Authentication positively identifies users and defines "user" and "user group" policies. WatchGuard® Firebox® X Core™ models (X2500, X1000, X700, and X500) and Firebox® III models (4500, 2500, 1000, 700, and 500) can authenticate users against five authentication servers:
- Windows NT® servers.
- RADIUS™-compliant authentication servers (as defined in RFC 2138).
- SecurID® authentication.
- CRYPTOCard® authentication.
- WatchGuard's built-in authentication server.
To authenticate, using any Java enabled client browser, such as Netscape® Navigator or Microsoft® Internet Explorer, users first query an authentication daemon on the Firebox. A micro-WWW server on the Firebox then sends a Java applet back to the user, where they can enter name and password information. This information is encrypted within the applet and passed back to the Firebox for verification against the authentication server defined in its configuration. As a result, the system authenticates users just once, instead of each time they attempt to connect to a site. User name and password information needed for authentication is never passed in clear text.
Authentication is particularly crucial when you use dynamic IP addressing (DHCP) behind the Firebox, or want users to identify themselves before performing various services through the Firebox. With the WatchGuard Firebox System, authentication can be configured on a service-by-service basis allowing users to authenticate only for certain services.
WatchGuard offers interoperability with standards-based authentication technology from SecurID, and from CRYPTOCard for both CRYPTOAdmin and RB-1 Tokens. This enables you to secure network access using powerful token-based authentication solutions from either SecurID or CRYPTOCard in conjunction with the Firebox System.
The built-in authentication server included with the WatchGuard Firebox System is designed for smaller environments. User names, group names and passwords can be entered directly into the Firebox configuration to set individual filter rules as desired.