Opengate Q & A
Concept
- Why is authentication needed?
There are many incidents, such as computer cracking
or copyright infringement, on the network. The organization
might be caught up in a lot of trouble caused by such incidents.
In these cases, it is necessary to identify the person involved.
The other reason is that access must be restricted according
to payment or to the intended purpose of the network.
- Why don't you use the authentication function built into the
terminal?
A unified system can depend on such a function. But it
cannot be applied to an open network environment where
various hardware and users are connected in various
ways, such as a wireless connection from a user's own portable
PC.
- Why do you try to authenticate on the client side? Is
authentication on the server side essential?
Yes, it is essential. But to prevent trouble caused
by unknown users of your site, authentication and usage log
systems are also required.
- Why does the target include open-use terminals set up
by the organization for public usage? They can be protected by the
system software.
It is difficult for the network control section to
maintain many terminals distributed over a wide campus. Moreover,
there are already various terminals set up by various
sections. Some do not have such a function and some are left
with no control.
- Why don't you use the log obtained at the gateway or firewall?
That log does not include user identification.
- What is the merit compared with identification by MAC
address?
The cost of maintaining the matching between users
and MAC addresses might be large.
As a supplementary system to Opengate, we released a MAC-address-based
user authentication system, OpengateM, in which we take
some measures regarding MAC address registration/update cost,
router insertion, and MAC address spoofing.
- What is the merit compared with the various authentication
systems for network usage proposed recently?
The merits of Opengate are as follows: wide
applicability to terminals, in hardware, software,
management and connection; minimum cost for user guidance and
management; easy implementation in an existing network; quick
opening when usage starts and quick closing when usage stops; IPv4/IPv6
dual stack support.
- Is there any other application of the system?
For example, it might be used as the gateway from an
intranet to an extranet, or the reverse.
- What to do for terminals without Java?
A user without Java can enter the usage duration in the
auth page. To cope with hijacking and similar problems, the connection
state is checked periodically by the ARP command and by the packet count
passing through the firewall. The user can also close the network by
clicking the TERMINATE link in the accept page. From Version 1.4,
JavaScript is used instead of Java.
Usage
- Is the system compatible with wireless LAN?
Yes. But do not use a host station that performs NAT.
- Can the system coexist with NAT or DHCP?
Yes. But do not insert NAT between the server and the
client.
- Can the MAC address be obtained?
Yes. But it is restricted to the address the server can
acquire on its own Ethernet segment.
- I want to supply some services without authentication, or I
do not want to supply some services even after authentication.
Both can be realized with the firewall rule set.
- I want to separate the permission range by user rank.
Use ExtraSet in the configuration file. The parameters
in an ExtraSet override the default settings if the ExtraSet
attribute matches. Or enable the perl script that opens the firewall
and edit the script.
- I want to manage temporary users.
They need to be registered in an authentication
server. As the system communicates with multiple servers, you
can set up a specific server for temporary users and maintain it.
- Can the password be kept secret?
Yes. Communication between the client and the Opengate
server can be protected by SSL. Communication between the Opengate
server and the authentication server can be protected by a secure
auth protocol. We implement pop3s, ftps, radius, and pam (which
supports many secure protocols).
- How are scalability and performance?
We are using the system in environments with
50 or more active terminals.
- Can I use protocols other than Web?
Yes. You should authenticate with a Web browser and
keep it on the desktop (it may be minimized). Protocols other than Web can
then be used until the browser is closed. If you insert
firewall rules before the Opengate rules, any protocol can
be fixed to deny or allow mode.
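The two answers above (services open without authentication, services closed even after it, and fixing protocols by placing rules before the Opengate rules) all rest on the same ipfw property: rules are evaluated in ascending number order and the first matching allow or deny decides. The script below is an added example, not Opengate's own code; the addresses, the rule numbers and the assumed lowest Opengate rule number (OPENGATE_RULE_MIN) are constructed. With IPFW left at its default of echo it is a dry run that only prints the commands; set IPFW=ipfw on the FreeBSD gateway to apply them.

```shell
#!/bin/sh
# Added example (not Opengate's own code): static ipfw rules placed in front
# of the rules Opengate inserts. ipfw evaluates rules in ascending number
# order and the first matching allow/deny wins, so a low-numbered rule fixes
# a service to allow or deny regardless of authentication state.
# Addresses, rule numbers and OPENGATE_RULE_MIN are constructed assumptions.
# IPFW defaults to 'echo' (dry run); set IPFW=ipfw on the gateway to apply.

IPFW=${IPFW:-echo}
OPENGATE_RULE_MIN=${OPENGATE_RULE_MIN:-10000}   # assumed lowest Opengate rule number

# Services reachable before login (constructed): "number proto server port".
# Lower numbers are evaluated first, so these must stay below OPENGATE_RULE_MIN.
PRE_AUTH_ALLOW='100 udp 192.0.2.53 53
110 tcp 192.0.2.80 80
120 tcp 192.0.2.80 443'

# Services denied even after login (constructed): "number proto dest port".
ALWAYS_DENY='200 tcp any 25'

# emit_rules: one allow rule per direction for each pre-auth service
# (ipfw rules are stateless here, so replies need their own rule), then
# the unconditional deny rules.
emit_rules() {
    printf '%s\n' "$PRE_AUTH_ALLOW" | while read -r num proto srv port; do
        [ -n "$num" ] || continue
        $IPFW add "$num" allow "$proto" from any to "$srv" "$port"
        $IPFW add "$num" allow "$proto" from "$srv" "$port" to any
    done
    printf '%s\n' "$ALWAYS_DENY" | while read -r num proto dst port; do
        [ -n "$num" ] || continue
        $IPFW add "$num" deny "$proto" from any to "$dst" "$port"
    done
}

# check_order: fail if any static rule number is not below OPENGATE_RULE_MIN;
# a higher number would let Opengate's per-user allow rules match first and
# silently defeat the deny rules.
check_order() {
    printf '%s\n%s\n' "$PRE_AUTH_ALLOW" "$ALWAYS_DENY" |
        awk -v min="$OPENGATE_RULE_MIN" 'NF && $1 + 0 >= min + 0 { bad = 1 }
                                          END { exit bad + 0 }'
}

check_order && emit_rules
```

Running it as-is prints seven ipfw commands in order; check_order is the guard an operator wants before loading the rules, because a static rule numbered above the Opengate range changes nothing for an authenticated user.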
- Can I view the usage of many terminals?
The log is stored in /var/log/opengate.log via syslog.
Each terminal is watched by a process. By entering 'ps -axww |
grep opengate', you can view the process id, userid, IP address,
and firewall rule number corresponding to every process. If
you kill an opengate process, the corresponding firewall rules are
removed. The firewall rules are shown by 'ipfw list' or 'ip6fw
list'.
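The answer above and the earlier one on terminals without Java describe the same operator view: each terminal has a watcher process and a firewall rule, and a rule whose packet counter stops moving is the first sign that the terminal has gone (the watcher then re-checks with ARP). The script below is an added example, not part of Opengate; it works on constructed 'ps -axww' and 'ipfw -a list' output (the -a flag makes ipfw print packet and byte counters), and the process title layout, the user names, the addresses and the counters are assumptions, not real Opengate output.

```shell
#!/bin/sh
# Added example (not Opengate's own code): correlate watcher processes with
# their ipfw rules and find terminals whose rule passed no packets between
# two snapshots. Process title layout, names, addresses and counters are
# constructed assumptions.

# Constructed 'ps -axww | grep opengate' lines (assumed title layout:
# program, user, client IP, rule number).
PS_SAMPLE='1201  -  Ss   0:00.05 opengate alice 192.0.2.55 rule=10010
1202  -  Ss   0:00.03 opengate bob 192.0.2.56 rule=10011'

# Constructed 'ipfw -a list' snapshots: rule number, packets, bytes, body.
IPFW_T0='00100     512    65536 allow udp from any to 192.0.2.53 53
10010    1200   930000 allow ip from 192.0.2.55 to any
10011      40    12000 allow ip from 192.0.2.56 to any
65535   99999 99999999 deny ip from any to any'
IPFW_T1='00100     600    70000 allow udp from any to 192.0.2.53 53
10010    1450  1100000 allow ip from 192.0.2.55 to any
10011      40    12000 allow ip from 192.0.2.56 to any
65535  100500 100000000 deny ip from any to any'

# packets_for <snapshot> <rule>: packet counter of one rule, empty if absent.
# Numeric comparison so '00100' and '100' name the same rule.
packets_for() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 + 0 == r + 0 { print $2 }'
}

# idle_rules <snap0> <snap1>: rule numbers present in both snapshots whose
# packet counter did not move; these are the terminals to re-check with ARP.
idle_rules() {
    printf '%s\n' "$2" | while read -r rule pkts rest; do
        old=$(packets_for "$1" "$rule")
        if [ -n "$old" ] && [ "$old" -eq "$pkts" ]; then
            printf '%s\n' "$rule"
        fi
    done
}

# watcher_for <rule>: "pid user ip" of the process guarding that rule.
# Killing that pid is what makes Opengate remove the rule.
watcher_for() {
    printf '%s\n' "$PS_SAMPLE" | awk -v r="rule=$1" '$NF == r { print $1, $6, $7 }'
}

# idle_report: one line per idle rule that still has a watcher process.
idle_report() {
    idle_rules "$IPFW_T0" "$IPFW_T1" | while read -r rule; do
        w=$(watcher_for "$rule")
        if [ -n "$w" ]; then
            printf 'rule %s idle: pid/user/ip %s\n' "$rule" "$w"
        fi
    done
}

idle_report
```

On a live gateway the two snapshots would be taken a few minutes apart with 'ipfw -a list', and a rule that shows up idle without a watcher process is the inconsistency worth investigating, since it means a firewall opening outlived its watcher.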
Installation and Development
- I hit bugs during installation.
See the other document.
- Am I permitted to use, modify or distribute the program?
Yes, it is permitted under the GPL.
- Can I modify the web page design?
As the web pages are written in HTML files, it is
easy to modify the design.
- Can I display web pages in another language?
The directories named en and ja hold the HTML
documents in English and Japanese. Create the documents for the
new language in the same way as those directories. Then modify the
language setting in the configuration file and index.html.var.
- Can I avoid attacks such as IP spoofing or DoS (Denial of
Service)?
IP spoofing has no merit, because the system
permits only the address from which the user information was sent. DoS
can be avoided, because each client uses a different port in the
system.
- Can the server run on OSs other than FreeBSD?
No. The system uses the ipfw command, which is specific
to FreeBSD. The ipchains command in Linux can be used instead
of ipfw.
- It is not elegant that many processes stay resident. Can these be
integrated into one process?
Yes. But in the present version, we give priority
to simplicity of the program.
- Is the system compatible with IPv6?
Yes. IPv6 support was added in Version 1.2.0.