High Availability Firewalls (Active/Active or Active/Passive)
A firewall high availability option lets you install two firewalls in the same network with a failover feature. To achieve this, you need to install two firewalls with the same configuration and the same software and firmware updates. In this arrangement, at any time one firewall is online and the other is in standby mode. When the online firewall goes down, the standby firewall automatically takes over and continues to provide the firewall service. This second firewall handles the traffic until the first firewall resumes its duty. When the first (master) firewall comes online again, the second firewall automatically returns to standby mode. This process is known as firewall failover handling or firewall clustering.
In a high availability or firewall clustering configuration, both firewalls share the same IP address; one is online and the other is in standby mode. The online firewall becomes the primary firewall and the standby firewall becomes the secondary firewall. This primary and secondary relationship is dynamic, because either the first or the second firewall can be the primary as well as the secondary. Whichever role they hold, they are in a failover configuration, so either firewall can take over the process at any time.
As I mentioned earlier, in a failover-configured network the secondary or standby firewall always monitors the status of the primary or online firewall. If it detects that the primary firewall is no longer active, the standby firewall becomes the primary firewall. When the failover occurs, the standby firewall takes over the duties of the active firewall and will handover
www.firewalltips.bloggspot.com
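The active/standby monitoring described above, as an added example that is not part of the original post: a small Python model of the standby unit's heartbeat logic, including failover after missed heartbeats, preemption when the master returns, and the page's requirement that both units run identical configuration and software, enforced here as a pairing check. The three-miss threshold, the node names and the sample policy set are assumptions.

```python
import hashlib
import json

FAILOVER_AFTER = 3  # consecutive missed heartbeats before the standby takes over (assumption)

def config_fingerprint(config: dict, software: str) -> str:
    """Hash of the policy configuration plus software/firmware version.

    Both units must run the same configuration and the same software updates;
    comparing fingerprints enforces that before the two units pair up.
    """
    blob = json.dumps({"cfg": config, "sw": software}, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

class ClusterNode:
    def __init__(self, name: str, config: dict, software: str, preferred_master: bool):
        self.name = name
        self.fingerprint = config_fingerprint(config, software)
        self.preferred_master = preferred_master
        self.state = "active" if preferred_master else "standby"
        self.missed = 0  # consecutive heartbeat intervals without a reply from the peer

    def can_pair_with(self, peer: "ClusterNode") -> bool:
        """Refuse to cluster with a unit whose config or software differs."""
        return self.fingerprint == peer.fingerprint

    def observe_peer(self, peer_alive: bool) -> str:
        """Process one heartbeat interval's view of the peer; return the new state."""
        if peer_alive:
            self.missed = 0
            # The master is back online: a standby that took over yields (preemption).
            if self.state == "active" and not self.preferred_master:
                self.state = "standby"
        else:
            self.missed += 1
            if self.state == "standby" and self.missed >= FAILOVER_AFTER:
                self.state = "active"  # failover: the standby becomes the primary
        return self.state

def simulate(primary_alive: list) -> list:
    """Run the standby unit through a constructed sequence of master-alive observations."""
    cfg = {"policies": ["allow-web", "deny-all"]}  # constructed sample policy set
    master = ClusterNode("fw1", cfg, "12.3", preferred_master=True)
    standby = ClusterNode("fw2", cfg, "12.3", preferred_master=False)
    if not standby.can_pair_with(master):
        raise RuntimeError("configuration or software mismatch; refusing to form the cluster")
    return [standby.observe_peer(alive) for alive in primary_alive]
```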
Firewall Authentication Methods
Most firewalls can support more than one authentication server, such as:
• Internal firewall database
• RADIUS
• SecurID
• VASCO
• Generic LDAP (Lightweight Directory Access Protocol)
• Active Directory
Further, if you use an authentication server, the firewall must be able to reach the authentication server. That is the main requirement for configuring it correctly.
Use the Firewall Authentication Server
Most firewalls can maintain their own user credential database. Therefore there is no need for a separate authentication server, although, depending on your needs, you can implement a separate secondary database. To implement the firewall authentication server, follow these steps:
• Divide your company into groups according to the tasks people do and the information they need
• Create users for the groups
• Assign groups and users to policies
Third-party Authentication Servers
The procedure to configure the device to use a third-party authentication server is similar for each of the supported server types. Before you configure your authentication server:
• You must have the configuration information for your server, such as the server port, IP address, and shared secret. If you use Active Directory or LDAP, you must also know the group membership attribute and the Distinguished Name (DN) of the Organizational Unit (OU) that contains the user accounts.
• If one is available, you can configure the device with a backup authentication server to contact if it cannot connect to the primary authentication server.
• The device must be able to connect to the authentication server(s).
RADIUS Authentication Servers
Remote Authentication Dial-In User Service (RADIUS) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.
The authentication messages to and from the RADIUS server always use an authentication key. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, hackers cannot decrypt the authentication messages. Note that RADIUS sends a key, and not the password the user typed, during authentication. For web and MUVPN authentication, RADIUS supports only PAP (not CHAP) authentication. For authentication with PPTP, RADIUS supports only MSCHAPv2. To use RADIUS server authentication with the firewall device, you must:
• Add the IP address of the device to the RADIUS server, as described in the RADIUS vendor documentation.
• Enable and specify the RADIUS server in your device configuration.
• Add RADIUS user names or group names to the policies in Policy Manager.
VASCO server authentication also uses the RADIUS configuration user interface.
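The shared-secret mechanism described above, as an added example that is not part of the original post: the RFC 2865 User-Password hiding that a RADIUS client applies for PAP, written in Python, together with the server-side reversal so you can see why client and server must hold the same secret. The secret, password and authenticator values are constructed for illustration.

```python
import hashlib
import os

# RFC 2865 section 5.2: the User-Password attribute is hidden by XORing each
# 16-byte block of the padded password with an MD5 chain keyed on the shared
# secret and the 16-byte Request Authenticator of the Access-Request.

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to p1..pN
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()            # b_i = MD5(S + c_(i-1))
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password; only works with the matching secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def demo() -> dict:
    # Constructed sample values; a real client draws a fresh random authenticator per request.
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)
    password = b"correct horse battery staple"  # 28 bytes -> two 16-byte blocks
    hidden = hide_user_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "recovered": reveal_user_password(hidden, secret, authenticator),
        "wrong_secret": reveal_user_password(hidden, b"other-secret", authenticator),
    }
```

Only the User-Password attribute is protected this way, and the protection is an MD5 keystream derived from the shared secret and the per-request authenticator, so the secret must be long and random and the RADIUS traffic should itself be carried over a protected path (IPsec or RadSec) where the deployment allows it.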
SecurID Authentication Servers
To use SecurID authentication, you must configure both the RADIUS and ACE/Server servers correctly. Each user must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID instructions for more information.
LDAP Authentication Servers
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users to the device. LDAP is an open standard protocol for using online directory services, and it operates with Internet transport protocols such as TCP. Before you configure your device for LDAP authentication, make sure you check your LDAP vendor documentation to see if your installation -sensitive attributes.
When you configure the device to use LDAP authentication, you must set a search base to limit the server directories in which the device searches for an authentication match. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name appearing after the dot. For example, if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search base is: ou=accounts,dc=example,dc=com.
Active Directory Authentication Servers
Configuring the device to use Active Directory authentication is similar to the process for LDAP authentication. You must set a search base to limit the server directories in which the device searches for an authentication match. The standard format for the search base setting is the same as the LDAP format. You can add multiple Active Directory domains for user authentication, and add a primary and a backup Active Directory server for each domain.
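The search base format described in the LDAP section and reused here for Active Directory, as an added example that is not part of the original post: a Python helper that builds the ou=...,dc=...,dc=... string from an OU path and a DNS domain, validating the domain labels and escaping RDN values per RFC 4514 so an OU name containing "," or "=" cannot widen the search base beyond the intended subtree. The function names and the sample OU names are assumptions.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_SPECIALS = set(',+"\\<>;=')
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 hex-pair form)."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        elif ch == " " and i in (0, last):
            out.append("\\20")  # leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\23")  # leading '#' must be escaped
        else:
            out.append(ch)
    return "".join(out)

def build_search_base(ous, domain: str) -> str:
    """Return 'ou=...,dc=...,dc=...' for an OU path and a DNS domain.

    `ous` lists OUs from the innermost (the one holding the accounts) outward,
    so ["accounts"] with "example.com" gives ou=accounts,dc=example,dc=com,
    matching the format the page describes.
    """
    labels = domain.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lab) for lab in labels):
        raise ValueError("domain must be a DNS name with at least two labels: %r" % domain)
    parts = ["ou=%s" % escape_rdn_value(ou) for ou in ous]
    parts += ["dc=%s" % lab for lab in labels]
    return ",".join(parts)
```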
If you use Active Directory for your authentication server, you can also configure Single Sign-On (SSO). SSO is a method of network access control that allows a user to enter credentials once to gain access to many resources.
Users log in to the Windows domain controller, which then passes the credentials to the SSO Agent. The device automatically sends authentication requests to the SSO Agent when users try to connect to resources outside their own network.