ScreenOS Firewalls (NOT SRX)
Visitor
simonzabala
Posts: 6
Registered: 12-07-2009

Best practices for Internet (Untrust) access control

Greetings everyone,

I would like some guidance and advice regarding best practices for controlling access to the Internet. I have a Windows domain environment (trust), an SSG-140-SH as a border firewall, and two different ISP Internet connections connected to the firewall as Untrust.

Right now I am controlling access via IP addresses, so I configure a policy that allows a certain group of addresses to initiate connections trust/untrust. But I find it hard to maintain when you have more than 300 users (IPs) to control.

Is there a way to control access by username/password and MAC address?

Well, I hope you guys can help me out!

Best regards,

SimonZAbala

Super Contributor
arizvi
Posts: 287
Registered: 10-21-2008

Re: Best practices for Internet (Untrust) access control

Hi,

You can only control through IP addresses. For better management, please use address objects, address groups and service groups.

Thanks

Atif

Contributor
link2ali
Posts: 104
Registered: 06-19-2009

Re: Best practices for Internet (Untrust) access control

Yes, you can authenticate based on username and password. This can be enabled through an option called Web or Firewall authentication.

Users can be locally created on the firewall and grouped as per your need. Enable web authentication on the trust interface and specify an IP address. Create an allow access policy and enable authentication on that policy, along with specifying the users or groups whom you wish to allow access to services.

I guess you can also integrate LDAP for authentication. Not too sure though.

Hope this helps.
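
The steps above, written out as a ScreenOS CLI fragment. This is an added illustration, not configuration from the original post or from Juniper's documentation; the interface name (ethernet0/0 as Trust on 10.1.1.0/24), the WebAuth address, the user, group and policy names, the policy id and the password are all placeholders, and the `#` lines are explanatory comments rather than CLI input.

```text
# Added example (not from the thread). Assumed: ethernet0/0 is the Trust
# interface on 10.1.1.0/24; all names and addresses are placeholders.

# 1. Local auth users, collected in a group so the policy references one
#    group instead of 300 host addresses.
set user "jdoe" password "REPLACE-ME"
set user "jdoe" type auth
set user-group "InternetUsers" user "jdoe"

# 2. WebAuth on the Trust interface, plus the address users browse to in
#    order to log in (must sit on the interface's subnet, distinct from
#    the interface IP).
set interface ethernet0/0 webauth
set interface ethernet0/0 webauth-ip 10.1.1.254

# 3. Limit the outbound policy to a service group (as arizvi suggested)
#    and require WebAuth membership in the group; logging makes each
#    session attributable to a user rather than only to an IP address.
set group service "WebServices" add HTTP
set group service "WebServices" add HTTPS
set group service "WebServices" add DNS
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "WebServices" permit webauth user-group "InternetUsers" log

# 4. Check the result: group membership, the policy, and who is
#    currently authenticated.
get user-group "InternetUsers"
get policy id 10
get auth table
```

Users who have not authenticated through the WebAuth page will not match policy 10, so no other trust-to-untrust permit policy should precede it for the same services.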
Visitor
simonzabala
Posts: 6
Registered: 12-07-2009

Re: Best practices for Internet (Untrust) access control

Greetings, and thanks to all of you for your feedback on this thread.

link2ali: is there a way of controlling access based on MAC address plus username & password?

I mean, that only allowed MACs can get web-authenticated.

I hope you guys can give me feedback on that.

Best regards,

Simonzabala

Super Contributor
mehdi
Posts: 240
Registered: 08-19-2008

Re: Best practices for Internet (Untrust) access control

Hi

In my opinion (I manage and control Internet access for 4000 users), the best practice is to put proxy servers between the users and the firewall. You have a Windows domain, right? You can do that :). But your users' Internet browsers should be set accordingly; your admin can create a policy rule in AD for setting your IE explorer.

After that, on your proxy you can create a rule to allow only one group, "Internet access Group", in which you put only the users who are allowed Internet access.

On your firewall you allow DNS, HTTPS, HTTP, etc., only from trust to untrust, with NAT egress from the proxy server to the Internet, and after that you can allow some protocols like MSN, Yahoo, etc.

You change your trust interface to Route mode and you control NAT by policy; it's better.

I hope this helps you.

**If this reply solved your problem click on Kudos **
Kind Regards
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Visitor
simonzabala
Posts: 6
Registered: 12-07-2009

Re: Best practices for Internet (Untrust) access control

Hi mehdi, sorry for following up on this thread so late, and thanks for your professional post.

I think my situation best fits your comment because I have an AD server. I don't have a proxy already set up, but that should not be a problem.

Would you mind helping more on this? Is there a way we can share more about this matter?

Thanks anyway.

Best Regards, SZ

Visitor
simonzabala
Posts: 6
Registered: 12-07-2009

Re: Best practices for Internet (Untrust) access control

By the way, thank you all for your valuable tips and advice.

Success!

SZ

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.