1 Introducing ChoiceNet       

ChoiceNet is a client/server packet-filtering application created by Lucent. ChoiceNet provides a mechanism to filter network traffic on dial-up InterNetworking Systems, synchronous leased line, or asynchronous connections. Filter information is stored in a central location known as the ChoiceNet server.

ChoiceNet clients can be one or more PortMaster 2 Communications Servers, PortMaster IRX Routers, PortMaster Office Routers, PortMaster 3 Integrated Access Servers, or PortMaster FireWall IRX Routers. ChoiceNet clients communicate with the ChoiceNet server to determine user access.

ChoiceNet can use filter names specified by the Remote Authentication Dial-In User Service (RADIUS) user record.

This chapter includes the following topics:

•   "Overview of ChoiceNet Features" on page 1-1
•   "ChoiceNet Functions" on page 1-3
•   "ChoiceNet Directory Structure" on page 1-4
•   "How ChoiceNet Operates" on page 1-5
•   "ChoiceNet Installation and Configuration" on page 1-9

Overview of ChoiceNet Features

• Custom Access. The ChoiceNet server uses site lists to control access to specific hosts, Web sites, and Internet addresses. With ChoiceNet, a single filter rule can specify an entire list of hosts or IP addresses. Internet service providers (ISPs) can fine-tune access to their customers' specific needs. For example, a school district can select only child-oriented sites for student access. Corporations can limit employee access to external sites to enhance employee productivity.
• Simplified Management. In large networks without a ChoiceNet server, filters must be scattered throughout the network on different communications servers or routers. ChoiceNet enables all filters to be stored on one host. Storing filters on the ChoiceNet server frees memory on the PortMasters for other uses. Central storage eliminates the need for updating filter tables on many individual clients. You can easily add new site lists and filters or modify existing information on the server.
• Tight Security. ChoiceNet filtering enables system administrators to restrict internal network access by establishing TCP and UDP sessions only as defined in a rule set. Any traffic not permitted in the rule set is denied. External access to internal networks can be denied entirely or constrained to specific subnets.
• Flexibility. ChoiceNet enables both inbound and outbound traffic filtering for each interface and user. Each interface, whether synchronous, asynchronous, or Ethernet, can have a customized set of rules. ChoiceNet filters IP traffic by comparing TCP, UDP, and ICMP packets against the filter rules.
• Logging Capabilities. The ChoiceNet server can log all ChoiceNet activities to the console or a file. You can use syslog to analyze information collected in the file for troubleshooting.

  ChoiceNet server software is available for the following operating systems:

• AIX 4.1
• Alpha Digital UNIX 3.0
• BSD/OS 2.0
• HP-UX 10.01
• IRX 5.2
• Linux 1.2.13 (ELF)
• Solaris 2.5.1
• Solaris x86 2.5.1
• SunOS 4.1.4    

ChoiceNet Functions

Centralized Site Lists

You store the site lists on the ChoiceNet server. The number of lists that you can add to this directory is unlimited.

Centralized Filter Management

When filters are stored locally in the nonvolatile configuration memory on each router or communications server, the amount of memory available on these devices limits the number of rules in each filter and the number of filters defined. For example, most PortMasters have 1MB of nonvolatile memory, which limits local storage to no more than 150 packet filters.

In contrast, ChoiceNet enables you to centralize the storage of an unlimited number of user-specific filters on the server. When a user dials in to the network, if the appropriate filter does not reside locally on the client, the client sends a request to the ChoiceNet server to look up the filter. If the name of the filter assigned to the interface matches a filter defined on the ChoiceNet server, the filter is downloaded to the client. This feature simplifies filter management and reduces the memory required on the client.

ChoiceNet can download filters from the server dynamically-on demand-to asynchronous and synchronous interfaces. To apply filters to an Ethernet interface, however, you must store the filters locally on the client. ChoiceNet cannot load filters dynamically for an Ethernet interface.  

ChoiceNet Directory Structure

• filterd Process. The filterd process runs on a UNIX host. It can be started from /etc/rc.local or manually executed. It listens on UDP port 1647 for requests from clients to download a filter or to verify whether a host is a member of a site list.
• Clients File. The clients file is used for communication between the ChoiceNet server and its clients. It contains the names or IP addresses of ChoiceNet clients and their shared secrets. The filterd process consults this file to verify the validity of the ChoiceNet clients sharing the secret with the server.
• ChoiceNet Filters. You define filters, or rule sets, to specify permissions for site access and network services. Although the filters can reside locally on the client, ChoiceNet enables you to store filters in the filters directory on the central ChoiceNet server. Filters are then dynamically downloaded to the client when requested.
  • Rules for Filters. A ChoiceNet filter contains a list of rules. A ChoiceNet client executes the rules from the top down as they are presented in the filter text file.
  • Port Services. The Internet Assigned Numbers Authority (IANA) specifies the association between TCP and UDP network services and port numbers on IP networks-well-known services and well-known port numbers.

  
  ChoiceNet controls access to these network services for source and destination hosts by comparing the port number or service requested with a port number specified in a filter rule. See Appendix C, "Port Assignments," for more information.

• Site Lists. You create and store site lists in the lists directory on the ChoiceNet server. Filter rules can use these lists instead of source or destination host addresses to evaluate access requests.

The buildlist utility resolves all hostnames in the lists directory into IP addresses using the Domain Name System (DNS). The utility places this information in database files in the lists.dbm directory. The actual names of the files created in the /etc/choicenet/lists.dbm directory can vary depending on your operating system.

The ChoiceNet server uses this database for faster searching when the PortMaster requests the server to determine whether a site is in a list specified in a filter rule.

• User Notification. When a filter denies access to a site or network service, it can send a notification to the source host, displaying a pop-up notification window to PC or Macintosh dial-up users.
• Activity Logging. The filterd process logs its activity to syslog. You can instruct filterd to log activity to a file-see "Starting ChoiceNet" on page 2-7.

How ChoiceNet Operates

ChoiceNet Filtering with RADIUS

A ChoiceNet filter rule can specify a site or address list instead of either a source or destination address. If the rest of the rule matches, the PortMaster determines from the ChoiceNet server whether the site is on that list. The PortMaster then takes the action required by the rule based on the server's response. The PortMaster caches the response for future use.

Example

If the user is authenticated, the RADIUS server sends information to the PortMaster that authorizes the connection. This information consists of the reply items from the user entry that tell the PortMaster how to configure the connection. One of the reply items is the Filter-Id that associates a filter with the user. For example, if the Filter-Id is wwwok, then the input filter for the user is wwwok.in and the output filter is wwwok.out.

In Figure 1-3, the dial-in user has successfully connected. The PortMaster searches the Filter Table for the filters specified by Filter-Id in the user entry. If the filters are present in the Filter Table, then they are applied to the connection.

In Figure 1-4, the connected user attempts to access a particular site or service. The PortMaster compares the access request against the input filter rules. If the request matches a rule, the PortMaster takes the action-permit or deny-specified in the rule.

If a rule specifies a site list, the PortMaster sends a request to the ChoiceNet server to determine whether the site is on that list. This operation is called a site list look-up. The PortMaster caches the answer for future use.

ChoiceNet Filtering without RADIUS

• Filter names are found in the PortMaster User Table entry rather than in the Filter-Id reply item of a RADIUS user entry.

ChoiceNet Installation and Configuration