Assume that you have configured your firewall to allow users to access the Internet without restriction. Because of a change in corporate security policy, you must now place some restrictions on the services employees can use and the times during which they can use them. The Gauntlet Firewall includes the ability to restrict certain services by user, time of day, and destination.
This chapter discusses user restrictions concepts and explains how to set up user restrictions in the following sections:
The Gauntlet Firewall allows you to control access by:
user
group
time of day
destination
The following proxy services support creating user restrictions:
Circuit
FTP
Rlogin
Rsh
TELNET
Using the user restrictions, you can control which users can access a particular proxy service. For example, you can deny access to the rlogin or rsh proxy to a particular user. You can also control access by time of day. For example, you can permit access to FTP and TELNET only between 11:00 am and 1:00 pm.
When the proxy services receive the request from the firewall, they check the user restriction rules. The proxy services read the user restriction rules from top to bottom. The firewall uses the first rule that matches. If the user name in the request matches one of the user restriction rules, and that rule indicates the service is denied, the firewall denies the request and logs the attempt. If the user name matches a rule that explicitly permits a proxy service, the firewall passes the request on to the destination host.
User restriction rules follow the rule “That which is not expressly permitted is denied.” This is an important concept to remember, especially when creating access rules that deny access. For example, suppose you want to deny access to the FTP proxy service for Robert, so you create one user restriction rule that denies this access for him. This rule has the effect of denying access to the FTP proxy to everyone, not just Robert. You have not created a rule that expressly permits access to the FTP proxy for everyone else, so the firewall denies these requests.
To have the firewall use user restriction rules, you must enable authentication. You must also create user IDs in the Gauntlet user authentication system.
Order of precedence is extremely important when dealing with user restriction rules. The proxy services read tables from top to bottom. They use the first rule that applies for a particular attribute. If there are multiple rules in the table that could apply for an attribute, the first one found is the one used. Any subsequent conflicting rules are ignored.
Rules that are higher in the list have a higher order of precedence than rules that are lower in the list. In other words, a higher rule will be interpreted by the firewall before rules further down, and if two rules are encountered that match a given situation but contradict each other, the first one encountered will apply. In general, the more specific rules need to be listed first.
For example, consider the following list of user restriction rules in Table 7-1.
Table 7-1. User Restriction Rules Example 1
| Rule | Name | Access | Service | Start Time | End Time |
|---|---|---|---|---|---|
| 1 | Robert | Deny | ftp-gw | | |
| 2 | * | Permit | ftp-gw | | |
Rule 1 denies access to the ftp-gw configuration of the FTP proxy service for Robert. Rule 2 permits access to this service for everyone else.
If rule 2 were not included, access to the ftp-gw configuration of the FTP proxy service would also be denied to every other user. There would be no other rule that explicitly permits this access.
Consider what happens if the rules are reversed (see Table 7-2).
Table 7-2. User Restriction Rules Example 2
| Rule | Name | Access | Service | Start Time | End Time |
|---|---|---|---|---|---|
| 1 | * | Permit | ftp-gw | | |
| 2 | Robert | Deny | ftp-gw | | |
Everyone has access to the ftp-gw configuration of the FTP proxy service. Because the firewall reads the rules from top to bottom, and stops when it reaches the first match, it would never use rule 2 in this situation.
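The top-to-bottom, first-match evaluation with default deny described above, replayed over the rule orderings of Table 7-1 and Table 7-2 and over the 11:00 am to 1:00 pm window mentioned earlier. This is an added Python simulation, not code from the Gauntlet product or this manual; the "HH:MM" time format and the omission of the destination column are assumptions made to keep the example short.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One row of a User Restrictions table (columns as in Table 7-1)."""
    name: str                    # user or group name, or "*" for all users
    access: str                  # "Permit" or "Deny"
    service: str                 # proxy configuration set, e.g. "ftp-gw"
    start: Optional[str] = None  # "HH:MM" window start (assumed format); None = any time
    end: Optional[str] = None    # "HH:MM" window end


def _matches(rule: Rule, user: str, service: str, at: time) -> bool:
    """A rule applies only when user, service and (if set) the time window all match."""
    if rule.name != "*" and rule.name != user:
        return False
    if rule.service != service:
        return False
    if rule.start and rule.end:
        lo, hi = time.fromisoformat(rule.start), time.fromisoformat(rule.end)
        if not (lo <= at <= hi):
            return False
    return True


def evaluate(rules: List[Rule], user: str, service: str, at: str) -> Tuple[bool, Optional[int]]:
    """Walk the table top to bottom; the first matching rule decides.
    Returns (permitted, rule_number); rule_number is None when no rule matched,
    which under "not expressly permitted is denied" means the request is refused."""
    now = time.fromisoformat(at)
    for number, rule in enumerate(rules, start=1):
        if _matches(rule, user, service, now):
            return rule.access == "Permit", number
    return False, None


# Constructed tables mirroring the manual's examples.
TABLE_7_1 = [Rule("Robert", "Deny", "ftp-gw"), Rule("*", "Permit", "ftp-gw")]
TABLE_7_2 = [Rule("*", "Permit", "ftp-gw"), Rule("Robert", "Deny", "ftp-gw")]
LUNCH_ONLY = [Rule("*", "Permit", "ftp-gw", "11:00", "13:00")]  # the 11 am to 1 pm case

if __name__ == "__main__":
    print(evaluate(TABLE_7_1, "Robert", "ftp-gw", "12:00"))   # (False, 1): rule 1 denies Robert
    print(evaluate(TABLE_7_1, "alice", "ftp-gw", "12:00"))    # (True, 2): everyone else permitted
    print(evaluate(TABLE_7_2, "Robert", "ftp-gw", "12:00"))   # (True, 1): rule 2 is never reached
    print(evaluate(TABLE_7_1[:1], "alice", "ftp-gw", "12:00"))  # (False, None): no permit rule exists
    print(evaluate(LUNCH_ONLY, "alice", "ftp-gw", "14:00"))   # (False, None): outside the window
```

Dropping rule 2 from Table 7-1 (`TABLE_7_1[:1]`) reproduces the pitfall in the text: a lone Deny rule for Robert ends up denying everyone.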
You can access user restriction configuration from two areas of the Gauntlet Firewall Manager.
To access user restriction rules configuration:
From within the Gauntlet Firewall Manager, select Firewall Rules.
Click the Users tab.
The Users window displays.
Click Restrictions.
The User Restrictions window displays.
Here is an alternative procedure:
From within the Gauntlet Firewall Manager, select Services.
Select the tab for one of the services that supports user restrictions.
Click Add to create a new configuration set or click Modify to modify an existing configuration set.
Click Restrictions.
The User Restrictions window displays.
This section discusses configuring user restriction rules in the following sections:
When planning user restriction rules:
Remember that user restriction rules follow the rule “That which is not expressly permitted is denied.” Once you create a user restriction rule for a service, make sure you are not unintentionally denying that service to other users.
Be sure to turn on authentication for the service groups or proxies that you want to follow user restriction rules.
To create user restriction rules:
In the User Restriction window, enter information about the user for whom this rule applies.
| Field | Description |
|---|---|
| Name | Name of the user or group for whom this rule applies. Use the wildcard * to indicate all users. |
Indicate whether you are creating a rule to permit or deny use.
| Option | Description |
|---|---|
| Permit | Specifies that you are explicitly permitting access through this service, during these hours, to this destination. |
| Deny | Specifies that you are explicitly denying access through this service, during these hours, to this destination. |
Enter information about the service, time, and destination.
Click Add.
Order the new user restriction rule, as described below, so the firewall uses the new rule in the right order.
To modify user restriction rules:
Select the user restriction rule that you want to modify.
Modify the information.
Click Modify to change the rule.
Reorder the rules if necessary.
To delete user restriction rules:
Select the user restriction rule you want to delete.
Click Delete.
Reorder the remaining rules if necessary.
Remember that the order in which you place user restriction rules is very important. The firewall reads them from top to bottom and applies the first one that matches. You generally want to place the most restrictive rules first.
To change the order of precedence:
Select the user restriction rule you want to move.
Click Move Up or Move Down as many times as necessary to move the rule to the desired position.