12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Chapter 6

Controlling user access

This chapter includes the following topics:

■ Users
■ Authentication
■ Time Periods

Users

A user represents an individual with rights to access your protected network resources, and must be defined for rules and tunnels to limit access to authorized connections only. Users are also required for most types of authentication. Users are defined by creating a user account consisting of a unique user name and authentication method.

Types of users

There are several different types of end-users that might try to access your network:

General
Any person outside of the protected network. You may want all general users to access a few services, like a Web or news server. General users are unknown to you, and should be viewed as a security risk.

Trusted
Any user your company has a relationship with, including employees, contractors, subscribers, and employees of companies with business relationships with your company. Such a user is not, in principle, anonymous to you because you can attach a name to this user.
Many of your rules allow the trusted users at your site to access the Internet using one protocol or another. Trusted users may pose greater security risks than general users. Remember, these people are often in the building and behind the security gateway.

Gateway or static
A gateway user is any end-user with a user account on the security gateway. These user accounts are established through the security gateway management interface and maintained in a local database file named gwpasswd. Gateway users are authenticated with the gateway password authentication system, Bellcore S/Key, or with an external authentication server.

Dynamic
A dynamic user is an end-user who is authenticated with one of the authentication systems available to the security gateway, but has no record on the security gateway. Instead, the user account is on the authentication server. The security gateway offers several types of authentication methods that use authentication servers, such as RSA SecurID and PassGo Defender.

Default IKE user
The default IKE user is not a physical user that accesses the security gateway, but is instead a predefined user type. The default IKE user lets an administrator grant access to anyone that has the proper shared secret without having to create a user for the individual on the security gateway. The default IKE user should be used in a user group that requires an extended authentication method, such as Defender or RADIUS, for access.
