Summary of Contents for Silicon Graphics Gauntlet
Gauntlet™ for IRIX™ Administrator’s Guide
Document Number 007-2826-004...
Mountain View, CA 94043-1389. Silicon Graphics and the Silicon Graphics logo are registered trademarks, and IRIX and InPerson are trademarks, of Silicon Graphics, Inc. Gauntlet and the TIS logo are trademarks of Trusted Information Systems, Inc. Netscape Navigator and Netscape Proxy Server are trademarks of Netscape Communications Corporation.
  Mailing Lists xxiii
  Frequently Asked Questions Lists xxiv
  White Papers xxiv
  How to Get Latest Security Patches xxv
PART I Understanding the Gauntlet Internet Firewall
Understanding the Gauntlet Firewall 3
  Understanding Gauntlet Firewall Concepts 3
  Design Philosophy 3
  Security Perimeter 4
...
  How a Firewall Works 10
  Dual-Homed Bastion Host 12
  Processing Packets and Requests 14
PART II Configuring and Using Proxies
Managing SMTP Services 19
  Understanding the Proxy 19
  How It Works 20
  Configuring the Firewall for SMTP 20
  Planning 21
  Configuring the Firewall 21
  Configuring Network Services 22
  Configuring the Proxy Rules 22
...
Managing Terminal Services 31
  Understanding the Proxies 31
  How the Proxies Work 32
  Using the TELNET and Rlogin Proxies Without Network Access Control 33
  Configuring the Firewall for Terminal Services 33
  Planning 33
  Configuring the Firewall 34
  Configuring Network Services 34
  Configuring the Proxy Rules 34
  Creating Authentication User Entries 35
  Verifying Your Setup 35
...
Managing Rsh Services 47
  Understanding the Rsh Proxy 47
  How It Works 48
  Configuring the Firewall for Rsh Services 48
  Planning 48
  Configuring Network Services 48
  Configuring the Proxy Rules 49
  Verifying Your Setup 49
  Using Rsh Services 49
  Configuring the Remote Machine 49
Managing Gopher and WWW Services 51
  Understanding the Proxy 51
...
Managing RealAudio Services 61
  Understanding the RealAudio Proxy 61
  How It Works 62
  Configuring the Firewall to Use the RealAudio Proxy 62
  Planning 63
  Configuring Network Services 63
  Configuring the Proxy Rules 63
  Verifying Your Setup 63
  Using the RealAudio Proxy 63
  To configure the RealAudio player: 64
Managing MediaBase Services 65
  Understanding the MediaBase Proxy 65
...
  Configuring Network Services 81
  Configuring the Proxy Rules 81
  Configuring Sybase Clients 82
  Verifying Your Setup 82
PART III Administering General Gauntlet Firewall Services
Managing NNTP and General TCP Services 85
  Understanding the Proxy 86
  How It Works 87
...
  Configuring the Firewall for NNTP 87
  Planning 87
  Configuring the Firewall 88
  Configuring Network Services 88
  Configuring the Proxy Rules 88
  Informing Your News Feed 88
  Configuring Your News Server 88
  Verifying Your Setup 89
  Using NNTP 89
  Configuring the Firewall for Other Protocols 89
  Planning 89
  Configuring Network Services 90
  Configuring the Proxy Rules 90
...
The Graphical Management Interface 115
  First Time User Tips 116
  Help Links 116
  Hide and Unhide Buttons 116
  Gauntlet Default Settings 117
  When to Use Configure All 117
  Using the Gauntlet Management Interface 117
  Configuring Gauntlet Locally 118
  Introductory Management Form 118
...
  Proxy Servers Configuration Form 131
  Remote (Network) Connections 131
  Enabling Transparent Proxies 132
  Enabling Individual Proxy Services 132
  Domain Name Service (DNS) and Gauntlet 139
  DNS Configuration Form 140
  Configuring Fully Populated DNS Server 140
  Configuring a Split DNS Server 142
...
Managing User Authentication 173
  Understanding the User Authentication Management System 173
  How the Firewall Uses This Information 174
  How Other Services Use This Information 174
  The Pieces 175
  Understanding Strong Authentication 176
  Access Key II 176
  APOP 176
  SecurID 177
  EnigmaLogic SafeWord 177
  S/Key 177
  Reusable Passwords 177
...
Using the Login Shell 189
  Understanding the Login Shell Program 189
  How It Works 189
  Configuring the Firewall to Use the Login Shell Program 190
  Planning 190
  Enabling Remote Login 190
  Adding Support for the Login Shell 190
  Creating User Accounts 191
  Configuring the Proxy Rules 191
  Configuring the Shell 191
  Creating User Authentication Records 192
...
  Protecting the Integrity Database 205
  Verifying System Integrity 205
  Understanding the Results 205
PART IV Appendixes
Gauntlet System Files 209
  Viewing the Gauntlet File List 209
Netperm Table 215
  Policy Rules 215
  Application-Specific Rules 216
  Proxies 216
  Applications 217
  Using This Information 217
...
  How It Works 273
  Encrypting the Data 273
  Decrypting the Data 273
  Routing the Packet 274
Configuring SSL on the Gauntlet Firewall 275
  Getting Ready for SSL Configuration 275
  SSL Configuration Procedure 276
  Supplementary Instructions for Generating a Key Pair 277
...
  Figure 17-1 Hide Button 116
  Figure 17-2 Unhide Button 117
  Figure 17-3 Gauntlet Introductory Management Form (1 of 3) 120
  Figure 17-4 Gauntlet Introductory Management Form (2 of 3) 121
  Gauntlet Introductory Management Form (3 of 3) 122
...
List of Figures
  Figure 17-22 Authorizing Users Form 165
  Figure 17-23 Add User Form 166
  Figure 17-24 User Authentication 167
  Figure C-1 Yoyodyne Virtual Private Network 270
• Chapter 2, “Managing SMTP Services,” explains what the SMTP proxy does and how it works. It presents instructions for configuring the Gauntlet firewall, as well as required and potential configuration steps for mail applications.
• Chapter 3, “Managing POP3 Services,” explains what the POP3 proxy does and how it works.
• Chapter 10, “Managing X Window Services,” explains what the X11 proxy does and how it works. It presents instructions for configuring the Gauntlet firewall, as well as required and potential configuration steps for the X11 applications.
...
• Chapter 19, “Using the Login Shell,” explains what the login shell does and how it works. It presents instructions for configuring the Gauntlet firewall for more secure access.
• Chapter 20, “Logging and Reporting,” explains how the system logs activity. It explains the different types of reports, how to configure them, and how to interpret...
About This Guide
• Appendix D, “Configuring SSL on the Gauntlet Firewall,” explains the Secure Sockets Layer protocol and how to configure it to protect remote administration sessions of the Gauntlet firewall.
The Glossary presents definitions of terms used in this document.
Installation and System Requirements
Refer to the release notes with your Gauntlet firewall product for information regarding software and hardware requirements as well as installation information.
Additional Resources
This collection of resources is presented as a starting point for your information. It is not an endorsement of any of the products or organizations.
Frequently Asked Questions Lists
The Internet Firewalls Frequently Asked Questions list is maintained by Marcus J. Ranum and located at: http://www.v-one.com/pubs/fw-faq/faq.htm
White Papers
Application Gateways and Filtering Gateway: A Comparison of Firewall Designs. Avolio, Frederick M. and Sebes, J. Data Security Letter, Number 59. http://www.tis.com/Home/NetworkSecurity/Firewalls/FWComp.html
Firewalls Are Not Enough. Avolio, Frederick M.
How to Get Latest Security Patches
The CD-ROM containing the Gauntlet firewall software contains necessary security patches (if any) at the time of product release, so be sure to install those patches. Stay in touch with the WWW site for Silicon Graphics Security Headquarters at http://www.sgi.com/Support/Secur/security.html for new security patches and...
If the paragraph above does not make any sense, do not despair. This chapter provides an overview of the Gauntlet Firewall and how it works. However, it is not a thorough discussion of firewalls or security practices. Consult “Additional Resources” on page xxiii for a list of other resources that provide excellent introductory and advanced discussions of firewalls.
Gauntlet firewall is provided so anyone can examine and confirm the program's operation. They are also examinable by any Gauntlet customer, not hidden away in some sort of black box. The security of the Gauntlet Internet firewall does not depend on secret algorithms or source code.
Trusted Networks
Trusted networks are the networks inside your security perimeter. Trusted networks are usually the ones that you are trying to protect. Often, you or someone in your organization administers the machines on these networks. Your organization controls the security measures for these networks.
Internet are now unknown networks and cannot pass requests through the firewall.
Policy
Just as you have a general security policy for your organization, the Gauntlet Internet Firewall uses policies to summarize its rules. The policies are collections of rules about what the firewall can and cannot do in particular situations.
118 for information on minimizing exposure while implementing the Gauntlet software.) All known security holes are patched as of the release of the Gauntlet product (refer to “How to Get Latest Security Patches” on page xxv for information on security patches.) As part of the firewall, the operating system has been tailored to provide...
Application-Level Security Services (Proxies)
The software on the Gauntlet firewall includes security services on a per-application protocol basis. As noted above, all packets, and therefore all application requests, go to the firewall. On the firewall, proxy software relays information from one side of the firewall to the other.
(for example, address and protocol) and processes or rejects the packets. It detects spoofed packets claiming to be from one network that are actually from another network. This software also allows Gauntlet to be transparent to your users for most activities.
Management Utilities
In addition, the Gauntlet firewall also contains several programs that ease the job of...
Consider a company, Yoyodyne, that has a connection to the Internet via an Internet service provider (ISP). They have installed a Gauntlet Internet Firewall to protect their corporate network (yoyodyne.com) from all other hosts on the Internet. They are using...
The Yoyodyne network is first separated from the rest of the Internet by a router. The router only passes traffic from the Internet to the Gauntlet firewall when that traffic is bound for some part of the Yoyodyne internal network. More sophisticated routers can additionally strengthen a company's security perimeter by implementing certain security functions such as “IP spoofing filters”.
The firewall is helping to establish a security perimeter to protect the internal network. It screens all requests that need to pass from one side of the firewall to the other. Using rules Yoyodyne created based on their security policies, the firewall determines whether to accept or pass requests through (at the application level) to the other side.
How a Firewall Works
[Figure 1-2 Dual-Homed Bastion Host: Internet - Router - Gauntlet Internet Firewall (ec0 outside, ec1 inside) - Internal network]
All outside network traffic enters and exits the firewall through one network interface, such as ec0. Similarly, all inside network traffic enters and exits through a network interface, such as ec1.
Note: You can also use two firewalls to create a virtual private network (or a virtual network perimeter), exchanging encrypted information across an untrusted network. Because of United States government export regulations, this feature is generally not available outside the United States and Canada.
proxy configured to accept a packet, the firewall drops the packet and logs the failed access. Next, the firewall examines the source address of the packet and the interface on which it received the packet. This process verifies the information against configuration tables, which prevents the firewall from accepting IP spoofed packets.
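The source-address/arriving-interface check described above, worked through as an added Python illustration. This is not Gauntlet code and does not read its configuration tables: the interface table (ec0 outside, ec1 inside, as in Figure 1-2), the trusted prefix 10.0.1.0/24 and the sample packets are all constructed for the example.

```python
"""Source-address vs. arriving-interface check for a dual-homed bastion host.

Added illustration, not Gauntlet code. The interface table (ec0 outside,
ec1 inside), the trusted prefix 10.0.1.0/24 and the sample packets are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed layout from Figure 1-2: ec0 faces the Internet, ec1 faces the
# trusted network. Only the inside interface carries trusted prefixes.
INTERFACES = {
    "ec0": {"role": "outside", "networks": ()},
    "ec1": {"role": "inside", "networks": (ipaddress.ip_network("10.0.1.0/24"),)},
}

# Source addresses that are never legitimate on a wire-facing interface.
BOGONS = (ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8"))


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # claimed source address
    dst: str


def is_trusted_addr(addr: ipaddress.IPv4Address) -> bool:
    """True if addr belongs to a prefix configured on an inside interface."""
    return any(addr in net for entry in INTERFACES.values() for net in entry["networks"])


def classify(pkt: Packet) -> str:
    """Return 'ok', or the reason the packet is rejected as spoofed."""
    if pkt.iface not in INTERFACES:
        return "unknown-interface"
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGONS):
        return "bogon-source"
    role = INTERFACES[pkt.iface]["role"]
    trusted = is_trusted_addr(src)
    if role == "outside" and trusted:
        # A trusted address arriving from the Internet side is the classic spoof.
        return "spoofed-internal-source"
    if role == "inside" and not trusted:
        # An outside address arriving on the inside interface is just as wrong.
        return "foreign-source-on-inside"
    return "ok"


if __name__ == "__main__":
    samples = [
        Packet("ec0", "192.0.2.10", "10.0.1.3"),   # legitimate outside client
        Packet("ec0", "10.0.1.7", "10.0.1.3"),     # spoofed: inside address from outside
        Packet("ec1", "10.0.1.7", "192.0.2.10"),   # legitimate inside client
        Packet("ec1", "192.0.2.10", "10.0.1.3"),   # wrong side of the firewall
    ]
    for p in samples:
        print(f"{p.iface} {p.src:>12} -> {p.dst:<12} {classify(p)}")
```

The check is symmetric on purpose: an outside address arriving on the inside interface is rejected as well, since it indicates either a routing mistake or an attacker inside the perimeter. The upstream router's “IP spoofing filters” mentioned earlier perform the same test one hop further out.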
documents. Requesting applications think they are talking to an actual server, not a proxy. The proxies also check to determine if the request is permitted for the destination. For some services, the proxies can perform the additional step of authenticating the user.
Our design philosophy of reductionism frowns upon the direct use of sendmail as a critical security component of the Gauntlet Firewall. The Gauntlet Firewall includes a two-part proxy that securely handles the transfer of SMTP mail between the inside and outside networks.
(mail.yoyodyne.com), in which case sendmail will transfer the mail to the mail hub using SMTP.
Configuring the Firewall for SMTP
Configuring the Gauntlet firewall involves planning, configuring the firewall, configuring the proxies to enforce your policy, advertising your mail exchanger, and configuring your internal mail hub.
Configuring the Firewall
If you wish to allow SMTP traffic through the firewall, configure the firewall using the gauntlet-admin interface. The interface stores this information using configmail in conjunction with the auto-configuring version of the sendmail.cf configuration file. To configure the firewall for SMTP, follow these steps:
1.
You do not need to modify the IRIX configuration files on the firewall to support SMTP traffic. This is a standard service, and you can use gauntlet-admin to modify the configuration files. If you need to, you can instruct gauntlet-admin to not make modifications so you can make the customizations for your site.
    Mail -v bouncer@bbnplanet.com
    Subject: Test
    This is a test.

The verbose mode ensures that you see the details of the delivery. The bouncer service sends you a return message shortly.
The POP3 proxy included with the Gauntlet Firewall allows administrators to selectively allow outside hosts to exchange mail with a POP3 mail server through the firewall. The POP3 server must use APOP for authenticating the user.
POP3 servers outside the perimeter. However, in most security policies (including the Gauntlet Firewall default), this is not considered a good idea. The POP3 proxy assumes that the SMTP proxy has already checked the formatting in the headers of incoming mail messages.
Configuring the Proxy Rules
If you are using the Gauntlet Firewall default configuration, you need to modify the proxy rules for POP3 services. This involves accessing the gauntlet-admin Proxies form, where you can enter the name of the destination POP3 server and modify the timeout value if you desire.
Setting APOP Passwords on the Firewall
Use the authentication management system to add users to the Gauntlet user authentication database for any users who need to authenticate when using POP3 services. See Chapter 18, “Creating Users” on page 181 for details.
Figure 3-1 Eudora Pro Configuration for APOP
John, working on his laptop (cavalier.yoyodyne.com) at home, configures his mail reader to connect to the firewall (firewall.yoyodyne.com) to get his mail. Next, John retrieves his mail. As part of the connection, the proxy requests authentication information from the user agent, which prompts him.
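The APOP challenge/response that the proxy relays in the exchange above, worked through with both sides' messages as an added Python example. It implements the RFC 1939 mechanism and is not Gauntlet code; the host name, user and shared secret are constructed, and the RFC's own published test vector is used to confirm the digest computation.

```python
"""APOP challenge/response (RFC 1939, section 7) with both sides' messages.

Added example, not Gauntlet code. The host, user and shared secret are
constructed; the digest is checked against the RFC's published vector.
"""
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, Optional, Tuple

MSG_ID_RE = re.compile(r"<[^<>]+@[^<>]+>")


def server_greeting(host: str, clock: Optional[int] = None, nonce: Optional[int] = None) -> str:
    """+OK banner carrying the one-time msg-id the client must hash.
    The msg-id must never repeat, or a sniffed digest can simply be replayed."""
    clock = int(time.time()) if clock is None else clock
    nonce = secrets.randbits(32) if nonce is None else nonce
    return f"+OK POP3 server ready <{nonce}.{clock}@{host}>"


def extract_challenge(greeting: str) -> str:
    """The msg-id including its angle brackets; no msg-id means APOP is not offered."""
    m = MSG_ID_RE.search(greeting)
    if m is None:
        raise ValueError("server did not offer APOP")
    return m.group(0)


def apop_digest(challenge: str, secret: str) -> str:
    # RFC 1939: MD5 over the msg-id (brackets included) concatenated with the secret.
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def client_command(user: str, secret: str, greeting: str) -> str:
    return f"APOP {user} {apop_digest(extract_challenge(greeting), secret)}"


def server_verify(command: str, challenge: str, secrets_db: Dict[str, str]) -> str:
    """Server side: recompute the digest for this session's challenge and compare."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP":
        return "-ERR malformed APOP command"
    user, digest = parts[1], parts[2].lower()
    secret = secrets_db.get(user)
    # One error text for unknown user and bad digest, so user names cannot be enumerated.
    if secret is None or not hmac.compare_digest(apop_digest(challenge, secret), digest):
        return "-ERR authentication failed"
    return f"+OK maildrop for {user} unlocked"


def exchange(user: str, secret: str, secrets_db: Dict[str, str],
             host: str = "firewall.yoyodyne.com", clock: int = 0, nonce: int = 1) -> Tuple[str, str, str]:
    """Run one session and return (server greeting, client command, server reply)."""
    greeting = server_greeting(host, clock, nonce)
    challenge = extract_challenge(greeting)
    command = client_command(user, secret, greeting)
    return greeting, command, server_verify(command, challenge, secrets_db)


if __name__ == "__main__":
    db = {"john": "constructed-secret"}   # constructed user/secret pair
    for line in exchange("john", "constructed-secret", db):
        print(line)
```

APOP keeps the reusable password off the wire, which is why the proxy insists on it, but the server must hold the secret in clear and an eavesdropper who captures one exchange can brute-force weak secrets offline against the MD5 digest. Choosing long secrets and never reusing a msg-id are the two things that keep the scheme useful.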
Terminal service access to other computers can be a vital part of many network activities. The TELNET and rlogin protocols are used for making these terminal connections, and they are not without risk. The Gauntlet Firewall includes proxies for both the TELNET and rlogin protocols, which securely handle terminal services between the inside and outside networks.
Used together, these access controls and log files allow you to have much more control over the connections to and from your system than you have when you use the standard IRIX TELNET and rlogin programs. Note that you can use the TELNET proxy without the rlogin proxy, or rlogin without TELNET.
Configuring the Firewall for Terminal Services
Configuring the Gauntlet firewall involves planning, configuring the firewall, indicating which daemons the system will run, configuring the proxies to enforce your policy, and adding the users who will need to authenticate to the Gauntlet user authentication database.
Planning
1.
TELNET or rlogin traffic.
Configuring the Proxy Rules
If you are using the Gauntlet Firewall default configuration, you do not need to modify the proxy rules for TELNET, rlogin and TN3270 services. If you have chosen different welcome or other messages, you must modify /usr/gauntlet/config/template.netperm-table to reflect your configuration.
Creating Authentication User Entries
Use the authentication management system to add users to the Gauntlet user authentication database for any users who need to authenticate when using TELNET and rlogin services. See Chapter 18, “Creating Users” on page 181 for more information.
TELNET and Rlogin With Authentication
If you have configured any terminal services to require authentication, users must follow different procedures to use TELNET or rlogin. For example, to TELNET using authentication, follow these steps:
1. TELNET to the firewall itself.
2.
In this example, Scooter, working at a client site (blaze.clientsite.com), needs TELNET access to the dimension.yoyodyne.com system behind the firewall. He first telnets to the firewall for Yoyodyne (firewall.yoyodyne.com). The TELNET proxy on firewall prompts him to authenticate. Scooter provides his authentication user ID (scooter). When the proxy prompts, he enters the response to the authentication challenge.
Sometimes the easiest way to transfer information from one machine to another is to actually transfer the relevant files. The file transfer protocol (FTP) is one of several protocols that make this possible. The Gauntlet firewall includes a proxy that securely allows the transfer of files between trusted and untrusted networks.
The default policy does not allow either inside or outside hosts to FTP directly to the firewall itself. If you configure your Gauntlet firewall to allow anonymous FTP to the firewall, hosts connect to the firewall with an FTP request. The firewall starts the netacl daemon.
Configuring the Proxy Rules
If you are using the Gauntlet Firewall default configuration, you do not need to modify the proxy rules for FTP services. Use the gauntlet-admin Proxies form if you want to enable FTP or anonymous FTP. If you have chosen a different denial message, you must modify /usr/gauntlet/config/template.netperm-table to reflect your configuration.
Verifying Your Setup
Verify your configuration by transferring files to an inside host from an outside host. For example, connect to your favorite FTP site and download their README file. See the section below for instructions.
Using FTP Services
The idea behind the FTP proxy is that most users working on the trusted networks behind the firewall will not see a change in their daily FTP activities.
    ftp> user clancy@dimension
    331- (-----GATEWAY CONNECTED TO dimension----)
    331- (220 dimension FTP server ready.)
    331 Password required for clancy.
    Password: #########
    230 User clancy logged in.
    ftp>

In this example, the user Clancy, working at a client site (blaze.clientsite.com), needs FTP access to a machine behind the firewall (dimension.yoyodyne.com).
Gauntlet for IRIX allows you to run the standard IRIX FTP server (ftpd) in an isolated chrooted environment as an anonymous FTP server (but you give up the ability to allow authenticated users from untrusted networks to use ftp-gw to access trusted networks).
• Use checksums to watch for file changes.
• Back up frequently.
You can also use the Info Server included with the Gauntlet firewall as an anonymous FTP server on the firewall itself. See “FTP Server” on page 102 for more information.
The Rsh service allows users to do this. The Rsh program is not without risks: it runs programs on another machine and requires some privileges to log in. The Gauntlet firewall includes a proxy that securely handles the execution of Rsh requests from machines inside the network to machines outside the network.
Rsh requests.
Configuring the Firewall for Rsh Services
Configuring the Gauntlet firewall involves planning, indicating which daemons the system will run, configuring the Rsh proxy to enforce your policy, turning on the proxy, and rebooting your firewall.
Configuring the Proxy Rules
Configure the Rsh proxy to enforce your security policies. This involves modifying /usr/local/etc/netperm-table. See Appendix B for more information on rsh-gw options, netperm-table options, and order of precedence. To configure the netperm-table:
1.
For example, Penny, who works at Yoyodyne, needs to execute something remotely using her account at Big University. She adds a line to the .rhosts file in her account at Big University: penny@fire-out.yoyodyne.com...
file transfer mechanisms and require logging and access control consistent with FTP and terminal services. The HTTP proxy and authenticating HTTP proxy included with the Gauntlet Firewall securely handle requests for information via hypertext, Gopher, and file transfer. The proxy supports hypertext transfer via the HTTP, SHTTP, and SSL protocols; Gopher transfer via Gopher and Gopher+ protocols;...
The proxies log all successful and unsuccessful connection attempts, and the amount of data transferred. The Gauntlet authenticating HTTP proxy works in conjunction with the HTTP proxy to authenticate users. Using the authenticating HTTP proxy, you can configure the proxy to allow connections based on username.
If the host has permission, ahttp-gw prompts the user to authenticate. It verifies the information with the Gauntlet authentication database. If the user provided proper authentication, ahttp-gw passes processing over to the HTTP proxy.
firewall calls the SSL plug proxy for all requests on port 443.
Configuring the Firewall for WWW and Gopher Services
Configuring the Gauntlet firewall involves planning, indicating which daemons the system will run, and configuring the proxies to enforce your policy.
Planning
1.
SHTTP, SSL, Gopher, or FTP.
Configuring the Proxy Rules
If you are using the Gauntlet Firewall default configuration, you do not need to modify the proxy rules for HTTP and Gopher services. If you have chosen other options, you must modify /usr/gauntlet/config/template.netperm-table to reflect your configuration. See Appendix B for more information on http-gw options, netperm-table options, and order of precedence.
If you are using the authenticating HTTP proxy, users must use a proxy-aware browser. It must support persistent connections if you wish to use strong authentication. Once you have configured their web browser, they are aware of the proxy because they must authenticate to access outside sites.
6. Specify the names of hosts for which you do not want to access the HTTP proxy in the No Proxy section. These are generally hosts on your trusted networks. These include:
• inside IP address of your firewall (if you plan to use the graphical user interface to configure your firewall)
•...
If you have configured the proxies to block certain types of services (for example, no Gopher services) or to block certain destinations (for example, no educational [.edu] sites), users do see your denial messages.
Accessing Web Services with Authentication
Once configured, users are aware of the proxy.
Using Gopher Services
The firewall configuration for the http-gw proxy for Gopher services is transparent to the user if transparent proxies have been enabled using gauntlet-admin. Users can continue to point their Gopher clients to Gopher servers as they did before.
• Use checksums to watch for file changes.
• Back up frequently.
You can also use the Info Server included with the Gauntlet firewall as a WWW server on the firewall itself. See Chapter 15, “Managing Information Services on the Firewall,” for more information.
files is not without risk, so they require logging and access control, as with other services. The RealAudio protocol allows people to play and listen to audio material. The Gauntlet Firewall includes a RealAudio proxy that securely handles requests to listen to audio data.
RealAudio requests access the proxy. There is no way to start the RealAudio server daemon needed to service RealAudio requests.
Configuring the Firewall to Use the RealAudio Proxy
Configuring the Gauntlet firewall involves planning, indicating which daemons the system will run, and configuring the RealAudio proxy to enforce your policy.
files on the Gauntlet firewall.
Configuring the Proxy Rules
If you are using the Gauntlet firewall default configuration, you do not need to modify the proxy rules for the RealAudio server. To enable the RealAudio server, use the gauntlet-admin Proxies form to enable the server.
If you are not using transparency, or you have not installed the proxy on the RealAudio default proxy port (1080), you need to configure your RealAudio player to know about the proxy and the other port. To configure the RealAudio player:
1.
MediaBase is a collection of multimedia and hypertext that allows users to select and play videos using their Web browser. The Gauntlet Firewall includes a MediaBase proxy that securely handles outside user requests to view video data on a MediaBase server inside the firewall.
MediaBase server on the firewall itself—there is no way to start a MediaBase server to accept such requests.
Configuring the Firewall to Use the MediaBase Proxy
Configuring the Gauntlet firewall involves planning, indicating which servers may be accessed, and configuring the MediaBase proxy to enforce your policy.
Planning
Determine which internal users and hosts can use MediaBase, and determine whether you want to run the MediaBase proxy.
Configuring the Proxy Rules
If you are using the Gauntlet firewall default configuration, you do not need to modify the proxy rules for the MediaBase server. To enable the MediaBase server, use the gauntlet-admin Proxies form to enable the server.
Most sites do not want to provide this sort of free access to their machines, but administrators recognize that these services can be useful. The X11 proxy included with the Gauntlet Firewall allows administrators to selectively allow X11 services through their firewall.
X requests and connections.
How the X11 Proxy Works
Unlike some of the other Gauntlet proxies, the firewall does not start the X11 proxy when it receives display requests. Instead, users must explicitly start the X11 proxy from either the TELNET or Rlogin proxy. The firewall denies all requests for services on the standard X port (6000).
TELNET and Rlogin proxies are the only programs that can start the X proxy, and they read their configuration information from the netperm-table file.
Configuring the Proxy Rules
To enable the X11 proxy for TELNET and Rlogin users, use the gauntlet-admin Proxies form. Alternatively, you may modify /usr/gauntlet/config/template.netperm-table to configure the X11 proxy to enforce more specific security policies.
Using X11 Services
Users need to follow slightly different procedures to use X11 services through a firewall. The minimal time needed for these additional steps is small compared with the time and money you would spend to recover after someone hijacks your display and thereby penetrates your security.
Clancy indicates he wants to start an X proxy. The firewall displays an X status window on Clancy’s display, showing the port (see Figure 10-1).
Figure 10-1 Example X Window Port Information
He then TELNETs to the client machine (blaze.clientsite.com).
    tn-gw>...
Figure 10-2 Example X Window Confirmation
Finally, Clancy views the results on his screen inside the firewall.
firewalls. Others might want to be able to print from a remote system, for example a mobile PC, to a printer behind a firewall. The Gauntlet Firewall includes an lp proxy that securely handles the transfer of print requests.
The default policy does not allow any hosts to print to the firewall.
Configuring the Firewall for lp Services
Configuring the Gauntlet firewall involves planning, indicating which daemons the system will run, and configuring the lp proxy to enforce your policy.
Configuring Network Services
To configure network services with gauntlet-admin, enable lp in the Proxies form, and modify the idle timeout if desired. You can use the gauntlet-admin Proxies form to create virtual queues on the firewall, which will be translated to the real servers and queues you specify.
Verifying Your Setup
Verify your configuration by printing a file from a host inside your firewall to a host outside your firewall. If you are configured to do so, print a file from a host outside your firewall to a host on the inside of your firewall.
Database services are essential in most organizations. As with other services you offer, you want to securely configure database access. Sybase is a relational database management system in use in many organizations. The Gauntlet firewall includes a proxy that securely allows connections between Sybase clients on the inside network and servers on the outside network.
You can configure the Sybase proxy to allow Sybase clients on untrusted hosts to access Sybase servers on your trusted networks. According to most security policies, including the Gauntlet firewall default, it’s not a good idea. If you must allow this sort of service, consider using client-side password encryption. Consider limiting the databases and data to which users have access as all of the data is transferred unencrypted.
Configuring Sybase Clients
Add or modify the interfaces file on the client (using a tool like sybinit or SQLEdit) to provide information about the Sybase server:
1. Specify the port number you selected for the Sybase proxy.
2.
The plug proxy included with the Gauntlet firewall allows administrators to tunnel NNTP-based news feeds through their firewall. The NNTP connections come from known sites (as opposed to the multitude of sites that may connect via SMTP to deliver mail).
Understanding the Proxy
The Gauntlet plug proxy is a TCP gateway that provides configurable access control and logging mechanisms. The plug proxy, which runs on the firewall, passes NNTP or other application requests through the firewall, using rules you supply. It essentially tunnels information from a port on the firewall to a specific port on another machine.
For example, the firewall runs an instance of the plug proxy on port 119 to handle NNTP requests if you have enabled NNTP from gauntlet-admin. When the plug proxy receives a request on its port, it checks its configuration information (in the netperm-table file) and determines whether the initiating host has...
Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support NNTP. This is a standard service, included in the default versions of these files on the Gauntlet Firewall. Configuring the Proxy Rules In most cases you do not need to modify the proxy rules for NNTP.
Note: If you have simple plug gateway needs, you can add custom plug gateways using the gauntlet-admin Proxies page. If you use that method, you may still need to modify /etc/services, but you do not need to modify /etc/init.d/network.local or /usr/gauntlet/config/template.netperm-table.
Configuring the Proxy Rules Configure the plug proxy to enforce your security policies. This involves modifying /usr/gauntlet/config/template.netperm-table. You may use the gauntlet-admin Proxies form. In the section called “Plug Gateways,” enter the source host, the firewall port, the destination host, and the destination port for each plug gateway.
Configuring Multiple Newsfeeds To configure the netperm-table file directly, follow these steps: 1. Create a plug proxy section for your service, specifying the inside host(s) that can use this service and the destination servers and ports:
qotd-gw: port qotd 10.0.1.* -desthost qotd.bigu.edu -destport qotd
This rule indicates that hosts on the inside 10.0.1.* network (and only those hosts) can send Quote of the Day requests to the server at Big University.
Chapter 13: Managing NNTP and General TCP Services For example, you have configured news.myisp.net as your primary news feed through the gauntlet-admin interface. To add support for a secondary news feed from news.bigu.edu (192.168.1.202) to your internal news machine news.yoyodyne.com (10.0.1.3), use the following lines in your netperm-table file:...
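The lookup the plug proxy performs (read the netperm-table, find the first rule for its port that matches the initiating host, tunnel to the configured destination), as an added example that is not Gauntlet's own code. The rule syntax follows the qotd-gw line shown above; the proxy name nntp-gw, the two news-feed rules for news.myisp.net and 192.168.1.202, the /etc/services subset and the first-matching-rule semantics are assumptions made for this illustration.

```python
"""Evaluate Gauntlet-style plug gateway rules from a netperm-table fragment.

Added example, not Gauntlet code.  Rule syntax follows the page's qotd-gw
line: <proxy>: port <svc> <source-pattern> -desthost <host> -destport <svc>.
The proxy name nntp-gw, the rules below, the services table and the
first-match semantics are assumptions for this illustration.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed /etc/services subset (the names the rules refer to).
SERVICES = {"nntp": 119, "qotd": 17}

# Constructed netperm-table fragment: primary feed from news.myisp.net,
# secondary feed from news.bigu.edu (192.168.1.202) to the inside news
# host 10.0.1.3, and the page's qotd-gw rule.
NETPERM_TABLE = """
# plug gateways
nntp-gw: port nntp news.myisp.net -desthost 10.0.1.3 -destport nntp
nntp-gw: port nntp 192.168.1.202 -desthost 10.0.1.3 -destport nntp
qotd-gw: port qotd 10.0.1.* -desthost qotd.bigu.edu -destport qotd
"""


def parse_rules(table: str) -> List[Dict[str, str]]:
    """Turn the table text into a list of rule dicts, in file order."""
    rules = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, _, rest = line.partition(":")
        tokens = rest.split()
        if len(tokens) < 3 or tokens[0] != "port":
            raise ValueError(f"unrecognized rule: {raw!r}")
        rule = {"proxy": name.strip(), "port": tokens[1], "source": tokens[2]}
        opts = tokens[3:]                         # -desthost X -destport Y ...
        for i in range(0, len(opts) - 1, 2):
            rule[opts[i].lstrip("-")] = opts[i + 1]
        rules.append(rule)
    return rules


def resolve_port(spec: str) -> int:
    """Accept a numeric port or a service name from the constructed table."""
    return int(spec) if spec.isdigit() else SERVICES[spec]


def plug_decision(rules: List[Dict[str, str]], proxy: str, listen_port: int,
                  source: str) -> Optional[Tuple[str, int]]:
    """Return (desthost, destport) from the first matching rule, or None.

    A plug gateway never lets the client choose the destination: it is
    fixed by the rule, and a client that matches no rule is refused.
    """
    for rule in rules:
        if rule["proxy"] != proxy or resolve_port(rule["port"]) != listen_port:
            continue
        # Source patterns use shell-style wildcards, e.g. 10.0.1.*
        if fnmatch.fnmatchcase(source, rule["source"]):
            dest = rule.get("desthost")
            if dest is None:
                return None
            return dest, resolve_port(rule.get("destport", rule["port"]))
    return None


def load_rules() -> List[Dict[str, str]]:
    return parse_rules(NETPERM_TABLE)


if __name__ == "__main__":
    rules = load_rules()
    for proxy, port, src in [("nntp-gw", 119, "192.168.1.202"),
                             ("nntp-gw", 119, "192.168.1.5"),
                             ("qotd-gw", 17, "10.0.1.17"),
                             ("qotd-gw", 17, "10.0.2.1")]:
        print(proxy, port, src, "->", plug_decision(rules, proxy, port, src))
```

Rule order matters: the proxy stops at the first rule whose port and source pattern match, so a broad pattern placed before a narrow one silently wins.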
Understanding the Circuit Proxy The Gauntlet circuit proxy is an authenticated TCP gateway that provides configurable access control and logging mechanisms. The proxy, which runs on the firewall, authenticates users and passes TCP-based application requests through the firewall, using rules you supply.
Chapter 14: Managing General TCP Services With Authentication This is not an exhaustive list. The circuit proxy is protocol neutral, so you can tunnel a variety of other stream-based applications. Weigh the risks carefully for each application. You can configure the circuit proxy to allow connections based on: •...
Configuring the Firewall for Authenticated TCP Services Configuring the Gauntlet firewall involves planning, indicating which daemons the system will run, configuring the proxies to enforce your policy, starting your proxy, rebooting your firewall, and configuring your service.
PORT: the service name or port number. Use the same service name or port number you specified in /etc/services. Example: PORT=oracle. VARIABLE: name of the variable used to identify the service in the Gauntlet administration menus to turn the proxy on and off. Example: VARIABLE=proxy_custom2...
ARGS="-as qotd-gw" Do NOT use the -daemon option with the circuit proxy, as you would with other Gauntlet proxies. The circuit proxy automatically starts as a daemon. • Note that you do NOT need to add information about the service to the startup script.
Chapter 14: Managing General TCP Services With Authentication 3. Indicate the authentication server the circuit proxy uses:
ck-gw: authtype hosts [-authhost host] [-authport port]
where: hosts indicates the hosts for which the circuit proxy authenticates. Specify individual machines, entire networks, or subnets. Use IP addresses or host names.
Using the Circuit Proxy 5. Confirm the client application connection. 6. Use your application. The example below shows a user working on the trusted network inside the defense perimeter. The company has a policy to authenticate the use of some outside services. He is accessing an Oracle database on a machine outside the perimeter at a client site.
Chapter 14: Managing General TCP Services With Authentication Then he starts his client application. Because Yoyodyne is using transparency (the default configuration), he indicates that the database server is on the remote host (db.clientsite.com). If Yoyodyne were not using transparency, Robert would tell the client that the database server was the inside address of the firewall (fire-in.yoyodyne.com), allowing the firewall to connect to the database server on his behalf.
• source hostname
You would use the Gauntlet Info Server in place of another HTTP server (such as the CERN or Netscape HTTP servers), Gopher server (such as the University of Minnesota Gopher server), or the FTP server included with your operating system.
If the host has permission to use the service, the Info Server uses its internal database (by default in /usr/gauntlet/infodb) to find the requested file or to go to the requested directory. The client thinks it is talking to a regular HTTP or Gopher server, even though it is not.
If the host has permission to use the service, the Info Server uses its internal database (by default in /usr/gauntlet/infodb) to find the requested file or to go to the requested directory. The client thinks it is talking to a regular FTP server, even though it is not.
Chapter 15: Managing Information Services on the Firewall looks for the directory D/D00/D00/Detc. Because the root directory of the database is actually /usr/gauntlet/infodb, the Info Server is actually looking for /usr/gauntlet/infodb/D/D00/D00/Detc. The Info Server always looks for files within its own directory tree. It does not and cannot move back out of its directory tree to other areas of the system, as some HTTP, Gopher, or FTP servers might.
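The path mapping described above, as an added example that is not the Gauntlet Info Server's own code. It assumes an encoding consistent with the page's /../../etc to D/D00/D00/Detc example: every path component gets a D prefix and every character that is not a letter or digit is replaced by 0. The contrast function shows what a server that joined the raw client path would have looked up instead.

```python
"""Map a client-supplied path into the Info Server database tree.

Added example, not the Gauntlet Info Server's code.  Assumed encoding,
consistent with the page's example: each path component is prefixed with
'D' and every non-alphanumeric character becomes '0', so '..' -> 'D00'.
Because the encoded names can never be '.' or '..' and never contain '/',
the result cannot leave the database tree.
"""
import posixpath

INFODB_ROOT = "/usr/gauntlet/infodb"


def encode_component(component: str) -> str:
    """'etc' -> 'Detc', '..' -> 'D00', 'a-b' -> 'Da0b' (assumed encoding)."""
    body = "".join(ch if ch.isalnum() else "0" for ch in component)
    return "D" + body


def infodb_path(request_path: str) -> str:
    """Where the Info Server looks for a requested directory."""
    components = [c for c in request_path.split("/") if c]   # drop '' from '//' and leading '/'
    encoded = [encode_component(c) for c in components]
    return posixpath.join(INFODB_ROOT, "D", *encoded)


def naive_path(request_path: str) -> str:
    """What a server that joins the raw path would look up (for contrast only)."""
    return posixpath.normpath(posixpath.join(INFODB_ROOT, request_path.lstrip("/")))


def stays_inside(path: str, root: str = INFODB_ROOT) -> bool:
    """True if the normalized path is the root or lies beneath it."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


if __name__ == "__main__":
    for req in ("/../../etc", "/pub/docs", "/../../../../etc/passwd"):
        print(f"{req:28s} info server: {infodb_path(req)}")
        print(f"{'':28s} raw join:    {naive_path(req)}  inside={stays_inside(naive_path(req))}")
```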
files that you want anyone to view, even though you have other files in the directory. Configuring the Firewall Configuring the Gauntlet firewall to run an Info Server involves planning, indicating which daemons the system will run, configuring the Info Server to enforce your policy, and verifying your setup.
files on the Gauntlet firewall. Configuring the Proxy Rules If you are using the Gauntlet firewall default configuration, you do not need to modify the proxy rules for the Info Server. To enable the Info Server, use the gauntlet-admin Proxies form: enable the Info Server, select an idle timeout period, and specify an information directory.
To set up your files for use with the Info Server on the firewall, follow these steps: 1. Create your directory structure under /usr/gauntlet/infodb/D. Prefix each directory with the letter D when you create the directory. For example, if you want to keep all...
• cttext—Text header Consult /usr/gauntlet/infodb/tools for a list of currently available sample headers. Use these files as templates to create your own header files, if necessary. Repeat this process for every file you wish to have accessible via the Info Server.
Using the Info Server Consult /usr/gauntlet/infodb/tools for a list of currently available sample headers. Use these files as templates to create your own header files, if necessary. Repeat this process for every binary file you wish to have accessible via the Info Server.
Chapter 15: Managing Information Services on the Firewall To create Gopher menus, follow these steps: 1. Execute the list command and redirect it to a file that starts with G. You may wish to restrict the files that the command displays, so that it looks like a normal Gopher menu.
Chapter 16 Using the Network Access Control Daemon The proxies included with the Gauntlet Internet Firewall allow you to determine whether or not you wish to allow certain hosts to access certain services. If you permit a particular host to use the TELNET proxy, users on that host can TELNET from trusted networks to untrusted networks.
firewall. Consult the existing UNIX and Gauntlet firewall configuration files for examples of the network access control daemon in use. This section describes using the network access...
Chapter 17 The Graphical Management Interface The Gauntlet system uses a Web browser interface (“forms-based”) to make it easy for you to quickly configure and run the firewall system. The Gauntlet management interface supports all common Gauntlet administrative functions and is organized (like this chapter) into the following browser forms: •...
Chapter 17: The Graphical Management Interface First Time User Tips Each section in this chapter describes a Gauntlet management form. The forms-based interface is designed to be self-sufficient, and it may present enough information for you to make all appropriate configuration decisions. While this chapter provides additional background information, it also duplicates much of the information that is available on the forms.
Gauntlet remotely. Using the Gauntlet Management Interface To configure the Gauntlet firewall, you can start the management interface locally from the firewall itself or from a remote host (including a remote X display). You can also perform secure remote management.
“Configuring Gauntlet for Remote Administration” on page 168 or “Configuring Gauntlet for Secure Remote Administration” on page 170. Configuring Gauntlet Locally To start the management interface and configure Gauntlet locally, use this procedure on the firewall host: 1. Log in to the firewall as root.
Introductory Management Form Caution: Do not select Configure All until you configure all forms appropriately— running “Configure All” interrupts all current connections! The introductory management form describes how to use the forms-based interface, and contains a list of form names. From this list, you can access any other form, go to the next form, or configure your system.
ISDN Setup if you want to configure ISDN. Click PPP Setup if you want to configure PPP. Note: To run the Network Setup tools directly from the Gauntlet forms-based interface, you must be working at the Gauntlet host console. You can use the Network Setup tools without the Gauntlet interface from any location.
Chapter 17: The Graphical Management Interface Figure 17-6 Networks and Interfaces Configuration Form (1 of 2)
Networks and Interfaces Configuration Form Figure 17-7 Networks and Interfaces Configuration Form (2 of 2)
firewall to guard against IP address spoofing, a ruse in which network packets are tagged with a falsified trusted network address. When you designate trusted interfaces, Gauntlet verifies that packets tagged with a trusted network address actually arrived on a trusted interface.
“hop” metric to each network you add. Use a metric of “0” if the gateway is an interface on the Gauntlet host, and a metric of “1” if it is anywhere else. Explicit routes are stored in /usr/gauntlet/config/explicit_routes.
Routing Configuration Form Figure 17-8 Routing Configuration Form...
Figure 17-9 If hosts on your internal network are running a routing daemon, they eventually acquire the default route from the Gauntlet host. The default route can also be explicitly assigned to those hosts by their administrators. Additional Routing Information For additional general routing information or information on routing using IRIX commands, refer to the section “Setting Up a Router”...
Proxy Servers Configuration Form The proxy server configuration form (Figure 17-10 and Figure 17-11) allows you to control network services that are available through the Gauntlet firewall. You can enable and disable particular services, specify timeout values and port numbers, and so on.
firewall runs a daemon to support it. For example, enabling TELNET means that a proxy TELNET server will run on the Gauntlet firewall to mediate and enable TELNET connections. The proxy will be a transparent TELNET proxy if you have enabled transparent proxies.
Proxy Servers Configuration Form You can select which services, if any, to offer untrusted network users on the FTP port: ftp-gw, anonymous FTP using IRIX ftpd, and anonymous FTP using the Gauntlet Info Server. TELNET If you enable the TELNET proxy, enter a timeout value (number of seconds) for idle connections;...
This can be extremely useful if users are traveling, for example. Remote users must be using client software that supports POP3 APOP authentication. This allows users to authenticate themselves to the Gauntlet firewall, so the firewall can then “plug” the connection through to the internal POP3 server, performing the identical authentication exchange with the internal POP3 server.
Custom Configured Plug Gateways Custom plug gateways allow you to create proxies for protocols that are not specifically included in the Gauntlet proxies group (see “Configuring the Firewall for Other Protocols” in Chapter 11 for more information). If you configured custom plug gateways, click Enable to enable them.
Chapter 17: The Graphical Management Interface Figure 17-10 Proxy Servers Configuration Form (1 of 3)
Proxy Servers Configuration Form Figure 17-11 Proxy Servers Configuration Form (2 of 3)
Chapter 17: The Graphical Management Interface Figure 17-12 Proxy Servers Configuration Form (3 of 3)
DNS server on the external host. In either case, the Gauntlet host is commonly chosen to run a DNS server, either as the external member of a dual-DNS configuration, or as the single DNS server for the site.
DNS server in this case. Enter the IP address of your DNS server: Enter the IP address which corresponds to the host name you gave above. If that’s your Gauntlet firewall, then enter one of the external IP addresses for the firewall.
Sendmail (not DNS) page, and then consult IRIX Admin: Networking and Mail for details on how to get your Gauntlet firewall host to deliver all internal email through your separate domain-level mail hub.
/path/filename on the host hostname. The hostname “firewall” is used for the Gauntlet firewall host; “ns” is used for the internal DNS server host, assumed to be running the bind DNS server. (It is possible that various bind configuration files are not located at the paths given below on your ns host;...
DNS Configuration Form The configuration you have set up is often known as split-DNS, and is commonly used at firewalled sites. Outside hosts cannot successfully query your internal DNS server for internal host names and IP addresses. However, on the firewall itself, applications can resolve internal host names;...
Chapter 17: The Graphical Management Interface Figure 17-13 DNS Configuration Form (1 of 2)
DNS Configuration Form Figure 17-14 DNS Configuration Form (2 of 2)
MX record for domain_name pointing at your external mail hub machine. Unless you’re willing to let such email bounce, you’re going to have to be able to deal with email directly sent to your Gauntlet firewall anyway.
However, Gauntlet does not run sendmail to accept incoming email; rather, it runs a very simple program called smap that accepts and queues incoming email.
Chapter 17: The Graphical Management Interface relay.corp.example.com. They are as much for informing internal sendmail or other analogous mail transfer agents as for informing sendmail on the firewall. • The mail hubs that resource records point to should be able to deliver email to domains ending in SUBDOMAIN.example.com for the corresponding subdomain.
Sendmail on Gauntlet Servers Enter the host name of your firewall: The value in this field is the host name of the interface to the external network. For example, in Figure 17-9, this is the host name assigned to the interface whose address is 192.132.122.12.
This behavior and the fact that the Silicon Graphics sendmail.cf.auto file tries to deliver email to username@sub_domain.DOMAIN_NAME to username@relay.sub_domain.DOMAIN_NAME if it can find a host named relay.sub_domain.DOMAIN_NAME, makes it easy to support multiple subdomains for...
Sendmail on Gauntlet Servers Figure 17-15 Sendmail Configuration Form
Both peers in the VPN must be running Gauntlet software. See Appendix C for detailed information on swIPe and VPNs. Figure 17-16 illustrates two Gauntlet servers acting as peers in a VPN. Notice that in this figure the path connecting the peers is the Internet.
Figure 17-16 Gauntlet Hosts Using swIPe in a VPN Authentication and Encryption Schemes The swIPe protocol verifies that IP packets contain authentic source and destination addresses. This verification protects against IP address spoofing; it can be used in...
Prepare to synchronize the firewalls as you configure them. You do not need to modify the IRIX configuration files on the firewall to support encrypted traffic. This is a standard service, included in the default versions of these configuration files on the Gauntlet Firewall.
swIPe Configuration Form Figure 17-17 illustrates the configuration form for swIPe. Figure 17-17 swIPe Configuration Form...
Chapter 17: The Graphical Management Interface Configuring a Server for swIPe Perform the following procedure while the administrator of the remote network does the same at the remote peer site. It is important that both firewalls are configured at the same time because the encrypted packets must stay synchronized.
swIPe Configuration Form Figure 17-18 Add swIPe Key Form 2. Enter the key ID for authentication and encryption. To create a trusted or private link, you must specify the key you wish to use by its Key ID. Enter a number from 1 to 99. Click Authenticate packets and Encrypt packets to put either or both of these protection schemes into effect on this peer connection.
Chapter 17: The Graphical Management Interface 3. Type an alphanumeric entry to create a key string. The key string is a shared secret: the administrator of the remote peer must enter the identical string under the same key ID, so agree on it out of band and choose a long random value rather than a memorable word. 4. Select Add to configure the path between this peer and its remote counterpart. After your selection, the Add swIPe Path Form is displayed: Figure 17-19 Add swIPe Path Form
Logfiles and Reports Configuration Form Use the reports and logfiles form (Figure 17-20) to configure basic reporting mechanisms on the Gauntlet firewall. The system automatically generates reports, and you can specify yourself and other users (in a comma-separated list) to receive these reports by e-mail. You can select the first three links on the Reports form at any time to view the most recently generated...
You should assign either yourself or another trusted user as the system Postmaster. This user receives any generic mail addressed to “Postmaster” at the Gauntlet host. Example 17-2 contains an example of Gauntlet log file entries (lines have been shortened for readability).
Logfiles and Reports Configuration Form Figure 17-20 Reports and Logfiles Form (1 of 2)
Chapter 17: The Graphical Management Interface Figure 17-21 Reports and Logfiles Form (2 of 2) Refer to Appendix A for command-line and file information on reports.
Bellcore that uses a challenge-response model to implement authentication. S/Key is included “as is” with the Gauntlet firewall. The IRIX executable that users need for generating responses is /usr/bin/key; it can be copied to other IRIX 5.3 or later systems.
The group field lets you associate groups of users. Note: Adding users and groups here does not create IRIX accounts or groups for the users, just proxy server authorization. Figure 17-24 illustrates user authentication on the Gauntlet host.
Authorizing Users Form Figure 17-22 Authorizing Users Form...
Chapter 17: The Graphical Management Interface Figure 17-23 Add User Form...
Authorizing Users Form Figure 17-24 User Authentication (Internet, Gauntlet Firewall host, internal network, hosts on local network) Example 17-3 shows an S/Key authentication session from the point of view of a user on a remote client.
S/Key server challenge (662 in the previous example). Configuring Gauntlet for Remote Administration To configure Gauntlet remotely, you must first run the management interface locally on the firewall to set the remote management option on. After this option is set, you can configure the firewall from a remote host or an X display at any time.
2. Access the Gauntlet administration interface and display the introductory management form. (See steps 1 through 3 of “Configuring Gauntlet Locally” on page 118 if you need instructions.) Find the Proxy Servers Configuration option on the introductory form (shown in Figure 17-4).
Web Browsers” on page 56 for instructions. Accessing the Administration Tool from an X Display You can also use remote X display from a remote host to run the Gauntlet administration interface. To run the administration interface on a remote X display, do this: 1.
5. Access the Gauntlet administration interface and display the introductory management form. (See steps 1 through 3 of “Configuring Gauntlet Locally” on page 118 if you need instructions.) Find the Proxy Servers Configuration option on the introductory form (shown in Figure 17-4).
Chapter 17: The Graphical Management Interface 10. Reset the port number and timeout value, if necessary. The default port for remote Gauntlet administration is 21001; normally, it is not necessary to change this port assignment. However, if port 21001 is unavailable (because another service is using it, for example), you can assign a different port for remote administration by entering a new port number in the port number field.
Chapter 18 Managing User Authentication As discussed in other chapters, the Gauntlet firewall can permit or deny access based not just on hostname, but also on user name. In addition, your security policy may require that users use some form of strong authentication each time they access a particular host or service within their perimeter.
Using the default Gauntlet policies, this occurs any time a user from an untrusted network tries to access a service inside the perimeter. Recall that untrusted networks are those from which the firewall accepts requests only after authentication by the user.
For example, you can configure the X11 proxy to permit service to everyone in group sales. Just as is the case with user names, the groups that you create in the Gauntlet user authentication management system are not the same as the groups you create on the firewall or on the internal network.
firewall prompts for authentication it provides a challenge. The user enters their PIN (if one is required) and the challenge into the Access Key II. The Access Key II responds with a password. The user enters this value at the Gauntlet prompt, and the Gauntlet authentication server verifies this value.
Bellcore's S/Key Version 1 software. The OPIE package is available for FTP from ftp.nrl.navy.mil in /pub/security/nrl-opie/. Reusable Passwords This system, a part of the user authentication system included with the Gauntlet firewall, is a reusable password option. It is designed for administrator testing only. Every time...
Configuring Third Party Systems Note: See the online configuration help available for the third-party systems by clicking on the authentication system name on the gauntlet-admin Authentication page. File locations may vary from those specified in these procedures. Safeword Authentication Server You must create or modify one file on the firewall so it knows where the Safeword...
ACE/Server: Tell the authentication server which client host name the firewall was registered under:
authsrv:securidhost firewall
• where firewall is the host name of the Gauntlet firewall that you registered as the client host name on the ACE/Server. For example:
authsrv:securidhost fire-in.yoyodyne.com
Configuring Network Services You do not need to modify the IRIX configuration files on the firewall to support the authentication management system.
Configuring Authentication Management System Rules If you are using the Gauntlet Firewall default configuration, you do not need to modify the configuration rules for the user authentication management system. If you have chosen a different port or a different location for your database, you must modify /usr/gauntlet/config/template.netperm-table to reflect your configuration.
Managing Users Remember that the groups that you create in the Gauntlet system are not necessarily the same as the IRIX groups you create on the firewall or on your internal network. You can of course use the same names, for easier administration.
6. Make the information active by saving these changes (in gauntlet-admin). Creating Default Users Creating a default user allows you to authenticate users without manually creating entries for every user in the Gauntlet authentication database. Note that this option is only available for: •...
4. Leave the password for this user empty. The authentication server uses the value registered with the appropriate server. 5. Make the information active by saving these changes (in the gauntlet-admin and gauntlet-gui menuing systems) or exiting the authentication server.
You must create a new user name, assign appropriate groups and privileges, and delete the old user name. You can, however, change the long name information for a user using the gauntlet-admin interface To change the long name information, follow these steps: 1.
Managing Users Changing Protocols To change protocols, follow these steps: 1. Configure the user information in the third party authentication system if you want the user to use that system. 2. Select the record for the user name you wish to modify. 3.
Chapter 18: Managing User Authentication The example below shows a sample S/Key password change from the TELNET proxy:
dimension-83: telnet firewall
Trying...
Connected to firewall.yoyodyne.com
Escape character is '^]'.
tn-gw-> password
Changing passwords
Username: john
Skey Challenge: s/key 644 fi58297
LOAM WOOD BOIL VASE TELL TINY
New Password: ##############
Retype New Password: ##############
ID john s/key is 664 fi582901...
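The one-time-password exchange behind the S/Key challenges shown above (and the "ID john s/key is ..." sequence number the firewall stores), as an added example that is not Gauntlet's, Bellcore's or NRL's code. It uses MD5 with an OPIE-style fold rather than the original S/Key MD4 so that it runs with a stock hashlib, prints responses as hex instead of the six-word encoding in the transcript, and the user name, seed, sequence number and passphrase are constructed values. The firewall side keeps only the current hash, never the passphrase, and a replayed response is rejected because it no longer hashes to the stored value.

```python
"""One-time passwords in the S/Key model (added example, not Gauntlet code).

Server stores hash #seq of a chain; the challenge asks the client for
hash #(seq-1); the server accepts it if one more hashing step yields the
stored value, then stores the response and decrements seq.  MD5 with an
XOR fold (the OPIE variant) is used instead of S/Key's original MD4.
"""
import hashlib
import secrets
import string


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(value: bytes) -> bytes:
    return fold(hashlib.md5(value).digest())


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Hash #n of the chain: seed+passphrase hashed, then n more steps."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = step(value)
    return value


def new_seed() -> str:
    """A seed in the 'fi58297' shape from the transcript (assumed format)."""
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(2))
    return letters + f"{secrets.randbelow(100000):05d}"


def client_response(challenge: str, passphrase: str) -> str:
    """Answer an 's/key <n> <seed>' challenge (the job of /usr/bin/key)."""
    tag, n, seed = challenge.split()
    if tag != "s/key":
        raise ValueError("not an S/Key challenge")
    return otp(seed, passphrase, int(n)).hex()


class SKeyServer:
    """The firewall's authentication-server side of the exchange."""

    def __init__(self) -> None:
        self.users = {}          # user -> [seq, seed, stored hash #seq]

    def register(self, user: str, seed: str, seq: int, passphrase: str) -> None:
        # Only hash #seq is kept; the passphrase itself never lives on the firewall.
        self.users[user] = [seq, seed, otp(seed, passphrase, seq)]

    def challenge(self, user: str):
        seq, seed, _ = self.users[user]
        if seq < 1:
            return None          # chain exhausted: re-initialise with a new seed
        return f"s/key {seq - 1} {seed}"

    def verify(self, user: str, response_hex: str) -> bool:
        entry = self.users[user]
        seq, _, stored = entry
        if seq < 1:
            return False
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        # One more hashing step must reproduce what we stored last time.
        if not secrets.compare_digest(step(response), stored):
            return False
        entry[0], entry[2] = seq - 1, response   # move down the chain
        return True


if __name__ == "__main__":
    server = SKeyServer()
    server.register("john", new_seed(), 5, "correct horse battery")   # constructed
    chal = server.challenge("john")
    resp = client_response(chal, "correct horse battery")
    print(chal, "->", resp, "accepted:", server.verify("john", resp))
    print("replay accepted:", server.verify("john", resp))
```

Each successful login moves the sequence number down by one, which is why the firewall reports "ID john s/key is 664" after a change: that number is how many responses remain before the user must run the key initialisation again.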
Managing Users Deleting Users Deleting users removes them from the user authentication management system. It does not remove users from your firewall or from your internal network. To delete a user, follow these steps: 1. Select the delete option for the record for the user name you wish to delete. 2.
One way of doing this is to login to the firewall using some form of strong authentication that uses one-time passwords or time-based responses. The login shell program included with the Gauntlet firewall allows you to use the same strong authentication scheme for logging into the firewall itself as you do for activity between opposite sides of your security perimeter.
Enabling Remote Login You must configure the firewall to allow remote login from other hosts. To enable remote login, use the gauntlet administration tools to turn on remote login to allow the firewall to run the TELNET daemon. Adding Support for the Login Shell You must add support for the login shell so that the operating system recognizes the login shell as a valid shell.
4. Add the user to group wheel so that they can su to root. Use vi to edit /etc/group. Configuring the Proxy Rules If you are running the Gauntlet firewall default configuration, you do not need to modify configuration rules for the login shell. If you have chosen a different authentication server or a different location for your shell file information, you must modify...
Chapter 19: Using the Login Shell To configure the shell: • Edit the shellfile file (/usr/etc/login-shellfile) and add information about the final shell for that user: username executable parameters where username same user name that you specified when you created the user's account on the firewall.
Using the Login Shell Program not recommended), changing file permissions will prevent them from changing their shell. 2. Verify that the su command is not aliased to 'su -m' in your account (.cshrc, .login, etc.) on the firewall. The -m option attempts to retain the current environment. This causes your login shell (in this case, login-sh) to be executed by user root.
Chapter 19: Using the Login Shell Changing Password for User Account When you are using the login shell, the password is actually the strong authentication password, not the standard UNIX password. Do not use the passwd or chpass programs on your UNIX system. To change your password, you must follow the instructions for changing your strong authentication information as described on page 135.
Disk space is a lot cheaper than spending many hours debugging a problem that a program would have written to the logs. For these reasons, the components of the Gauntlet Firewall log a wide variety of activities and attributes.
ASCII text. People and shell scripts can easily parse the information. Every night the cron daemon runs a shell script that rotates, compresses, truncates, and removes the log files. The Gauntlet script /usr/gauntlet/bin/daily rotates the reports and compresses (using gzip) older log files.
files and summarize the information. The firewall automatically generates the reports that are selected in gauntlet-admin. The cron daemon is used to run a set of shell scripts that parse the information in /var/adm/SYSLOG. You do not need to do anything special to create the reports;...
100 clients by amount of traffic, and the top 100 denied clients. Each night the cron daemon on the firewall runs the daily script (/usr/gauntlet/bin/daily). When the daily report option is turned on (it is on by default), this script calls a daily report script (/usr/gauntlet/bin/daily-report) which calls other shell scripts to summarize the logs for each service.
Configuring Reports Configuring Reports The default reporting options included with the Gauntlet Firewall meet the needs of most security policies. You do not need to set or modify any options if you wish to use the default configuration, which e-mails weekly Service Summary reports and the Exception report to root as the default recipient of email sent to firewalladmin.
Chapter 20: Logging and Reporting Reading Logs and Reports The logs and reports that the firewall writes are in ASCII, easy for you and reporting scripts to read. This section presents a brief overview of what the logs and reports look like, and what the items indicate.
The example below shows the information for a fifteen-minute interval on the firewall:
Security Alerts
---------------
Dec 12 10:18:35 gauntlet kernel: securityalert: tcp from 10.0.1.17 on unserved port
Dec 12 10:19:13 localhost authsrv[2190]: securityalert: repeated bad auth attempts penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:10 localhost authsrv[2190]: BADAUTH penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:13 localhost authsrv[2190]: BADAUTH penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:14 localhost authsrv[2190]: BADAUTH penny too many tries (rlogin-gw unknown/10.0.1.17)
Dec 12 10:20:00 gauntlet kernel: uid 0 on /: file system full...
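The kind of parsing the nightly report scripts do over /var/adm/SYSLOG, as an added example that is not one of Gauntlet's own scripts. The log lines are constructed from the formats shown above; the three-failures-in-sixty-seconds rule is a choice made for the illustration, and the script flags securityalert lines, per-user/per-source BADAUTH counts and the "too many tries" lockouts that the authentication server emits.

```python
"""Parse Gauntlet syslog lines and flag repeated authentication failures.

Added example, not a Gauntlet report script.  SAMPLE_LOG is constructed
from the line formats shown on this page; the threshold and window are
illustration choices.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Dec 12 10:18:35 gauntlet kernel: securityalert: tcp from 10.0.1.17 on unserved port
Dec 12 10:19:10 localhost authsrv[2190]: BADAUTH penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:13 localhost authsrv[2190]: BADAUTH penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:13 localhost authsrv[2190]: securityalert: repeated bad auth attempts penny (rlogin-gw unknown/10.0.1.17)
Dec 12 10:19:14 localhost authsrv[2190]: BADAUTH penny too many tries (rlogin-gw unknown/10.0.1.17)
Dec 12 10:20:00 gauntlet kernel: uid 0 on /: file system full
"""

# syslog prefix: "Mon dd hh:mm:ss host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# authsrv failure: "BADAUTH user [reason] (proxy client/ip)"
BADAUTH_RE = re.compile(
    r"^BADAUTH (?P<user>\S+)(?P<extra>.*?) "
    r"\((?P<proxy>[\w-]+) (?P<client>\S+)/(?P<ip>[\d.]+)\)$")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year; 1900 is fine for intervals within one file
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(lines, threshold: int = 3, window_seconds: int = 60) -> dict:
    badauth = Counter()            # (user, ip) -> failures
    times = defaultdict(list)      # (user, ip) -> timestamps of failures
    alerts, lockouts = [], []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        msg = rec["msg"]
        if msg.startswith("securityalert:"):
            alerts.append((rec["ts"], rec["prog"], msg[len("securityalert:"):].strip()))
        m = BADAUTH_RE.match(msg)
        if m:
            key = (m["user"], m["ip"])
            badauth[key] += 1
            times[key].append(rec["time"])
            if "too many tries" in m["extra"]:
                lockouts.append(key)
    # flag any key with `threshold` failures inside a `window_seconds` span
    repeated = []
    for key, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                repeated.append(key)
                break
    return {"alerts": alerts, "badauth": badauth, "lockouts": lockouts,
            "repeated": repeated, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ts, prog, detail in result["alerts"]:
        print("ALERT", ts, prog, detail)
    for (user, ip), n in result["badauth"].items():
        print(f"BADAUTH {user} from {ip}: {n} failures",
              "(repeated)" if (user, ip) in result["repeated"] else "")
```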
To back up the data on your firewall, use standard IRIX backup procedures as described in the IRIX Advanced Site and Server Administration Guide. In particular, you should be sure to back up the following: • /usr/gauntlet/cgi-data • /usr/gauntlet/config •...
Even though you’ve created only one account on the firewall for the administrator, you still want to ensure that no person or process has modified your system. The Gauntlet Internet firewall is designed to make it easy to verify system integrity.
Review the changes noted in the weekly report and ensure that they are acceptable changes. For example, you may have changed the root password on the Gauntlet firewall during the past week, resulting in the report of a change in /etc/passwd. This would be an...
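A baseline comparison of the kind the weekly report performs, as an added example that is not the Gauntlet check script. The baseline, the current snapshot and the ignore list are constructed in memory (the expected /etc/passwd change from a root password change, a log file that is expected to churn and an unexpected new startup script); the one-regex-per-line ignore format follows the page's description of config/frequentcheck.ignore, while the hash algorithm and report layout are assumptions.

```python
"""Compare a file-integrity baseline against the current state.

Added example, not the Gauntlet check script.  run_example() uses
constructed file contents; snapshot_tree() is the same logic over a
real directory.  Ignore patterns are egrep-style regexes, one per line,
as the page describes for config/frequentcheck.ignore.
"""
import hashlib
import os
import re


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Hash an in-memory {path: bytes} mapping (constructed input)."""
    return {path: digest(content) for path, content in files.items()}


def snapshot_tree(root: str) -> dict:
    """Hash every regular file under root on a real system (symlinks skipped)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    result[path] = digest(fh.read())
    return result


def load_ignore(text: str):
    """One regular expression per line; blank lines and # comments skipped."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns


def compare(baseline: dict, current: dict, ignore=()) -> dict:
    def keep(path: str) -> bool:
        return not any(p.search(path) for p in ignore)
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p] and keep(p))
    added = sorted(p for p in current if p not in baseline and keep(p))
    removed = sorted(p for p in baseline if p not in current and keep(p))
    return {"changed": changed, "added": added, "removed": removed}


def format_report(diff: dict) -> str:
    lines = [f"{kind:8s} {path}" for kind in ("changed", "added", "removed")
             for path in diff[kind]]
    return "\n".join(lines) if lines else "no changes"


def run_example() -> dict:
    # Constructed last-week baseline and this-week state.
    last_week = {
        "/etc/passwd": b"root:OLDHASH:0:0:Super-User:/:/bin/csh\n",
        "/etc/inetd.conf": b"# pruned by Gauntlet\n",
        "/usr/gauntlet/config/netperm-table": b"tn-gw: permit-hosts 10.0.1.*\n",
        "/var/adm/SYSLOG": b"Dec  5 00:00:01 gauntlet ...\n",
    }
    this_week = dict(last_week)
    this_week["/etc/passwd"] = b"root:NEWHASH:0:0:Super-User:/:/bin/csh\n"  # root password changed
    this_week["/var/adm/SYSLOG"] = b"Dec 12 00:00:01 gauntlet ...\n"       # expected churn
    this_week["/etc/rc2.d/S99rogue"] = b"#!/bin/sh\n"                      # unexpected startup script
    ignore = load_ignore("# constructed frequentcheck.ignore\n^/var/adm/\n")
    return compare(snapshot(last_week), snapshot(this_week), ignore)


if __name__ == "__main__":
    print(format_report(run_example()))
```

The /etc/passwd entry in the output is the acceptable change the text describes; the new file under /etc/rc2.d is the kind of entry that should never be waved through without an explanation.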
GUI. Viewing the Gauntlet File List If you want to see a list of the files that the Gauntlet software manipulates, click the view link in the “Managing Your Firewall” portion of the introductory form. If you do not want to use the forms-based interface, you can directly edit these files, although that is...
Appendix A: Gauntlet System Files
Note: The online list of Gauntlet files is always the most current list. Use the online view link to see the current Gauntlet file list.
Table A-1 The Gauntlet File List
Filename Safe? Description
/*/*.old.12345 To save copies of certain configuration...
The Gauntlet File List Filename Safe? Description config/subdomain Subdomains which will be accepted by the firewall for mail delivery if you have selected to let Gauntlet rewrite sendmail.cf. config/explicit-routes Lists explicit (static) routes to be installed into the routing tables via /etc/gated.conf. config/frequentcheck.ignore Lists egrep-style regular expressions which will be used to filter the system...
Sendmail configuration file. It is safe to modify this file only if you have selected preserving sendmail.cf on the sendmail page. /etc/aliases Gauntlet modifies the alias for root on the firewall machine, and adds a firewalladmin alias. /etc/group Gauntlet may need to add groups to this file for various application...
“minimize_exposure” more than once, afterwards you may tweak this file to suit your needs. /etc/inetd.conf Gauntlet will comment out all but a few IRIX-specific services which it itself needs to run. /etc/skeykeys If you add or edit a user’s...
DNS configuration file. It is safe to modify this file only if you have selected preserving your DNS configuration on the DNS page. /var/spool/cron/crontabs/root Gauntlet adds various jobs to run at regular intervals. /usr/etc/resolv.conf Maybe DNS configuration file. It is safe to modify this file only if you have...
Netperm Table
The network permissions table (/usr/gauntlet/config/netperm-table) contains configuration information for the Gauntlet Internet Firewall. The kernel, proxies and other applications read their configuration information from this table. The rules in the table include two types of information: policy rules and application-specific rules.
Appendix B: Netperm Table describing what these hosts can and cannot do. The default Gauntlet configuration defines two policies: an inside policy and an outside policy. The inside policy defines the general policies for requests from the inside (trusted) networks. This policy indicates that proxies can send requests to any destination. By default it permits some of the more commonly used proxies for inside requests: TELNET, rlogin, FTP, NNTP, HTTP, and X11.
file, the FTP proxy uses the restrictive rule and denies requests to ftp.bigu.edu.
Applications
Other Gauntlet applications such as the authentication server also read configuration information from the netperm-table file.
Using This Information
As part of the startup process a proxy or application reads the netperm-table file looking...
Modifying the Netperm Table File
Modify the /usr/gauntlet/config/template.netperm-table file using your favorite text editor. Be sure to make a backup copy. You do not need to restart the proxies to make the changes take effect.
Netperm Table Syntax
Format
Each line in the netperm-table file contains a separate configuration rule in the format:
keyword: attribute valuelist
where
• keyword indicates the application to which the rule on that line applies. The wildcard (*) indicates that the rule is valid for all applications and proxies. Comma-separated lists of multiple keywords indicate that the rule applies to the proxies or applications listed.
Keywords
This table lists some default and common keywords for policies, proxies and other applications. You can create your own keywords. Be sure that the keyword matches the value for the -as name flag you used when starting any custom proxies.
Table B-1 Default and Common Keywords
Keyword...
4. Place the policy lines above or below the generic policies as appropriate. For example, the generic policy for Yoyodyne uses the default Gauntlet inside policy. The security policy for Yoyodyne calls for restricting a particular group of machines (and set...
Note that this type of policy may not prevent users on this inside network from reading news and sending e-mail. The recommended setup for the Gauntlet firewall calls for central mail and news servers on the inside networks. The news readers and mail agents on the restricted subnet communicate directly with the news and mail servers.
Adding Proxy Services
You can add or remove proxy services at any point as your security policies change. This section addresses the changes you must make to the netperm-table file to use the proxy. Consult the chapter for each proxy for more information on other configuration requirements.
For example, Yoyodyne does not want anyone on a host at Big University to have TELNET access to Yoyodyne:
tn-gw: deny-hosts *.bigu.edu
Later, Yoyodyne determines they only need to deny access from the dialin machines at Big University:
tn-gw: deny-hosts dial*.bigu.edu...
* These commands prevent any other users who are not members of group developer (in the Gauntlet authentication database) from using the Rlogin proxy.
Operation
You can permit or deny access to certain proxies by time of day:
To control access by time of day:
1.
3. Add the extended-permissions attribute to the appropriate policy or proxy, indicating that the authentication server should check the information specified by the operations keyword. For example, Yoyodyne wants to deny TELNET between 5:00 pm and 11:00 pm:
authsrv: deny-operation user * tn-gw * * time 17:00 23:00
authsrv:...
Attribute Reference
To deny access for all applications, add a line to the appropriate deny-destination policy. Note that the smap proxies do not use the policy rules, so you can still send mail to the denied host or network. For example, Yoyodyne does not want anyone on the inside network to communicate with Big University:
policy-inside: deny-destination *.bigu.edu...
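The "keyword: attribute valuelist" format, the deny-hosts patterns for the TELNET proxy and the deny-destination policy line above can be exercised with a small evaluator. The following Python is an added illustration written for this excerpt; it is not Gauntlet or TIS code. Beyond what the appendix states, it assumes that rules are evaluated in file order and the first matching permit or deny rule wins, that "#" begins a comment, that host patterns are shell-style wildcards as in *.bigu.edu, and that "-policy inside" refers to the policy-inside keyword. The sample table is constructed.

```python
"""Small netperm-table evaluator (added illustration, not Gauntlet code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed sample, modelled on the "keyword: attribute valuelist" format.
SAMPLE_TABLE = """\
# deny the dial-in hosts at Big University before any permit rule can match them
tn-gw: deny-hosts dial*.bigu.edu
tn-gw, rlogin-gw: permit-hosts 10.0.1.* -policy inside
policy-inside: deny-destination *.bigu.edu
policy-inside: permit-destination *
policy-inside: permit-proxy tn-gw rlogin-gw
"""


@dataclass
class Rule:
    keywords: List[str]                        # applications or policies the rule is for
    attribute: str                             # permit-hosts, deny-destination, ...
    values: List[str] = field(default_factory=list)


def parse_netperm(text: str) -> List[Rule]:
    """Parse "keyword[, keyword...]: attribute value..." lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head, sep, rest = line.partition(":")
        parts = rest.split()
        if not sep or not parts:
            raise ValueError(f"malformed rule: {raw!r}")
        keywords = [k.strip() for k in head.split(",") if k.strip()]
        rules.append(Rule(keywords, parts[0], parts[1:]))
    return rules


def rules_for(rules: List[Rule], name: str) -> List[Rule]:
    """Rules naming this application/policy, or carrying the '*' wildcard keyword."""
    return [r for r in rules if name in r.keywords or "*" in r.keywords]


def _matches(patterns: List[str], host: str) -> bool:
    return any(fnmatchcase(host, p) for p in patterns)


def check_host(rules, app, client) -> Tuple[str, Optional[str]]:
    """First permit-hosts/deny-hosts rule matching the client decides (assumed
    first-match order). Returns (verdict, policy keyword or None)."""
    for r in rules_for(rules, app):
        if r.attribute == "deny-hosts" and _matches(r.values, client):
            return "deny", None
        if r.attribute == "permit-hosts":
            hosts, policy = r.values, None
            if "-policy" in r.values:                 # "-policy inside" -> policy-inside
                i = r.values.index("-policy")
                hosts, policy = r.values[:i], "policy-" + r.values[i + 1]
            if _matches(hosts, client):
                return "permit", policy
    return "deny", None                               # nothing matched: default deny


def check_destination(rules, policy, dest) -> str:
    for r in rules_for(rules, policy):
        if r.attribute == "deny-destination" and _matches(r.values, dest):
            return "deny"
        if r.attribute == "permit-destination" and _matches(r.values, dest):
            return "permit"
    return "deny"


def proxy_allowed(rules, policy, app) -> bool:
    """permit-proxy lists the proxies a policy lets run; a proxy left off that list
    (or named in deny-proxy) is denied. With no permit-proxy rule at all we assume
    the attribute imposes no restriction."""
    for r in rules_for(rules, policy):
        if r.attribute == "permit-proxy":
            return app in r.values or "*" in r.values
        if r.attribute == "deny-proxy" and app in r.values:
            return False
    return True


def decide(rules, app, client, dest) -> str:
    verdict, policy = check_host(rules, app, client)
    if verdict != "permit":
        return "deny"
    if policy is None:
        return "permit"
    if not proxy_allowed(rules, policy, app):
        return "deny"
    return check_destination(rules, policy, dest)


if __name__ == "__main__":
    table = parse_netperm(SAMPLE_TABLE)
    for app, client, dest in [("tn-gw", "10.0.1.17", "ftp.bigu.edu"),
                              ("tn-gw", "10.0.1.17", "www.example.com"),
                              ("tn-gw", "dial3.bigu.edu", "www.example.com"),
                              ("ftp-gw", "10.0.1.17", "www.example.com")]:
        print(f"{app} {client} -> {dest}: {decide(table, app, client, dest)}")
```

Because order decides, the deny-hosts line for dial*.bigu.edu has to sit above the permit-hosts line that would otherwise admit the client; running the sample with the two lines swapped is a quick way to see why the appendix tells you to place restrictive policy lines above or below the generic ones deliberately.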
Syntax authenticate * Provided for future extensibility. Example This example requires all requests from hosts on the outside network to authenticate: policy-outside: authenticate * authserver • ftp-gw • policy-policy • pop3-gw • rlogin-gw • tn-gw Specifies the host running the authentication server that the proxies use for authenticating users.
authtype • ck-gw Specifies the host running the authentication server that the circuit proxy uses. The authtype attribute takes precedence over the authserver attribute. Syntax authtype hosts [-authhost host] [-authport port] hosts Specifies the hosts for which the circuit proxy authenticates. Specify individual machines, entire networks, or subnets.
Example This example indicates that the authenticating HTTP proxy passes processing to /usr/local/etc/http-gw: ahttp:backend /usr/local/etc/http-gw badadmin • policy-policy • smapd Specifies the user name to which the smapd server forwards mail that it cannot deliver. Syntax badadmin user user Specifies the name of a user or alias.
Example This example places the undelivered mail in the /var/spool/smap/badmail directory: smapd: baddir /var/spool/smap/badmail badsleep • authsrv Specifies the amount of time the authentication server disallows logins from a user who has attempted (and failed) to log in five times in a row. Syntax badsleep seconds seconds...
• plug-gw • pop3-gw • rlogin-gw • rsh-gw • syb-gw • tn-gw • policy-policy Specifies the maximum number of child processes that each daemon allows to run at a given time. Syntax child-limit processes processes Specifies the maximum number of child processes that each daemon allows to run at a given time.
Syntax circuitexec programs programs Specifies the location and name of the program that the circuit proxy runs once it allows a connection from the client program. Example This example indicates that the circuit proxy is in /usr/local/etc: ck-gw: circuitexec /usr/local/etc/circuit circuitsperuser •...
Syntax circuit-timeout minutes minutes Specifies the number of minutes that there is no client/server activity before disconnecting. Example This example indicates that the client/server activity can be idle for 15 minutes before disconnecting: ck-gw: circuit-timeout 15 client •...
lpcommands Specifies the lp commands that the clients can issue when sending jobs through the proxy. The space between the "{" and "}" and the list entries is required. Valid keywords, which correspond to the first level lp protocol commands, are: restart, print, status_sh, status_ln, remove Indicates that the deny or log command applies to all lp commands.
Example This example indicates that the authentication server uses the authentication database in /usr/local/etc/fw-authdb: authsrv: database /usr/local/etc/fw-authdb denial-msg • ftp-gw • policy-policy • rlogin-gw • tn-gw Specifies the file that the proxy displays when it denies access to a user because they do not have permission to use the proxy.
Specifies the file that the proxy displays when it denies access to a user because they are trying to access a destination they are not permitted to access. Syntax denydest-msg file file Specifies the name of the file the proxy displays when it denies access to a user because they are trying to access a destination that they are not permitted to access.
Syntax [permit |deny]-destination destination-list permit Indicates hosts to which the proxies and applications can send requests. deny Indicates hosts to which the proxies and applications cannot send requests. destination-list Specifies single hosts, entire networks, or subnets. Specify by IP address or hostname.
Specifies the directory that the proxy makes its root directory before providing service. This option is equivalent to the -chroot option in previous versions. Syntax directory directory directory Specifies the directory that the proxy makes its root directory before providing service.
exec • netacl Specifies a program that the proxy invokes to handle the service. This option is equivalent to the -exec option in previous versions. Syntax exec program [ options ] program Specifies the name of the program to invoke. options Specifies the command line options for the program.
Example This example indicates that the proxies check for extended permissions when authenticating users from the outside network: policy-outside: extended-permissions feature • http-gw Allows the proxy to control general features rather than specific portions of the HTTP protocol. Syntax 1 Specifies particular features that are explicitly permitted or denied.
force_source_address • plug-gw Specifies that the plug proxy uses the IP address of the originating host as the source address of the packet when sending the request on to the destination host. Syntax force_source_address true If this option is not specified, the firewall uses its IP address as the source address of the packet, causing all packets to look like they originated on the firewall.
Syntax forward pattern -protocol protocol -tohost host:port pattern Specifies the pattern in the URL for which the HTTP proxy uses this rule. Quotes are not required. protocol Specifies the protocol that the HTTP proxy uses when talking to the remote host. Valid values are: FTP, GOPHER, HTTP host:port Specifies the host and port to which the HTTP proxy forwards requests and the...
• FTP—FTP Requests
• GOPHER—Gopher Requests
• HTTPREQ—HTTP Requests
• PLUS—Gopher+ Commands
• TEXT—Read Files
• UNKNOWN—Unknown Requests
• WAIS—Search Commands
• WRITE—Write Data
Example This example indicates that the FTP proxy does not allow people to retrieve (RETR) files:
ftp-gw: deny-function RETR
This example indicates that the HTTP proxy does not allow people to perform FTP requests through the HTTP proxy:...
• smapd • tn-gw • x-gw Specifies the group ID the proxy uses when running. Syntax groupid group group Specifies the name of the group as either a name or numeric id from the /etc/group file. Example This example indicates that the Info Server runs using the group ID of uucp: info-gw: groupid uucp...
Example This example indicates the HTTP proxy on the firewall inside the network (fw-engineering.engineering.yoyodyne.com) hands all requests to the firewall between the corporate network and the Internet (firewall.yoyodyne.com): http-gw: handoff firewall.yoyodyne.com header • http-gw Specifies HTTP headers that the proxy permits or denies. Denying a header causes the HTTP proxy to remove that information from the request when it sends it to the destination host.
help-msg • ftp-gw • policy-policy • rlogin-gw • tn-gw Specifies the file that the proxy displays when the user accesses the help command. Syntax help-msg file file Specifies the name of the file the proxy displays when the user accesses the help command.
• tn-gw • x-gw Specifies the hosts for which the proxy uses a particular policy, or the hosts that can use the proxy. Specifies the hosts that cannot use the proxy. Syntax permit-hosts hosts -policy policy deny-hosts hosts permit Indicates hosts for which the proxy uses a particular policy, or the hosts that can...
authsrv: permit-hosts 127.0.0.1 • ftp-gw • http-gw • info-gw • lp-gw • policy-policy Specifies that proxies log only the operations listed, rather than all operations (the default). This option is equivalent to the -log command in previous versions. Syntax log operations operations...
Valid values for the HTTP proxy are: • BINARY Read Files • List Directories • EXEC Exec Commands • FTP Requests • GOPHER Gopher Requests • HTTPREQ HTTP Requests Example This example requests that the trusted policy log only retrieve (RETR) and storage (STOR) activities: policy-inside: log RETR STOR...
nobogus authsrv Specifies that the authentication server indicates when a userid does not exist when users attempt to log in and fail. Syntax nobogus true If this option is not specified and a user enters a non-existent user name, the authentication server always responds with a bogus challenge.
service Specifies the name of a service for which this rule applies. Valid values are: ftp-gw—FTP proxy rlogin-gw—Rlogin proxy rsh-gw—Rsh proxy tn-gw—TELNET proxy *—all of these proxies destination Specifies the hosts to which the proxies can or cannot send requests. Specify individual machines, entire networks, or subnets.
Syntax ourname hostname hostname Specifies the name of the host that the HTTP proxy uses when prepending URLs. Specify an individual interface. Use an IP address or host name. Example This example indicates that the HTTP proxy (if needed) prepends firewall.yoyodyne.com (the inside interface of the firewall) to all URLs when attempting to access them: http-gw:...
This example allows users to change their passwords using the TELNET proxy. If this is the only permit-password change rule in the netperm-table file, users can only change their password from the TELNET proxy (not from the Rlogin proxy). tn-gw: permit-password change pop-server...
hosts Specifies hosts from which connections can originate. Specifies single hosts, entire networks, or subnets. Specify by IP address or hostname. The wildcard * is valid. desthost Indicates hosts to which the plug proxy connects. hosts Specifies single hosts, entire networks, or subnets. Specify by IP address or hostname.
printer Indicates the printer queue name. serverqueue Specifies the name of the remote printer queue to which the proxy sends the print jobs. If serverqueue is not specified, the client's queue name is used as the server queue name.
Syntax [permit | deny]-proxy proxy-list permit Indicates proxies that this policy allows to run. deny Indicates proxies that this policy does not allow to run. Including a deny-proxy rule has the same effect as not including those proxies in a permit-proxy rule. proxy-list Specifies the name of the proxy.
sendmail • smapd Specifies an alternate path for sendmail, or another mail delivery program you are using to deliver your mail inside your perimeter. Syntax sendmail program program Specifies an alternate path for the sendmail executable or other program you are using to deliver mail.
-timeout minutes Specifies the number of minutes the client/server connection is idle before disconnecting for this service. -nookay Specifies that the proxy does not prompt the user to confirm before listening on the service port for a connection. Example This example indicates that the circuit proxy provides service for an Oracle server on the host db.clientsite.com:...
• policy-policy • pop3-gw • rap-gw • rlogin-gw • rsh-gw • smap • smapd • tn-gw • x-gw Specifies the amount of time the proxy is idle (with no network activity) before disconnecting. Syntax timeout seconds seconds Specifies the number of seconds the proxy is idle before disconnecting.
Syntax permit-unknown names names Specifies a list of names, separated by spaces. The wildcard * is valid. If the user name is not in the authentication database, or in the list of names, the authentication server logs the attempt and indicates that the user is not valid. If the user name is found in the list of names, the authentication server assigns the user name to the group “unknown.”...
unknown • authsrv Specifies a list of additional names that the authentication server checks (in addition to the authentication database) when checking for extended permissions on a per user basis. If the user name is not in the authentication database, or in the list of names, the authentication server logs the attempt and indicates that the user is not valid.
Example This example indicates that you do not want to see the carriage return / line feed characters in any URLs: http-gw: url-filter %0D%0A userid • ftp-gw • http-gw • info-gw • lp-gw • netacl • plug-gw • policy-policy •...
Example This example indicates that the smap and smapd processes run as the user uucp: smap, smapd: userid uucp user-servers • ck-gw Specifies the servers a particular user can access. Also specifies which services a particular user sees when they use the circuit proxy menu. Syntax user-servers { user user | group group } [-deny] service user user...
Syntax user-timeout minutes minutes Specifies the number of minutes the proxy is active with no client connections before disconnecting. Example This example indicates that the proxy waits 10 minutes without an active client connection before disconnecting: ck-gw: user-timeout 10 wakeup •...
Specifies the file that the proxy displays as a welcome banner upon successful connection to the proxy. Syntax welcome-msg file file Specifies the name of the file the proxy displays as a welcome banner upon successful connection to the proxy. If no file is specified, the proxy generates a default message.
xgateway • policy-policy • rlogin-gw • tn-gw Specifies X11 proxy permissions. Syntax [permit | deny]-xgateway * permit Indicates that the TELNET and Rlogin proxies can accept requests to start the X11 proxy. deny Indicates that the TELNET and Rlogin proxies do not accept requests to start the X11 proxy.
Virtual Private Networks
This appendix explains how you can use your Gauntlet Internet Firewall to exchange encrypted traffic with other Gauntlet Firewalls.
Note: This feature is only available in the United States domestic version of the Gauntlet product.
Packets on the Internet flow through a variety of wires and fibers owned and managed by a variety of organizations.
Understanding Virtual Private Networks
A VPN is considered private because all of the traffic that passes through the firewall to another part of the virtual private network is encrypted. Any program watching the packets flow by would simply see a stream of encrypted data. Without the key used to encrypt the data, snoopers cannot make much use of the information.
Appendix C: Virtual Private Networks Privacy Without Trust (Private Link) A VPN without trust does not expand the concept of trust to include the machines within the remote defense perimeter. In this case, the traffic between the two networks is encrypted, providing the privacy.
How It Works You can create passthrough links for host-to-host, network-to-network, or host-to-network communications. The most common use of a passthrough link specifies a host-to-host link for two firewalls. How It Works The Firewall handles VPNs by examining all outbound traffic and encrypting any traffic between hosts that are marked as encrypted peers.
Routing the Packet
If the VPN between the two networks uses privacy with trust, the routing layer forwards the packet on to the appropriate host on the inside network. If the VPN between the two networks uses just privacy with no trust, the routing layer hands the packet to the appropriate service or proxy.
Getting Ready for SSL Configuration You configure SSL on the Gauntlet firewall using the Netscape administration utility. If you perform this procedure on a host other than the firewall, you can use a Netscape browser to access the firewall after you start the administration utility.
Appendix D: Configuring SSL on the Gauntlet Firewall type on both entries lines unless you have changed the defaults. admin 2. Go to the Netscape Server Selector page. This page lets you choose the Netscape server that you want to configure. If you are configuring the firewall from a remote host, use this URL to access the Netscape...
4. Save your entries in the key pair file in the correct location. Use this full pathname as the keyfile location when you save it: /usr/ns-home/httpd-gauntlet/config/ServerKey.db Supplementary Instructions for Generating a Certificate After you generate the key pair (see “Supplementary Instructions for Generating a Key Pair”...
Help screens for the install certificate procedure: 1. Choose Request Certificate from the sidebar menu on the Encryption page. 2. In the Certificate Name field, enter the fully qualified hostname of the Gauntlet firewall.
Tell Us About This Manual As a user of Silicon Graphics products, you can help us to better understand your needs and to improve the quality of our documentation. Any information that you provide will be useful. Here is a list of suggested topics: •...