
[FW1] Securid and users behind proxy servers




All,

Problem description:
We have a web server that we want to allow our partners to access.  It has 
been mandated that we use token-based security to authenticate user access 
to the web server.  This configuration works fine for most of our user 
population.  The problem arises when the user is using @home or AOL, which 
use proxy servers for all of their users.  At first glance this should not 
be an issue, but... the user authenticates on one connection and is allowed.  The 
web connection request originates from a different proxy server and is of 
course rejected.


The user points the browser to port 900 on the fw and authenticates.  Next 
the user goes to the web site.

The rules are:

Source          Dest        Services     Action
All users@any   secure_web  http/https   client auth
any             secure_web  http/https   reject

Client auth is set to SecurID with a 60-minute timeout and 3 simultaneous logins.
FW 4.0 p4053 (SP3), Solaris 2.6 with patch kit.

The questions are:

a. How do I secure the web server from the outside users (I can't rely 
on the web folks to keep the server current with the latest IIS security 
patches)?

I like the idea of using the fw to provide gatekeeper access to the site.

b. Authenticate the user in such a manner that I know they are who they say 
they are, regardless of which ISP they are using.  The response that the 
user/partner should use a real ISP was not received well.

c. Aside from mailing a SecurID card, I don't want to worry about 
supporting the remote desktop (i.e. VPN).  The user has a browser requirement and 
that is it.

The overall thoughts I have are that I like using SecurID for the have-
something, know-something authentication.  I thought about the use of 
digital certs for the clients/partners, but getting certs for users overseas is 
problematic, expensive, time consuming and difficult for us to manage.

I
----------------------------------------------------------------------------
Michael
mjs@cncdsl.com
----------------------------------------------------------------------------
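
The failure mode described in the post, as an added example that is not part of the original message and is not Check Point code: a simplified model of a client-authentication table that, like the FW-1 client auth rule above, keys the authorization on the source IP seen at the port-900 step, with the 60-minute timeout and 3-simultaneous-login limit from the post. It traces what happens when the partner's ISP sends the port-900 connection and the following web request through two different proxies, what happens when the partner re-authenticates from each proxy, and what happens when the timeout lapses. The user name, the proxy IP addresses and the timeline are constructed for the example.

```python
"""Model of a source-IP-keyed client authentication table.

Constructed illustration of the behaviour described in the post (not
Check Point's implementation): the user authenticates once at port 900,
and the firewall then accepts http/https from that *source IP* until the
authorization timeout expires.  All names and addresses are made up;
198.51.100.0/24 is a documentation range standing in for an ISP proxy farm.
"""

from __future__ import annotations

from dataclasses import dataclass

AUTH_TIMEOUT = 60 * 60   # the post's 60-minute authorization timeout, in seconds
MAX_SESSIONS = 3         # the post's "3 simultaneous logins"


@dataclass
class Session:
    user: str
    src_ip: str
    expires_at: float


class ClientAuthTable:
    """Authorizations keyed on the source IP the user authenticated from."""

    def __init__(self) -> None:
        self._sessions: list[Session] = []

    def _purge(self, now: float) -> None:
        # Drop sessions whose 60-minute window has lapsed.
        self._sessions = [s for s in self._sessions if s.expires_at > now]

    def active_sessions(self, user: str, now: float) -> int:
        self._purge(now)
        return sum(1 for s in self._sessions if s.user == user)

    def authenticate(self, user: str, src_ip: str, passcode_ok: bool, now: float) -> bool:
        """The port-900 step.  Returns True if an authorization was recorded."""
        self._purge(now)
        if not passcode_ok:
            return False
        if self.active_sessions(user, now) >= MAX_SESSIONS:
            return False      # simultaneous-login limit exhausted
        self._sessions.append(Session(user, src_ip, now + AUTH_TIMEOUT))
        return True

    def match(self, src_ip: str, now: float) -> str:
        """Rule-base decision for an http/https packet to secure_web."""
        self._purge(now)
        for s in self._sessions:
            if s.src_ip == src_ip:
                return "accept"   # rule 1: All users@any -> secure_web, client auth
        return "reject"           # rule 2: any -> secure_web, reject


def proxy_farm_trace() -> list[str]:
    """Port-900 login via one proxy, web request via another (constructed)."""
    table = ClientAuthTable()
    table.authenticate("partner1", "198.51.100.10", passcode_ok=True, now=0.0)
    return [
        table.match("198.51.100.10", now=5.0),    # same proxy IP: accept
        table.match("198.51.100.11", now=10.0),   # next proxy in the farm: reject
    ]


def exhaust_sessions_trace() -> list[bool]:
    """Re-authenticating from each proxy burns through the 3-login limit."""
    table = ClientAuthTable()
    proxies = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    return [table.authenticate("partner1", ip, passcode_ok=True, now=float(i))
            for i, ip in enumerate(proxies)]


def expiry_trace() -> list[str]:
    """The same source IP is accepted inside the window and rejected after it."""
    table = ClientAuthTable()
    table.authenticate("partner1", "198.51.100.10", passcode_ok=True, now=0.0)
    return [
        table.match("198.51.100.10", now=59 * 60.0),
        table.match("198.51.100.10", now=61 * 60.0),
    ]


if __name__ == "__main__":
    print("proxy farm:", proxy_farm_trace())
    print("session limit:", exhaust_sessions_trace())
    print("expiry:", expiry_trace())
```

The model makes the post's point concrete: every accept decision is a lookup on the packet's source address, so nothing the SecurID passcode proved about the person carries over once the ISP's proxy farm changes the address between the port-900 connection and the web request, and each fresh login from a new proxy also consumes one of the three permitted sessions.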

