8e6 Technologies Enterprise Filter Authentication R3000 User Manual


CHAPTER 1: INTRODUCTION / FILTERING ELEMENTS

NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead.

Filter Settings

Categories and service ports use the following settings to specify how filtering will be executed:

block - if a category or a service port is given a block setting, users will be denied access to the item set up as “blocked”

open - if a category or the filter segment detected on the network is given an open (pass) setting, users will be allowed access to the item set up as “opened”

always allowed - if a category is given an always allowed setting, the category is included in the user’s white list and takes precedence over blocked categories

filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port

ignore - if the filter segment detected on the network has a service port set up to be ignored, that service port will be bypassed

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


Filtering Rules

Individual User Profiles - A user in an NT or LDAP domain can have only one individual profile set up per domain.

Filtering Levels Applied:

1. The global (default) filtering profile applies to any user under the following circumstances:

the user does not belong to a master IP group

the user has not been assigned a domain default profile from an NT or LDAP authentication domain

2.If a minimum filtering level is defined, it applies to all master IP groups (and their members) and NT/LDAP groups who have been assigned filtering profiles after authenticating. The minimum filtering level combines with the user’s profile to guarantee that categories blocked in the minimum filtering level are blocked in the user’s profile.

3. For master IP group members:

a. A master IP group filtering profile takes precedence over the global profile.

b. A master IP group time profile takes precedence over the master IP group profile.

4. For IP sub-group members:

a. An IP sub-group filtering profile takes precedence over the master IP group’s time profile.

b. An IP sub-group time profile takes precedence over the IP sub-group profile.

5. For individual IP members:

a. An individual IP member filtering profile takes precedence over the IP sub-group’s time profile.

b. An individual IP member time profile takes precedence over the individual IP member profile.


6. For NT/LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile.

a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator. The user is assigned the profile for the group highest in the Group Priority list.

b. If a user has an individual profile set up, that profile supersedes all other profile levels for that user. The user can have only one individual profile in each domain.

7. An override account profile takes precedence over an authentication profile. This account may override the minimum filtering level if the override account was set up in the master IP group tree and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.

NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.

8. A lock profile takes precedence over all filtering profiles. This profile is set up under Filter Options, by enabling the X Strikes Blocking feature.
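The eight rules above, together with the category and service-port settings from Filter Settings, are easier to check as code than as prose. The following is an added example written for this page; it is not 8e6 software and the R3000 console exposes nothing of this form. The profile names, category names, the keys used for the context dictionary, and the assumption that the minimum filtering level outranks the always-allowed white list (rule 2 says those categories are "guaranteed" blocked, but the page does not state the ordering) are all constructed for illustration.

```python
"""Added example, not 8e6's code: a model of the R3000 profile precedence
rules (1-8 above) and of the category and service-port settings from
'Filter Settings'.  Profile contents, group names and category names are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    blocked: frozenset = field(default_factory=frozenset)
    always_allowed: frozenset = field(default_factory=frozenset)  # the user's white list
    bypass_min_level: bool = False  # only meaningful for an override account (rule 7)
    block_all: bool = False         # a lock profile from X Strikes Blocking (rule 8)


# Constructed sample data
GLOBAL = Profile("global", blocked=frozenset({"games"}))
MIN_LEVEL = frozenset({"adult", "malware"})  # the minimum filtering level (rule 2)

# Precedence inside the IP tree, highest first (rules 3-5): each level's time
# profile beats its filtering profile, and each lower level beats the one above.
IP_TREE_ORDER = ("ip_member_time", "ip_member", "ip_subgroup_time",
                 "ip_subgroup", "ip_group_time", "ip_group")


def select_profile(ctx):
    """Pick the one profile that applies to a user.

    ctx maps the profile kinds a user has to Profile objects.  'auth_groups' is
    the list of NT/LDAP group profiles in Group Priority order (rule 6a)."""
    if ctx.get("lock"):             # rule 8: lock beats everything
        return ctx["lock"]
    if ctx.get("override"):         # rule 7: override beats the authentication profile
        return ctx["override"]
    if ctx.get("auth_individual"):  # rule 6b: individual profile beats group profiles
        return ctx["auth_individual"]
    if ctx.get("auth_groups"):      # rule 6a: highest group in the Group Priority list
        return ctx["auth_groups"][0]
    for kind in IP_TREE_ORDER:      # rules 3-5
        if ctx.get(kind):
            return ctx[kind]
    return GLOBAL                   # rule 1


def min_level_for(profile):
    """Rule 2 scope: the minimum level covers group-derived profiles, not the
    global default (see the NOTE above rule 1), and an override account may be
    allowed to bypass it."""
    if profile is GLOBAL or profile.bypass_min_level:
        return frozenset()
    return MIN_LEVEL


def category_decision(profile, category):
    """Category settings.  Assumption: the minimum level outranks the white
    list, because rule 2 'guarantees' those categories stay blocked."""
    if profile.block_all:
        return "block"
    if category in min_level_for(profile):
        return "block"
    if category in profile.always_allowed:   # white list beats the profile's own blocks
        return "open"
    if category in profile.blocked:
        return "block"
    return "open"


def port_decision(port_setting, profile, category):
    """Service-port settings: block and open decide outright, filter defers to
    the category settings, ignore bypasses filtering for that port."""
    if port_setting == "block":
        return "block"
    if port_setting in ("open", "ignore"):
        return "open"
    if port_setting == "filter":
        return category_decision(profile, category)
    raise ValueError(f"unknown port setting {port_setting!r}")


def demo():
    """Walk a few constructed users through the rules and return the decisions."""
    sales = Profile("sales", blocked=frozenset({"social"}),
                    always_allowed=frozenset({"games"}))
    management = Profile("management")
    override = Profile("override", bypass_min_level=True)
    lock = Profile("lock", block_all=True)
    results = {}
    # LDAP user in two groups; 'sales' is higher in the Group Priority list.
    user = select_profile({"auth_groups": [sales, management]})
    results["profile"] = user.name
    results["games"] = port_decision("filter", user, "games")      # white list wins
    results["adult"] = port_decision("filter", user, "adult")      # minimum level wins
    results["ignored_port"] = port_decision("ignore", user, "adult")
    # Override account allowed to bypass the minimum filtering level.
    results["override_adult"] = port_decision("filter", select_profile({"override": override}), "adult")
    # Lock profile beats even the override account.
    results["locked"] = port_decision("filter", select_profile({"override": override, "lock": lock}), "news")
    # Unauthenticated, no IP group: the global profile applies.
    results["global_games"] = port_decision("filter", select_profile({}), "games")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the two precedence directions that matter operationally: a category the user's own profile white-lists ("games") is opened even though the global profile blocks it, while a category in the minimum filtering level ("adult") stays blocked for every group-derived profile unless an override account is permitted to bypass it, and a lock profile blocks regardless of anything else.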


Fig. 1-4 Sample filtering hierarchy diagram


CHAPTER 1: INTRODUCTION / AUTHENTICATION OPERATIONS

Authentication Operations

R3000 Authentication Protocols

The R3000 supports two types of authentication protocols: Windows NT LAN Manager (NTLM), and Lightweight Directory Access Protocol (LDAP).

NTLM authentication is supported against any of the following servers: Windows NT 4.0, Windows 2000 in mixed mode, and Windows 2003 in mixed mode.

LDAP authentication supports standards-based LDAP directories, such as Microsoft Active Directory, Novell eDirectory, Sun ONE, and OpenLDAP.

R3000 Authentication Tiers

The R3000 authentication architecture for the NTLM and LDAP authentication protocols comprises three tiers. When using NT and/or LDAP authentication with the R3000, one of these three tiers is selected for use on the network, depending on the server(s) used on the network and the preferred authentication method(s) to be employed.

Tier 1: Single sign-on, net use based authentication for NT or Active Directory domains.

Tier 2: Time-based, Web authentication for NT and LDAP authentication methods.

Tier 3: Session-based, Web authentication for NT or LDAP authentication methods.

When using Tier 2 or Tier 3, the 8e6 Authenticator should be enabled to ensure the end user is authenticated when logging into his/her workstation. Or, if using a Novell eDirectory server, the Novell eDirectory Agent can be used instead to authenticate end users.

NOTE: See 8e6 Authenticator and Novell eDirectory Agent for information on setting up these types of authentication on the network.


Tier 1: Single Sign-On Authentication

Net use based authentication process

The following diagram and steps describe the operations of the net use based user authentication process:

Fig. 1-5 Net use based authentication module diagram

1. The user logs on to the network from a Windows workstation (also known as the “client” or “machine”).

2. The authentication server on the network sends the user’s workstation a login script containing a net use command.

3. Executing this net use command causes the Windows workstation to open an “IPC share” (the IPC$ inter-process communication share, used for command exchange rather than file access) on the R3000 filter box, treating it as a shared network device.

NOTE: When the IPC share is created, no drives are mapped in this share.


4. Upon creating the IPC share, the software in the R3000 queries the network authentication server with the user’s login name and the credential the workstation presented over SMB (with NTLM this is a challenge/response value derived from the password; the workstation does not send the cleartext password).

5. Once the user is successfully authenticated, the R3000 matches the user’s login name or group name against its stored list of profile settings. As a result of this process, the user is assigned the appropriate level of filtering.

6. The matched profile is set for the user’s IP address. The IPC connection is completed and maintained with periodic “keep-alives.”

7. When the user logs off, changes IP addresses, loses the network connection, or in any way causes the IPC connection to be altered or deactivated, the R3000 senses this change and returns the IP address to the configured global filtering level.

WARNING: Authentication will fail if a Network Address Translation (NAT) device is set up between the authentication server and end user clients: the R3000 binds a profile to the client IP address it sees (step 6), and a NAT hides the real client addresses. Authentication may also fail if network connections are overloaded, causing a severe delay in the delivery of SMB traffic. This can be a problem in any network, but is most prevalent on WAN links, or on trunk links that are overloaded.

Re-authentication process

1. The user loses his/her user profile after one of the following events occurs:

the server is rebooted, or

the connection from the user’s machine to the server is dropped (as with a faulty network cable)

2. A block page displays for the user.

3. In order to re-access the Internet, the user must re-authenticate by clicking a link in the block page, which generates a login script that re-authenticates the user’s profile.
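An added illustration, not 8e6 code, of the session table implied by steps 6 and 7 and by the re-authentication process above: a profile is bound to the client IP address the R3000 sees, a missing keep-alive returns that address to the global level (the point at which the block page appears), and two users behind one NAT address collide on the same key, which is the reason the WARNING rules NAT out. The addresses, user and profile names, timestamps and the 60-second keep-alive timeout are assumed values; the page gives no timeout.

```python
"""Added example, not 8e6's code: a minimal model of the Tier 1 session table.
The R3000 sets the matched profile for the client IP address (step 6), keeps the
IPC connection alive with keep-alives, and returns the IP to the global level
when the connection drops (step 7).  Addresses, user names, profile names,
timestamps and the keep-alive timeout are constructed."""

GLOBAL = "global"
KEEPALIVE_TIMEOUT = 60  # seconds; assumed, the page gives no value


class SessionTable:
    def __init__(self):
        self.sessions = {}  # client IP -> (user, profile, time of last keep-alive)

    def ipc_connect(self, ip, user, profile, now):
        """Steps 4-6: the user authenticated, so the matched profile is bound to the IP.
        A second login from the same IP silently replaces the first binding."""
        self.sessions[ip] = (user, profile, now)

    def keepalive(self, ip, now):
        """Refresh the binding; a keep-alive for an unknown IP is ignored."""
        if ip in self.sessions:
            user, profile, _ = self.sessions[ip]
            self.sessions[ip] = (user, profile, now)

    def disconnect(self, ip):
        """Step 7 / re-authentication step 1: IPC connection gone, drop the binding."""
        self.sessions.pop(ip, None)

    def expire(self, now):
        """Keep-alives stopped arriving (dropped cable, server reboot): treat as disconnect."""
        for ip, (_, _, seen) in list(self.sessions.items()):
            if now - seen > KEEPALIVE_TIMEOUT:
                del self.sessions[ip]

    def lookup(self, ip, now):
        """Return (user, profile) the filter will apply to traffic from ip at time now."""
        self.expire(now)
        if ip in self.sessions:
            user, profile, _ = self.sessions[ip]
            return user, profile
        return None, GLOBAL


def demo():
    """Run one normal life cycle and one NAT collision; return what the filter sees."""
    table = SessionTable()
    results = {}
    # Normal Tier 1 life cycle for one workstation.
    table.ipc_connect("10.0.0.5", "alice", "staff", now=0)
    table.keepalive("10.0.0.5", now=30)
    results["alive"] = table.lookup("10.0.0.5", now=60)
    # No keep-alive since t=30: the IP falls back to global and a block page follows.
    results["after_timeout"] = table.lookup("10.0.0.5", now=200)
    # Two users behind one NAT address: the table cannot tell them apart.
    table.ipc_connect("203.0.113.7", "alice", "staff", now=0)
    table.ipc_connect("203.0.113.7", "bob", "guest", now=5)
    results["behind_nat"] = table.lookup("203.0.113.7", now=10)
    # Explicit logoff.
    table.disconnect("203.0.113.7")
    results["after_logoff"] = table.lookup("203.0.113.7", now=11)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `behind_nat` result is the security-relevant one: once two clients share an address, the last IPC session to arrive decides the filtering level for both, so alice is filtered with bob's profile. The model keeps the page's behaviour of falling back to the global level rather than to an error, but either way per-user policy is lost behind the NAT.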


Authentication methods

Tier 1 supports two server authentication methods: Server Message Block (SMB) and LDAP.

SMB protocol

SMB is a client/server protocol in which the client sends a request to the server and receives an authentication response from the server before it can access resources on the network.

SMB was the default file and print sharing protocol for Windows NT 4.0 and earlier, and it remains supported by Windows 2000 and later versions.

SMB Signing

SMB Signing is a Windows security feature that adds a cryptographic signature to each SMB packet so that an active session between a client and server cannot be tampered with or relayed by an attacker on the network path. It protects integrity, not confidentiality: a signed session can still be observed, but not modified or hijacked. While Microsoft has made this feature available since Windows NT 4.0, requiring it was not a default setting. In Windows Server 2003, however, domain controllers require SMB Signing by default.

Since SMB Signing is not currently supported by the R3000, 8e6 recommends disabling the requirement for this feature. This does not disable SMB Signing for machines that support it, but allows devices that do not support SMB Signing to connect. To disable the default setting that requires SMB Signing for all connections, follow the instructions in Appendix D: Disable SMB Signing Requirements. Be aware of what this trades away: once the server no longer requires signing, any client, not only the R3000, can negotiate an unsigned session with it, and those sessions lose their protection against SMB relay and man-in-the-middle attacks. Change the setting only on the server(s) the R3000 authenticates against, and record the exception.

Alternately, if you have an available Windows 2000 Server (or an earlier Windows NT 4.0 Server) and are willing to establish the necessary trust relationships with the Windows 2003 Server, this earlier Windows server can be used as the primary authentication server for the R3000 instead of the Windows 2003 Server.


NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix D: Disable SMB Signing Requirements.

LDAP protocol

LDAP is a directory service protocol that stores entries, each identified by a Distinguished Name (DN), in a hierarchical tree structure. The LDAP directory service is based on a client/server model to give the client access to resources on the network.

When a client connects to a server and sends it a query, the server responds with an answer and/or with a referral, a pointer to the server that stores the requested information (typically another LDAP server). No matter which LDAP server the client accesses, the same view of the directory is “seen.”

The LDAP specification defines the communication protocol and, to a lesser degree, the structure, or schema, of the directory. The LDAP standards define a base set of attribute types and object classes, registered with the Internet Assigned Numbers Authority (IANA), that all LDAP directories should contain. Novell and Microsoft both have additional schema definitions that extend the default setups.

Most server operating systems now support some implementation of LDAP authentication. The Microsoft Active Directory LDAP-based model became available with the release of Windows 2000.
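As an added example of the hierarchical structure described above (written for this page; not from 8e6 or the manual), the following splits a Distinguished Name into its relative DNs while honouring the RFC 4514 backslash escape, walks from an entry up to the directory root, and tests whether an entry sits beneath a base DN. Naive splitting on commas breaks on values such as "Smith, John", which is why the escape handling matters. The DNs are constructed sample values; the normalization folds case and trims whitespace, which is sufficient here but is not a full RFC 4514 canonicalization.

```python
"""Added example, not 8e6's code: the hierarchical structure behind an LDAP
Distinguished Name.  All DNs are constructed sample values."""


def split_dn(dn):
    """Split a DN string into RDN strings, leftmost (the entry itself) first.
    A comma preceded by a backslash is part of the value, not a separator."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize(dn):
    """Comparison form: attribute types are case-insensitive and whitespace
    around separators is insignificant.  Values are only case-folded, which is
    enough for this demonstration but not a full RFC 4514 canonicalization."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def ancestors(dn):
    """Parent DNs from the immediate parent up to the root (rightmost RDN)."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def is_under(dn, base):
    """True if dn is a descendant of base (not equal to it)."""
    return normalize(base) in {normalize(a) for a in ancestors(dn)}


def demo():
    """A user entry whose CN contains an escaped comma, placed under OU=Sales."""
    user = "CN=Smith\\, John,OU=Sales,DC=example,DC=com"
    return {
        "rdns": split_dn(user),
        "parents": ancestors(user),
        "in_sales": is_under(user, "ou=sales, dc=example, dc=com"),
        "in_hr": is_under(user, "ou=HR,dc=example,dc=com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `parents` list is the tree path the text describes: the rightmost RDN (DC=com) is the top of the hierarchy and each element to its left is one level deeper, so a search base of "ou=sales,dc=example,dc=com" covers the user entry while "ou=HR,..." does not.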
