3 <title>Opengate Q & A</title>
10 <H3>Opengate Q & A</H3>
15 Why is the authentication needed?
18 There are many incidents such as computer cracking or copyright infringement in the network. The organization might be caughted by many troubles caused by such incidents. In these cases, it is needed to identify the related person. The other reason is the restriction required by payment or aim of the network
21 <LI>Why don't you use the authentication function inherent in the terminal?
24 Unified system can depend on such function. But it cannot be applied to the open network envoronment where various hardwares and users are connected with various formats, such as wireless connection of his/her own portable PC.
28 Why do you try to authenticate at client site? Is the authentication at server site essential?
31 Yes it is essential. But to prevent trouble occured by unknown user of your site, authentication and usage log systems are required.
35 Why does the target include open-use terminal that is settled by the organization for open usage? It can be protected by the system software.
38 It is difficult for network control section to maintain many terminals distributed in wide campus. Moreover there are already various terminals settled by various sections. Some do not have such function and some are leaved with no control.
42 Why don't you use the log obtained at gateway or firewall?
45 The log does not include user identification.
49 What is the merit compared with the identification by MAC address.
52 The cost might be large to maitain the matching between user and MAC address.
56 What is the merit compared with various authentication systems for network usage proposed recently.
58 The merits of Opengate are as follows. Wide applicability about terminals, such as its hardware, software, management and connection. Minimum cost for user guidance and management. Easy implementation to existing network. Quick open at start usage and quick close at stop usage.
62 Is there any other application of the system?
64 For example, it might be used as the gateway from intra-net to extra-net or the contrary.
68 What to do for No Java terminals?
70 The no Java user can enters the usage duraion in auth page. To cope with hijacking and notting, the connection state is checked periodically by ARP command and packet count passing the firewall. The user can also close the network by clicking the TERMINATE link in accept page.
81 Is the system compatible with wireless LAN?
84 Yes. But do not use the host station having NAT.
88 Can the system coexists with NAT or DHCP.
91 Yes. But do not insert NAT between the server and client.
95 Can the MAC address be obtained?
97 Yes. But the address is restricted to the one aquired from server on ethernet.
101 I want to supply some services without authentication, or I do not want to supply some services even after authentication.
104 The both can be realized by firewall rule set.
108 I want to separate the commission range by the user rank.
111 Firewall can be controled by Perl script. If the user rank is discriminated with userID pattern, authentication server, or IP address, it might be done. The function is added in Ver.0.80.
115 I want manage temporal users.
118 It is needed to register to an authentication server. As the system comminucates with plural servers, you can make specific server for temporal users and maintain it.
122 Can the password secret be maintained?
125 Yes. Communication between client and opengate server can be protected by SSL. Communication between opengate server and authentication server can be protected by secure auth protocol.We implement pop3s, radius, and pam(which supports many secure protocols).
129 How are the scalability and performance?
132 We are using the system in environments including active 50 or above terminals.
136 Installation and Development
139 I meet bugs on installation.
146 Am I permited to use, modify or distribute the program?
149 Yes it is permitted under GPL.
153 Can I modify the web page design.
156 As the web pages are described in html files, it is easy to modify the design.
161 Can I avoid atacks such as IP spoofing or DoS(Denial of Service)?
164 IP spoofing has no merit, because the system permits the address from which user information sended. DoS can be avoided, because each client uses different port in the system.
168 Why the archive file is disorder?
171 Sorry. I am trying to order.
175 Can the server run on other OSs than FreeBSD.
178 No. The system uses ipfw command which is specific to FreeBSD. The ipchains command in Linux can be used instead of ipwf.
182 It is not smart that many processes resident. Can these be integrated to one process?
185 Yes. But in the present version, we take priority on simplicity of program.
190 Is the system compatible with IPv6?
193 It might be realized by controlling both ipfw and ip6fw. But, in ipv4/IPv6 dual stack state, it is not so easy to get all IP addresses for the requested terminal. Thus, it is not yet programmed.
195 For the present, following method might be the solution, though there is a restriction. Modify the ipfw control script opengatefw.pl as to allow IPv6 packet from/to the requested terminal's MAC address. The method can be used when the gateway and the terminal stay in the same ethernet link.
OSDN Git Service
