страница 265: ...p display policy policy x gw Specifies the destination display on which applications display Syntax display host displaynumber screennumber Example This example indicates that the X gateway displays all X applications on the display attached to dimension x gw display dimension 10 0 directory Specifies the directory that the proxy makes its root directory before providing service host Specifies the...

Страница 266: ...display the file usr local etc finger txt for finger requests netacl fingerd exec bin cat usr local etc finger txt extended permissions policy policy rlogin gw rsh gw tn gw Specifies whether the proxies check for extended permissions for users as they authenticate This option is equivalent to the extend and extnd options in previous versions Syntax extended permissions program Specifies the name o...

Страница 267: ...causes the HTTP proxy to remove the related tags from within the HTML code permit deny feature features Example 1 This example indicates that the HTTP proxy removes Java or Javascript tags from within any HTML accessed through the proxy http gw deny feature java javascript Syntax 2 feature features Example 2 This example indicates that the HTTP proxy removes from any HTML it accesses all HTML that...

Страница 268: ...must remove or comment out this setting if you wish to disable it The settings force_source_address false and force_source_address off are not valid You must be using officially registered routable addresses on your trusted networks in order to use this option Example This example indicates that the plug proxy for America Online will use the IP address of the originating host as the source address...

Страница 269: ...on functions Valid values for the HTTP proxy are BINARY Read Files DIR List Directories EXEC Exec Commands pattern Specifies the pattern in the URL for which the HTTP uses this rule Quotes are not required protocol Specifies the protocol that the HTTP proxy uses when talking to the remote host Valid values are FTP GOPHER HTTP host port Specifies the host and port to which the HTTP proxy forwards r...

Страница 270: ...mands WRITE Write Data Example This example indicates that the FTP proxy does not allow people to retrieve RETR files ftp gw deny function RETR This example indicates that the HTTP proxy does not allow people to perform FTP requests through the HTTP proxy http gw deny function FTP groupid ftp gw http gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw smap ...

Страница 271: ...firewall and a caching proxy Syntax handoff host port The HTTP proxy communicates with the next proxy as if it were a client rather than as another proxy You cannot use this setting in place of specifing the HTTP proxy in your browser group Specifies the name of the group as either a name or numeric id from the etc group file host port Specifies the host and port to which the HTTP proxy forwards r...

Страница 272: ...est when it sends it to the destination host Syntax http gw permit deny header header You can only specify one header per line Consult the HTTP 1 0 1 1 specifications a for a list of headers Note that certain headers are always processed by the HTTP proxy and are dealt with specifically Connection Content Length Content Type Location Proxy Connection Example This example indicates that the HTTP pr...

Страница 273: ...plays the file usr local etc rlogin help txt when a user requests access from the Rlogin proxy rlogin gw help msg usr local etc rlogin help txt hosts authsrv ftp gw http gw info gw lp gw netacl plug gw pop3 gw rap gw rlogin gw rsh gw file Specifies the name of the file the proxy displays when the user accesses the help command If no file is specified the proxy displays a list of internal commands ...

Страница 274: ...s on the 10 0 1 0 255 255 255 0 subnet cannot use the FTP proxy ftp gw deny hosts 10 0 1 0 255 255 255 0 This example indicates that the authentication server only accepts connections from the firewall itself localhost permit Indicates hosts for which the proxy uses a particular policy or the hosts that can use the proxy deny Indicates hosts that cannot use the proxy hosts Specifies the hosts for ...

Страница 275: ...t proxies log only the operations listed rather than all operations the default This option is equivalent to the log command in previous versions Syntax log operations Valid values for the info gw are CWD QUIT LIST NLST NOOP PASV PORT PWD RETR SIZE STOR SYSY TYPE operations Specifies operations that the proxies log ...

Страница 276: ...icy log only retrieve RETR and storage STOR activities policy inside log RETR STOR maxchildren policy policy smapd Specifies the maximum number of child processes the smapd server can fork to handle mail Syntax maxchildren children Example This example indicates that the smapd server can fork no more than 20 children smapd maxchildren 20 children Specifies the maximum number of child processes the...

Страница 277: ...ntication server indicates that the userid does not exist rather than displaying a bogus SNK challenge when users attempt to login and fail authsrv nobogus true operation authsrv Specifies explicitly permitted or denied operations for particular users or groups at particular times of day Note that the authentication server only uses these rules when the policy or the proxy uses the extended permis...

Страница 278: ...rsh gw Rsh proxy tn gw TELNET proxy all of these proxies destination Specifies the hosts to which the proxies can or cannot send requests Specify individual machines entire networks or subnets Use IP addresses or host names The wildcard is valid options Specifies particular operations for each protocol that can be controlled Valid values are ftp gw consult the ftpd 1 reference manual page rlogin g...

Страница 279: ...ntax permit deny password change Example This example allows users on the inside network to change their passwords from both the TELNET and Rlogin proxies policy inside permit password change hostname Specifies the name of the host that the HTTP proxy uses when prepending URLs Specify an individual interface Use an IP addresses or host name permit Indicates hosts from which users can change their ...

Страница 280: ...s option is required for the POP3 proxy Syntax pop server host Example This example indicates that the POP3 proxy accesses the POP3 server running on the inside mail hub mail pop3 gw pop server mail port plug gw Specifies the connection rule for this instance of the plug proxy including the hosts and the ports Syntax port port hosts desthost hosts privport destport port host Specifies the name of ...

Страница 281: ... subnets Specify by IP address or hostname The wildcard is valid desthost Indicates hosts to which the plug proxy connects hosts Specifies single hosts entire networks or subnets Specify by IP address or hostname The wildcard is valid privport Indicates that the proxy uses a reserved port number when connecting Provided for future extensibility destport Indicates the port on which the plug proxy c...

Страница 282: ... This example indicates that the TELNET proxy displays the prompt Yoyodyne TELNET proxy tn gw prompt Yoyodyne TELNET proxy proxy policy policy Specifies proxy permissions printer Indicates the printer queue name serverqueue Specifies the name of the remote printer queue to which proxy sends the print jobs If server queue is not specified the client s queue name will be used as server queue name pr...

Страница 283: ...wall Example This example indicates the SecurID server communicates with the firewall as firewall yoyodyne com authsrv securidhost firewall yoyodyne com permit Indicates proxies that this policy allows to run deny Indicates hosts that this policy does not allow to run Including a deny proxy rule has the same effect as not including those proxies in a permit proxy rule proxy list Specifies the name...

Страница 284: ... remote port host remote host hostport port timeout minutes nookay program Specifies an alternate path for the sendmail executable or other program you are using to deliver mail server service Specifies a symbolic name for the service Must be unique Used by the proxy to create the menu of available services port remote port Specifies the port on the remote host to which the circuit proxy connects ...

Страница 285: ...mple indicates that the login shell program looks in the usr local etc login shellfile file for information about users and their shells login sh shellfile usr local etc login shellfile timeout ftp gw http gw info gw lp gw netacl plug gw timeout minutes Specifies the number of minutes the client server connection is idle before disconnecting for this service nookay Specifies that the proxy does no...

Страница 286: ...e This example indicates that the inside policy allows 1800 seconds 30 minutes of idle time before the proxies disconnect policy inside timeout 1800 unknown authsrv Specifies a list of additional names that the authentication server checks in addition to the authentication database when checking for extended permissions on a per user basis seconds Specifies the number of seconds the proxy is idle ...

Страница 287: ...enny to be valid user names when it checks for extended permissions authsrv permit unknown scooter hikita penny url filter http gw policy policy Specifies characters that you do not want to see in a URL Syntax url filter filterlist Example This example indicates that you do not want to see the carriage return line feed pair in any URLs http gw url filter 0D 0A names Specifies a list of names separ...

Страница 288: ...cation server assigns the user name to the group unknown Syntax permit unknown names Example This example indicates that the authentication server considers scooter hikita and penny to be valid user names when it checks for extended permissions authsrv permit unknown scooter hikita penny url filter http gw Specifies characters that you want to deny in a URL Syntax url filter filterlist names Speci...

Страница 289: ... filter 0D 0A userid ftp gw http gw info gw lp gw netacl plug gw policy policy pop3 gw rap gw rlogin gw rsh gw smap smapd tn gw x gw Specifies the user ID the proxy uses when running This option is equivalent to the user command in previous versions Syntax userid user user Specifies the user as either a name or numeric ID from the etc passwd file ...

Страница 290: ...dicates that group grads can use the accounting service ck gw user servers group grads accounting user timeout ck gw Specifies the amount of time the proxy is idle with no active client connections before disconnecting user user Specifies the name of a user who can access a particular service group group Specifies the name of a group who can access a particular service deny Specifies that the user...

Страница 291: ...ol directory for undelivered mail Syntax wakeup seconds Example This example indicates that the smapd server sleeps for 120 seconds between scans smapd wakeup 120 welcome msg ftp gw policy policy rlogin gw tn gw minutes Specifies the number of minutes the proxy is active with no client connections before disconnecting seconds Specifies the number of seconds that the smapd server sleeps between sca...

Страница 292: ...to which the TELNET and Rlogin proxies pass requests for the X proxy Generally specifies the location of the X proxy Syntax xforwarder program Example This example indicates that the TELNET and Rlogin proxies use the standard X proxy for requests from the inside network policy inside xforwarder usr local etc x gw file Specifies the name of the file the proxy displays as a welcome banner upon succe...

Страница 293: ...e This example allows the hosts on the inside network to start the X11 proxy policy inside permit xgateway permit Indicates that the TELNET and Rlogin proxies can accept requests to start the X11 proxy deny Indicates that the TELNET and Rlogin proxies do not accept requests to start the X11 proxy Provided for future extensibility ...

Страница 294: ......

Страница 295: ... between various points within this network Understanding Virtual Private Networks When using a single firewall the defense perimeter includes the network of machines that sit behind the firewall inside the perimeter Communication with any other machines or networks outside the perimeter is over some untrusted network such as the Internet A Virtual Private Network extends the defense perimeter to ...

Страница 296: ...rivate Networks Figure C 1 Yoyodyne Virtual Private Network Gauntlet host Gauntlet host California office Maryland office 10 0 6 10 0 1 1 0 0 6 1 1 9 2 1 6 8 1 1 2 0 4 2 5 5 1 5 4 1 0 0 1 0 0 1 1 0 0 Internet Encrypted traffic ...

Страница 297: ...ense perimeter Any activities that you allow within your network can be used with machines on the remote network For example Yoyodyne allows users in the Maryland office to use the network time protocol NTP within the network to set the clocks on their machines If Yoyodyne sets up a VPN with the California office using privacy with trust they can now use ntp with machines in the California office ...

Страница 298: ...st to network communications The most common use of privacy without trust creates a private link between two networks Sites that create a VPN without trust must of course share the encryption key that gives them the privacy However they can now use different policies and procedures and have different administrative control Encryption Through Multiple Firewalls Passthrough Link A VPN can use encryp...

Страница 299: ...e key provided for this VPN during firewall to firewall configuration The new packet contains encrypted data and a header that indicates this is a special encrypted protocol The firewall then sends the encrypted packets across the Internet or other untrusted network to the firewall for the remote network When the remote firewall receives the packet on its outside interface the IP input layer recog...

Страница 300: ... the routing layer forwards the packet on to the appropriate host on the inside network If the VPN between the two networks uses just privacy with no trust the routing layer hands the packet to the appropriate service or proxy The proxies treat this packet as they would any other packet from any other untrusted network ...

Страница 301: ...Netscape administration utility If you perform this procedure on a host other than the firewall you can use a Netscape browser to access the firewall after you start the administration utility To implement SSL on the firewall the firewall must contain a digital ID file also known as a certificate that identifies it as a trusted server when clients connect to it Certificates are distributed by a Ce...

Страница 302: ...re both admin type admin on both entry lines unless you have changed the defaults 4 Choose Gauntlet from the Server Selector page 5 Choose Encryption from the menu bar at the top of the page to configure SSL SSL Configuration Procedure The SSL configuration procedure has of three parts Generating the server s key pair Requesting a certificate from a Certification Authority Installing the certifica...

Страница 303: ...uest Certificate procedure 4 Save your entries in the key pair file in the correct location Use this full pathname as the keyfile location when you save it usr ns home httpd gauntlet config ServerKey db Supplementary Instructions for Generating a Certificate After you generate the key pair see Supplementary Instructions for Generating a Key Pair on page 277 choose Request Certificate to apply for ...

Страница 304: ...r your certificate arrives and you save it in a file complete the certificate installation procedure and turn encryption on for the firewall These instructions are supplementary to the instructions provided in the Help screens for the install certificate procedure 1 Choose Request Certificate from the sidebar menu on the Encryption page 2 In the Certificate Name field enter the fully qualified hos...

Страница 305: ......

Страница 306: ...printing and binding Please send the title and part number of the document with your comments The part number for this document is 007 2826 004 Thank you Three Ways to Reach Us To send your comments by electronic mail use either of these addresses On the Internet techpubs sgi com For UUCP mail through any backbone site your_site sgi techpubs To fax your comments or annotated copies of manual pages...

Отзывы: