HORATIO -- AUTHENTICATED NETWORK ACCESS

The Horatio system is a firewall authentication tool. The premise: legitimate users want to attach laptops and other mobile hosts to the network, but security demands that illegitimate users be prevented from accessing the internal, secure network and from abusing the general Internet.

The approach taken by Horatio is to provide a separate, untrusted network that only connects to the internal network (and thus to the Internet) through a firewall that by default does not pass any traffic. When a legitimate user connects his or her host, it is assigned an address by a DHCP server, but is unable to contact anything outside the untrusted network. The user must point a web browser at the Horatio web server, which runs on the firewall machine, and provide a username and password. Once the username and password have been validated, the firewall rules are modified to allow the host access to the rest of the network.

This package contains the Horatio web server and firewall scripts. The remaining components (listed below) are available elsewhere.

SECURITY WARNING!

I MAKE NO CLAIMS REGARDING THE SECURITY OR UTILITY OF THIS SOFTWARE. The GNU General Public License, under which this software is made available, says,

    NO WARRANTY

    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
    REPAIR OR CORRECTION.

    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES.

Please keep that in mind. We have taken some effort to make sure this system works as advertised, but I am not a security expert and this software should not be blindly trusted. (In fact, it should only be considered a "technology demonstration," or perhaps a piece of performance art.) As well, there is a trade-off between security and convenience, and by making it easier to allow random people to connect to your network you are decreasing your security.

YOU HAVE BEEN WARNED.

SECURITY WARNING!

REQUIREMENTS

* Firewall machine running something Unix-y (Tested with Linux 2.4.18.)
* Perl (Tested with 5.005_02 and 5.6.1.)
* Bash (Tested with 2.05.0(1); another shell may work.)
* fping (Tested with something that claims to be 2.0 from 1994.)
* OpenSSL (Tested with 0.9.7.)
* Syslog (Using Perl's Sys::Syslog module; requires UDP syslogging to be enabled.)
* Perl IO::Socket::SSL (0.94), Net::SSLeay (1.23), and HTTP::Daemon::SSL (1.00) modules.
* ipchains (Tested with 1.3.9.)
* DHCP server (Tested with Internet Software Consortium DHCP Server 2.0.)

INSTALLATION

Generic and detailed instructions are in "INSTALL". Basic installation should look like:

    $ configure
    $ make
    $ make install

The following files and directories are installed in the following locations:

    horatio              $(sbin)          Perl HTTP/HTTPS server
    horatio-hostlist     $(pkgdatadir)    Bash script managing trusted hosts
    horatio-firewall     $(pkgdatadir)    Bash script setting up firewall
    horatio.8            $(mandir)        Man page for horatio
    horatio-hostlist.8   $(mandir)        Man page for horatio-hostlist
    horatio-firewall.8   $(mandir)        ...blah, blah

CONFIGURATION

The horatio server reads a configuration file (by default, $(sysconfdir)/horatio.conf) for the following information:

* A list of password files
* A directory to hold state information, logs, certificates, etc.
* A directory to hold HTML files, including error messages
* The URLs and files that the HTTP and HTTPS servers will handle
* HTTPS (SSL) certificate and key files
* The frequency (by default, 300 seconds) of rollcalls

A sample horatio.conf and html files are available in the html/ subdirectory. A SysV-init startup script is included as horatio.rc.

For more information, see the horatio(8), horatio-hostlist(8), and horatio-firewall(8) man pages.

HOME PAGE

This package is located at http://horatio.sourceforge.net

Tommy M. McGuire
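The following is an added example, not the project's own horatio-hostlist script: a small shell model of the trusted-host list and the periodic rollcall described above, showing why the rollcall matters on a DHCP network (an address whose host has gone away is closed again before another client can be leased it). It assumes a line-per-host list file, an ipchains chain named "horatio", and that the rollcall's list of answering hosts comes from a ping sweep (the README requires fping; that the rollcall uses it is my assumption); $IPCHAINS defaults to "echo ipchains" so rules are printed rather than applied.

```shell
#!/bin/bash
# Added example, not Horatio's horatio-hostlist. A host is opened in the
# firewall after web authentication; each rollcall closes any trusted host
# that no longer answers, so the next DHCP client given the same address
# does not inherit the previous user's access.
#
# Assumptions (not from the README): $HOSTLIST holds "ip user epoch" lines,
# rules live in an ipchains chain named "horatio", and $IPCHAINS defaults to
# "echo ipchains" (set it to /sbin/ipchains on a real firewall).

HOSTLIST="${HOSTLIST:-/tmp/horatio-hostlist.txt}"
IPCHAINS="${IPCHAINS:-echo ipchains}"
CHAIN="${CHAIN:-horatio}"

# add_host IP USER: record the host and open the firewall for its address.
add_host() {
    ip="$1"; user="$2"
    grep -q "^$ip " "$HOSTLIST" 2>/dev/null && return 0   # already trusted
    echo "$ip $user $(date +%s)" >> "$HOSTLIST"
    $IPCHAINS -A "$CHAIN" -s "$ip" -j ACCEPT
}

# remove_host IP: forget the host and close the firewall for its address.
remove_host() {
    ip="$1"
    grep -v "^$ip " "$HOSTLIST" > "$HOSTLIST.new" 2>/dev/null || true
    mv "$HOSTLIST.new" "$HOSTLIST"
    $IPCHAINS -D "$CHAIN" -s "$ip" -j ACCEPT
}

# rollcall ALIVE_FILE: ALIVE_FILE lists one address per line that answered
# the ping sweep (assumed to be fping's output). Every trusted host absent
# from it is removed; the removed addresses are printed, one per line, and
# the firewall commands go to stderr.
rollcall() {
    alive="$1"
    cp "$HOSTLIST" "$HOSTLIST.scan"        # work on a copy while removing
    while read -r ip rest; do
        grep -qx "$ip" "$alive" || { remove_host "$ip" >&2; echo "$ip"; }
    done < "$HOSTLIST.scan"
    rm -f "$HOSTLIST.scan"
}
```

Run add_host from the authentication step and rollcall every rollcall interval (300 seconds by default); with the echo default you can see exactly which rules would be added and deleted before trusting the script with the real ipchains binary.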