Opengate Q & A
Concept
-
Why is the authentication needed?
There are many incidents such as computer cracking or copyright infringement on the network. The organization might be caught up in many troubles caused by such incidents. In these cases, it is necessary to identify the person involved. The other reason is the restriction required by payment or by the purpose of the network.
-
Why don't you use the authentication function inherent in the terminal?
A unified system can depend on such a function. But it cannot be applied to an open network environment where various kinds of hardware and users are connected in various ways, such as the wireless connection of a user's own portable PC.
-
Why do you try to authenticate at the client site? Is authentication at the server site essential?
Yes, it is essential. But to prevent trouble caused by unknown users of your site, authentication and usage-log systems are required.
-
Why does the target include open-use terminals that are set up by the organization for open usage? They can be protected by the system software.
It is difficult for the network control section to maintain many terminals distributed over a wide campus. Moreover, there are already various terminals set up by various sections. Some do not have such a function and some are left without control.
-
Why don't you use the log obtained at gateway or firewall?
The log does not include user identification.
-
What is the merit compared with identification by MAC address?
The cost might be large to maintain the matching between user and MAC address.
-
What is the merit compared with the various authentication systems for network usage proposed recently?
The merits of Opengate are as follows: wide applicability to terminals (their hardware, software, management and connection); minimum cost for user guidance and management; easy implementation in an existing network; quick open at the start of usage and quick close at the end of usage.
-
Is there any other application of the system?
For example, it might be used as a gateway from an intranet to an extranet, or the reverse.
-
What to do for non-Java terminals?
A non-Java user can enter the usage duration in the auth page. To cope with hijacking and the like, the connection state is checked periodically with the ARP command and with the packet count passing the firewall. The user can also close the network by clicking the TERMINATE link in the accept page.
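The periodic check described above, for a client that logged in without the Java applet, as an added example (not Opengate's own code): it reads a MAC address out of an ARP table, compares a firewall packet counter taken at two successive intervals, and combines these with the user-entered duration into a keep/close verdict. The ARP and ipfw dumps embedded below are constructed for the example, and the rule numbers, time values and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example, not Opengate code. Liveness check for a non-Java client:
# close the session when the entered duration has expired, when the MAC
# behind the client IP has changed (possible hijack), or when the IP no
# longer answers ARP and its firewall rule has counted no new packets.

# Constructed "arp -an" output: one resolved entry, one incomplete entry.
ARP_SAMPLE='? (192.168.10.25) at 00:11:22:33:44:55 on em0 expires in 1150 seconds [ethernet]
? (192.168.10.26) at (incomplete) on em0 expired [ethernet]'

# Constructed "ipfw show" lines (rule number, packets, bytes, rule body)
# taken one check interval apart. Rule numbers per client are assumptions.
IPFW_BEFORE='10025 120 98765 allow ip from 192.168.10.25 to any via em0
10026   0     0 allow ip from 192.168.10.26 to any via em0'
IPFW_AFTER='10025 134 101233 allow ip from 192.168.10.25 to any via em0
10026   0      0 allow ip from 192.168.10.26 to any via em0'

# Print the MAC column of the ARP entry for an IP ("(incomplete)" or empty
# when the host did not answer).
arp_mac() {
    ip="$1"; table="$2"
    printf '%s\n' "$table" | awk -v want="($ip)" '$2 == want { print $4 }'
}

# Print the packet counter of one rule from an "ipfw show" dump (0 if absent).
rule_packets() {
    rule="$1"; dump="$2"
    n=$(printf '%s\n' "$dump" | awk -v r="$rule" '$1 == r { print $2 }')
    echo "${n:-0}"
}

# Arguments: client IP, its ipfw rule number, the MAC recorded at login,
# expiry time and current time (epoch seconds), the ARP table text and the
# two ipfw dumps. Prints "keep" or "close:<reason>".
session_verdict() {
    ip="$1"; rule="$2"; login_mac="$3"; expires="$4"; now="$5"
    arptab="$6"; before="$7"; after="$8"
    if [ "$now" -ge "$expires" ]; then
        echo "close:duration"; return
    fi
    mac=$(arp_mac "$ip" "$arptab")
    # A resolved entry with a different MAC means another host took the IP.
    if [ -n "$mac" ] && [ "$mac" != "(incomplete)" ] && [ "$mac" != "$login_mac" ]; then
        echo "close:mac-changed"; return
    fi
    # No ARP answer and no new packets through the rule: the client is gone.
    if [ "$mac" != "$login_mac" ] && \
       [ "$(rule_packets "$rule" "$after")" -eq "$(rule_packets "$rule" "$before")" ]; then
        echo "close:idle"; return
    fi
    echo keep
}

# Sample run over the constructed data.
session_verdict 192.168.10.25 10025 00:11:22:33:44:55 2000 1000 "$ARP_SAMPLE" "$IPFW_BEFORE" "$IPFW_AFTER"
session_verdict 192.168.10.26 10026 66:77:88:99:aa:bb 2000 1000 "$ARP_SAMPLE" "$IPFW_BEFORE" "$IPFW_AFTER"
```

In a real gateway the two dumps come from `ipfw show` on successive checks and the ARP text from `arp -an`; the MAC recorded at login is the one the server saw on its Ethernet segment, which is why the check only works when no NAT sits between server and client.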
Usage
-
Is the system compatible with wireless LAN?
Yes. But do not use a host station that has NAT.
-
Can the system coexist with NAT or DHCP?
Yes. But do not insert NAT between the server and the client.
-
Can the MAC address be obtained?
Yes. But the address is restricted to the one acquired by the server on Ethernet.
-
I want to supply some services without authentication, or I do not want to supply some services even after authentication.
Both can be realized by the firewall rule set.
-
I want to separate the permitted range of services by user rank.
The firewall can be controlled by a Perl script. If the user rank can be discriminated by user ID pattern, authentication server, or IP address, it can be done. The function was added in Ver.0.80.
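The two points above (services allowed before or denied after authentication, and a permitted range that depends on user rank) both come down to the firewall rule set, so here is one added example of how such a rule set can be generated, in shell rather than Perl; it is not Opengate's own script. The interface name, network, gateway address, rule-number scheme and the user-ID-pattern-to-rank mapping are assumptions; the functions print the ipfw commands rather than executing them, so the output can be reviewed first.

```shell
#!/bin/sh
# Added example, not Opengate code: generate the ipfw rules for an
# Opengate-style gateway. All names and numbers below are assumptions.
IF_IN="em0"             # assumed client-side interface
LAN="192.168.10.0/24"   # assumed client network
GATEWAY="192.168.10.1"  # assumed gateway address (serves the auth pages)

# Rules loaded before any user authenticates: clients may resolve names
# and reach the gateway's own HTTP/HTTPS pages; everything else is denied.
# Services to be offered without authentication are added in this band.
base_rules() {
    printf '%s\n' \
      "ipfw add 100 allow udp from $LAN to any 53 via $IF_IN" \
      "ipfw add 110 allow tcp from $LAN to $GATEWAY 80,443 via $IF_IN" \
      "ipfw add 65000 deny ip from $LAN to any via $IF_IN"
}

# Derive a rank from the user ID pattern (assumption: IDs starting with
# "s" are staff, with "e" students, anything else a guest).
rank_of() {
    case "$1" in
        s*) echo staff ;;
        e*) echo student ;;
        *)  echo guest ;;
    esac
}

# Rule number for a client: a fixed base plus the last octet of its IP,
# so the same number can be deleted at logout (assumes one /24 of clients).
rule_number() {
    ip="$1"
    echo $((10000 + ${ip##*.}))
}

# Rules emitted at login. The per-client allow rule sits below the base
# rules, so a service denied for a rank is simply not opened here; the
# final deny rule in base_rules still blocks it after authentication.
open_rules() {
    user="$1"; ip="$2"
    rule=$(rule_number "$ip")
    case "$(rank_of "$user")" in
        staff)   printf 'ipfw add %s allow ip from %s to any via %s\n' "$rule" "$ip" "$IF_IN" ;;
        student) printf 'ipfw add %s allow tcp from %s to any 80,443 via %s\n' "$rule" "$ip" "$IF_IN" ;;
        guest)   printf 'ipfw add %s allow tcp from %s to any 80 via %s\n' "$rule" "$ip" "$IF_IN" ;;
    esac
}

# Rule emitted at logout or when the periodic check closes the session.
close_rules() {
    printf 'ipfw delete %s\n' "$(rule_number "$1")"
}

# Sample run: print the full sequence for one staff login and logout.
base_rules
open_rules s1234 192.168.10.25
close_rules 192.168.10.25
```

On the gateway the printed lines would be piped to `sh` (or the printf calls replaced by direct `ipfw` invocations); the Linux equivalent would emit ipchains commands instead, but the structure of a default-deny band plus one numbered per-client rule is the same.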
-
I want to manage temporary users.
They need to be registered in an authentication server. As the system communicates with plural servers, you can make a specific server for temporary users and maintain it.
-
Can the password be kept secret?
Yes. Communication between the client and the Opengate server can be protected by SSL. Communication between the Opengate server and the authentication server can be protected by a secure auth protocol. We implement pop3s, radius, and pam (which supports many secure protocols).
-
How are the scalability and performance?
We are using the system in environments with 50 or more active terminals.
Installation and Development
-
I meet bugs on installation.
See the other document.
-
Am I permitted to use, modify or distribute the program?
Yes, it is permitted under the GPL.
-
Can I modify the web page design?
As the web pages are described in HTML files, it is easy to modify the design.
-
Can I avoid attacks such as IP spoofing or DoS (Denial of Service)?
IP spoofing has no merit, because the system permits only the address from which the user information was sent. DoS can be avoided, because each client uses a different port in the system.
-
Why is the archive file in disorder?
Sorry. I am trying to put it in order.
-
Can the server run on OSs other than FreeBSD?
No. The system uses the ipfw command, which is specific to FreeBSD. The ipchains command in Linux could be used instead of ipfw.
-
It is not smart that many processes are resident. Can these be integrated into one process?
Yes. But in the present version, we give priority to simplicity of the program.