
RE: [FW1] Firewall-1 4.0 and Implicit Authentication

I have the following rule:
Source        Dest   Service         Action        Track   Install On
User_Group    any    Authenticated   Client Auth   Long    GW


The properties for client auth are: Standard signon, partially automatic. I
open up a browser, get prompted to sign in, authenticate with the firewall,
and browse away, to as many sites as I want, without getting authenticated
again. I don't have to specify any proxy settings to my browser at all.
So, doesn't this mean that there is no need for implicit client auth?

"Jake Rog" <jake.rog@ttcmail.com> on 04/28/99 09:38:00 AM

Please respond to jake.rog@ttcmail.com

 To:      Jason T Findley/PGA TOUR, "FW1 Mailing List" <fw-1-mailinglist@lists.us.checkpoint.com>
 cc:
 Subject: RE: [FW1] Firewall-1 4.0 and Implicit Authentication

In order to achieve that you have to use the FW1 as a WEB proxy and point
the Web Browser to the Firewall IP address.  I would think that this would
be a great security risk to allow people to send ANY packets to the
Firewall directly.

Usually I would have the rule that says:

Source    Dest   Service   Action    Track   Install On
ANY       FW     ANY       DROP      Long    GW

Any thoughts???

P.S.  Also, which IP address do you use as a Proxy Internal/External???

> -----Original Message-----
> From: Jason_T_Findley@pgatourhq.com
> [mailto:Jason_T_Findley@pgatourhq.com]
> Sent: Wednesday, April 28, 1999 9:11 AM
> To: FW1 Mailing List
> Subject: RE: [FW1] Firewall-1 4.0 and Implicit Authentication
>
>
>
>
>
> Correct me if I'm wrong, but doesn't ver 4.0 get rid of the need to use
> implicit client auth? I have tested user auth for http with ver 4 and it
> only prompted me for a password once, no matter how many sites I went to.
> Am I missing something?
>
>
>
>
>
> "Woods, Chris" <Chris-Woods@forum-financial.com> on 04/28/99 09:07:25 AM
>
>  To:      FW1 Mailing List <fw-1-mailinglist@lists.us.checkpoint.com>
>  cc:      (bcc: Jason T Findley/PGA TOUR)
>  Subject: RE: [FW1] Firewall-1 4.0 and Implicit Authentication
>
> Forgive me, but where would I find this?  Is it a setting in objects.c or
> is it accessible via the GUI?  (FYI, I am using NT)
>
> I found the user auth timeout, but I couldn't find where to set the
> number of connections.
>
> I tried the same thing the other gentleman tested and experienced the
> same behaviour on NT 4.0 FW-1 4.0 where the user auth would keep coming
> up and keep coming up and keep coming up and keep coming up and, well,
> maybe you get the idea. ;)
>
> -----Original Message-----
> From: Dameon D. Welch [mailto:dwelch@hotmail.com]
> Sent: Tuesday, April 27, 1999 8:31 PM
> To: jake.rog@ttcmail.com; FW1 Mailing List
> Subject: Re: [FW1] Firewall-1 4.0 and Implicit Authentication
>
>
>
> I have a feeling it's because your client auth properties are not set
> correctly. Check to see that the timeout is set adequately and that the
> number of connections allowed is "infinite" (or a really high number).
>
> -- PhoneBoy
>
> > Thank you. I have tried to reverse the order:
> >
> > All@any     any     http     ClientAuth   Long     GW
> > All@any     any     http     UserAuth     Long     GW
> >
> > No luck, the client is still being asked to authenticate on every
> > request, just like the ClientAuth Rule is NOT working?  I have also
> > tried the ImplicitAuth with SessionAuth with the same result. Back in
> > the same court. What else can I check for?
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
>

