Sunday, 18 November 2012

Security Policies - Firewall User Authentication

Firewall User Authentication is used to authenticate a user before that user can access resources through the SRX firewall. There are two types of firewall user authentication:

  1. Pass-through Authentication
  2. Web Authentication

The diagram below outlines the basic topology used for the exercises in this post.



Pass-through Authentication
Pass-through Authentication works by intercepting the session and prompting the user for a username/password. The username/password is checked against a configured local database or a remote database. If the credentials are accepted the client is permitted to access the resource. The SRX needs to be able to read into the protocol the client is using to reach the resource in order to insert the prompt; for this reason pass-through authentication only works with FTP, Telnet and HTTP.



Web Authentication
Web authentication is a different process. The client must first browse to an IP address configured on the SRX for web authentication. The SRX prompts for a username/password in this HTTP session. If the credentials are accepted the client can then attempt to access the resources permitted in the security policy (this can be any application in the security policy, not just FTP, Telnet or HTTP). It should be noted that once the user is authenticated it is the user's source IP address that is authenticated and allowed access. This is key to understand in environments where client source addresses may be NATed and use shared IP addresses, because every host behind that shared address inherits the authenticated state.



Configuring Pass-Through Authentication
1. Create Access Profile & Client
The screenshot below outlines the command to create the access profile of 'FIREWALL_AUTH' and a user with a username of 'FW_USER1'. A simple password is also configured for 'FW_USER1'.

2. Configure External Authentication (Optional)
External authentication is also configured under the access profile. When using both local and external authentication the 'authentication-order' command is used to choose the order and preference of the methods. LDAP, RADIUS and SecurID are the supported external authentication methods. The screenshot below outlines the commands to configure RADIUS authentication.

3. Create Firewall-Authentication Profile
The screenshot below outlines the commands to create a firewall-authentication profile. The default access profile of FIREWALL_AUTH is used, and an http banner is also configured.

4. Configure Host-Inbound Services
Host-inbound services need to be configured on the zone the clients connect from. In this example we will be authenticating an http session, so host-inbound services should have http enabled at a minimum. In the output captures below all host-inbound services are enabled.

5. Configure Security Policy
The security policy is where the authentication is applied. It is an extension of the 'then permit' statement. In the screenshot below a new security policy is created to allow http traffic to www.cnn.com. Firewall user authentication is configured on this policy, requiring users to authenticate prior to accessing http://www.cnn.com.

When I originally did this it did not immediately work. This was because my newly created rule was at the end and after the main outbound internet access rule. A simple policy reorder fixed this.
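The commands behind steps 1 to 5, written out as an added example rather than the captures from this post. It assumes the client-facing zone is 'trust', the internet zone is 'untrust', the RADIUS server is 192.168.1.50, the existing general outbound rule is named OUTBOUND_INTERNET, and the passwords and shared secret are placeholders.

```junos
# Step 1: access profile with a local firewall user (password is a placeholder)
set access profile FIREWALL_AUTH client FW_USER1 firewall-user password "<FW_USER1-password>"

# Step 2 (optional): try RADIUS first, then fall back to the local password database.
# 192.168.1.50 is an assumed RADIUS server address; the shared secret is a placeholder.
set access profile FIREWALL_AUTH authentication-order radius
set access profile FIREWALL_AUTH authentication-order password
set access profile FIREWALL_AUTH radius-server 192.168.1.50 secret "<radius-shared-secret>"

# Step 3: pass-through profile that uses FIREWALL_AUTH, with an HTTP login banner
set access firewall-authentication pass-through default-profile FIREWALL_AUTH
set access firewall-authentication pass-through http banner login "Firewall authentication required"

# Step 4: the SRX has to answer the client's HTTP session to insert the prompt,
# so the client-facing zone needs http as a host-inbound system service
set security zones security-zone trust host-inbound-traffic system-services http

# Step 5: policy that permits HTTP to www.cnn.com only for an authenticated user
set security zones security-zone untrust address-book address CNN_WEB 157.166.248.11/32
set security policies from-zone trust to-zone untrust policy CNN_AUTH match source-address any
set security policies from-zone trust to-zone untrust policy CNN_AUTH match destination-address CNN_WEB
set security policies from-zone trust to-zone untrust policy CNN_AUTH match application junos-http
set security policies from-zone trust to-zone untrust policy CNN_AUTH then permit firewall-authentication pass-through client-match FW_USER1

# Policies are evaluated top-down: CNN_AUTH must sit above the general outbound rule,
# otherwise that rule matches first and the client never sees a prompt
insert security policies from-zone trust to-zone untrust policy CNN_AUTH before policy OUTBOUND_INTERNET
commit
```

After the commit, 'show security policies from-zone trust to-zone untrust' is a quick way to confirm CNN_AUTH is listed before OUTBOUND_INTERNET.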


Testing Pass-Through Authentication
1. Browse to www.cnn.com
To test http pass-through authentication a browser was opened to cnn.com (157.166.248.11). The browser prompted for credentials. Once the credentials were entered the browser continued to the web page.

2. Show Authenticated Users
The command 'show security firewall-authentication users' confirms that the user has authenticated, and shows the source IP address the authentication is bound to.

3. Show Authentication History
Past successful or failed authentication attempts can be viewed by running the 'show security firewall-authentication history' command. In this case there are no past authentication attempts yet.



Configuring Web Authentication
1. Enable HTTP Protocol Under System Services
Web authentication uses an HTTP web page to authenticate users. For this reason http needs to be enabled under system services and bound to the interface the clients will reach it on.

2. Enable Web Authentication on Interface
Web authentication also needs a dedicated IP address on that interface for clients to browse to for authentication. The command output below outlines the configuration.

3. Create Access Profile & Client
The output below outlines the command to create the access profile of 'FIREWALL_AUTH' and a user with a username of 'FW_USER1'. A simple password is also configured for 'FW_USER1'.

4. Configure External Authentication (Optional)
The screenshot below outlines the commands to configure RADIUS authentication.

5. Create Firewall-Authentication Profile
The screenshot below outlines the commands to create a firewall-authentication profile. The default access profile of FIREWALL_AUTH is used, and an http banner is also configured.

6. Configure Host-Inbound Services
Host-inbound services need to be configured on the zone the clients connect from. In this example the login page is served over http, so host-inbound services should have http enabled at a minimum. In the output captures below all host-inbound services are enabled.

7. Configure Security Policy
In the screenshot below a new security policy is created to allow icmp ping traffic to www.bbc.com. Firewall user authentication is configured on this policy, requiring users to authenticate prior to pinging www.bbc.com.
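The web-authentication steps above, written out as an added example (not the captures from this post). It assumes the client-facing interface is ge-0/0/1.0 in zone 'trust' with 192.168.1.1/24 as its primary address, the internet zone is 'untrust', the existing general outbound rule is named OUTBOUND_INTERNET, and the password is a placeholder; the optional RADIUS lines are the same as for pass-through and are not repeated.

```junos
# Step 1: HTTP service bound to the client-facing interface (interface name is assumed)
set system services web-management http interface ge-0/0/1.0

# Step 2: a second address on the same interface is reserved for the login page;
# clients browse to 192.168.1.99 to authenticate
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.99/24 web-authentication http

# Steps 3-4: access profile and local user (RADIUS omitted here)
set access profile FIREWALL_AUTH client FW_USER1 firewall-user password "<FW_USER1-password>"

# Step 5: web-authentication profile; the success banner is what the browser shows after login
set access firewall-authentication web-authentication default-profile FIREWALL_AUTH
set access firewall-authentication web-authentication banner success "Authenticated. You may now close this window."

# Step 6: http must be a host-inbound service on the client zone or the login page is unreachable
set security zones security-zone trust host-inbound-traffic system-services http

# Step 7: ICMP echo to www.bbc.com is permitted only from a source IP that has completed
# web authentication (the SRX tracks the authenticated source address, not a session)
set security zones security-zone untrust address-book address BBC_WEB 212.58.246.94/32
set security policies from-zone trust to-zone untrust policy BBC_PING match source-address any
set security policies from-zone trust to-zone untrust policy BBC_PING match destination-address BBC_WEB
set security policies from-zone trust to-zone untrust policy BBC_PING match application junos-ping
set security policies from-zone trust to-zone untrust policy BBC_PING then permit firewall-authentication web-authentication client-match FW_USER1

# Same ordering rule as for pass-through: the policy must be above the general outbound rule
insert security policies from-zone trust to-zone untrust policy BBC_PING before policy OUTBOUND_INTERNET
commit
```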



Testing Web-Authentication
1. Ping bbc.com (212.58.246.94)
The ping fails. This is expected, as firewall user authentication has not been completed yet.

2. Browse to the web authentication interface of http://192.168.1.99
The IP address 192.168.1.99 is configured as the web-authentication IP address. On this page enter the username and password configured earlier.

After the correct credentials are entered the web page shows the login banner and confirms success. The browser can now be closed; the authentication is tied to the source IP address, not to the browser session.

3. Re-test ping to bbc.com (212.58.246.94)
This time the traffic is permitted because web authentication has been completed for this source address.

4. Show Authenticated Users
Successful firewall authentication can be confirmed by running the command 'show security firewall-authentication users'.

5. Show Authentication History
Now we also see the past authentication attempts when running the command 'show security firewall-authentication history'.




Client Groups
Multiple clients can also be configured in an access profile. The screenshot below outlines the commands to create multiple clients (USER1 and USER2) and add them to a group (GROUP1), which can then be referenced from the security policy instead of listing each user.




Web Redirect
Web-redirect is a statement that can be used on http pass-through authentication. Users will be taken to the web-authentication web page instead of the browser pop-up window used in basic http pass-through authentication. I had a hard time thinking of why this would really be needed. One example I thought of is that terms & conditions could be placed on the web-authentication page.
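Client groups and web-redirect together, as an added example that is not from this post. It assumes the pass-through policy from earlier is named CNN_AUTH in the trust-to-untrust context, that the web-authentication address from the web-authentication section is already configured (web-redirect sends the client there), and that the passwords are placeholders.

```junos
# Two local users, both placed in GROUP1 (passwords are placeholders)
set access profile FIREWALL_AUTH client USER1 firewall-user password "<USER1-password>"
set access profile FIREWALL_AUTH client USER1 client-group GROUP1
set access profile FIREWALL_AUTH client USER2 firewall-user password "<USER2-password>"
set access profile FIREWALL_AUTH client USER2 client-group GROUP1

# client-match is a list, so remove the single-user entry and match the group instead;
# any member of GROUP1 can now satisfy the policy without editing it per user
delete security policies from-zone trust to-zone untrust policy CNN_AUTH then permit firewall-authentication pass-through client-match FW_USER1
set security policies from-zone trust to-zone untrust policy CNN_AUTH then permit firewall-authentication pass-through client-match GROUP1

# web-redirect: instead of the browser's credential pop-up, the intercepted HTTP request is
# redirected to the web-authentication login page, where a banner or terms page can be shown
set security policies from-zone trust to-zone untrust policy CNN_AUTH then permit firewall-authentication pass-through web-redirect
commit
```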




Conclusion
I created the diagram below to help remember the high level configuration structure.

Overall, pass-through authentication is very limited (only 3 protocols), whereas web-authentication can be used to authenticate a user attempting to access any service. When using web-authentication with non-http protocols, users must be aware that they need to browse to the web-authentication address and authenticate first before gaining access, because nothing in the non-http session will prompt them.

I would be interested if anyone has cases where web-redirect was needed and for what reason. My next post will focus on Security Policy Logging.


