The employees of your company want to engage in secure communications with other people. The mail, file-encryption, and other applications they use rely on certificates as part of the authentication and encryption process. Before communicating with someone, they need the appropriate certificate. The Lightweight Directory Access Protocol (LDAP) is a commonly used protocol for providing this sort of information. The Gauntlet Firewall includes a proxy that allows connections between LDAP clients and servers.
This chapter explores the concepts behind the LDAP proxy and explains how it works, how to configure the proxy, and how to use LDAP services. The chapter consists of these sections:
The LDAP proxy is an application-level proxy that provides configurable access control and logging mechanisms. The LDAP proxy, which runs on the firewall, passes LDAP requests through the firewall (at the application level), using rules you supply.
You can configure the proxy to allow connections based on:
source IP address
source hostname
source port
destination IP address
destination hostname
destination port
Using these options, you can configure the firewall to allow LDAP clients on certain trusted hosts to access an LDAP server on an untrusted host. Employees working behind the firewall can access LDAP servers at customer sites.
You can configure the LDAP proxy to allow LDAP clients on untrusted hosts to access LDAP servers on the trusted networks. According to most security policies, it is not a good idea to allow unlimited access to the inside network. If you have to offer LDAP services to other hosts on the Internet, consider running the LDAP server on the outside network.
The proxy logs all successful and unsuccessful connection attempts, and the amount of data transferred. These access controls give you much more control over the connections to and from your system than you would have without a firewall, and the logging is much more extensive.
The firewall runs the LDAP proxy as a service listening for requests on the standard LDAP port. Whenever the firewall receives an LDAP request on this port, the LDAP proxy checks its configuration information and determines whether the initiating host has permission to initiate this type of request. If the host does not have permission, the LDAP proxy logs the unsuccessful connection.
If the host has permission, the proxy logs the transaction and passes the request to the destination host. The LDAP proxy remains active until either side closes the connection or the connection times out.
The recommended configuration allows trusted hosts to access LDAP servers on untrusted networks. The recommended configuration does not allow untrusted hosts to access LDAP servers on trusted networks.
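The access-control and logging behaviour described above, as an added illustration (not the Gauntlet proxy's own code): a small rule matcher that accepts the same kinds of entries the proxy does (IP address, network/subnet, or hostname with a `*` wildcard, plus a remote port), applies the recommended policy, and records a log line for every permitted and denied attempt. The 10.1.0.0/16 trusted network, the `*.customer.example` server pattern and the log-line format are constructed for the example.

```python
import ipaddress
from fnmatch import fnmatch

class Rule:
    """One proxy rule: which sources may connect to which remote host and port."""
    def __init__(self, source, remote_host, remote_port, allow=True):
        self.source = source            # IP, CIDR network, or hostname pattern with '*'
        self.remote_host = remote_host  # same forms as source
        self.remote_port = remote_port  # integer port, or '*' for any port
        self.allow = allow

def matches(pattern, addr, name):
    """Match one rule entry against a peer: CIDR-aware for IPs, '*' wildcard for names."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)   # single IP becomes a /32
        return ipaddress.ip_address(addr) in net
    except ValueError:                                       # not an address: hostname pattern
        return fnmatch(name.lower(), pattern.lower())

def decide(rules, src_ip, src_name, dst_ip, dst_name, dst_port, log):
    """First matching rule wins; no match means deny. Every decision is logged."""
    peer = f"{src_name}[{src_ip}] -> {dst_name}[{dst_ip}]:{dst_port}"
    for r in rules:
        if (matches(r.source, src_ip, src_name)
                and matches(r.remote_host, dst_ip, dst_name)
                and r.remote_port in ("*", dst_port)):
            verdict = "permit" if r.allow else "deny"
            log.append(f"ldap-proxy: {verdict} {peer}")    # constructed log format
            return r.allow
    log.append(f"ldap-proxy: deny (no matching rule) {peer}")
    return False

# Recommended configuration: inside (trusted) hosts may reach the customer's
# LDAP servers on TCP 389; an outside host reaching an inside server matches
# no rule and is therefore denied and logged.
RECOMMENDED = [Rule("10.1.0.0/16", "*.customer.example", 389)]

if __name__ == "__main__":
    log = []
    decide(RECOMMENDED, "10.1.2.3", "pc1.corp.example",
           "192.0.2.10", "ldap.customer.example", 389, log)
    decide(RECOMMENDED, "203.0.113.5", "host.outside.example",
           "10.1.5.5", "ldap.corp.example", 389, log)
    print("\n".join(log))
```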
Determine which LDAP servers users need to access. Determine whether you want to limit access to a particular server or not. Obtain host name or IP address information for each server.
For each server, determine the port(s) on which the server accepts connections.
Determine which internal hosts can use these services.
You can configure LDAP clients with or without transparency.
If you are using transparency on the firewall (the default configuration) and you have installed the LDAP proxy on the default port (TCP port 389), you do not have to change the way that inside hosts access LDAP servers on the outside network.
To configure LDAP settings:
From within the Gauntlet Firewall Manager, select Services.
Click the LDAP tab.
The LDAP window displays.
Configure the LDAP proxy settings.
Setting | Description |
LDAP Service Is | Select Enabled or Disabled. |
Port | The default port number will work if you are using a standard LDAP port. If your LDAP services are using a non-standard port, enter the port number. |
Use a reserved Port | Check if you are using a reserved port, one with a port number less than 1023. |
Source Address | Enter the IP addresses of hosts from which connections can originate. Specify single hosts, entire networks, or subnets. Specify by IP address or host name. The wildcard * is valid in hostnames. |
Remote Host | Enter the IP addresses of the host to which the LDAP proxy connects. Specify single hosts, entire networks, or subnets. Specify by IP address or host name. The wildcard * is valid. |
Remote Port | Enter the port on the remote host to which the LDAP proxy connects. |
Use IP of originating host source | Check to use the IP address of the originating host as the source address. Leave blank otherwise. |
Child Limit | Enter the maximum number of child processes the LDAP proxy allows to run at a given time. |
Timeout | Enter the number of minutes the connection can be idle before it is disconnected. |