Horatio: Authenticated Network Access

A Roman soldier The Horatio system is a firewall authentication tool. The premise: Legitimate users want to attach laptops and other mobile hosts to the network, but security demands that illegitimate users be prevented from accessing the internal, secure network and from abusing the general Internet. The approach taken by Horatio is to provide a separate, untrusted, network that only connects to the internal network (and thus to the Internet) through a firewall that by default does not pass any traffic.

When a legitimate user connects his or her host, it is assigned an address by a DHCP server (such as dhcpd), but is unable to contact anything outside the untrusted network. The user must must point a web browser at the horatio web server, which runs on the firewall machine, and provide a username and password. Once the username and password have been validated, the firewall rules are modified to allow the host access to the rest of the network.

When leaving, the user can log out, removing his or her host from the access list. If the user does not log out, a periodic rollcall (using fping) will detect that the host is no longer accessible and remove it from the access list.

The horatio server uses syslog to log the actions it takes, including log-ins, log-outs, web accesses, rollcalls, and process starts and stops. The firewall uses Linux ipchains. HTTPS support is provided using OpenSSL, and the Perl modules IO::Socket::SSL, Net::SSLeay, and HTTP::Daemon::SSL. The firewall and host list management scripts are written in Bash.

For more information, see the horatio(8) man page. More details about the firewall are available in the horatio-firewall(8) man page and about the host management in the horatio-hostlist(8) man page.

News

5 May 2005 Horatio moves to SourceForge. I (Tommy McGuire) would like to welcome Mark Dammer, who has made a number of long-needed updates to Horatio and provided the impetus to finally move it to SourceForge. Look for more changes soon!
18 Oct 2003 Horatio-1.7: Include how a login request came in (i.e. HTTP or HTTPS) to the logging information. Add a Timeout to the HTTPS Daemon options, in the hopes that it will take care of the hanging daemon problem.
29 Jul 2003 Horatio-1.6: The SIGPIPE fix didn't work. Added a null SSL_error_trap function to the HTTPS daemon constructor. Another patch from Fletcher Mattox.
24 Jul 2003 Horatio-1.5: Ignore SIGPIPE when client connection goes away. A patch from Fletcher Mattox.
17 Jul 2003 Horatio-1.4: I lied. This version removes the local HTTPSDaemon module in favor of HTTP::Daemon::SSL, on the advice of Peter Behroozi:

If the actual server "blocks" on a read, that is usually a sign of a misconfigured client that fails SSL negotiation (such as an HTTP client connecting to your HTTPS server). Since the actual accept routine does not read from the socket (other than the SSL negotiation), this is likely your problem. Try using the HTTP::Daemon::SSL module and see if that helps.

I would recommend upgrading to IO::Socket::SSL at least v0.93 (in order to use HTTP::Daemon::SSL) and to Net::SSLeay at least v1.23 (to avoid several rather nasty bugs).

When I first saw the problem, I thought it was a weird client, but I wasn't ever able to pin it down to one OS/browser combination. My current theory is a race condition in the SSL negotiation. We'll see.
18 Mar 2003 Horatio-1.3: One more pass at fixing the HTTPS bug. We may have it this time! If all goes well, the next release will be 2.0, with most of the functions of horatio-hostlist moved into a Perl module and support for iptables (as well as any other firewall commands). Currently, to use iptables, you would need to first replace horatio-firewall with a script that calls the iptable command rather than ipchains. Also, you would need to modify horatio-hostlist, since it calls ipchains to open and close the firewall when users log in or out. In 2.0, you'll still have to do the first part, although I should have a sample horatio-firewall script using iptables, but the commands for the second part will be configurable.
10 Feb 2003 Horatio-1.2: Major bug fixes.
10 Apr 2002 Horatio-1.0: Inital public release.

Source code

Documentation

License

GNU General Public License, Version 2

Further information

Horatio is loosely based on SPINACH developed at Stanford University.

Information about UTCS's Horatio installation is available at their Horatio page as well as their Background page.

A somewhat related project is NoCatNet and the centralized authentication system NoCatAuth. The primary difference is that NoCatAuth does not trust the gateway/firewall and therefore uses a more complicated authentication system. It also is intended to provide differing levels of service to classes of authenticated/unauthenticated users.

The Authentication Gateway HOWTO, by Nathan Zorn, describes using PAM authentication with SSH as well as NoCatAuth. It also has a link to a Wireless Firewall Gateway White Paper from the NASA Advanced Supercomputing Division as well as a link to a University of Alberta solution.

A very useful tool for developing the firewall needed to protect the Horatio machine and the internal network appears to be hlfl, the High Level Firewall Language. This appears to allow a concise definition of firewall rules, which is translated into the appropriate lower-level firewall commands (i.e. ipchains, netfilter, etc.). Future Horatio improvements will probably be based on using hlfl to define the firewall and internal modules for granting/denying packet access.

Who is Horatio?

See The History of Rome, Volume 1, Book 2, Section 2.10, by Titus Livius from the Electronic Text Center, the University of Virginia Library.

Also, check The Project Gutenberg Etext of Lays of Ancient Rome, by Thomas Babbington Macaulay.