Internet Security Professional Reference:How to Build a Firewall


At this point, note that the new account terrih is enabled but has no password. Assign one as quickly as possible: until you do, the account can be used fraudulently, and with it the security of the network behind the firewall.

As an added measure of safety, it is advised to add a line to root’s crontab to make “backups” of the authentication database. The following shows a sample entry:

0   1   *   *   *   /usr/local/etc/authdump > /usr/local/etc/auth.backup

This entry runs authdump at 1:00 a.m. every day and writes an ASCII copy of the authentication database to auth.backup, which authload can restore. Because the dump contains every user record in the database, keep the backup file readable by root only (for example, mode 600) and treat it as carefully as the database itself. If the information on your server does not change very often, adjust the schedule accordingly.

Authentication at Work

You might now be interested in seeing how the authentication server operates. Each of the proxies has the option of being configured to operate with the authentication server. The example shown here focuses on the ftp proxy. The ftp proxy’s configuration can be found in the section “Configuring the FTP Gateway.”

ftp-gw: denial-msg      /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg     /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg        /usr/local/etc/ftp-help.txt
ftp-gw: authserver      localhost       7777
ftp-gw: timeout         3600
ftp-gw: permit-hosts    206.116.65.*    -log { retr stor } -auth { stor }

Recall from earlier discussions that the last line of this configuration is what causes authentication to be performed. The -log clause lists the FTP commands the proxy records, and the -auth clause lists the commands that may not be executed until the user has authenticated to the proxy. Here, any request to retrieve a file from the remote system (retr) or to store a file on it (stor) is logged by the proxy, and the store command is refused until the user has authenticated to the proxy, regardless of whether the remote FTP server has already accepted the login. This process is illustrated here:

pc# ftp pc
Connected to pc.unilabs.org.
220-Welcome to the URG Firewall FTP Proxy
220-
220-To report problems, please contact Network Security Services at
220-555-1212 or by e-mail at security@org.com
220
Name (pc.unilabs.org:chrish): chrish@nds.fonorola.net
331-(----GATEWAY CONNECTED TO nds.fonorola.net----)
331-(220 nds.fonorola.net FTP server (Version A) ready.)
331 Password required for chrish.
Password:
230 User chrish logged in.
Remote system type is Unix.
Using binary mode to transfer files.
ftp> put /tmp/trace
local: /tmp/trace remote: /tmp/trace
200 PORT command successful.
500 command requires user authentication
ftp> quote authorize chrish
331 Enter authentication password for chrish
ftp> quote response whisper
230 User authenticated to proxy
ftp> put /tmp/trace
local: /tmp/trace remote: /tmp/trace
200 PORT command successful.
150 Opening BINARY mode data connection for /tmp/trace.
226 Transfer complete.
2181 bytes sent in 0.0061 seconds (3.5e+02 Kbytes/s)
ftp> quit
221 Goodbye.

Ordinary ftp clients know nothing about the proxy's authentication extension, so the ftp quote command must be used to send the authorize and response commands to the authentication server on the firewall. The password typed after quote response is echoed on-screen, and is therefore visible to anyone in the immediate vicinity; like the rest of an FTP session, it also crosses the network in the clear.
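To make the proxy's decisions in the transcript concrete, here is an added example (not code from the TIS Toolkit or from the book) that models how ftp-gw applies the -log and -auth sets of the permit-hosts rule shown earlier. It parses the rule, tracks whether the client has authenticated to the proxy, and replays the put / authorize / response / put sequence above. The authentication database is a constructed dictionary standing in for the authentication server on port 7777, and the "500 authentication failed" reply and the log line wording are assumptions for the demo, not the proxy's actual messages.

```python
"""Toy model of how ftp-gw applies the -log and -auth clauses of a
permit-hosts rule.  Added example, not TIS Toolkit code; the rule line,
the user database and the log wording are constructed for the demo."""
import re

# Constructed: the permit-hosts line from the netperm-table fragment above.
RULE = "ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }"

# Constructed stand-in for the authentication server's user database
# (user -> password).  The real ftp-gw asks authsrv on localhost:7777.
AUTH_DB = {"chrish": "whisper"}


def parse_rule(line):
    """Extract the -log and -auth command sets from a permit-hosts rule."""
    sets = {}
    for name, body in re.findall(r"-(log|auth)\s*\{([^}]*)\}", line):
        sets[name] = {cmd.upper() for cmd in body.split()}
    return sets.get("log", set()), sets.get("auth", set())


class FtpProxySession:
    """Tracks one client's proxy authentication state and the proxy's log."""

    def __init__(self, rule, auth_db):
        self.log_cmds, self.auth_cmds = parse_rule(rule)
        self.auth_db = auth_db
        self.authenticated = None   # user name once proxy auth succeeds
        self.pending_user = None    # user named by AUTHORIZE, awaiting RESPONSE
        self.log = []               # what the proxy would send to syslog

    def command(self, line):
        """Return the proxy's reply to one FTP command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        # AUTHORIZE / RESPONSE are consumed by the proxy itself, never relayed.
        if verb == "AUTHORIZE":
            self.pending_user = arg
            return f"331 Enter authentication password for {arg}"
        if verb == "RESPONSE":
            user = self.pending_user
            self.pending_user = None
            if user and self.auth_db.get(user) == arg:
                self.authenticated = user
                self.log.append(f"authenticate {user}")
                return "230 User authenticated to proxy"
            self.log.append(f"authfail {user}")
            return "500 authentication failed"          # assumed wording
        # Commands listed under -auth are refused until the user has
        # authenticated to the proxy, whatever the remote server said.
        if verb in self.auth_cmds and self.authenticated is None:
            self.log.append(f"refused {verb} {arg} (not authenticated)")
            return "500 command requires user authentication"
        # Commands listed under -log are recorded, then relayed as usual.
        if verb in self.log_cmds:
            self.log.append(f"{verb} {arg}")
        return f"relayed {verb} {arg}".strip()


def replay():
    """Replay the put / authorize / response / put sequence from the transcript."""
    s = FtpProxySession(RULE, AUTH_DB)
    commands = ("STOR /tmp/trace", "AUTHORIZE chrish", "RESPONSE whisper",
                "STOR /tmp/trace", "RETR /etc/motd", "CWD /tmp")
    return [s.command(c) for c in commands], s.log


if __name__ == "__main__":
    replies, log = replay()
    for reply in replies:
        print(reply)
    print("proxy log:", log)
```

Note that CWD is neither logged nor gated by this rule: only the commands named in the braces are affected, so a rule that should also control deletes or renames must list them explicitly.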

This is just one example of using authentication with the proxies; many more could be given. The information and examples you have seen so far on proxies and the authentication server should help you design a secure firewall.

Using plug-gw for Other Services

The applications you have read about so far cover about 80 percent of the network traffic. What about TIS Toolkit support for the Network News Transport Protocol (NNTP) or the Post Office Protocol (POP)? Both of these services, and many others, are available through the plug-gw application. This application provides plug-board type connections; that is, it connects a TCP port on the firewall to another host, using the same or a different TCP port number. This makes it easy to provide other services through the firewall. The next few sections examine the operation and configuration of plug-gw by looking at specific services.

Configuring plug-gw

plug-gw reads the configuration lines that start with plug-gw: from the netperm-table file—just like the other Toolkit applications. The clauses listed in table 6.17 are used with the plug-gw application.

Table 6.17
plug-gw Rules and Clauses

timeout seconds
    Specifies a timeout value, after which inactive connections are disconnected. If no timeout is specified, the default is to remain connected until one side or the other closes its connection.

port portid hostpattern [options]
    Specifies a connection rule. When a connection arrives, the rules are searched in order for one whose portid matches the port the connection came in on and whose hostpattern matches the calling host. The portid may be either a numeric value (such as 119) or a name from /etc/services (such as “nntp”). The hostpattern is checked using the standard address matching rules employed by the firewall. If the rule matches, the connection is made according to the remaining options in the rule, all of which begin with “-”.

    -plug-to host
        Specifies the name or address of the host to connect to. This option is mandatory.

    -privport
        Indicates that a reserved (privileged) source port number should be used when making the outgoing connection. Reserved ports must be used for protocols, such as rlogin, that rely on them for “security.”

    -port portid
        Specifies the port to connect to on the destination host. The default is the same port on which the connection arrived.

The purpose of plug-gw is to allow other services to be passed through the firewall, with logging to track the use of those services. Because it is generic, additional service-specific proxies do not need to be written unless a service really requires one. Some applications have no extended authentication mechanisms of their own; plug-gw makes their use through a firewall much less of a bother. Keep in mind, though, that plug-gw relays bytes without understanding the protocol: it adds logging and host-based access control, but no authentication or content checks of its own, so a service passed through it is exactly as secure as the service itself.

A plug-gw rule that relays POP connections from the internal network to a single mail server looks like this (with no -port option, the connection is made to port 110 on 198.53.64.14):

plug-gw:        port 110 206.116.65.* -plug-to 198.53.64.14
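The rule selection that plug-gw performs against netperm-table can be modelled directly, and doing so is a convenient way to check a configuration before the firewall sees real traffic. The following is an added example (not code from the TIS Toolkit or from the book). It parses the POP rule above together with two constructed NNTP rules, resolves port names through /etc/services, and answers the question plug-gw asks for each incoming connection: given the port it arrived on and the calling address, where does it go? The host names and addresses other than those in the text are assumptions for the demo.

```python
"""Model of plug-gw rule selection from netperm-table.  Added example, not
TIS Toolkit code; the rules and connection attempts below are constructed."""
import fnmatch
import socket

# Constructed netperm-table fragment: the POP rule from the text, an NNTP
# rule that relays to a different port, and a catch-all NNTP rule.  Rules
# are searched in file order, so the catch-all only applies to hosts the
# more specific rule did not match.
NETPERM_TABLE = """\
plug-gw:        timeout 1800
plug-gw:        port 110 206.116.65.* -plug-to 198.53.64.14
plug-gw:        port nntp 206.116.65.* -plug-to news.example.net -port 8119
plug-gw:        port nntp * -plug-to news.example.net
# lines belonging to other applications are ignored by plug-gw
ftp-gw:         permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
"""


def port_number(portid):
    """Resolve a numeric port or an /etc/services name such as 'nntp'."""
    if portid.isdigit():
        return int(portid)
    try:
        return socket.getservbyname(portid)
    except OSError:
        # Fallback for a host with no /etc/services entry (assumption).
        return {"nntp": 119, "pop3": 110, "pop-3": 110}[portid]


def host_matches(pattern, addr):
    """Firewall-style address matching: '*' wildcards within dotted quads."""
    return fnmatch.fnmatchcase(addr, pattern)


def parse_plug_rules(table):
    """Return the plug-gw port rules as dicts, in file order."""
    rules = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("plug-gw:"):
            continue
        fields = line.split(":", 1)[1].split()
        if fields[0] != "port":
            continue            # timeout and other clauses are not connection rules
        rule = {"port": port_number(fields[1]), "hosts": fields[2],
                "plug_to": None, "plug_port": None, "privport": False}
        opts = fields[3:]
        i = 0
        while i < len(opts):
            if opts[i] == "-plug-to":
                rule["plug_to"] = opts[i + 1]
                i += 2
            elif opts[i] == "-port":
                rule["plug_port"] = port_number(opts[i + 1])
                i += 2
            elif opts[i] == "-privport":
                rule["privport"] = True
                i += 1
            else:
                raise ValueError(f"unknown plug-gw option {opts[i]!r}")
        if rule["plug_to"] is None:
            raise ValueError("-plug-to is mandatory")
        if rule["plug_port"] is None:   # default: same port as the inbound connection
            rule["plug_port"] = rule["port"]
        rules.append(rule)
    return rules


def route(rules, inbound_port, client_addr):
    """Pick the first rule matching (port, caller); None means plug-gw refuses."""
    for r in rules:
        if r["port"] == inbound_port and host_matches(r["hosts"], client_addr):
            return (r["plug_to"], r["plug_port"], r["privport"])
    return None


if __name__ == "__main__":
    rules = parse_plug_rules(NETPERM_TABLE)
    for port, client in ((110, "206.116.65.7"), (119, "206.116.65.7"),
                         (119, "10.0.0.5"), (110, "10.0.0.5")):
        print(f"{client}:{port} ->", route(rules, port, client))
```

Because the first matching rule wins, order the specific rules before the general ones; a catch-all placed first would silently shadow every rule below it for that port.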

