12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill


Understanding access proxies

If the connection is allowed, but with restrictions, and depending on the authentication method, the Telnet proxy may prompt for a user name and password. If the user name and password are valid, the Telnet proxy then negotiates with the destination machine and begins proxying packets.

When the Telnet proxy authenticates a user using standard gateway passwords, gwcontrol performs the authentication. For other forms of authentication, such as S/Key, the Telnet proxy makes the call itself. If no authentication method is specified for the rule, but users or groups are specified, the Telnet proxy performs multiple authentication, as follows:

■ For connections external to the protected network, and destined for the protected network, the Telnet proxy tries S/Key authentication first.
■ If the user does not have an S/Key account set up and presses Enter at the S/Key challenge, the Telnet proxy attempts to authenticate using the gateway password.
■ If the user has an S/Key account, but provides an incorrect password, the connection is refused.

Generic Server Proxy (GSP)

A generic server proxy (GSP) is a mechanism that creates a custom listener for services that are otherwise turned away. A GSP is most commonly used when the security gateway needs to allow requests through for services running on other machines for which there is no supplied application proxy. For example, external requests to an internal Internet Relay Chat (IRC) server would be stopped at the external interface of the security gateway unless a GSP were created to allow that protocol.

Note: GSPs do not provide packet inspection. If an application proxy exists, you should use the application proxy instead of creating a GSP.

Configuration of a GSP involves defining the protocol (which includes both the port and packet type) the service uses. A rule is then created to allow the service through. Once a GSP is created, a record is loaded into the driver with information about the new GSP. If the driver hasn’t been notified about a specific port listening for traffic, the packet is normally dropped. Pushing the GSP record into the driver instructs the driver to send the traffic up to the GSP. You can use generic services in authorization rules just as you would any of the services that have a native application proxy.

Note: By default, a GSP handles all requests transparently. These requests are proxied to their destinations as if the requester were directly connected to the destination machine.

Because a GSP is a general purpose proxy, the security gateway does not know in advance for which services it is used. Therefore, no known protocol set is adhered to. As a result, if authentication is required for the connection, Out of Band Authentication (OOBA) is the only authentication method permitted.

A GSP is classified by the type of protocol selected. The four choices are IP, TCP, TCPAP (multiple TCP ports), and UDP.

Note: FTP is not supported by TCP GSP, as TCP GSP has no knowledge of FTP control and data ports.

Third-party proxies (appliance only)

There are times when you may want to use the security gateway in an environment that supports one or more network technologies for which there is no default application proxy and for which a GSP is insufficient. Examples of this include dynamic routing, dynamic network address assignment through the Dynamic Host Control Protocol (DHCP), or connecting to a standards-based server, such as an Oracle
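The Telnet proxy's multiple-authentication order described above (S/Key challenge first for inbound connections, gateway password only when the user has no S/Key account and presses Enter, refusal on a wrong one-time password), written out as an added reference model. This is example code, not Symantec's implementation: the S/Key chain is simplified to SHA-256 instead of the RFC 1760 MD4 fold, and the two cases the guide does not specify (an S/Key account holder who presses Enter, and a user without an account who types a response) are treated as refusals by assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def hash_chain(seed: bytes, count: int) -> bytes:
    """Apply the one-way function `count` times (SHA-256 here; real S/Key folds MD4 to 64 bits)."""
    value = seed
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


@dataclass
class SkeyAccount:
    # The proxy stores hash^n; a valid one-time password is hash^(n-1), whose hash equals `current`.
    current: bytes
    remaining: int


def make_skey_account(seed: bytes, n: int) -> SkeyAccount:
    return SkeyAccount(current=hash_chain(seed, n), remaining=n)


@dataclass
class TelnetProxyAuth:
    skey_accounts: dict = field(default_factory=dict)          # user -> SkeyAccount
    gateway_password_hashes: dict = field(default_factory=dict)  # user -> sha256(password)

    def set_gateway_password(self, user: str, password: str) -> None:
        self.gateway_password_hashes[user] = hashlib.sha256(password.encode()).digest()

    def multiple_auth(self, user: str, skey_response: bytes = b"", gateway_password: str = "") -> tuple:
        """Inbound (external -> protected) Telnet; rule names users/groups but no auth method."""
        acct = self.skey_accounts.get(user)
        if acct is not None:
            # S/Key account exists: only a correct, unused one-time password is accepted.
            if acct.remaining > 0 and hmac.compare_digest(hashlib.sha256(skey_response).digest(), acct.current):
                acct.current = skey_response  # advance the chain so this OTP can never be replayed
                acct.remaining -= 1
                return True, "s/key"
            return False, "s/key incorrect"
        if skey_response:
            # No S/Key account but a response was typed: treated as a failed S/Key attempt (assumption).
            return False, "no s/key account"
        # No S/Key account and Enter pressed at the challenge: fall back to the gateway password.
        expected = self.gateway_password_hashes.get(user)
        if expected is not None and hmac.compare_digest(hashlib.sha256(gateway_password.encode()).digest(), expected):
            return True, "gateway password"
        return False, "gateway password incorrect"
```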
