What is Firewall Authentication?

Before we go further about the firewall authentication, lets have a quick recap about what is firewall and how it works.

A firewall is a network security device which helps the organisation to monitor incoming and outgoing network traffic and it also allows or disallows data packets according to a set of security rules. The main goal for a firewall is to create a barrier between our internal network and incoming traffic from other sources (such as the internet) so that malicious traffic like viruses and hackers can't get in.

How does a firewall work?

To prevent attacks, firewalls carefully evaluate incoming traffic using pre-defined rules and filter traffic from unsecured or suspect sources. Firewalls protect traffic at a computer's ports, which are the points where data is shared with external devices. "Source address 172.18.1.1 is allowed to communicate with destination 172.18.2.1 through port 22," in the case of allowed permission.

For example the one who owns the networks has each and every right to use any of the devices attached to it or any of the port for the transfer of data , but someone from outside the network is not allowed to do so until and unless it is permitted by the organisation or network owner.

What is Firewall Authentication?

Various authentication techniques can be supported by a firewall. In its most basic form, authentication means that a user is claiming to be who they say they are and is granted access to the resources for which they are authenticating.

This is similar to how we prove our identity when we connect into our Microsoft Windows computer and tell Windows who we are by entering our username and then our password. Finally, Windows restricts our access to only those resources to which we have permission.

Various functionalities can employ firewall authentication. SSL VPN and web filtering are two of the most prevalent applications.

The following are some of the most frequent authentication methods supported by most firewalls:

Database authentication is built-in.

A firewall with a built-in authentication database has a built-in authentication database. Multiple users and passwords are frequently set up in the database.

The use of built-in database authentication is simple to set up and very effective, but it is not scalable. And the database must be updated on frequent basis in order to keep the record of the users and there authentication.

Certificate authentication

For firewall authentication, most firewalls allow us to utilize either a public signed certificate or a self-signed certificate. There are certain public identifiable certificate to authenticate the anonymous users. If the firewall is open for all to use, then it must be configured accordingly.

A publicly recognized certificate is one that is issued by a company like VeriSign, GoDaddy, or Thawte and is recognized by popular browsers like Internet Explorer and Mozilla Firefox, making it instantly trustworthy.

The firewall provider can freely issue a self-signed certificate, and because we have control over the clients, we can install the certificate on their browsers.

Using Active Directory group policy or something similar, we can deliver certificates to a large number of client systems at once.

SSL VPN users are a common use case here. Because SSL VPN is a safe browser-based tool, we can utilize self-signed certificates to avoid the error message "This website's security certificate was not issued by a trustworthy certificate authority."

LDAP authentication

We can query and authenticate against our directory server using the Lightweight Directory Access Protocol (LDAP). Active Directory is the most common example, however any directory service that supports LDAP, such as Novell Directory Open LDAP, and others, can also be used.

A more scalable method is to keep the record in the directory up to date. Because if the local firewall is querying the directory server, we don't need to update it. But if the query is made through any other server, then directory must be updated for it to perform the query.

Two Factor Authentications

Two-factor authentication means that we must authenticate with two separate factors before being granted access. It usually takes the form of a combination of something we know (password) and something we have (key) (software or hardware token). It could possibly be something we're interested in (finger print).

Configuring our firewall to require authentication using both a hardware token and our personal password is a standard way. We will not be permitted access unless we have a combination of the two.

This provides significantly more security than simply using a single password. And even after all the security if our password is stolen and used by someone else or lost and we are afraid that the person who has stolen the password can hard the organisation using the network. Then in this case one can use two-factor authentication and there are some famous manufacturers, such as RSA, CryptoCard, and others, which can be easily integrated with most firewalls in order to provide full security.

Single sign on

A single sign on method ensures that a user is transparently authenticated to a firewall or a network even without having to actively log in.

A firewall agent queries Active Directory for information and transmits it to the firewall when a user logs into the network.

As a result, when a user challenges a policy that requires authentication, the firewall recognizes that the person is already logged in to the network.

Because of which the user is automatically authorized even without asking for the login password.

Administrators can limit and allow firewall users access to protected resources (various zones) behind a firewall depending on their originating IP address and other credentials using Junos OS.

We can build a policy that requires users to authenticate themselves using one of two most common authentication techniques after we define firewall users:

Pass-through authentication

This type of authentication occurs when a host or user from one zone attempts to access resources in a different zone. In order to access the IP address of the protected resource and be authorized by the firewall, we must use an HTTP client, FTP client, a Telnet client or an HTTPS client.

The device collects username and password information via FTP, Telnet, HTTP, or HTTPS, and future traffic from the user or host is allowed or refused based on the result of this authentication. If the authentication is not successful, following communications from the user is always terminated when the device is utilizing an HTTPS server and it will only pass through after the authentication is completed.

Web-redirect authentication with pass-through

For HTTP or HTTPS client requests, we use this authentication mechanism. We can use the web-redirect functionality to direct user queries to the device's internal webserver when we setup firewall authentication to use pass-through authentication for HTTP and HTTPs client requests.

The redirect response is provided to the same interface that the client's request is received on.

NOTE: We advocate using web-redirect rather than direct pass-through authentication on security rules that we setup for HTTP pass-through authentication for security reasons.

This feature enables for a more personalized user login experience. In this feature the users are directly redirected to the login page where he will fill his credentials and login simply, instead of popup prompt asking for the login credentials. When we enable web-redirect, it's as though the user input the web authentication IP address into a client browser.

So, this is the mechanism behind the logic that how web-redirect delivers a seamless authentication experience. Where the user only has to know the IP address of the resource they want to access. And even there is no need for the user to know the IP address of the web authentication provider.