Horatio: Authenticated Network Access


The Horatio system is a firewall authentication tool. The premise: legitimate users want to attach laptops and other mobile hosts to the network, but security demands that illegitimate users be prevented from accessing the internal, secure network and from abusing the general Internet. The approach taken by Horatio is to provide a separate, untrusted network that connects to the internal network (and thus to the Internet) only through a firewall that by default passes no traffic.

When a legitimate user connects his or her host, it is assigned an address by a DHCP server (such as dhcpd), but is unable to contact anything outside the untrusted network. The user must point a web browser at the horatio web server, which runs on the firewall machine, and provide a username and password. Once the username and password have been validated, the firewall rules are modified to allow the host access to the rest of the network.

When leaving, the user can log out, removing his or her host from the access list. If the user does not log out, a periodic rollcall (using fping) will detect that the host is no longer accessible and remove it from the access list.

The horatio server uses syslog to log the actions it takes, including log-ins, log-outs, web accesses, rollcalls, and process starts and stops. The firewall uses Linux ipchains. HTTPS support is provided using OpenSSL, and the Perl modules IO::Socket::SSL, Net::SSLeay, and HTTP::Daemon::SSL. The firewall and host list management scripts are written in Bash.
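The admission, logout and rollcall steps described above, as an added bash sketch that is not Horatio's own host-list or firewall script: the host-list path, the untrusted-side interface name and the per-host ipchains rule shape are assumptions, and the fping and ipchains commands are reached through variables so the logic can be exercised without them.

```bash
#!/bin/bash
# Illustrative Horatio-style host-list and rollcall logic (added example, not
# the project's own scripts). Assumed layout: HOSTLIST holds one "IP USER
# LOGIN-EPOCH" line per admitted host, each admitted host has an ACCEPT rule
# in the ipchains "forward" chain, and fping -a lists the hosts that answer.
set -u
HOSTLIST=${HOSTLIST:-/var/run/horatio/hosts}   # assumed path
FPING=${FPING:-fping}                          # overridable for offline tests
IPCHAINS=${IPCHAINS:-ipchains}
UNTRUSTED_IF=${UNTRUSTED_IF:-eth1}             # assumed untrusted-side interface
log() { logger -t horatio -p auth.info -- "$*" 2>/dev/null || echo "horatio: $*" >&2; }

# Default deny: nothing crosses the firewall until a user has logged in.
firewall_init() {
    "$IPCHAINS" -P forward DENY
    : > "$HOSTLIST"
}

# Exact match on the IP column (a regex would let '.' match any character).
listed() { awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$HOSTLIST"; }
# grant_host IP USER: open the firewall for the host and record it.
grant_host() {
    local ip=$1 user=$2
    listed "$ip" && return 0                   # already admitted
    "$IPCHAINS" -I forward -i "$UNTRUSTED_IF" -s "$ip" -j ACCEPT || return 1
    printf '%s %s %s\n' "$ip" "$user" "$(date +%s)" >> "$HOSTLIST"
    log "login $user from $ip"
}

# revoke_host IP REASON: delete the rule and the host-list entry.
revoke_host() {
    local ip=$1 reason=$2
    listed "$ip" || return 1
    "$IPCHAINS" -D forward -i "$UNTRUSTED_IF" -s "$ip" -j ACCEPT
    awk -v ip="$ip" '$1 != ip' "$HOSTLIST" > "$HOSTLIST.tmp" && mv "$HOSTLIST.tmp" "$HOSTLIST"
    log "logout $ip ($reason)"
}

# rollcall: ping every admitted host and drop the ones that no longer answer.
rollcall() {
    local ips reachable ip
    [ -s "$HOSTLIST" ] || return 0
    command -v "$FPING" >/dev/null || { log "rollcall skipped: $FPING not found"; return 1; }
    ips=$(cut -d' ' -f1 "$HOSTLIST")
    reachable=$("$FPING" -a $ips 2>/dev/null) || true   # -a: print alive hosts only
    for ip in $ips; do
        printf '%s\n' "$reachable" | grep -qxF "$ip" || revoke_host "$ip" rollcall
    done
    log "rollcall done"
}
```

If fping is missing the rollcall refuses to run rather than treating every host as unreachable, which would otherwise revoke all access at once.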

For more information, see the horatio(8) man page. More details about the firewall are available in the horatio-firewall(8) man page and about the host management in the horatio-hostlist(8) man page.

License

GNU General Public License, Version 2

Further information

Horatio is loosely based on SPINACH developed at Stanford University.

Information about UTCS's Horatio installation is available at their Horatio page as well as their Background page.

A somewhat related project is NoCatNet and the centralized authentication system NoCatAuth. The primary difference is that NoCatAuth does not trust the gateway/firewall and therefore uses a more complicated authentication system. It is also intended to provide differing levels of service to classes of authenticated/unauthenticated users.

The Authentication Gateway HOWTO, by Nathan Zorn, describes using PAM authentication with SSH as well as NoCatAuth. It also has a link to a Wireless Firewall Gateway White Paper from the NASA Advanced Supercomputing Division as well as a link to a University of Alberta solution.

A very useful tool for developing the firewall needed to protect the Horatio machine and the internal network appears to be hlfl, the High Level Firewall Language. This appears to allow a concise definition of firewall rules, which is translated into the appropriate lower-level firewall commands (e.g. ipchains, netfilter). Future Horatio improvements will probably be based on using hlfl to define the firewall and internal modules for granting/denying packet access.

Who is Horatio?

See The History of Rome, Volume 1, Book 2, Section 2.10, by Titus Livius from the Electronic Text Center, the University of Virginia Library.

Also, check The Project Gutenberg Etext of Lays of Ancient Rome, by Thomas Babington Macaulay.
