
Since the old days, ISA and now TMG have had several great features that I often want to deploy to my customers because of the enhanced functionality and security, but often the cost of an additional server HW, Windows Server, and TMG license is too much to justify when compared to a $300-500 appliance.

Are there other gateway firewalls that can perform one or more of these application layer features:

  1. Pre-authenticate incoming HTTP traffic against AD/LDAP before sending packets to internal server (forms auth or basic creds popup)?
  2. Read host headers of incoming HTTP traffic (even on https) to a public IP and route packets to different internal servers based on that host header?
TristanK
Bret Fisher

3 Answers


Well, you could use a combo with Squid and Varnish.

Squid will be used for the authentication on LDAP, and Varnish will redirect to the server depending on the header information.

I think you can even use squid to do both jobs.

Kedare
  • I'm looking for a firewall to do this. I don't know Varnish but I don't believe you would use this solution as your gateway firewall/router would you? – Bret Fisher Apr 03 '11 at 18:38
  • Squid is an HTTP proxy (like ISA), so yes you can use it to require authentication from users. It's even included on some software-based routers/firewalls like Vyatta and pfSense (not sure for this one) – Kedare Apr 04 '11 at 21:55
  • I can't speak for the varnish bit, but the combination of iptables as a layer-3 firewall and squid as a layer-4 HTTP firewall is what came to my mind. I've done squid authentication off AD, so I know that works. Bret, I know you want one tool to do it all, but that's not the UNIX way; if you're open to UNIX, expect to combine several (slightly) smaller tools that each do one bit, and do it properly. – MadHatter Apr 06 '11 at 06:16
  • Thanks for the info Kedare and MadHatter. At times that flexibility is good, but in this scenario I'm looking more for a single product rather than choose-your-own-adventure. Happy to consider an OSS FW bundle that provided a single management interface for all the parts, if that existed and had the above features. – Bret Fisher Apr 06 '11 at 16:08
  • If you want something unified, I recommend you try Vyatta; it's based on multiple OSS, but provides a unified and centralized CLI and configuration. – Kedare Apr 06 '11 at 19:29
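Kedare's suggestion that Squid alone can do both jobs, written out as a single reverse-proxy squid.conf; this is an added example, not configuration from the answer or from the Squid project, and the hostnames, internal IP addresses, base DN, bind account, helper path and certificate paths are assumed placeholders. Squid terminates TLS, challenges the browser for credentials that are checked against AD over LDAP, and forwards each request to an internal server chosen by Host header.

```conf
# Reverse-proxy (accelerator) listeners. Squid has to terminate TLS before it
# can read the Host header, so the certificate must cover every published
# name (SAN or wildcard). All names, addresses and paths are placeholders.
https_port 443 accel vhost defaultsite=app1.example.com cert=/etc/squid/public.crt key=/etc/squid/public.key
http_port 80 accel vhost defaultsite=app1.example.com

# Internal origin servers, one cache_peer per published site
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=app1
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=app2
# Never contact the Internet directly; only the peers defined above
never_direct allow all

# In accel/vhost mode dstdomain is matched against the request Host header
acl site_app1 dstdomain app1.example.com
acl site_app2 dstdomain app2.example.com
cache_peer_access app1 allow site_app1
cache_peer_access app1 deny all
cache_peer_access app2 allow site_app2
cache_peer_access app2 deny all

# Pre-authentication against AD over LDAP. -Z uses StartTLS so user passwords
# are not relayed to the DC in clear text; the bind password lives in a file
# readable only by the squid user. On accelerator ports Squid replies with
# 401 + WWW-Authenticate: Basic, which is the credentials popup asked for.
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -Z -h dc1.example.com -b "dc=example,dc=com" -D "cn=squid-bind,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind.pw -f "(&(objectClass=user)(sAMAccountName=%s))"
auth_param basic children 5
auth_param basic realm Corporate login
auth_param basic credentialsttl 1 hour
acl ad_users proxy_auth REQUIRED

# Only authenticated requests for a published site reach an origin server;
# anything else, including requests with an unknown Host header, is denied.
http_access allow site_app1 ad_users
http_access allow site_app2 ad_users
http_access deny all
```

Because the Host header is only visible after TLS termination, this carries the same certificate constraint TristanK notes below for ARR: one SAN or wildcard certificate for all published names.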

True application/proxy firewalls in appliance form generally run above that range. (Palo Alto and Sidewinder... I mean McAfee Firewall Enterprise come to mind, but are $$).

I would recommend the Fortinet FortiGate 60C. It is a really solid box, and a no-frills system would cover your two requirements at around $500.

  • HTTP/HTTPS preauthentication support using LDAP auth source
  • HTTP/1.1 Host header based load balancing - Should allow the routing you described
Paul Doom

If the $300-$500 appliances could do all that, they'd cost more? :)

Application Request Routing, an add-on extension for IIS 7, can do bits of that. It can be configured with fairly extensive rules for forwarding, but doesn't have preauthentication built in. My read is that it would be non-trivial but not hard to do. Likewise, its interface for rule construction might leave a bit to be desired when compared with TMG.

The SSL host headers part can be done by ARR as well, or at least by IIS - it doesn't solve the problem of requiring a SAN or wildcard certificate (and arguably, nothing should), but it does allow/require the SSL session to be established before the host cracking bit happens.

It doesn't do garden-variety port forwarding though, so you'd want RRAS configured underneath it too, as a guess. But the total cost would be close to Windows + hardware, and it could be scaled down to a very small box in many cases, I'd guess.

TristanK
  • That's a creative solution, and I've not used ARR, but ultimately this solution isn't a true firewall. If all I'm saving is the TMG license then the cost of TMG is worth it :). Thanks for the ideas though TristanK. – Bret Fisher Mar 30 '11 at 20:15