Firewall Authentication Types
A firewall can support various authentication methods. In its most basic definition, authentication means a user proves they are who they claim to be, and is then allowed access to the resources they authenticated for. This is just like logging in to a Microsoft Windows computer: we tell Windows our identity by specifying a username, then prove that identity by specifying the password. Finally Windows gives us access only to the resources we are allowed to use.
Firewall authentication can be used by various features. Two of the most common are for SSL VPN and web filtering.
Below are some of the common methods of authentication supported by most firewalls:
Built in database authentication
With built in database authentication the firewall contains its own authentication database, and a user authenticates against this database for access. The database is usually configured with multiple usernames and passwords. Built in database authentication is easy to configure and very effective; however, this method is not scalable. If changes are required often, for example because users join and leave frequently, the firewall database will need to be continuously updated.
LDAP authentication
You can use Lightweight Directory Access Protocol (LDAP) to query and authenticate against your directory server. Commonly this would be Active Directory, although it can be any directory service that supports LDAP, such as Novell Directory, OpenLDAP and others. This is a scalable method because a directory service is typically always kept up to date. We do not need to update the local firewall because it queries the directory server.
Certificate authentication
With most firewalls you can use a publicly signed certificate or a self signed certificate for firewall authentication. If a firewall is public facing, reachable by anyone from the outside world, it should be set up with a publicly recognised certificate to authenticate itself to anonymous users. A publicly recognised certificate is issued by a certificate authority such as VeriSign, Go Daddy or Thawte; these authorities are known to common browsers such as Internet Explorer and Mozilla Firefox and so are automatically trusted.
However, if a firewall is authenticating itself to known clients which are under its control, it can easily be configured with a self signed certificate. A self signed certificate is freely issued by the vendor of the firewall, and because you are in control of the clients you can install the related certificate in the client browsers. You need to do this because browsers do not trust this certificate by default, as it is self signed. You can deploy certificates to many client systems at once using Active Directory group policy or something similar. A common use case here is SSL VPN users. As SSL VPN is a secure browser based application, you can use self signed certificates, which prevents the error page stating “The security certificate presented by this website was not issued by a trusted certificate authority”.
Two Factor Authentication
Two factor authentication refers to requiring two different factors in order to authenticate before you are allowed access. It is usually in the form of something you know (a password) and something you have (a software or hardware token). It can also optionally be something you are (a fingerprint). A very common method is to configure your firewall to require authentication using a hardware token as well as your personal password. In an SSL VPN scenario you would log in to the SSL portal with your personal password as well as the 6 digit number displayed on your hardware token. Without the combination of the two you will not be allowed access. This gives far better security than relying on a single password; after all, if someone did steal your password they would have access to your company’s corporate network. There are a number of two factor authentication vendors, such as RSA, CryptoCard and more, which can be integrated with most firewalls.
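As an added example (not code from the original article), here is how the check described above can be implemented on the verifying side: a login succeeds only when both the password and the 6-digit time-based token code are correct. The user record, salt and password are constructed for the example, and the token seed is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data standing in for the firewall's user database:
# a salted PBKDF2 password hash per user plus the seed shared with the
# user's token. The seed is the RFC 6238 test secret, so the codes this
# produces can be checked against the RFC's published vectors.
TOKEN_SEED = b"12345678901234567890"
SALT = b"constructed-example-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": {"pw_hash": hash_password("correct horse"), "seed": TOKEN_SEED}}


def totp_code(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The 6-digit code a time-based token displays (RFC 6238, HMAC-SHA1):
    HMAC over the 30-second counter, dynamically truncated to `digits`."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(username: str, password: str, code: str, now=None, window: int = 1) -> bool:
    """Accept only when BOTH factors are correct. The code may match the
    current step or `window` adjacent steps, to tolerate clock skew between
    the token and the firewall. Both checks always run and every comparison
    is constant-time, so the response does not reveal which factor failed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password)  # same cost for unknown users
        return False
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    matches = [hmac.compare_digest(totp_code(user["seed"], now + d * 30).encode(), code.encode())
               for d in range(-window, window + 1)]
    return pw_ok and any(matches)
```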
Single sign on
Single sign on ensures a user is transparently authenticated to a firewall without having to log in manually. An example of a firewall integrated with Active Directory: when a user logs in to the network, a firewall agent polls this logon information from Active Directory and forwards it to the firewall. So when a user hits a policy for which the firewall requires authentication, the firewall knows this user is already authenticated to the network. It then decides whether the user is allowed access or not depending on who the user is. If the user is allowed access, the firewall lets them reach the required resources without the end user noticing anything. So the user has authenticated without having to specify a password again manually.