Hi Everyone,

Summary: 

        Has anyone managed to get SecurID authentication working through a
NAT'ing firewall?
        How do others on the list secure their extranets?

Detail:

We're investigating an extranet solution. We have our internet servers on a
DMZ and are going to add an extranet server to the DMZ. We already have a
SSL Relay (Apache compiled with mod-ssl, mod-proxy and mod-rewrite) which we
use for our OWA server. We plan to use the SSL-Relay to encrypt our extranet
traffic and I don't expect to have any problems doing this. The platform for
the actual extranet will be IIS 4 on NT 4.

The area that is proving to be a bit difficult is authentication. We don't
want to have the extranet server on our internal network (which we would
have to do if we wanted to authenticate against domain accounts), or have a
huge hole in the firewall between the DMZ and the internal network! (Not an
option.)

We've come up with the following possible solutions:
        1 - Have a generic username and password for access to the extranet
(this would just mean a user account on the Extranet box)
        2 - Assign each extranet user a username and password (multiple
accounts on the extranet box)
        3 - Some sort of proxy / replication of domain account information
to the extranet box
        4 - SecurID authentication

Of these options we've decided that the only one that provides good security
is 4: to issue SecurID tokens to our extranet users and to use the ACE IIS
plugins to authenticate them. We can successfully set everything up on the
internal network, but as soon as we put a firewall in between it all stops
working. We're opening up port 5500 UDP from the DMZ to the internal
network, but there's no joy. We've used a sniffer to check that this (port
5500 UDP) is the only port being used.

I think the problem is our firewall using MAT / NAT. Unfortunately we are
unable to use anything but NAT when coming from the DMZ to the internal
network. It's my guess that the SecurID agent includes its IP address in
the information being sent to the ACE server, and of course the IP address
that the information comes from is actually the firewall's internal
interface.

I'm looking for suggestions on:
        1 - Anything that I can try to get the SecurID authentication
working through a firewall
        2 - How other people on the list secure their extranet (pros/cons of
methods that have been chosen and relevant network design / structure)
        3 - Anything else that may be relevant

Looking forward to the responses,
Alex
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
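The post's working theory (the agent embeds its own address and the ACE server compares it with the datagram's source, which NAT has rewritten to the firewall's inside interface) can be modelled in a few lines. This is an added example, not code from the post or from RSA: the `AGENT-IP=` payload field, the `server_accepts` rule and the tcpdump-style trace lines are all constructed for illustration and are not the real ACE/Agent wire protocol. It also shows the sniffer check the poster did (tallying which UDP ports each host actually talks to).

```python
"""Model of how source NAT breaks an agent/server check that embeds the client address.

Everything below is constructed for illustration: the AGENT-IP= field is a
hypothetical stand-in for whatever the real agent sends, and the acceptance
rule is the hypothesis from the post, not RSA's documented behaviour.
"""
import ipaddress
import re

UDP_PORT = 5500  # the only port the poster's sniffer showed in use

# tcpdump-style lines, constructed: the firewall's inside interface (10.0.0.1)
# is the source the ACE server sees, not the agent's own DMZ address.
SAMPLE_TRACE = """\
12:00:01.000100 IP 10.0.0.1.41000 > 10.10.10.5.5500: UDP, length 128
12:00:01.000900 IP 10.10.10.5.5500 > 10.0.0.1.41000: UDP, length 64
12:00:02.000100 IP 10.0.0.1.41001 > 10.10.10.5.5500: UDP, length 128
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def udp_ports_seen(trace: str) -> dict:
    """Map each source host to the set of destination ports it sent UDP to."""
    seen = {}
    for m in LINE_RE.finditer(trace):
        src, _sport, _dst, dport = m.groups()
        seen.setdefault(src, set()).add(int(dport))
    return seen


def parse_embedded_ip(payload: bytes):
    """Pull the (hypothetical) agent-supplied address out of the datagram body."""
    m = re.search(rb"AGENT-IP=(\d+\.\d+\.\d+\.\d+)", payload)
    return ipaddress.ip_address(m.group(1).decode()) if m else None


def server_accepts(packet_src: str, payload: bytes) -> bool:
    """Hypothetical server rule: embedded address must match the IP header source.

    Through source NAT the header carries the firewall's address, so the two
    differ and the request is refused even though port 5500/udp is open.
    """
    embedded = parse_embedded_ip(payload)
    return embedded is not None and embedded == ipaddress.ip_address(packet_src)


if __name__ == "__main__":
    body = b"AGENT-IP=172.16.5.20 PASSCODE=<token-code>"  # constructed datagram
    print("direct:", server_accepts("172.16.5.20", body))  # agent address preserved
    print("via NAT:", server_accepts("10.0.0.1", body))     # source rewritten by firewall
    print("ports per source:", udp_ports_seen(SAMPLE_TRACE))
```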