Your Gauntlet Firewall is an integral part of your corporate network. Follow the same maintenance and management practices for the firewall as you do for any other mission-critical application or machinery. You also need to manage the Gauntlet-specific elements of the firewall. The Gauntlet Firewall includes a graphical user interface, called the Gauntlet Firewall Manager, that allows you to configure the firewall easily.
This chapter explores considerations for managing your Gauntlet Firewall, and explains how to use the Gauntlet Firewall Manager in the following sections:
Consider the Gauntlet Firewall to be another IRIX system you must maintain. For most activities, you can continue to use the tools you are familiar with. The exceptions are noted in the sections that follow:
If you need to create user accounts on the firewall for yourself or another administrator, work with the tools you would normally use, such as the addUserAccount command or the System Manager from the Toolchest. Remember that the only accounts you need to create on the firewall are administrator accounts. Do not create ordinary user accounts on your firewall; every account on the firewall is a potential path to the system that protects your network.
Consider using the login shell included with the Gauntlet Firewall as the shell for the administrator accounts you create on the firewall. This login shell requires that you configure a user in the Gauntlet user authentication system, allowing users to use strong authentication to log in.
Back up your firewall. In most cases, you can use the same backup scheme for your firewall as you use for other IRIX systems on your network.
Remember that the firewall includes a hardened version of the IRIX operating system. You cannot use NFS to make the drives on the firewall visible to a backup system on another system.
To manage Gauntlet Firewall settings you must use the tools included with the firewall. These include a graphical and a text-based interface.
The graphical interface, the Gauntlet Firewall Manager, is the recommended interface and allows you to configure your firewall easily. The Gauntlet Firewall Manager provides flexibility by allowing you to manage your firewall from a variety of locations. The ability to configure your firewall from remote locations is especially useful when your office is located across campus, across town, or across the country from your firewall.
The text-based interface allows you to configure most features of the Gauntlet Firewall. However, the Gauntlet Firewall Manager is still the recommended interface. Consider using the text-based management interface only if your security policy requires you to manage the firewall from the console. You may also need to modify configuration files manually if you have a particularly complex configuration, such as when using four network interface cards.
The Gauntlet Firewall Manager allows you to configure your firewall quickly and easily. Because of its graphical nature, you can easily view your current configuration. The Gauntlet Firewall Manager consists of two parts: the interface and the firewall server.
The graphical interface to Gauntlet that you see in your Web browser is an applet written in Java. You do not need to install any additional software on your client to use the Gauntlet Firewall Manager; your Web browser includes the necessary code to run the applet.
The server on the firewall that serves the graphical interface is a modified version of the Gauntlet Information Server. This server is written with security in mind. The server portion of the Gauntlet Firewall Manager runs as a daemon listening for requests on TCP port 21000. When the firewall receives a request on this port, the server checks its configuration information and determines whether the initiating host has permission to use the Gauntlet Firewall Manager. If the host does not have permission, the server logs the connection and displays the error message Unauthorized to use gateway.
If the host has permission, the server displays a user authentication page. The server authenticates the user. If the user does not provide the proper authentication, the server logs the connection and displays an error message.
If the user provides the proper authentication, the server stops listening on port 21000 and begins listening on a random port. The server now displays the interface.
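The host check described above, as an added illustration that is not Gauntlet's own code: it models how a list of permitted management hosts written with the * wildcard (the form the text-based setup accepts, for example 10.0.1.*) can be matched against the address of a connecting client, and records the Unauthorized to use gateway event when the match fails. The class and function names, the in-memory log and the sample addresses are all assumptions made for this example.

```python
"""Added example: host-permission check for a management daemon.

Not Gauntlet code.  Models the first gate the Gauntlet Firewall Manager
server applies: is the connecting host on the permitted list?  Patterns
use whole-octet '*' wildcards, e.g. '10.0.1.*'.  Names are assumptions.
"""
import ipaddress
import re


def compile_host_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a dotted pattern with '*' octet wildcards into an anchored regex.

    Only whole-octet wildcards are accepted; anything else raises, so a
    typo in the permitted-host list cannot silently widen the access list.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad host pattern: {pattern!r}")
    parts = []
    for octet in octets:
        if octet == "*":
            parts.append(r"\d{1,3}")          # client address is validated first
        elif octet.isdigit() and 0 <= int(octet) <= 255:
            parts.append(str(int(octet)))
        else:
            raise ValueError(f"bad octet {octet!r} in pattern {pattern!r}")
    return re.compile(r"^" + r"\.".join(parts) + r"$")


class AdminAccessList:
    """Permitted management hosts plus a constructed in-memory log."""

    def __init__(self, patterns):
        self.patterns = [(p, compile_host_pattern(p)) for p in patterns]
        self.log = []  # stands in for the firewall's connection log

    def permitted(self, client_ip: str) -> bool:
        """Return True if client_ip matches a permitted pattern, else log and deny."""
        try:
            ip = str(ipaddress.IPv4Address(client_ip))  # normalises, rejects junk
        except ValueError:
            self.log.append(f"admin: malformed client address {client_ip!r}: denied")
            return False
        for text, regex in self.patterns:
            if regex.match(ip):
                self.log.append(f"admin: {ip} permitted by {text}")
                return True
        self.log.append(f"admin: {ip}: Unauthorized to use gateway")
        return False


if __name__ == "__main__":
    acl = AdminAccessList(["10.0.1.*", "192.168.5.20"])   # constructed list
    for client in ("10.0.1.17", "192.168.5.21", "10.0.2.17"):
        print(client, acl.permitted(client))
    print("\n".join(acl.log))
```

A wildcard such as 10.0.1.* admits every host on that subnet to the authentication page, so a compromised workstation there gets a shot at the administrator login; listing the single dedicated management host, as the planning advice below suggests, keeps the gate narrow. The check is only the first gate: user authentication still follows it.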
The server portion of the Gauntlet Firewall Manager implements your configuration by taking the values you enter into the interface and placing them into the appropriate configuration files.
Using the Gauntlet Firewall Manager involves planning, configuring the firewall, configuring your system, configuring your Web browser, and accessing the Gauntlet Firewall Manager.
Choose the host from which you will manage the firewall. You can access the Gauntlet Firewall Manager from any qualified host running a supported Web browser. These hosts include:
Carefully consider your choice of the host from which you manage the firewall. Remember that, by default, the traffic between the Web browser and the firewall is not encrypted: the administrator credentials and every configuration value you view or change cross the network in the clear, so anyone able to capture traffic on the path between the management host and the firewall's inside interface can read them.
Consider whether the host from which you manage the firewall will be a dedicated management workstation. With a dedicated management host, you can physically secure the system to help avoid unauthorized access to the firewall.
Consider whether you wish to use PC Extender for Windows 95 on the host from which you manage the firewall. PC Extender helps protect the confidentiality on the link. Refer to the PC Extender documentation for more information on the benefits of PC Extender.
You must tell the firewall which hosts can use the Gauntlet Firewall Manager. To configure the firewall:
Log in to the firewall and become root.
Start the text-based Gauntlet administrative tool:
# /usr/local/etc/gauntlet-admin
Select "Fast Setup for GUI admin tool".
Enter the information about your inside network interface. You can use the Tab key and the Up and Down arrows to navigate in the text-based interface.
Select "Next Screen" to move to the next screen.
Enter the IP address of the host or hosts from which you will manage your Gauntlet firewall. The wildcard * is valid, so for example you could enter 10.0.1.*.
Select "Add New User".
Configure a user with a user ID of fwadmin and select "Save these Changes".
Select "Quit", then "Return" to return to the Main Menu of the Gauntlet administrative interface.
Select "Update Configuration Menus".
Select "Quit and Update Configuration Database". When the administrative interface asks you if you wish to rebuild system configuration files, type "y".
The Gauntlet Firewall Manager daemon starts when you boot the firewall. You do not need to explicitly start the Gauntlet Firewall Manager.
To use the Gauntlet Firewall Manager, you must be using certain configuration settings on your system.
To configure your system:
To use the Gauntlet Firewall Manager, you must configure your Web browser as follows:
Make sure you have a browser which supports Java. Recommended browsers are Netscape Communicator version 4.0 or later, and Internet Explorer version 4.0 or later.
Add the IP address of the internal interface of your firewall to the list of hosts for which the browser should not use a proxy. This ensures that your browser doesn't try to send your requests to the HTTP proxy on the firewall.
Enable Java access. The Gauntlet Firewall Manager is written in Java. Therefore, your Web browser must support Java.
To access the Gauntlet Firewall Manager:
Open the following URL:
http://firewall:21000/auth/gui.html
firewall is the hostname or IP address of the inside interface of the firewall.
Authenticate using the account you created in the text interface.
Wait as the Web browser starts the Gauntlet Firewall Manager. This process can take several minutes. Note that the Netscape Navigator logo is not animated while the Web browser is loading the configuration.
Verify that the hostname or IP address of your firewall is shown as the Selected Firewall.
Click the Gauntlet logo to load the configuration settings for your firewall.
This loads the Gauntlet Firewall Manager with your configuration.
Minimize your Web browser.
Note: Do not close your browser, because this also closes the Gauntlet Firewall Manager.
Note: Make sure you exit the Gauntlet Firewall Manager properly (using the Exit button in the upper left corner of the Manager window, not the Close or Exit functions of your Web browser). If you do not exit properly, you may lose any changes you have made and your Firewall Server may need to be restarted.
To exit the Gauntlet Firewall Manager:
Click Exit.
If you have made any changes to your configuration you have not saved, answer the Gauntlet Firewall Manager prompt before exiting.
If you have not made any changes to your configuration, click Quit.
The Gauntlet Firewall Manager allows you to choose when your changes take effect. When you save your changes, you have several options:
The Save command writes the changes you have made to the Gauntlet Firewall's configuration. However, saving alone does not make your configuration changes take effect. In other words, the next time you use the Gauntlet Firewall Manager, you will see your changes reflected in the screens and settings, but the firewall will not use these changes until you apply them.
For example, suppose you make a number of changes to the firewall's configuration, but you do not want to reboot your firewall in the middle of the day while many users are using the services of the firewall. You save your changes and exit the Gauntlet Firewall Manager. After your office has closed, you start the Gauntlet Firewall Manager to display your changes, apply them, and reboot the firewall to make your configuration take effect. This delayed application of changes is also useful if you are making changes and need to leave your workstation to attend a meeting or go to lunch.
Choosing Save and Apply writes the changes you have made to the Gauntlet Firewall and makes them take effect. Most types of changes take effect immediately when you save and apply. For example, a destination access rule takes effect as soon as you choose Save and Apply from the Gauntlet Firewall Manager Exit window.
Choosing Save, Apply, and Reboot saves your changes, and makes them take effect immediately by rebooting the firewall and restarting all services. You must reboot your firewall to make some changes take effect, including:
Enabling or disabling proxy services
Starting or stopping virtual private networks (VPNs)
Making changes to an interface
Adding or deleting packet screening rules
The Gauntlet Firewall Manager includes an online help system. This system provides information about all of the screens and options in the Gauntlet Firewall Manager.
The Gauntlet Firewall Manager displays the online help in a separate browser screen.
To access the main help page, click the Help button from within the Gauntlet Firewall Manager.
To access help for a specific screen, click the question mark in the lower right corner on the screen where you need help.