How do technologies like Fortigate FSSO, Checkpoint Identity Awareness and even BlueCOAT's BCAAA work in general steps, when using a multiuser server (like TS or Citrix)?
In case of one user/server I find that easy, user signs in to server, agent identifies the user is logges in relays this info to the firewall, and now the firewall will apply the specific policy for traffic sourced from that IP.
However in the case of multiple users, there has to be more granularity, as the users may have different access privileges so you can't apply a policy to an IP, that just won't work. So how does it actually work?
My general idea is that when the agent would match each users applications by their PID, and then (through something like a netstat command) see the source ports used by those applications, and with that info (userid, AD group membership, source IP, destination IP, source port, destination port, and maybe URL) then the firewall can identify the connections and decide whether or not to allow them. However this seems like a lot of work. I'm doing some tests with a VM and I'm trying some websites and seeing that each takes a few tens of TCP connections each, granted these are probably very short lived. But given a few dozen users on the server, and each of them have a few websites open in different tabs/browsers I feel these would add up quite fast and be very dynamic. Seems a lot for the agent to relay and the firewall to go through.
No comments:
Post a Comment