The Gauntlet Firewall supports several different strong authentication systems. The steps for creating users are slightly different for each system.
The following sections explain how to configure the authentication systems supported by the Gauntlet Firewall:
This appendix also explains how to configure your Gauntlet Firewall to use these systems. Refer to Chapter 6, “Users and User Groups,” for an explanation of how the Gauntlet Firewall user authentication system works.
Your Access Key system includes a set of hand-held authenticators that you can use for authenticating to the Gauntlet Firewall.
The Access Key II system, from VASCO Data Security, uses a random challenge password. When the firewall prompts for authentication, Access Key II provides a challenge. The user enters a PIN (if one is required) and the challenge into the Access Key II. The Access Key II responds with a password. The user enters this value at the Gauntlet prompt, and the Gauntlet authentication server verifies this value.
To configure the Access Key II:
Create a key for the Access Key II according to the documentation included with the key.
This creates a file (keyfile.log) that contains the key. Place this file into a location accessible from the firewall.
To add users, log into the firewall console or use TELNET to log in remotely.
To add an Access Key II user:
Log into the firewall and become root.
Copy the Access Key II keyfile (keyfile.log) to a temporary directory (such as /tmp/vasco) on the firewall.
Load the key information into the user authentication management system using the key initialization tool (/usr/etc/vasco_init):
    # cd /usr/etc
    # ./vasco_init /tmp/vasco/keyfile.log
This tool creates a user in the authentication management system and loads the key for this user. It creates the user name by prepending the letter i to the serial number for that Access Key II. The user is initially disabled.
The key initialization tool reads only the first record in the file. If you need to create multiple Access Key II users, consider writing a script to create individual key files and run the key initialization tool.
Make a note of the user name that the initialization program displays so you can change it to something easier for the user to remember.
    Record loaded for user: i2-0005899-4
Use the Authentication Manager tool to change the name of the user to something easier to remember:
    # /usr/etc/authmgr
    authmgr-> rename i2-0005899-4 jnolan 'John Nolan'
Enable the new user:
    authmgr-> enable jnolan
Make the information active by exiting the authentication manager.
Provide the user with their Access Key II and user name.
This section first lists the steps for authenticating with Access Key II, then provides an example.
To authenticate to the Gauntlet Firewall using Access Key II:
Access a proxy that requires authentication:
    telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'
Enter your user name:
    Username: jnolan
Note the challenge the proxy displays:
    Challenge 9683-5263:
On the Access Key II, press P. Note that the Access Key II displays 0000.
On the Access Key II, enter your PIN to enable the Access Key II.
On the Access Key II, enter the challenge that the proxy displays (without the dash). Note that the Access Key II displays a response:
    9683-5263
At the response prompt, on your keyboard enter the response that the Access Key II displays (with or without the dash) and press Enter.
    Challenge: 9683-5263 eh5ce3
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall.
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    Username: jnolan
    Challenge: 9683-5263 eh5ce3
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jnolan
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
Your CRYPTOCard RB-I system includes a set of hand-held authenticators (called CRYPTOCards) that you can use for authenticating to the Gauntlet Firewall.
The CRYPTOCard system uses a shared-secret key. You enter the key into the CRYPTOCard when you initialize it, and into the Gauntlet authorization database when you configure that user. When the proxies want to authenticate, they ask the authentication server. The authentication server uses the shared secret to generate a challenge, which the proxy displays. You enter the challenge into your CRYPTOCard, which uses the shared secret to create a response. You enter the response at the prompt. The proxy passes it back to the authentication server, which compares what you entered with what it expected and allows or denies access.
Configuring the CRYPTOCard involves generating a shared secret and initializing the CRYPTOCard.
To generate the shared secret:
Log in to the firewall and become root.
Run the key program that generates random keys for CRYPTOCards (/usr/local/etc/ccardkey):
    # cd /usr/local/etc
    # ./ccardkey
Enter a random seed string and press Enter, as in this example:
    Enter a line of random text as a seed: alid oe02 I -01 [2qpqdk 9
Use any random set of nonsense words or characters.
Make note of the set of eight three-character groups (the shared secret) and the checksum that the program displays (you need these to configure the CRYPTOCard and the authentication database), as in this example:
    Enter into CRYPTOCard: 044 346 000 315 035 171 045 011
    Checksum: 412-7559
To initialize the CRYPTOCard:
Turn on the brand new, unprogrammed unit.
Within half a second enter 225371 and press Enter. The display shows locked.
Press Enter. The display shows Options?
Enter 111 and press the right arrow key to set the Pin Entry Feedback to on, Decimal Display to on, and Telephone Display to on (consult your CRYPTOCard documentation for other options).
Enter 003 and press the right arrow key to set the UserID to none, Tries to unlimited, and Minimum PIN Length to 3 (consult your CRYPTOCard documentation for other options).
Enter 001 and press the right arrow key to set the TimeOut Length to 30 seconds, Language choice to English, and Number of Keys to one (consult your CRYPTOCard documentation for other options).
Press Enter. The display shows Key1?
Enter the first group of three characters from the shared secret and press the right arrow key.
Enter the second through eighth set of characters, pressing the right arrow key after each set.
The display goes blank after the last set.
Press Enter. The display shows a number (the checksum).
Compare the checksum the CRYPTOCard created with the one the key initialization program on the firewall created.
If the checksums match, press Enter. The display shows New PIN?
If the checksums do not match, press Clear (note that the display shows Key1?) and then reenter the shared secret.
Enter a three- to eight-digit PIN and press Enter. The display shows Verify.
Enter the three- to eight-digit PIN again and press Enter. The display shows Card OK.
Make note of the PIN you entered so that the user can change the PIN once you give them the unit.
Use the Gauntlet Firewall Manager to add users.
To add a CRYPTOCard user:
From the Users tab, click Add.
The Add User window displays.
Provide information about the user.
UserID | User name. Remember that this user ID does not need to match any other user IDs for this user.
Name | Descriptive information about this user.
Status | Select Enabled to activate the account.
Group | If you want to make this user a member of a group, select the name of the group.
Authentication Method | Select CRYPTOCard as the authentication method.
Password | The eight three-character groups (the shared secret), including spaces, that you entered into the CRYPTOCard, for example: Passwd: 044 346 000 315 035 171 045 011 (the display shows Xs in place of the password).
Verification | The same eight three-character groups, including spaces, that you entered as the password.
Click OK to make your changes take effect.
Provide the user with their user name.
This section discusses using the CRYPTOCard in the following sections:
To use the CRYPTOCard for the first time:
Turn on the CRYPTOCard. Note that the display shows PIN?
Enter your PIN and press Enter. Note that the display shows New Pin?
Enter a new three- to eight-digit PIN and press Enter. Note that the display shows Verify.
Enter the new three- to eight-digit PIN again and press Enter. Note that the display shows Ready.
To authenticate to the Gauntlet firewall using a CRYPTOCard:
Access a proxy that requires authentication.
    telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'
Enter your user name.
    Username: jbigboot
Note the challenge the proxy displays:
    Challenge 817-8618:
Turn the CRYPTOCard on.
On the CRYPTOCard, enter your PIN and press Enter. Note that the display shows Ready.
On the CRYPTOCard, press Enter, then enter the challenge the proxy displays (without the dash) and press Enter. Note that the CRYPTOCard displays a response:
    195-3454
At the response prompt, enter the response the CRYPTOCard displays (with or without the dash) and press Enter.
    Challenge 817-8618: 195-3454
Consult your CRYPTOCard documentation for information on changing the PIN on a CRYPTOCard. You do not need to make any changes to the Gauntlet Firewall authentication database when you change the PIN on a CRYPTOCard.
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall.
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    Username: jbigboot
    Challenge: 817-8618: 195-3454
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jbigboot
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
Your Digipass system includes a set of hand-held authenticators (called Digipasses) that you can use for authenticating to the Gauntlet Firewall.
The Digipass system uses a time-based password. The Digipass card generates a passcode. You enter a secret password into the Gauntlet user authentication system when you configure that user. When the firewall prompts for authentication, the user selects the appropriate authentication application and enters a PIN on the card. The card displays a passcode, which the user enters at the Gauntlet prompt. The Gauntlet authentication server verifies this value to allow or deny access.
To configure the Digipass:
Create a key for the Digipass according to the documentation included with the key. This creates a file (cinit_a.dgp) that contains the token secret for that key. It also creates a 14-digit decryption key.
Place this file in a location accessible from the firewall.
To add users, log into the firewall console or use TELNET to log in remotely.
To add a Digipass user:
Log into the firewall and become root.
Copy the Digipass key file (cinit_a.dgp) to the same directory on the firewall in which the initialization tool is located (/usr/etc).
View the key file and make note of the 14-digit decryption key.
Load the key information into the user authentication management system using the key initialization tool (/usr/etc/digi_init) and the 14-digit decryption key:
    # cd /usr/etc
    # ./digi_init 12345678901234
This tool creates a user in the authentication management system and loads the key for this user. It creates the user name by prepending the letter i to the serial number for Digipass. The user is initially disabled.
Note: The key initialization tool reads only the first record in the file. If you need to create multiple Digipass users, consider writing a script to create individual key files and run the key initialization tool.
This tool also creates a PIN file (ipin.txt), which lists the token serial number and PIN for each Digipass. View the PIN file and note the user name for each token (the letter i followed by the serial number) so that you can change it to something easier for the user to remember.
    Token   | PIN
    1000000 | 1234
    1000001 | 6789
Use the Authentication Manager tool to change the name of the user to something easier to remember:
    # /usr/etc/authmgr
    authmgr-> rename i1000000 jgant 'John Gant'
Enable the new user:
    authmgr-> enable jgant
Make the information active by exiting the authentication manager.
Provide the user with their Digipass and user name, and the PIN listed in the PIN file for that Digipass.
This section first lists the steps for authenticating with Digipass, then provides an example.
To authenticate to the Gauntlet Firewall using Digipass:
Access a proxy that requires authentication:
    telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'
Enter your user name:
    Username: jgant
Turn the Digipass on.
On the Digipass, press I. The display shows PIN?
On the Digipass, enter your PIN and press =.
Your PIN displays as asterisks (*). The display shows “…” as it performs the calculation.
At the response prompt, enter the response that the Digipass displays and press Enter.
    Code: 0190302588
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall:
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    Username: jgant
    Code: 0190302588
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jgant
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
The SafeWord Authentication Server is compatible with a group of hand-held authenticators that you can use for authenticating to the Gauntlet Firewall.
Note: SafeWord authentication is supported only by Gauntlet Firewalls running on Solaris systems.
SafeWord is compatible with:
ActivCard
CryptoCard
DES Gold card
DES Silver card
Digipass (outside the U. S. only)
SafeWord AccessCard
SafeWord MultiSync
SecureNet Key
Softoken
WatchWord
This system, from Enigma Logic, provides an interface to the SafeWord Authentication Server for Gauntlet authentication. The Gauntlet authentication server uses the authentication information registered for a user with the SafeWord Authentication Server.
To configure the SafeWord Authentication Server, create user accounts for your users on the SafeWord Authentication Server.
You must modify one file on the firewall so it knows where the SafeWord Authentication Server is (typically on a system other than the firewall).
To configure your firewall for use with a SafeWord Authentication Server:
Log into the firewall and become root.
Edit the SafeWord configuration file (/usr/local/etc/mgmt/swec.cfg). Set the SafeWord Authen. Server Name to the name of the system on which the SafeWord Authentication Server is running:
    02 SafeWord Authen. Server Name:dimension 0 0 7482
You can create two types of users in the Gauntlet Firewall for use with SafeWord Authentication Server: individual users or a default user. Individual users are unique user names for each user in your SafeWord Authentication Server system.
Creating a default user allows you to authenticate users without manually creating entries for every user in the Gauntlet authentication database. When a user logs in and the authentication server does not find the information in the Gauntlet authentication database, the authentication server sends the user information to the SafeWord Authentication Server. The authentication server also creates a record for that user in the Gauntlet authentication database.
For example, suppose you create an account for jparrot on your SafeWord Authentication Server. You create an account for default on the Gauntlet Firewall. When Jamie Parrot authenticates, she still uses the user name jparrot, and the authentication server sends the information to the SafeWord Authentication Server.
To add a user using SafeWord:
From the Users tab, click Add.
The Add User window displays.
Provide information about the user.
UserID | Enter the user name. Remember that this user ID does not need to match any other user IDs for this user.
Name | Enter descriptive information about this user.
Status | Click Enable to activate the account.
Group | If you want to make this user a member of a group, select the name of the group.
Authentication Method | Select SafeWord as the authentication method.
Password | Leave this field blank. The Gauntlet authentication system uses the value registered with the SafeWord Authentication Server.
Verification | Leave this field blank.
Click OK to make your changes take effect.
Provide the user with the selected token and user ID.
This section first lists the steps for authenticating with SafeWord, then provides an example.
To authenticate to the Gauntlet Firewall using SafeWord Authentication Server:
Access a proxy that requires authentication.
    telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'
    - - Safeword® Security Check V4.30.000 - -
Enter your user name:
    ID: jparrot
Note the challenge the proxy displays, for example:
    Challenge: 17
On the selected token, enter the challenge the proxy displays.
At the response prompt, enter the response the token displays and press Enter.
    Enter Password: 12HAAF
The following example shows a sample TELNET session from a system outside the firewall to a system inside the firewall:
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    - - Safeword® Security Check V4.30.000 - -
    ID: jparrot
    Challenge: 17
    Enter Password: 12HAAF
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jparrot
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
The Gauntlet Firewall includes support for the SecurID system, which you can use for authenticating with your firewall.
The SecurID system is a synchronous authentication system. The Gauntlet Firewall includes client code that is capable of communicating with a separate SecurID ACE/Server to authenticate users.
The SecurID tokens generate and display unpredictable codes that change at a regular time interval (typically every 60 seconds). When a user attempts to log in using the SecurID system, the ACE/Server can independently verify the code that the user enters and either allow or deny login.
To configure the ACE/Server:
Make sure that your ACE/Server is using DES encryption and not SDI encryption. Use the sdinfo or sdsetup programs on your ACE/Server to determine which type of encryption your ACE/Server is using.
Create user accounts for your users using the ACE/Server.
Register the firewall as a client system on your ACE/Server. Any users that will authenticate from the firewall must be registered on the ACE/Server showing the firewall as one of their clients.
Be sure to use the IP address or hostname for the inside address of the firewall if your ACE/Server is running on a system on your inside network.
Look at the /etc/services file on the system running the ACE/Server and make note of the service name and port on which the ACE/Server is listening. For example:
    securid       755/udp    # securid ACE services
    securidprop   5510/tcp
Place the ACE/Server configuration file (/var/ace/sdconf.rec) onto a floppy diskette or into a location accessible from the firewall.
To configure the firewall:
Log in to the firewall and become root.
Look at the /etc/services file on the firewall. Make sure that the service name and port number specified for the SecurID service on the firewall are the same as the ones in the /etc/services file on the ACE/Server.
Copy the ACE/Server configuration file (/var/ace/sdconf.rec) to the same path on the firewall (/var/ace/sdconf.rec).
Use the Gauntlet Firewall Manager to add information about the ACE/Server:
From within the Gauntlet Firewall Manager, select Environment.
Click the Authentication tab. The Authentication window displays.
Click the SecurID button on the left side of the window. The SecurID Server window displays.
Enter the hostname or IP address of the Gauntlet Firewall as you registered it on the ACE/Server. For example, Yoyodyne might enter: fire-in.yoyodyne.com.
Before exiting the Gauntlet Firewall Manager, save and apply your changes.
You can create two types of users in the Gauntlet Firewall for use with SecurID: individual users or a default user. Individual users are unique user names for each user in your SecurID system. For example, if you create an account for jyaya on your ACE/Server, you must also create an account for jyaya on the Gauntlet Firewall.
Creating a default user allows you to authenticate users without manually creating entries for every user in the Gauntlet authentication database. When a user logs in and the authentication server does not find the information in the Gauntlet authentication database, the authentication server sends the user information to the ACE/Server. The authentication server also creates a record for that user in the Gauntlet authentication database.
For example, suppose you create an account for jyaya on your ACE/Server. You create an account for default on the Gauntlet Firewall. When John Yaya authenticates, he still uses the user name jyaya, and the authentication server sends the information to the ACE/Server.
Use the Gauntlet Firewall Manager to add users.
To add a SecurID user:
From the Users tab, click Add.
Provide information about the user.
UserID | User name. This must match the user name you have registered with the ACE/Server.
Name | User name.
Status | Click Enable to activate the account.
Group | If you want to make this user a member of a group, select the name of the group.
Authentication Method | Select SecurID as the authentication method.
Password | Leave this field blank. The Gauntlet authentication system uses the value registered with the ACE/Server.
Verification | Leave this field blank.
Click OK to make your changes take effect.
Provide the user with the user name.
You can only have one default user. If you are also using the SafeWord Authentication Server, you can only use the default user for one of the two authentication systems.
To add a default SecurID user, follow the steps listed under “Adding Individual SecurID Users.” Enter default as the UserID.
This section first lists the steps for authenticating with SecurID, then provides an example.
To authenticate to the Gauntlet firewall using SecurID:
Access a proxy that requires authentication:
    telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
Enter your user name and press Enter:
    Username: jyaya
At the response prompt, enter the response appropriate for the type of SecurID token you have:
Standard Token or Key Fob: Enter your PIN (if enabled) followed by the SecurID code displayed on your token, with no spaces in between. Then press Enter:
    Enter PASSCODE: 1234481283
PINPAD Token: With the PINPAD token, enter your PIN into the card itself, and press the diamond key. The PASSCODE is simply the SecurID code displayed on the token.
    Enter PASSCODE: 429162
Press the Enter key.
On occasion, the system prompts you to enter the next code that appears on your token to resynchronize your SecurID token with the ACE/Server:
    Enter the next cardcode:
Wait until the code changes on your token, and then enter the new code (without your PIN) at the prompt and press Enter.
    Enter the next cardcode: 617325
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall:
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    Username: jyaya
    Enter PASSCODE: 429162
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jyaya
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
The Gauntlet Firewall includes support for the S/Key system, which you can use for authenticating with your Gauntlet Firewall. You can use both S/Key and S/Key5 with the Gauntlet Firewall.
The S/Key system is a one-time password authentication system. You enter a secret password into the Gauntlet authentication database when you configure that user. When the proxies want to authenticate, they use the secret password to generate a series of nonsense words and a sequence number. The proxy displays the sequence number. You enter the secret password and the sequence number into a key generation program, which provides a series of nonsense words. You enter the series of nonsense words at the proxy prompt. The proxy passes it back to the authentication server, which compares what you entered with what it expected and allows or denies access.
Use the Gauntlet Firewall Manager to add users.
To add an S/Key user:
From the Users tab, click Add.
Provide information about the user:
UserID | Enter the user name. Remember that this user ID does not need to match any other user IDs for this user.
Name | Enter descriptive information about this user.
Status | Click Enable to activate the account.
Group | If you want to make this user a member of a group, select the name of the group.
Authentication Method | If you are using S/Key or S/Key4, select Skey as the authentication method. If you are using S/Key5, select Skey5 as the authentication method.
Password | Enter a random string, for example: Passwd: try!and@guess#this$one (the display shows Xs in place of the password).
Verification | Enter the same random string again.
Click OK to make your changes take effect.
Provide the user with the user name. If you are creating the user's one-time passwords, provide a set of passwords. If you want users to create their own one-time access passwords, provide them with their random string and instructions on how to generate one-time access passwords.
You can generate one-time access passwords yourself and provide them to users all together. You can also allow your users to generate their own one-time passwords themselves as they need them. Using tools on the firewall, you can generate lists of one-time passwords and give them to each user. This involves determining the key value and generating the one-time passwords.
To determine the key value, search the key value file for the user's information:
    fire-in# grep jparker /etc/skeykeys
This displays information about the user:
    jparker 0664 fi19289 a6eb4adfeec9bad9 Jul 17,1996 15:57:49
The first number (0664) is the sequence number and the string that follows it (fi19289) is the key; these are the two values the key program takes after its options. You need them to generate the one-time passwords.
This section discusses using the firewall to generate keys for users. You are urged to install the key program on another trusted host inside the firewall and to generate the keys on that system.
To generate the one-time passwords:
Log in to the firewall and become root.
Run the key program (/usr/bin/key) to generate a limited number of one-time passwords, specifying the number of passwords, the sequence number, and the key. Redirect it to a file so that you can provide the passwords to the user.
S/Key:
    # cd /usr/bin
    # ./key -n 5 664 fi19289 > /tmp/jparker.key
S/Key5:
    # cd /usr/bin
    # ./key -m 5 -n 5 664 fi19289 > /tmp/jparker.key
Enter the secret password for the user for whom you are creating one-time passwords:
    Reminder - Do not use key while logged in via telnet or dial-in.
    Enter secret password: try!and@guess#this$one
View the list of one-time passwords you have created:
    660: RIME SLUM DRY MYRA GORE ELBA
    661: LUCY DISK MOSS BACH TUSK BODE
    662: JANE HURT SELF RING MILE HOB
    663: GOWN BOLT YET BEAD LYON PIT
    664: PAR HOOK FLUE BIAS TANK WEEK
Send this file to a system on your trusted network using FTP, print it and give it to the user. Be sure to delete all copies of this file (on the firewall and on the trusted host) as soon as you have the printout.
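To make the mechanics described above concrete, here is an added Python model of the S/Key one-time password scheme (RFC 2289 with MD5, the S/Key5 variant that key -m 5 selects). It is not Gauntlet's code and not the Bellcore key program: it prints passwords as hex rather than the six-word dictionary encoding, so its values will not match the key program's output, but it shows what an /etc/skeykeys record holds, why the proxy challenges with sequence 663 when the record says 0664, how a list such as the one above is produced, and why a one-time password that was already used is rejected. The record line and the secret password are the examples used earlier in this section; the class and function names are this example's own.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(password: str, seed: str, n: int) -> bytes:
    """One-time password for sequence number n: hash seed+password once and fold,
    then apply hash-and-fold n more times. Hence hash(otp(n-1)) == otp(n)."""
    h = fold(hashlib.md5((seed.lower() + password).encode()).digest())
    for _ in range(n):
        h = fold(hashlib.md5(h).digest())
    return h


def password_list(password: str, seed: str, first: int, count: int):
    """Equivalent of "key -n count first seed": the `count` passwords ending at `first`."""
    return [(n, otp(password, seed, n).hex()) for n in range(first - count + 1, first + 1)]


class SkeyRecord:
    """Server-side state, modelled on one line of /etc/skeykeys:
    user, current sequence number, seed, and the last accepted one-time password."""

    def __init__(self, user: str, seq: int, seed: str, last_hex: str):
        self.user, self.seq, self.seed = user, seq, seed
        self.last = bytes.fromhex(last_hex)

    @classmethod
    def parse(cls, line: str) -> "SkeyRecord":
        # e.g. "jparker 0664 fi19289 a6eb4adfeec9bad9 Jul 17,1996 15:57:49"
        user, seq, seed, last = line.split()[:4]
        return cls(user, int(seq), seed, last)

    @classmethod
    def initialize(cls, user: str, password: str, seed: str, seq: int) -> "SkeyRecord":
        """What happens at enrolment: the server stores otp(seq), never the password."""
        return cls(user, seq, seed, otp(password, seed, seq).hex())

    def challenge(self) -> str:
        """The proxy asks for the password one step below the stored sequence."""
        return f"s/key {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept only the value whose hash equals the last stored password,
        then advance the record so the same value can never be accepted again."""
        if self.seq <= 0:
            return False  # the chain is exhausted; the user needs a new record
        candidate = bytes.fromhex(response_hex)
        if fold(hashlib.md5(candidate).digest()) != self.last:
            return False
        self.last = candidate
        self.seq -= 1
        return True


if __name__ == "__main__":
    record = SkeyRecord.initialize("jparker", "try!and@guess#this$one", "fi19289", 664)
    print(record.challenge())
    for n, pw in password_list("try!and@guess#this$one", "fi19289", 664, 5):
        print(f"{n}: {pw}")
```

Note that the server record never contains the secret password, only the last accepted hash, so a copy of /etc/skeykeys does not let anyone produce the next password; the printed list, by contrast, does, which is why the text says to delete every copy once it has been handed over.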
There is an alternative to the administrator using the key program on the firewall to generate one-time passwords for each user. You can obtain the key program for a variety of platforms from the Bellcore FTP site (see ftp://ftp.bellcore.com/pub/nmh/skey for more information). You can install the key program on trusted hosts within your network, allowing users to generate their own passwords all at once or as they need them. There are also versions for the Microsoft Windows family and the Macintosh, allowing users to generate keys from their desktops or laptops.
Be sure to:
Provide each user with the secret password that you created when you created that user's entry in the Gauntlet authentication database.
Remind users not to use the key program from hosts on the untrusted networks.
This section first lists the steps for authenticating with the S/Key system, then provides an example.
To authenticate to the Gauntlet Firewall using S/Key:
Access a proxy that requires authentication:
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
Enter your user name:
    Username: jparker
Note the challenge the proxy displays:
    Skey Challenge: s/key 663 fi19289
Locate the one-time password with the corresponding sequence number from your list:
    663: GOWN BOLT YET BEAD LYON PIT
Or use your key program to generate the one-time password.
Respond with a one-time password:
    Skey Challenge: s/key 663 fi19289 GOWN BOLT YET BEAD LYON PIT
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw>
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall:
    blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
    Trying 204.255.154.100...
    Connected to fire-out.yoyodyne.com
    Escape character is '^]'.
    Username: jparker
    Skey Challenge: s/key 663 fi19289 GOWN BOLT YET BEAD LYON PIT
    Login Accepted
    fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
    tn-gw> c dimension
    Trying 10.0.1.120 port 23...
    Connected to dimension.yoyodyne.com
    IRIX 6.5 (dimension) (ttyp5)
    login: jparker
    Password: guess#me$now (password does not display)
    Welcome to dimension.yoyodyne.com
    3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
    dimension-26:
The Gauntlet Firewall includes support for the RADIUS authentication protocol, which you can use to authenticate to your firewall.
RADIUS stands for Remote Authentication Dial-In User Service, an authentication protocol specified by the IETF. Many different authentication vendors, including SecurID, Safeword, VASCO, and CRYPTO, support RADIUS.
Note: The Gauntlet Firewall uses RADIUS in a way that differs slightly from the standard use. RADIUS is normally used as a dial-in authentication service. The Gauntlet Firewall uses it as an authentication method.
RADIUS authentication can be used with your Gauntlet Firewall in conjunction with a strong authentication method such as Safeword or CRYPTO, or by itself using a plain RADIUS password.
Note: If you use RADIUS authentication in conjunction with a strong authentication method, explain to your users how that strong authentication method works and how to use it.
To use RADIUS with your Gauntlet Firewall, the user connects to the firewall in order to access the trusted network. The firewall prompts the user for a user name and RADIUS password, and then, acting as the RADIUS client, encrypts the authentication information with the RADIUS shared secret and sends it to the RADIUS authentication server.
Note: If you are using a strong authentication method, your use of RADIUS may be somewhat different.
The RADIUS authentication server decrypts the authentication information with the shared secret and begins the authentication process. The RADIUS authentication server authenticates the user, and sends this information to the Gauntlet Firewall, which grants access permission to the user.
Note: You must have a RADIUS authentication server up and running, know its shared secret, and have the user configured on the server before you can use the Gauntlet Firewall to support a RADIUS user.
To configure the RADIUS authentication server, create user accounts for your users on your RADIUS authentication server.
Use the Gauntlet Firewall Manager to enable RADIUS support.
To enable RADIUS support:
From within the Gauntlet Firewall Manager, select Environment.
Click the Authentication tab.
The Authentication window displays.
Click the RADIUS button on the left side of the window.
The RADIUS Authentication Servers window displays.
Make the appropriate entries:
| Field | Description |
| --- | --- |
| Shared Secret for the Primary RADIUS Server | Shared secret string for your primary RADIUS server. |
| Host | IP address or host name of your primary RADIUS server. |
| Port | Port to be used to access your primary RADIUS server. The default is 1645. |
| Shared Secret for the Secondary RADIUS Server | Shared secret string for your secondary RADIUS server. Make an entry in this field only if you are using a secondary RADIUS server. |
| Host | IP address or host name of your secondary RADIUS server. Make an entry in this field only if you are using a secondary RADIUS server. |
| Port | Port to be used to access your secondary RADIUS server. Make an entry in this field only if you are using a secondary RADIUS server. |
Before exiting the Gauntlet Firewall Manager, save and apply your changes.
Use the Gauntlet Firewall Manager to add a RADIUS user.
To add a RADIUS user:
From within the Gauntlet Firewall Manager, select Firewall Rules.
Click the Users tab.
The Users window displays.
From the Users tab, click Add.
The Add/Modify window displays.
Provide information about the user.
| Field | Description |
| --- | --- |
| UserID | User name. Remember that this user ID does not need to match any other user IDs for this user. |
| Name | Descriptive information about this user. |
| Status | Click Enable to activate the account. |
| Group | If you want to make this user a member of a group, select the name of the group. |
| Authentication Method | Select RADIUS as the authentication method. |
| Plain Password | Check this box to tell the RADIUS server to use a plain password for this user; leave it blank to use a strong authentication method. |
Click OK.
Provide each user with a user ID.
The examples shown in this section use plain RADIUS passwords. If you are using a strong authentication method, the text will vary depending on the method you are using.
To authenticate to the Gauntlet Firewall using a plain RADIUS password:
Access a proxy that requires authentication:
```
telnet fire-out.yoyodyne.com
Trying 204.255.154.100...
Connected to fire-out.yoyodyne.com
Escape character is '^]'.
```
Enter your user name and press Enter.
```
Username: jnolan
```
Enter your RADIUS password and press Enter. The password itself does not display; an X appears when each character is typed:
```
RADIUS Password: XXXXXXX
```
If the user is a valid user, the login is accepted and the Gauntlet Firewall permits access to the trusted network.
```
Login Accepted
```
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall using a plain RADIUS password:
```
blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
Trying 204.255.154.100...
Connected to fire-out.yoyodyne.com
Escape character is '^]'.
Username: jnolan
RADIUS Password: ########
Login Accepted
fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
tn-gw> c dimension
Trying 10.0.1.120 port 23...
Connected to dimension.yoyodyne.com
```
The Gauntlet Firewall includes support for reusable passwords. The reusable password system does not include support for password aging, minimum password length, or other security features of some reusable password systems.
Caution: Do not use the reusable passwords option for authentication from untrusted networks. You should not use reusable passwords. Reusable passwords are vulnerable to password sniffers and are easy to crack. This feature is provided for convenience and audit capability only.
You enter a secret password into the Gauntlet user authentication system when you configure that user. When an application on the firewall needs to authenticate you, it asks the Gauntlet authentication system. You enter the secret password at the prompt. The application passes it back to the authentication system, which compares what you entered with what it expected and allows or denies access.
Use the Gauntlet Firewall Manager to add users.
To add a user using reusable passwords:
From the Users tab, click Add.
Provide information about the user.
| Field | Description |
| --- | --- |
| UserID | Enter the user name. Remember that this user ID does not need to match any other user IDs for this user. |
| Name | Enter descriptive information about this user. |
| Status | Click Enable to activate the account. |
| Group | If you want to make this user a member of a group, select the name of the group. |
| Authentication Method | Select Password as the authentication method. |
| Password | Enter a random string as the password. |
| Verification | Enter the same random string you entered as the password. |
Click OK to make your changes take effect.
Provide each user with a user ID and password.
This section first lists the steps for authenticating with reusable passwords, then provides an example.
To authenticate to the Gauntlet Firewall using reusable passwords:
Access a proxy that requires authentication:
```
blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
Trying 204.255.154.100...
Connected to fire-out.yoyodyne.com
Escape character is '^]'.
```
Enter your user name:
```
Username: jgomez
```
Enter your password:
```
Password: try!and@guess#this$one
Login Accepted
fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
tn-gw>
```
This example shows a sample TELNET session from a system outside the firewall to a system inside the firewall:
```
blaze.clientsite.com-28: telnet fire-out.yoyodyne.com
Trying 204.255.154.100...
Connected to fire-out.yoyodyne.com
Escape character is '^]'.
Username: jgomez
Password: try!and@guess#this$one (password does not display)
Login Accepted
fire-out.yoyodyne.com telnet proxy (Version 4.0a) ready:
tn-gw> c dimension
Trying 10.0.1.120 port 23...
Connected to dimension.yoyodyne.com
IRIX 6.5 (dimension) (ttyp5)
login: jgomez
Password: guess#me$now (password does not display)
Welcome to dimension.yoyodyne.com
3:57PM up 16 days, 5:35, 4 users, load averages: 0.03, 0.01, 0.00
dimension-26:
```