Setting Up a Firewall for Remote Administration
The firewall allows remote privileged logins for administration in two ways:
- Dial-up login using a modem;
- A 'trusted friend' user account - one account can be set up which
can be accessed from a set of designated external hosts using
either SSH or a special 'telnet2fw' service. Once logged in, the
trusted friend can use the 'su' command to get administrative
privileges. Note that the root user cannot be the trusted friend.
In addition, remote administration can be done using the MS-Windows
administration program and the remadmin service. Remote user key
maintenance can be done using the MS-Windows key management program
and the keyadmin service. `Passive' administrative functions,
such as system log browsing and report generation, can be done remotely
using a WWW web browser and the webadmin service.
Figure 4.68: The Remote Admin Setup Screen [screenshot]
These features are configured using the Remote Admin Setup Screen
(Figure 4.68).
The fields in this screen are:
- Dialup Login: This YES/NO toggle specifies whether dial-up login
is enabled or not.
- Modem Port: This specifies which serial port, if any, should
be used for dial-up login.
- Baud Rate: This specifies the baud rate to use for the serial port.
- WebAdmin Port: This lets you specify the port on which to run the
'webadmin' HTTP or HTTPS service for remote manual and
system log browsing. (See Section 5.5 for more details.)
- Use SSL/HTTPS: This lets you specify that the 'webadmin' service
should use encrypted connections rather than plaintext
connections, in which case it must be accessed using
'https'-style URLs rather than 'http'-style.
- Telnet2FW Port: This lets you specify the port on which to run the
'telnet2fw' service for telnet to the firewall. The
default is 1023.
- RemAdmin Port: This lets you specify the port on which to run the
'remadmin' service for secure transfer of the firewall
configuration file to/from the Windows remote administration
program.
- KeyAdmin Port: This lets you specify the port on which to run the
'keyadmin' service for secure transfer of the user key
database to/from the Windows key management program.
- RemAdmin Password: The SPEKE protocol can be used instead of
Diffie-Hellman for establishing the one-time session key
for remote administration. This field allows you to specify
the password to use for SPEKE.
- Trusted Friend: The user ID of the trusted friend.
- Enable SSH Access for CEQURUX Support Staff: Setting this to YES
will perform several steps that are necessary to allow
CEQURUX support staff to log in to your firewall to
help diagnose problems for you. The steps are:
  - Add a user named 'support' to the firewall.
  - Install CEQURUX support's RSA public key in the
  firewall's key database. (The public key is read
  from a file named '/usr/local/etc/cequrux.pubkey'
  to allow this to be easily changed in the future if
  necessary.)
  - Add 'support.cequrux.com' as a Friend Host.
  - Add a TCP proxy entry that permits the user 'support'
  to connect using SSH from a single IP address associated
  with the host 'support.cequrux.com'. (If DNS is
  not working correctly then a fixed IP address will
  be used.)
  Setting this option to NO will undo all the above actions,
  so that CEQURUX support staff will no longer be able to
  log in to your firewall.
To allow the MS Windows remote admin program to access
your firewall, you must specify a non-zero value for the remadmin
service port, and set up one or more TCP proxy entries for this
service. The usual authentication methods will apply, hence you are
strongly advised to make sure the TCP proxy entries use strong user
authentication (S/Key, RSA, DSA or X.509). The admin program will also
complain if you have a remadmin password configured and you have the
telnet2fw service enabled. This is to avoid a situation in which you
connect to the firewall over the network (using telnet2fw) and then view or
edit the config file which contains the remadmin password. If someone
is sniffing the network connection at that point, they may obtain your
remadmin password.
The trusted friend should have an S/Key password; if normal authentication
fails for the user when connecting using the telnet2fw service, then the
firewall will fall back to manual S/Key. To set the password press F2.
To set up the list of hosts from which the trusted friend can connect,
press F3. This will bring up the Trusted Friend Host Setup Screen
(Figure 4.69).
Note that you need to specify both the name and the IP address for each
host that the trusted friend can connect from. You will also need to
configure one or more telnet2fw or SSH TCP proxies to allow access.
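The two paragraphs above state several rules a remote-admin configuration must satisfy (non-zero remadmin port with strongly authenticated TCP proxy entries, no remadmin password alongside an enabled telnet2fw service, a non-root trusted friend with name-and-IP host entries and a telnet2fw or SSH proxy). The following is an added example, not CEQURUX code, that checks those rules over settings held in a plain Python dict; the key names, the proxy-entry shape and the assumption that port 0 means "disabled" are hypothetical.

```python
# Added example (not CEQURUX code): consistency checks over the Remote Admin
# Setup fields described above, held in a plain dict. Key names, the proxy-entry
# shape and "port 0 means disabled" are assumptions; the rules are the manual's.
STRONG_AUTH = {"S/Key", "RSA", "DSA", "X.509"}

def check_remote_admin(cfg):
    """Return a list of warnings; empty means the settings are consistent."""
    warnings = []
    proxies = cfg.get("tcp_proxies", [])
    # remadmin needs a non-zero port plus at least one TCP proxy entry,
    # and each such entry should demand strong user authentication.
    if cfg.get("remadmin_port", 0):
        entries = [p for p in proxies if p["service"] == "remadmin"]
        if not entries:
            warnings.append("remadmin port set but no TCP proxy entry permits it")
        for p in entries:
            if p.get("auth") not in STRONG_AUTH:
                warnings.append(f"remadmin proxy from {p['from']} uses weak auth {p.get('auth')!r}")
    # Viewing the config file over a plaintext telnet2fw session exposes the
    # remadmin (SPEKE) password to anyone sniffing the connection.
    if cfg.get("remadmin_password") and cfg.get("telnet2fw_port", 0):
        warnings.append("remadmin password configured while telnet2fw is enabled")
    # Trusted friend: never root, every host needs both name and IP, and
    # some telnet2fw or SSH TCP proxy must actually allow the login.
    friend = cfg.get("trusted_friend")
    if friend == "root":
        warnings.append("trusted friend cannot be root")
    for host in cfg.get("trusted_friend_hosts", []):
        if not host.get("name") or not host.get("ip"):
            warnings.append(f"trusted friend host {host!r} needs both name and IP")
    if friend and not any(p["service"] in ("telnet2fw", "ssh") for p in proxies):
        warnings.append("trusted friend set but no telnet2fw or SSH TCP proxy allows access")
    return warnings

# Constructed sample settings (ports, names and addresses are made up):
# a weak configuration beside its corrected form.
WEAK = {
    "remadmin_port": 2002, "remadmin_password": "hunter2", "telnet2fw_port": 1023,
    "trusted_friend": "root",
    "trusted_friend_hosts": [{"name": "admin.example.com", "ip": ""}],
    "tcp_proxies": [{"service": "remadmin", "from": "192.0.2.10", "auth": "password"}],
}
FIXED = {
    "remadmin_port": 2002, "remadmin_password": "hunter2", "telnet2fw_port": 0,
    "trusted_friend": "alice",
    "trusted_friend_hosts": [{"name": "admin.example.com", "ip": "192.0.2.10"}],
    "tcp_proxies": [{"service": "remadmin", "from": "192.0.2.10", "auth": "S/Key"},
                    {"service": "ssh", "from": "192.0.2.10", "auth": "RSA"}],
}
```

Running `check_remote_admin(WEAK)` reports five problems, while `check_remote_admin(FIXED)` returns an empty list.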
Figure 4.69: The Trusted Friend Hosts Setup Screen [screenshot]
Copyright © 2004, CEQURUX Technologies