Daniel Forrester

Firewall that is controlled by AD login

Is there a way to control the Active Directory login so that it talks to the firewall and you can control what ports can be accessed by that user? Happy to change my firewall.
Pete Long

What are you trying to block? If it's just to web filter your clients, then any Cisco ASA Next Gen with FirePOWER services will do that.

As for PORTS - the rule is: if they don't need to be open, don't have them open?


Regards,

Pete
Daniel Forrester

ASKER

I want to be able to have logins that block all ports in and out. I'd like them to be Active Directory specific. What firewall/router can do this?
ASKER CERTIFIED SOLUTION
Will Szymkowski
This solution is only available to members.
...firewalls in connection with users...

What we can do (for example with the Windows Firewall) is limit outgoing traffic based on user names. So you can create a rule "let user A only create outgoing traffic on port x".

What we can also do is create an incoming rule like "only allow incoming traffic on port x if it is coming from (remote) domain user B".

But what we cannot do is go like "if user C is logged on close all incoming ports".

You see, you need to specify what exactly you are trying to do.

I'm trying to block users from making any connection to outside of the network, for example port 80, port 443, port 25, common ports that are used to transfer data from the network. I'd like to control it through their login names.

You can use the Windows Advanced Firewall for that goal. Try it: set up a policy and afterwards open its properties to set the user-bound activation.
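
The user-bound Windows Firewall rule suggested above, written in PowerShell as an added example that is not part of the original thread: it blocks outbound TCP to the ports the asker listed for one AD user or group. The principal `EXAMPLE\Restricted-NoEgress`, the function name and the rule name are hypothetical; run it from an elevated session.

```powershell
# Added example. Hypothetical names: EXAMPLE\Restricted-NoEgress, the rule display name.
function New-UserBoundEgressBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]   $Principal,                                  # AD user or group, DOMAIN\name
        [string[]] $RemotePort  = @('80', '443', '25'),         # ports named in the thread
        [string]   $DisplayName = 'Block egress - restricted users',
        [string]   $PolicyStore = 'PersistentStore'             # or 'domain.fqdn\GPO name' to deploy by GPO
    )

    # Resolve the account to its SID; Translate() throws if the name does not exist.
    $sid = [System.Security.Principal.NTAccount]::new($Principal).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # -LocalUser takes an SDDL string with one ACE per principal the rule applies to.
    $sddl = "D:(A;;CC;;;$sid)"

    # Remove any earlier copy so re-running does not stack duplicate rules.
    Get-NetFirewallRule -DisplayName $DisplayName -PolicyStore $PolicyStore -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    if ($PSCmdlet.ShouldProcess($Principal, "Block outbound TCP $($RemotePort -join ',')")) {
        # Outbound traffic is allowed by default, and a Block rule overrides Allow rules,
        # so only sessions running as $Principal lose access to these ports.
        New-NetFirewallRule -DisplayName $DisplayName -PolicyStore $PolicyStore `
            -Direction Outbound -Action Block -Protocol TCP `
            -RemotePort $RemotePort -LocalUser $sddl -Profile Any
    }
}

New-UserBoundEgressBlock -Principal 'EXAMPLE\Restricted-NoEgress'

# Check: the security filter should show the SDDL with the SID the rule is bound to.
Get-NetFirewallRule -DisplayName 'Block egress - restricted users' |
    Get-NetFirewallSecurityFilter |
    Select-Object LocalUser
```

The rule is enforced on the host where the user is logged on, so it only restricts that user on machines that carry it; ports not listed in `-RemotePort` stay reachable.
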
I still don't understand the reasoning behind this. Do you want to restrict users from surfing the web and sending email?

If you are seeking a closed circuit environment you can achieve this with a logically segmented design (a dynamic network as opposed to a flat one). Create a VLAN/Zone for your users and explicitly block all VLAN > WAN ports. Then, to authenticate and use other network resources, add Access Rules between the appropriate VLANs/Zones. For example, here is a list of AD ports required to be opened: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

How did you solve it?