One of the key concepts behind Advanced Firewall is that user access should be controlled on the basis of user identity, not simply which computer they are using. Typically network managers and administrators require unrestricted access to the Internet, local servers and user PCs, whereas ordinary users require web browsing, email and access to the application systems required for their job function. Most firewalls fail to adequately differentiate between administrators and users, often relying upon simplistic rules based on the computer's IP address.
Advanced Firewall supports a wide variety of authentication schemes in order to establish user identity so that access can be controlled accordingly.
Verification of usernames and passwords against the organization's primary authentication system is the preferred mode of operation. Integration with RADIUS, Microsoft Active Directory®, Novell eDirectory™ or other LDAP authentication systems avoids the need to replicate or maintain user details on the system. Group membership on the authentication system is mapped to security policies so that authentication system changes are immediately reflected on the system. Security policies control if and when users are allowed access to particular categories of web sites, whether they are allowed to download files, and so on.
User identification also makes reports far more meaningful and useful, in that reports containing actual user names are far more comprehensible than lists of IP addresses. However, if no central authentication system is available, a user database can be maintained on the system itself.
Advanced Firewall works with all major browsers and operating systems including Microsoft Windows, Mac OS X and Linux. The use of NTLM and Internet Explorer provides seamless single sign-on without the need for users to log into the system or enter their Windows ID/password again.
The full list of user authentication mechanisms:
- User credentials (username and password) are passed to the authentication system using encrypted communications to avoid usernames and passwords being sent "in the clear".
- The authentication server checks that the username and password combination is valid and returns the user's group membership information to the SmoothWall system.
- The SmoothWall system parses the list of groups of which the user is a member, and determines which access control policy to apply. Adding a new user or changing a user's group membership on the authentication system is automatically recognized by the SmoothWall system, and the appropriate security policies are applied.
- NTLM authentication with IE provides transparent authentication with no additional login screen (login names and passwords are automatically passed to the SmoothWall system).
- 2-Factor Authentication with RADIUS or a different LDAP user database such as Microsoft Active Directory®.
- The SSL Login Page provides secure encrypted transmission of the username and password from the user computer to the SmoothWall system (works in both transparent and non-transparent proxy mode).
- Proxy mode authentication can be used when operating in non-transparent proxy mode. Upon initial web access the user is presented with a login page for entry of their username and password.
- An Ident client can be run on Windows PCs to provide user identification, where the SmoothWall system interrogates the client for the Windows login name. The information is cached to avoid repeated interrogation of the Ident client.
- Ident (Windows User Identification) can be enforced so that any user that has not been identified from Ident information (i.e. their PC is not running an Ident client) will be assigned the "non authenticated" user profile. This will typically deny all web access or restrict to a captive portal of web sites and services.
- Ident by IP allows group policies to be applied according to IP or machine.
- The use of an external authentication server avoids the need for any routine user management on the SmoothWall system.
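The flow described in the list above (credentials checked by the authentication system, group membership returned, groups mapped to a policy, and unidentified users dropped into the "non authenticated" profile) can be illustrated with a small policy resolver. This is an added example written for this page, not SmoothWall's own code: the group names, policy names, category names and the in-memory stand-in for the authentication server are all constructed, and a real deployment would query RADIUS or LDAP over an encrypted channel instead.

```python
"""Group-to-policy resolution in the style the page describes.

Added illustration, not SmoothWall code. All group DNs, policies,
categories and user records below are constructed sample data.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    allowed_categories: frozenset   # "*" means every web category
    may_download: bool
    precedence: int                 # lower value wins when several groups match


# Constructed mapping from authentication-system groups to local policies.
# In practice these DNs would come from AD/eDirectory/LDAP group membership.
ADMINS = "CN=NetAdmins,OU=Groups,DC=example,DC=com"
STAFF = "CN=Staff,OU=Groups,DC=example,DC=com"
GUESTS = "CN=Guests,OU=Groups,DC=example,DC=com"

GROUP_POLICY_MAP = {
    ADMINS: Policy("administrators", frozenset({"*"}), True, 0),
    STAFF: Policy("staff", frozenset({"business", "news", "webmail"}), True, 10),
    GUESTS: Policy("guests", frozenset({"news"}), False, 20),
}

# Profile applied when nobody could be identified (failed login, no Ident
# client, or membership only of groups that map to no policy).
NON_AUTHENTICATED = Policy("non authenticated", frozenset({"captive-portal"}), False, 99)

# Constructed stand-in for the external authentication server: it validates
# the password and returns the caller's group list, exactly the two things
# the page says the server provides.
SAMPLE_DIRECTORY = {
    "alice": ("s3cret-pw", [STAFF, ADMINS]),
    "bob": ("hunter2-pw", [STAFF]),
    "carol": ("carol-pw", ["CN=Contractors,OU=Groups,DC=example,DC=com"]),
    "dave": ("dave-pw", [GUESTS]),
}


def authenticate(username: str, password: str) -> Optional[list]:
    """Return the user's groups if the credentials are valid, else None."""
    record = SAMPLE_DIRECTORY.get(username)
    if record is None:
        return None
    stored_password, groups = record
    # Constant-time comparison so a wrong password is not distinguishable
    # by timing from a wrong username; a real server checks a hash instead.
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return list(groups)


def resolve_policy(groups: Optional[list]) -> Policy:
    """Map a group list to the single policy that applies.

    A user in several mapped groups gets the highest-precedence policy;
    a user with no mapped group (or no groups at all) is treated as
    non authenticated rather than silently given the broadest policy.
    """
    if not groups:
        return NON_AUTHENTICATED
    matched = [GROUP_POLICY_MAP[g] for g in groups if g in GROUP_POLICY_MAP]
    if not matched:
        return NON_AUTHENTICATED
    return min(matched, key=lambda p: p.precedence)


def is_allowed(policy: Policy, category: str, download: bool = False) -> bool:
    """Apply the policy to one request: category filter plus download flag."""
    if download and not policy.may_download:
        return False
    return "*" in policy.allowed_categories or category in policy.allowed_categories


def decide(username: str, password: str, category: str, download: bool = False):
    """End-to-end decision: returns (policy name, allowed?) for a request."""
    policy = resolve_policy(authenticate(username, password))
    return policy.name, is_allowed(policy, category, download)


def decide_by_ident(ident_name: Optional[str], category: str):
    """Ident-style identification: the PC reports a Windows login name
    (or nothing, if no Ident client is running). No password is involved,
    so only the group lookup and the non-authenticated fallback apply."""
    groups = SAMPLE_DIRECTORY[ident_name][1] if ident_name in SAMPLE_DIRECTORY else None
    policy = resolve_policy(groups)
    return policy.name, is_allowed(policy, category)


if __name__ == "__main__":
    for args in [("alice", "s3cret-pw", "gambling"), ("bob", "hunter2-pw", "gambling"),
                 ("bob", "wrong", "news"), ("carol", "carol-pw", "news")]:
        print(args, "->", decide(*args))
    print("ident None ->", decide_by_ident(None, "news"))
```

The two design choices worth noting are the fallbacks: a failed login, an unknown Ident name, or membership only of unmapped groups all land on the "non authenticated" profile, so a directory change that removes someone from every mapped group fails closed rather than open, and precedence is explicit so that a user who is both staff and administrator gets a predictable result.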