Security policies, firewall rules, safe browsing rules, and many other features of UserGate NGFW can be applied to users or user groups. The ability to apply policies only to the relevant users gives the administrator the flexibility to configure the network to the organization's requirements.
User identification is a fundamental part of NGFW functionality. A user is considered identified if the system has unambiguously associated the user with the IP address of the device they use to connect to the network. NGFW uses different user identification mechanisms:
-
Explicitly defined IP address
-
Login name and password
-
Dedicated terminal server agent (for Microsoft Terminal Server user identification)
-
Authorization agent (for Windows systems)
-
NTLM or Kerberos protocol.
User identification using name and password can be performed via the captive portal, which in turn can be configured to identify users with the help of Active Directory, RADIUS, TACACS+, NTLM or Kerberos directories or a local user database.
The following user types are defined in NGFW:
Name |
Description |
---|---|
Unknown user |
Represents the set of users not identified by the system. |
Known user |
Represents the set of users identified by the system. The methods of user identification can differ and will be described in more detail later in this chapter. |
Any user |
This is a union of the Known and Unknown user sets. |
Specific user |
A specific user defined and identified in the system; e.g., DOMAIN\User, identified using Active Directory domain authorization. |
Users and groups can be added on the NGFW device itself (these are known as local users and groups) or obtained from external directories, such as Microsoft Active Directory.