| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Session Authentication is Insecure

Communication between the firewall and the Session Authentication Agent is cleartext by default. The same thing goes for User Auth for Telnet, FTP, HTTP, and rlogin, and for Session Auth: the password is not encrypted. If you are concerned about passwords being sniffed over the wire, use a one-time password scheme like S/Key or SecurID. This way, even if the password is captured over the wire, it will not be useful.

FireWall-1 4.1 SP1 and later support using Session Authentication over SSL. This requires the use of the Session Authentication Client version 4.1 or later.

In FireWall-1 NG FP1 and above, you can require Session Authentication to be encrypted with SSL by checking the "Accept only if connection is encrypted" option in the Session Authentication Action Properties for the rule.

In FireWall-1 4.1, it requires a change to $FWDIR/conf/objects.C. In the :props ( section, add or modify the line to read:

    :snauth_protocol ("ssl")

The snauth_protocol can be set to one of the following:

- none: No encryption is performed.
- ssl: Only SSL encryption is supported (i.e., unencrypted Session Authentication is not supported).
- none+ssl: Both SSL and non-SSL versions are supported.

For hints on editing objects.C, see EditingObjectsDotC.

-- PhoneBoy - 30 Dec 2003

FAQ class: AuthenticationFAQs
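An added example (not from the FAQ and not Check Point code): a Python check that reads snauth_protocol from the :props section of an objects.C file and reports whether cleartext Session Authentication is still accepted. The sample text, the decoy section name, and the nested-parenthesis layout are assumptions built from the fragment quoted above.

```python
import re

# Meaning of each snauth_protocol value, as listed in the FAQ above.
VERDICTS = {
    "none": "cleartext only",
    "ssl": "SSL only",
    "none+ssl": "SSL and cleartext both accepted",
}

# Constructed sample, not a real objects.C. The second setting is a decoy
# outside :props to show why the lookup is scoped to that section.
SAMPLE = '''(
    :props (
        :example_other_prop (true)
        :snauth_protocol ("none+ssl")
    )
    :example_other_section (
        :snauth_protocol ("ssl")
    )
)'''

def props_section(text):
    """Return the body of ':props (' by matching nested parentheses."""
    start = re.search(r":props\s*\(", text)
    if not start:
        return None
    depth, i, in_quote = 1, start.end(), False
    while i < len(text) and depth:
        ch = text[i]
        if ch == '"':
            in_quote = not in_quote          # ignore parens inside strings
        elif not in_quote:
            depth += (ch == "(") - (ch == ")")
        i += 1
    return text[start.end():i - 1] if depth == 0 else None

def audit_snauth(text):
    """Return (value, verdict, cleartext_allowed) for objects.C text."""
    section = props_section(text)
    if section is None:
        return (None, "no complete :props section found", True)
    m = re.search(r':snauth_protocol\s*\(\s*"?([^")\s]*)"?\s*\)', section)
    if not m:
        # The FAQ states the exchange is cleartext by default.
        return (None, "not set (cleartext by default)", True)
    value = m.group(1).lower()
    return (value, VERDICTS.get(value, "unrecognised value"), value != "ssl")

if __name__ == "__main__":
    print(audit_snauth(SAMPLE))
```

Only the value ssl clears the cleartext flag; none+ssl still lets an older or misconfigured agent send the password unencrypted.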