Symantec™ Security Gateways Reference Guide - Sawmill
Controlling user access
Authentication
83

Out Of Band Authentication (OOBA)

Out of Band Authentication (OOBA) is Symantec’s customizable form of authentication. OOBA lets the administrator define any currently configured authentication or extended authentication method as the authentication method that OOBA uses. Not all proxies support authentication. OOBA was designed specifically for those proxies that do not support authentication, or support a limited set of authentication types (like HTTP). The most common use for OOBA is to enable authentication on a GSP, which does not have authentication by default.

Understanding OOBA

The administrator configures the OOBA daemon by selecting the authentication method to use and the port to listen on. A user desiring access to services behind the security gateway directs their Web browser to the security gateway on the defined port. Once authenticated, the user is prompted to select the services they want access to. OOBA then issues a cookie to the user’s machine that defines how long the current session may last, and what services are allowed.

OOBA is most often used on connections originating from an internal network destined for an external network, because text passed during OOBA authentication is in clear-text. OOBA authentication can also be used by remote users. However, because OOBA passes traffic in clear-text, it is not advised that you use OOBA for this purpose.

Non-HTTP connections

Users that need to be authenticated by OOBA and are connecting to any proxy other than the HTTP proxy must first use their Web browser to connect to the OOBA daemon and authenticate themselves. Users must open the Web browser, enter the IP address and OOBA port of the security gateway, and connect. Through a series of Web pages, OOBA guides the user through the authentication process. When finished with the authentication process, the user must leave the Web page open for the duration of the connection.

For the user that successfully authenticates, the OOBA daemon creates a ticket and sends that ticket back to the user’s browser in the form of a cookie. The cookie is sent back to the security gateway each time the user accesses an OOBA-protected service, so the user need not authenticate again until the ticket expires. The expiration time of the ticket is determined by the administrator and is set globally for every OOBA connection.

HTTP connections

Users connecting to the HTTP proxy do not need to connect to OOBA on a specific port. When a user accesses the HTTP proxy, it recognizes that the rule requires OOBA and redirects the connection to the OOBA authentication process automatically. Authentication proceeds exactly as for non-HTTP connections and, if successful, returns the user to the HTTP proxy and connects them to the URL originally requested.

Note: The HTTP proxy cannot support true challenge/response passwords for authentication. Acceptable forms of authentication include RSA SecurID, S/Key, or Defender in synchronous mode. Administrators should set the password reuse on authentication methods for HTTP connections.

Configuration information for Out of Band authentication is found in your product’s administrator’s guide.

PASSGO Defender authentication

Often, static passwords are easily guessed, shared, cracked by others, or in some way compromised. Longer passwords help, but still don’t prevent all problems when authenticating a user with a password. In environments where users are forced to change their passwords on a regular basis, users often pick something easy to remember, or use a single password for all applications. If the password is unfamiliar, the user may write the new password down. All of these make the user more vulnerable to compromise and highlight why static passwords are inadequate for uniquely authenticating users.
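The OOBA ticket lifecycle described above (a ticket issued after authentication, carried as a cookie, checked on every access to a protected service, and expiring after an administrator-set global lifetime), modelled as an added Python example that is not code from the guide or the product. The HMAC signature, the secret, the lifetime value and the cookie layout are assumptions made for illustration; the guide does not describe the cookie format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values, not from the guide: a gateway-side secret and the
# global ticket lifetime the administrator would configure (in seconds).
SECRET = b"gateway-secret-constructed-for-example"
TICKET_LIFETIME = 3600


def issue_ticket(user, services, now=None, secret=SECRET):
    """Build the ticket the OOBA daemon returns to the browser as a cookie.

    The ticket records the user, the services the user selected, and the
    absolute expiry; the HMAC tag (an assumption) stops a client from
    editing the expiry or adding services to its own cookie.
    """
    now = time.time() if now is None else now
    body = {"user": user, "services": sorted(services), "expires": now + TICKET_LIFETIME}
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, raw, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(raw).decode() + "." + tag


def check_ticket(cookie, service, now=None, secret=SECRET):
    """Validate the cookie presented on access to an OOBA-protected service.

    Returns (allowed, detail): detail is the user on success, otherwise the
    reason the gateway should send the user back through authentication.
    """
    now = time.time() if now is None else now
    try:
        b64, tag = cookie.split(".", 1)
        raw = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(secret, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    body = json.loads(raw)
    if now >= body["expires"]:
        return False, "ticket expired; re-authenticate"
    if service not in body["services"]:
        return False, "service not granted"
    return True, body["user"]
```

The signature only protects the ticket against modification; because the guide states that OOBA traffic is clear-text, a cookie observed on the wire remains usable until the global expiry, which is why the guide advises against OOBA for remote users.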
