In the firewall world, authentication originally was a catchword to describe how outsiders identified themselves (securely) to access selected internal services. While this use is still important, authentication more and more has come to describe how internal users identify themselves to get access to Internet services. All the firewalls have some way of letting users authenticate themselves to create a passage through the firewall. This authentication can occur in-band as part of the protocol, so users see the authentication request when they try to connect to the resource, or out-of-band.
Authentication can also occur out-of-band, in which a program requires users to run a different program or special application to open the firewall before they can use the application they want. Out-of-band authentication can be as simple as pointing a browser to a URL or as complex as having a special client-side shim loaded, with varying levels of security and difficulty. For example, Check Point Software Technologies, Ltd.'s FireWall-1 intercepts outgoing File Transfer Protocol, telnet and HTTP queries and optionally requires authentication to let the connection proceed. However, once the authentication has occurred - IP address-based access is fairly risky, as Check Point is quick to point out.
CyberGuard Corp.'s CyberGuard Firewall and Watchguard Technologies, Inc.'s Watchguard Security System have a more comforting strategy: The client must bring up a connection to the firewall, and access is allowed only as long as the connection remains live.
Other vendors have more restricted authentication options. For example, NetGuard, Inc.'s Guardian requires a special Windows-only client application, as does Elron Software, Inc.'s Elron Firewall, and neither links to external user authentication databases. Microsoft Corp.'s Proxy Server also has a Windows-only client, but this is not required if you only wish to authenticate Web transactions -those can be done with any Web browser.
Proxy Server, of course, integrates with the NT user authentication database, as do the products from Watchguard Technologies, Ukiah Software, Inc., CyberGuard and Check Point. Ukiah also integrates with Novell, Inc.'s Novell Directory Services. Some products also support one-time password schemes, either directly or through a network-based authentication system such as Remote Authentication Dial-In User Service or TACACS+. Check Point, Cisco Systems, Inc., CyberGuard and NetGuard offer one-time passwords.
RELATED LINKS
Interactive firewalls buyer's guide
Find a firewall that meets your needs.
Snyder, a member of the Network World Test Alliance, is a senior partner at Opus One in Tucson, Ariz., where he specializes in networks and communication systems. He can be reached at jms@ opus1.com.
