Firewall Setup For SOLCA
Technical Description of the Secure Shell Process
Ronald Kehoe, SCIF Network Operations - (707) 864-7481
Amendment #1 - September 7, 2001
Introduction
The purpose of this document is to describe the process of using Secure Shell to log in from the Internet to a server on the SCIF network.
Summary of Firewall Configuration
Below are the details of the Secure Shell process. This summary provides a high-level description of the changes required on a customer firewall to ensure connectivity with State Fund via Secure Shell: the customer firewall must allow outbound TCP port 22 from the client workstation to the target server (206.202.64.8) and, because the SCIF firewall opens a second connection back to the client for authentication, inbound TCP port 261 from the SCIF firewall to the client workstation.
Secure Shell Access Process
To access a server (for example, 206.202.64.8) within the State Fund network from a Secure Shell client on the Internet, proceed as follows:
- Client initiates a Secure Shell session with 206.202.64.8;
- SCIF firewall intercepts this request and initiates an authentication handshake with the client workstation;
- Client is prompted for a username and a password (for Secure Shell users, the SecurID passcode);
- Firewall checks the username against entries in the RADIUS database and checks the password against the ACE/Server; and
- Firewall permits access to the server (206.202.64.8).
Secure Shell Access Process - Technical Description
Secure Shell Initiation
This process initiates the Secure Shell client software, which attempts to open an encrypted remote login session (the replacement for telnet) to the target host, 206.202.64.8. The TCP destination port for this access is port 22. The source port assignment is random (ephemeral), in accordance with normal TCP standards.
SCIF Firewall Interception
When the firewall receives the request for access to IP address 206.202.64.8 over TCP port 22, it issues an authentication challenge to the client workstation. The firewall sends this challenge over a new TCP connection to the client using TCP destination port 261; this connection is initiated by the firewall, not the client. The source port is a random assignment, in accordance with normal TCP standards.
Client Prompts Username
When the firewall issues the authentication challenge over TCP port 261 to the client, the Check Point Session Authentication Agent software installed on the client workstation responds by prompting the user for a username. The client sends this data securely back to the firewall for authentication.
Firewall Checks Username
Once the firewall receives the username from the client, the firewall checks this entry against the SCIF RADIUS database. The SCIF RADIUS database identifies the type of password required to access the SCIF network. The firewall prompts for the password.
Dial-up clients use a static password located in the RADIUS database. Secure Shell clients use a dynamic password that the ACE/Server database generates.
Client Prompts Password
The client prompts the user for the user's passcode. This passcode is the combination of the user's secret PIN and the randomly generated code currently displayed on the user's SecurID fob (a.k.a. token). The client returns this value to the firewall.
Firewall Checks Password
Once the firewall receives the passcode from the client, the firewall checks this entry against the ACE/Server. If the ACE/Server accepts the passcode, the firewall permits the session to 206.202.64.8 over TCP destination port 22; otherwise the session is denied.
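The following simulation walks through the exchange described in the summary and in the technical description above, with both the firewall side and the client-agent side as message-passing code. It is an added example, not SCIF or Check Point code. The protected host, ports 22 and 261, and the two-stage check (RADIUS decides the password type, ACE/Server validates the SecurID passcode) come from this document; the user records, the tokencode function (an HMAC-SHA1 stand-in, since the real SecurID algorithm is proprietary and different), the replay rule and the message strings are assumptions constructed for the example.

```python
"""Simulation of the SCIF session-authentication exchange (added example)."""
import hashlib
import hmac
import struct

SSH_PORT = 22
SNAUTH_PORT = 261              # Check Point Session Authentication Agent port (from the page)
PROTECTED_HOST = "206.202.64.8"

# Constructed sample directories, not SCIF's real RADIUS or ACE/Server data.
# RADIUS tells the firewall which kind of password a user needs.
RADIUS_DB = {
    "dialup-user": {"auth_type": "static", "password": "winter2001"},
    "ssh-user": {"auth_type": "securid"},
}
# ACE/Server holds the PIN and the token seed behind each user's SecurID fob.
ACE_DB = {
    "ssh-user": {"pin": "1234", "seed": b"constructed-token-seed"},
}


def tokencode(seed: bytes, interval: int, digits: int = 6) -> str:
    """Six-digit code for one time interval. HMAC-SHA1 stand-in (assumption);
    the real SecurID algorithm is proprietary and differs from this."""
    mac = hmac.new(seed, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class AceServer:
    """Stand-in for ACE/Server: checks PIN + tokencode and refuses a replayed code."""

    def __init__(self, db, interval):
        self.db, self.interval, self.used = db, interval, set()

    def validate(self, user: str, passcode: str) -> bool:
        rec = self.db.get(user)
        if rec is None or (user, self.interval) in self.used:
            return False
        expected = rec["pin"] + tokencode(rec["seed"], self.interval)
        if not hmac.compare_digest(passcode.encode(), expected.encode()):
            return False
        self.used.add((user, self.interval))   # a tokencode is good once per interval
        return True


class Firewall:
    """SCIF firewall side: intercept -> ask username -> pick password type -> verify."""

    def __init__(self, radius_db, ace):
        self.radius, self.ace = radius_db, ace
        self.user = self.auth_type = None
        self.transcript = []          # (sender, tcp_dport, message) for each message

    def say(self, sender, message):
        self.transcript.append((sender, SNAUTH_PORT, message))

    def intercept(self, dst: str, dport: int) -> bool:
        """Only SSH to the protected host triggers the TCP/261 challenge."""
        if dst != PROTECTED_HOST or dport != SSH_PORT:
            return False
        self.say("firewall", "username?")
        return True

    def username(self, user: str):
        self.say("client", user)
        rec = self.radius.get(user)
        if rec is None:
            self.say("firewall", "deny: unknown user")
            return None
        self.user, self.auth_type = user, rec["auth_type"]
        prompt = "passcode?" if self.auth_type == "securid" else "password?"
        self.say("firewall", prompt)
        return prompt

    def password(self, secret: str) -> bool:
        self.say("client", "*" * len(secret))          # never record the secret itself
        if self.auth_type == "securid":
            ok = self.ace.validate(self.user, secret)
        else:
            ok = hmac.compare_digest(secret.encode(), self.radius[self.user]["password"].encode())
        self.say("firewall", f"permit {PROTECTED_HOST}:{SSH_PORT}" if ok else "deny")
        return ok


def client_session(fw: Firewall, user: str, secret: str,
                   dst: str = PROTECTED_HOST, dport: int = SSH_PORT) -> str:
    """Client workstation side: SSH attempt, then the agent answers both prompts."""
    if not fw.intercept(dst, dport):
        return "no-challenge"
    if fw.username(user) is None:
        return "unknown-user"
    return "permit" if fw.password(secret) else "deny"


if __name__ == "__main__":
    interval = 12345                      # fixed "current" interval for the demo
    ace = AceServer(ACE_DB, interval)
    fob = tokencode(ACE_DB["ssh-user"]["seed"], interval)
    fw = Firewall(RADIUS_DB, ace)
    print(client_session(fw, "ssh-user", ACE_DB["ssh-user"]["pin"] + fob))
    for line in fw.transcript:
        print(line)
```

The transcript produced by a successful run has the shape the document describes: the firewall speaks first on port 261, the RADIUS lookup selects the passcode prompt for a Secure Shell user, and the ACE/Server stand-in accepts the PIN plus the current tokencode exactly once. Re-sending the same passcode in the same interval is denied, which is the property that makes the SecurID passcode safe to type across the Internet in a way a static RADIUS password is not.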