2. Authentication and Zorp

Zorp Authentication Agent (Satyr) is an authentication client, capable of cooperating with the Zorp firewall and the Zorp Authentication Server (ZAS) to identify the users initiating network connections. The authentication process and the related communication between the components are summarized below. See Chapter 18, Connection authentication and authorization of the Zorp Administrator's Guide for details on this topic.

Authentication aims to determine the identity of the user. During the authentication process the user initiating the connection demonstrates knowledge or possession of a secret (e.g.: a password) to the other party, which uses it to verify the user's identity.

Several procedures (so called authentication methods) exist for verifying the identity of the user:

  1. The user knows a secret, e.g.: a password, PIN code, the response to a challenge, etc.

  2. The user owns a device, e.g.: a hardware key, chipcard, SecurID token, etc.

Naturally, the above methods can be combined (one factor from each category) to implement strong two-factor authentication in sensitive environments.

2.1. Authentication on the network

The aim of network authentication is to authenticate the connections initiated by the users in order to ensure that only the proper users can access the services. Basically there are two types of authentication:

  1. Inband: Authentication is performed by the application level protocol - the data traffic required for the authentication is part of the protocol. Inband authentication is used for example in the HTTP, FTP, or SSH protocols. Each protocol supports its own set of authentication methods, which are described in the specification of that protocol.

  2. Outband: Authentication is performed in a separate data channel completely independent from the protocol of the accessed service. Outband authentication is realized by the combination of the Zorp Authentication Agent (Satyr), ZAS, and Zorp. The advantage of outband authentication is that it can be used to authenticate any protocol, regardless of the authentication methods supported by the original protocol. That way strong authentication methods (e.g.: chipcards) can be used to authenticate protocols supporting only the weak username/password method (e.g.: HTTP).

2.2. Outband authentication with Zorp

Zorp implements outband authentication according to the following figure:

Outband authentication with Zorp

Figure 5. Outband authentication with Zorp

The procedure is as follows:

  1. The client initiates a connection towards the server.

  2. Zorp determines the service to be accessed based on the IP addresses of the client and the server. If authentication is required for the connection (an authentication policy is assigned to the service), Zorp initiates a connection towards the client using the Satyr protocol.

  3. The authentication agent displays its dialog on the client machine; what the dialog asks for depends on the authentication methods available (e.g.: a username prompt for password based authentication). The user enters his/her username, which the authentication agent forwards to Zorp.

  4. The Zorp firewall connects to ZAS (the Zorp Authentication Server) and retrieves the list of authentication methods enabled for the particular user. Multiple authentication methods can be enabled for a single user (e.g.: x509, kerberos, password, etc.). The authorization of the user is also performed in this step, e.g.: the verification of the user's LDAP group membership. Note that this check precedes the verification of the credential in step 7.

  5. Zorp returns the list of available methods to the client. The user selects a method and provides the information (e.g.: the password) required for the method.

  6. The authentication agent sends the data (e.g.: the password) to Zorp, which forwards it to ZAS.

  7. ZAS performs the authentication and notifies Zorp of the result (success/failure).

  8. Zorp returns the result to the client and - if the authentication was successful - builds the connection towards the server. If the authentication failed, Zorp terminates the connection to the client instead.
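The eight steps above, as an added example that is not part of this manual and not code from Zorp, ZAS or Satyr: a Python model in which a Firewall object stands in for Zorp, an AuthServer for ZAS and a scripted Agent for Satyr. The class names, the message tuples written to the log, the service table (a server IP mapped to a service name and a required group) and the user records are all assumptions made for illustration; the real Satyr wire protocol and the Zorp policy syntax are not shown. Python is used because Zorp policies themselves are written in Python.

```python
"""Model of the outband authentication exchange in steps 1-8 above.

Constructed example: the message names, service table, ZAS user database and
class names are assumptions made for illustration; they are not the real Satyr
wire protocol or the Zorp/ZAS configuration syntax."""
import hashlib
import hmac
import secrets

def _pwhash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password, methods, groups):
    """ZAS record: salted password hash, enabled methods, group membership."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pwhash(password, salt),
            "methods": list(methods), "groups": set(groups)}

class AuthServer:
    """Stands in for ZAS."""
    def __init__(self, users):
        self.users = users

    def methods_for(self, user):                  # step 4
        u = self.users.get(user)
        return list(u["methods"]) if u else []

    def is_member(self, user, group):             # step 4: authorization
        u = self.users.get(user)
        return bool(u and group in u["groups"])

    def verify(self, user, method, credential):   # step 7
        u = self.users.get(user)
        if u is None or method not in u["methods"] or method != "password":
            return False                           # only password is modelled
        return hmac.compare_digest(_pwhash(credential, u["salt"]), u["hash"])

class Agent:
    """Stands in for Satyr on the client machine, scripted instead of a dialog."""
    def __init__(self, username, credentials):
        self.username = username
        self.credentials = credentials             # method -> secret the user has

    def prompt_username(self):                     # step 3
        return self.username

    def choose_method(self, methods):              # step 5
        for m in methods:
            if m in self.credentials:
                return m, self.credentials[m]
        return None, None

class Firewall:
    """Stands in for Zorp: service policy, Satyr dialog, ZAS queries."""
    def __init__(self, zas, services):
        self.zas = zas
        self.services = services   # server_ip -> {"name", "auth_group" (or None)}

    def handle_connection(self, client_ip, server_ip, agent):
        log = [("client->zorp", "connect", client_ip, server_ip)]      # step 1
        svc = self.services.get(server_ip)                            # step 2
        if svc is None:
            return "REJECT", log
        if svc["auth_group"] is None:      # no authentication policy: pass through
            log.append(("zorp->server", "connect", svc["name"]))
            return "ACCEPT", log
        log.append(("zorp->agent", "satyr-hello"))
        user = agent.prompt_username()
        log.append(("agent->zorp", "username", user))                 # step 3
        methods = self.zas.methods_for(user)                          # step 4
        if not methods or not self.zas.is_member(user, svc["auth_group"]):
            log.append(("zorp->agent", "result", "failure"))
            return "REJECT", log
        log.append(("zorp->agent", "methods", methods))               # step 5
        method, cred = agent.choose_method(methods)
        if method is None:
            log.append(("zorp->agent", "result", "failure"))
            return "REJECT", log
        log.append(("agent->zorp", "credential", method))  # step 6; secret not logged
        verdict = "success" if self.zas.verify(user, method, cred) else "failure"
        log.append(("zas->zorp", "result", verdict))                  # step 7
        log.append(("zorp->agent", "result", verdict))                # step 8
        if verdict == "success":
            log.append(("zorp->server", "connect", svc["name"]))
            return "ACCEPT", log
        return "REJECT", log                     # client side is torn down

def build_demo():
    """Constructed sample deployment: two users, two services."""
    zas = AuthServer({
        "alice": make_user("correct horse", ["password", "x509"], ["web-users"]),
        "bob": make_user("hunter2", ["password"], ["staff"]),
    })
    return Firewall(zas, {
        "10.0.0.80": {"name": "intra_http", "auth_group": "web-users"},
        "10.0.0.25": {"name": "smtp_relay", "auth_group": None},
    })
```

Calling build_demo() and then handle_connection("192.0.2.10", "10.0.0.80", Agent("alice", {"password": "correct horse"})) returns the verdict together with the message log for the whole exchange. Two properties of the procedure show up directly in the model: the group check of step 4 happens before any credential is verified, so a user outside the required group never receives a method list, and the credential itself never enters Zorp's log, only the name of the method it was supplied for.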


© 2006 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com