User Security


Out of the box the FireBrick® allows access from the local network (LAN ports) to set basic filters and change configuration. This makes basic operation of the FireBrick® very simple, but even with access restricted to the LAN it is not very secure in a larger office.

You should therefore consider setting up user security on your FireBrick®. You must be careful when doing this as it is quite possible to lock yourself out completely (see Don't Panic).

Basic security model

The FireBrick® uses a basic user login security model. When you access the FireBrick® web pages you are initially the nobody user. This is a user like any other, but has no password. You can control what access the nobody user has. All other users require a login using a username and password.

Each user has a set of up to 8 security rights. These allow view or edit at each security level. The most powerful user would have view and edit for all security levels 1 to 8. By default, the nobody user has rights for level 1 view and edit only.

Each of the settings in the system then has a security level (1-8). Only if you have view access at a specific level can you view those settings. Similarly, only if you have edit rights at that level can you change a setting.

Creating the admin user

In order to set up other users you will need to set up an all-powerful admin user. Select the Users icon from the top of the page and select the admin user that is already set up. You can then enter a password (enter it twice) and save the settings.

Once you have done this you can log in as the admin user using the login link on the top left of the page. Enter the username and password carefully. Once logged in, the user name and a Logout link are shown on the top left. If this does not work, go back and check that the password in the user settings is correct and try again.

Stopping general access

If you want to stop general access to the FireBrick®, all you have to do is restrict the permissions of the nobody user. Don't do this until you are sure you have managed to log in as the admin user! Simply edit the nobody user and change the view/edit settings so that there is no view or edit access at any level.

This will have the effect that the main login screen, when not logged in, will now be blank rather than listing a set of filters. This is because these filters are all level 1 security and the nobody user no longer has that access. You could obviously leave the nobody user at level 1 access and change all other settings to be a level other than 1. You could decide that you will make level 8 the low security setting and make the nobody user level 8 edit and view and then only set specific entries to level 8 security. The level numbers do not have a specific meaning, so 8 is not a higher security setting than 1.
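The rights model above can be checked before the nobody user is restricted. The following is an added example, not FireBrick code or its configuration format: it models users and settings with constructed names and levels, and reports what is reachable without a login and which levels nobody usable could still manage.

```python
# Added illustration: a toy model of the rights scheme, not FireBrick config.
from dataclasses import dataclass, field

LEVELS = frozenset(range(1, 9))  # eight levels; labels, not a ranking


@dataclass
class User:
    login: str
    has_password: bool
    view: frozenset = field(default_factory=frozenset)
    edit: frozenset = field(default_factory=frozenset)

    def usable(self):
        # nobody needs no login; every other user needs a password set
        return self.login == "nobody" or self.has_password


def anonymous_exposure(nobody, settings):
    """Names of settings the nobody user can view or edit without logging in."""
    return sorted(name for name, level in settings.items()
                  if level in nobody.view or level in nobody.edit)


def lockout_levels(users, settings):
    """Levels in use that no usable account can both view and edit."""
    usable = [u for u in users if u.usable()]
    return sorted(level for level in set(settings.values())
                  if not any(level in u.view and level in u.edit for u in usable))


# Constructed sample data: setting name -> security level
SETTINGS = {"filters": 1, "speed limit": 3, "upload/save config": 8}
NOBODY_DEFAULT = User("nobody", False, frozenset({1}), frozenset({1}))
NOBODY_LOCKED = User("nobody", False)
NOBODY_LEVEL8 = User("nobody", False, frozenset({8}), frozenset({8}))
ADMIN_WITH_PW = User("admin", True, LEVELS, LEVELS)
ADMIN_NO_PW = User("admin", False, LEVELS, LEVELS)

if __name__ == "__main__":
    print(anonymous_exposure(NOBODY_DEFAULT, SETTINGS))
    print(anonymous_exposure(NOBODY_LEVEL8, SETTINGS))
    print(lockout_levels([NOBODY_LOCKED, ADMIN_NO_PW], SETTINGS))
    print(lockout_levels([NOBODY_LOCKED, ADMIN_WITH_PW], SETTINGS))
```

An empty result from lockout_levels for the planned user set is the condition to meet before removing the nobody user's rights.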

User settings

The basic user settings are as follows :-

Security: Controls the level of security of this entry, restricting who can view and change the user
Allow: Where the user can log in from
Login: The login name
Timeout: The auto logout timeout in minutes
Name: The full name of the user
Page: The number of lines shown on each page of multi page configurations
Password: The password - enter twice to be sure
View rights: Which security levels the user can view
Edit rights: Which security levels the user can edit
Profile: The profile (e.g. time of day) when the user is allowed to log in

General access

The main setup page contains a list of security settings that affect general aspects of the FireBrick®. These include security settings for access to each of the main configuration pages as well as software upgrade ability. Ensure that these are set to fit in with your user security scheme. Care should be taken with the upload/save config level as this allows a complete configuration to be saved or replaced.

Access from outside

You will only be able to access the FireBrick® from outside if you have configured a suitable IP address. By default no access is permitted to the configuration pages from the WAN, so you will need to make a number of changes to allow remote access :-

Always consider security carefully. Test what you have done wherever possible - i.e. try logging in from outside and from where you should not be able to.

Always ensure you have a valid login yourself before making changes you are unsure about. You may even want to set up a separate backup admin login with a very obscure password just in case you lock yourself out. If in doubt, save the configuration before a change.

Controlling access

A typical situation may be that you wish to control access, i.e. you want certain specific settings on the FireBrick® that you have set, and want to allow someone else to be able to make some additional changes. For example, you may want certain filters, but allow someone else to add extra filters.

This can be done by setting the appropriate security levels on the user and on the settings you want to control. You can choose if the user will be able to see the settings you have fixed or not.

If you do this, you must be careful to consider the order in which settings apply. For example, filters are applied in order, so your fixed settings must be first in the list, otherwise they could be overridden by something your user can change.

As an example, a managed office may want to impose speed limiting controls yet allow the tenants to set up the firewall filters. This allows responsibility for filtering to be given to the tenants but stops them being able to override some basic settings such as the speed of their access.
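The ordering rule in this section can be checked mechanically. The following is an added example, not FireBrick code: the filter names, levels and the tenant's edit rights are constructed, and an entry counts as fixed when its security level is outside the delegated user's edit rights.

```python
# Added illustration: constructed data, not FireBrick's configuration format.

def shadowed_fixed_entries(entries, delegate_edit_levels):
    """Find fixed entries that sit after an entry the delegate can edit.

    entries: ordered list of (name, security_level), applied first to last.
    Returns (fixed_name, first_editable_name) pairs. Each pair is a fixed
    entry that an earlier, delegate-editable entry could override.
    """
    first_editable = None
    shadowed = []
    for name, level in entries:
        if level in delegate_edit_levels:
            # Remember the earliest point at which the delegate has control.
            if first_editable is None:
                first_editable = name
        elif first_editable is not None:
            shadowed.append((name, first_editable))
    return shadowed


TENANT_EDIT = {2}  # constructed: the tenant may edit level 2 entries only

# Fixed entries (level 5) first, tenant entries after: nothing is shadowed.
GOOD_ORDER = [
    ("block-inbound-telnet", 5),
    ("block-outbound-smtp", 5),
    ("tenant-allow-web", 2),
]

# A tenant-editable entry ahead of a fixed one: the fixed entry is at risk.
BAD_ORDER = [
    ("block-outbound-smtp", 5),
    ("tenant-allow-all", 2),
    ("block-inbound-telnet", 5),
]

if __name__ == "__main__":
    print(shadowed_fixed_entries(GOOD_ORDER, TENANT_EDIT))
    print(shadowed_fixed_entries(BAD_ORDER, TENANT_EDIT))
```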