| Windows User-ID agent configured with the User-ID credential service add-on | The firewall checks whether the username and password a user submits match that same user's corporate username and password. To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords, and it must verify that the submitted username maps to the IP address of the login username. It does both as follows:

To detect corporate usernames and passwords: the firewall retrieves a secure bit mask, called a bloom filter, from a Windows User-ID agent equipped with the User-ID credential service add-on. The add-on service scans your directory for usernames and password hashes, deconstructs them into the secure bit mask (the bloom filter), and delivers it to the Windows User-ID agent. The firewall retrieves the bloom filter from the Windows User-ID agent at regular intervals. Whenever it detects a user submitting credentials to a restricted category, it reconstructs the bloom filter and looks for a matching username and password hash. The firewall can connect to only one Windows User-ID agent running the User-ID credential service add-on.

To verify that the credentials belong to the login username: the firewall looks for a mapping between the IP address of the login username and the detected username in its IP address-to-username mapping table.
|
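The two-step check described above (bloom-filter lookup of the submitted username and password hash, then a lookup in the IP address-to-username mapping table) can be illustrated with a small model. The following is an added example written for this page; it is not Palo Alto Networks code and does not reflect the firewall's or the agent's actual filter parameters, hash functions or directory access. The directory entries, the IP-to-username mapping, the filter size (8192 bits, 6 hash positions) and the password-hash function (a plain SHA-256 stand-in, since the page does not specify the directory's hash format) are all constructed assumptions.

```python
import hashlib
from typing import Dict, Iterable, Iterator, Tuple

# Constructed stand-in for the directory's password-hash format (the page does
# not specify it). The agent side and the firewall side must agree on it.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


class BloomFilter:
    """Bit mask with k hash positions per element. Membership tests can give
    false positives but never false negatives, and the mask does not contain
    the inserted usernames or hashes, which is why it can be shipped around."""

    def __init__(self, size_bits: int, num_hashes: int, bits: bytes = b"") -> None:
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray(bits) if bits else bytearray((size_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # Double hashing: derive k positions from two 64-bit halves of one SHA-256.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.size

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def serialize(self) -> bytes:
        # The bytes the agent would hand to the firewall.
        return bytes(self.bits)


# Assumed filter parameters for the example (not the product's real values).
FILTER_BITS = 8192
FILTER_HASHES = 6


def credential_key(username: str, pw_hash: bytes) -> bytes:
    # Usernames are compared case-insensitively; the hash is bound to the name
    # so a password reused by another account does not match on its own.
    return username.lower().encode("utf-8") + b"\x00" + pw_hash


def build_credential_filter(directory: Iterable[Tuple[str, bytes]]) -> bytes:
    """Agent side: deconstruct (username, password hash) pairs into the bit mask."""
    bf = BloomFilter(FILTER_BITS, FILTER_HASHES)
    for username, pw_hash in directory:
        bf.add(credential_key(username, pw_hash))
    return bf.serialize()


def classify_submission(filter_bytes: bytes, ip_user_map: Dict[str, str],
                        src_ip: str, username: str, password: str) -> str:
    """Firewall side: rebuild the filter, test the submission, then check that the
    detected username is the one mapped to the submitting IP address."""
    bf = BloomFilter(FILTER_BITS, FILTER_HASHES, filter_bytes)
    if credential_key(username, password_hash(password)) not in bf:
        return "no-match"                      # not a known corporate credential
    if ip_user_map.get(src_ip) == username.lower():
        return "own-corporate-credential"      # the login user submitted their own credential
    return "corporate-credential-other-user"   # valid credential, but not the login user's


# Constructed sample directory and IP address-to-username mapping table.
DIRECTORY = [("alice", password_hash("CorrectHorse1")),
             ("bob", password_hash("Battery-Staple2"))]
IP_USER_MAP = {"10.0.0.5": "alice", "10.0.0.6": "bob"}
CREDENTIAL_FILTER = build_credential_filter(DIRECTORY)

if __name__ == "__main__":
    for ip, user, pw in [("10.0.0.5", "alice", "CorrectHorse1"),
                         ("10.0.0.5", "alice", "wrong-password"),
                         ("10.0.0.6", "alice", "CorrectHorse1")]:
        print(ip, user, classify_submission(CREDENTIAL_FILTER, IP_USER_MAP, ip, user, pw))
```

The filter is rebuilt from the serialized bytes on the firewall side, which is the reconstruction step the page mentions; only the bit mask crosses between agent and firewall, so a stolen mask yields no credentials, and the remaining risk is a bounded false-positive rate that shrinks as the mask grows relative to the number of directory entries.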