September 7, 2010

HTS Doha Qatar: SonicWALL User Level Authentication Methods

SonicWALL UTM appliances provide a mechanism for user-level authentication that gives users access to the company's internal network resources from remote locations on the Internet, and that can enforce or bypass content filtering policies and the inclusion/exclusion lists of the security services (IPS, GAV, Anti-Spyware and Application Firewall) on a per-user or per-group basis. You can also permit only authenticated users to access VPN tunnels and send data across the encrypted connection. The SonicWALL authenticates users as soon as they attempt to access network resources in a different zone (such as WAN, VPN or WLAN), because that traffic has to pass through the SonicWALL. Users who log in to a computer on the LAN but perform only local tasks are not authenticated by the SonicWALL, since their traffic never reaches the appliance.
User-level authentication can be performed using one of the methods listed below:

  • A local user database
  • RADIUS, LDAP, or a combination of the local database with either LDAP or RADIUS
  • Single Sign-On (SSO) in conjunction with LDAP

The section below describes the Single Sign-On User level authentication method:

What is Single Sign-On?

Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. SonicWALL security appliances provide SSO functionality using the SonicWALL Single Sign-On Agent (SSO Agent), which identifies user activity based on the workstation IP address using a protocol compatible with SonicWALL ADConnector and NDConnector, and which automatically determines when a user has logged out so that the address is no longer treated as authenticated. Based on the data from the SSO Agent, the SonicWALL security appliance queries LDAP or the local database to determine group membership. Memberships can be checked by firewall access rules to control who is given access, can be used to select policies for Content Filtering and Application Firewall, and can drive user/group inclusion and exclusion lists for Intrusion Prevention and Anti-Spyware signatures and categories. User names learned via SSO are reported in traffic and event logs, so log entries are attributed to a user rather than only to an IP address.

There are six steps involved in SonicWALL SSO authentication, as illustrated in the figure below:


Benefits of SSO

SonicWALL SSO is a reliable and time-saving feature that uses a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. It is transparent to end users and requires minimal administrator configuration, because it automatically determines when users have logged in or out based on traffic from the workstation IP address. For Windows hosts in a non-eDirectory environment, SonicWALL relies on Windows APIs, and the agent must poll the workstation to determine that a user has logged off. SonicWALL SSO is secure and hands-free. SSO authentication is designed to operate with an agent that can return the identity of the user at a specific IP address using a SonicWALL ADConnector-compatible protocol. SonicWALL SSO works for any service on the SonicWALL security appliances that uses user-level authentication, including Content Filtering Service (CFS), Firewall Access Rules, group membership and inheritance, and security services (IPS, Anti-Spyware and Application Firewall) inclusion/exclusion lists.
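The two lookups described above (ask the workstation at a given IP which user is logged on, then resolve that user's directory group membership) can be reproduced by hand when troubleshooting why a particular IP address is not being mapped to a user. The PowerShell script below is an added example written for this page; it is not SonicWALL's SSO Agent code and does not speak the ADConnector protocol. It assumes a domain-joined Windows machine, WMI reachable on the target (TCP 135 plus the dynamic RPC ports), and an account with local administrator rights on the workstation being queried, which is the same privilege the agent's service account needs. The script name, function names and parameter names are hypothetical.

```powershell
# Resolve-SsoIdentity.ps1 -- added troubleshooting example, not SonicWALL agent code.
# Step 1: Windows networking (WMI) request to the workstation at an IP for the
#         interactively logged-on user, as the IP-based SSO Agent is described to do.
# Step 2: LDAP (ADSI) lookup of that user's group membership, as the appliance does.
# Assumptions: domain-joined host, WMI/RPC reachable, local admin rights on the target.

param(
    [Parameter(Mandatory)][string]$IPAddress
)

function Get-LoggedOnUserByIP {
    param([string]$IP)
    # Win32_ComputerSystem.UserName holds the console user as DOMAIN\user,
    # or is empty when nobody is logged on interactively.
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $IP -ErrorAction Stop
        return [pscustomobject]@{ Host = $cs.Name; User = $cs.UserName }
    } catch {
        # Macs, Linux hosts without Samba, or Windows hosts with RPC filtered end up
        # here: the agent cannot identify the user and the firewall has to fall back
        # to manual (web) authentication for that address.
        Write-Warning "No Windows WMI response from ${IP}: $($_.Exception.Message)"
        return $null
    }
}

function Get-ADGroupsForUser {
    param([string]$DomainUser)          # DOMAIN\sam as returned by WMI
    $sam = $DomainUser.Split('\')[-1]
    # Search the current domain's default naming context via the ADSI searcher.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('memberOf', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    # memberOf lists direct membership only; nested groups need tokenGroups instead.
    return $result.Properties['memberof'] |
        ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' }
}

$id = Get-LoggedOnUserByIP -IP $IPAddress
if ($null -eq $id -or [string]::IsNullOrEmpty($id.User)) {
    Write-Output "$IPAddress -> no identified user (SSO would treat this address as unauthenticated)"
    return
}
$groups = Get-ADGroupsForUser -DomainUser $id.User
Write-Output ("{0} ({1}) -> {2}" -f $IPAddress, $id.Host, $id.User)
Write-Output ("Groups: {0}" -f ($groups -join ', '))
```

Run it as `.\Resolve-SsoIdentity.ps1 -IPAddress 10.0.0.25` (hypothetical address). Hosts that do not answer the WMI request fall into the catch branch, which is exactly the population the page says must use manual firewall authentication. The script is one-shot: an agent has to repeat the query periodically (the polling mentioned above) to notice that a user has logged off, and because `memberOf` returns direct membership only, group inheritance through nested groups would require reading `tokenGroups` instead.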

Other benefits of SonicWALL SSO include:

  • Ease of use — Users only need to sign in once to gain automatic access to multiple resources.
  • Improved user experience — Windows domain credentials can be used to authenticate a user for any traffic type.
  • Transparency to users — Users are not required to re-enter user name and password for authentication.
  • Secure communication — Traffic between the appliance and the SSO Agent is protected with shared-key encryption.
  • Flexible agent placement — The SonicWALL SSO Agent can be installed on any Windows server on the trusted network. Avoid installing agents on LDAP/AD servers because of resource limitations and scalability requirements.
  • Multiple SSO Agents — Up to 8 agents are supported to provide capacity for large installations.
  • Protocol independence — The login mechanism works with any protocol, not just HTTP.

Single Sign-On support for various clients:

Novell support: The SonicWALL NDConnector SSO Agent is compatible with Novell eDirectory versions up to 8.7 only and is not compatible with the current eDirectory 8.8.

Linux support: Linux clients can be set up to use Single Sign-On authentication using Samba version 3.5 or higher.

Mac clients: Mac clients do not support the Windows networking requests used by the SonicWALL SSO Agent, and hence do not work with SonicWALL SSO. Mac users can still get access, but must log in using manual firewall authentication; they are redirected to the login prompt if policy rules are set to require authentication.

Terminal Services: The SonicWALL Terminal Services Agent (TSA) is supported on SonicOS Enhanced version 5.6.0 and higher running on SonicWALL NSA Series and TZ 210 Series appliances. Because every user on a terminal server shares the server's IP address, the IP-based SSO Agent cannot tell them apart; the TSA must therefore be installed on every terminal server in the domain.

SonicWALL recommends using the latest versions of Directory Services Connector (version 3.2.2) and Terminal Services Agent (version 3.0.28).
