Introduction

There are many reasons that your organization may decide to implement user authentication at your firewall. Perhaps you want to allow different departments access to various resources on your DMZ, or maybe you are using DHCP inside your network, and IP addresses are changing every week when their leases expire. If you want to keep track of who is going to what Internet web sites for whatever reason, then you could authenticate your users at the firewall, so that it can accurately log the user's login identity. Then you don't have to rely on IP addresses to determine who is going where.

VPN-1/FireWall-1 Next Generation provides you with several different authentication schemes and user authentication methods, and you should be able to choose one of them to suit your organization's needs. We will describe the various options you have, and provide some examples of how you might implement them into your current security policy structure.

Some of the options you have to authenticate your users are S/Key, SecurID, RADIUS, AXENT Pathways Defender, TACACS, OS password, and VPN-1/FireWall-1 authentication. You can choose to authenticate your users by one of these methods, and then you can pick from several authentication options in the policy, which we will cover in this chapter.

FireWall-1 Authentication Schemes

Authentication is a cornerstone of any firewall. Without authentication, we would not be able to distinguish authorized users from unauthorized users, and all other security policies would be of no use. FireWall-1 gives you the option...