Understand Identity Awareness, Identity Sources, IDA Daemons, PDP, PEP, Identity Acquisition Flow, Access Roles, Browser-Based Authentication, Identity Agents, Identity Collector, and their roles in network policy management.
Identity Awareness
Terrence Adams – Security Engineer
[Internal Use] for Check Point employees
What is Identity Awareness?
Identity Awareness uses the Source and Destination IP addresses of network traffic to identify users and computers. You can use these elements as matching criteria in the Source and Destination fields of your policy rules:
• The identity of users or user groups
• The identity of computers or computer groups
Identity Sources:
• Active Directory (AD Query)
• Identity Collector (Cisco ISE integration)
• RADIUS servers
• Terminal servers
IDA Daemons
• PDP (Policy Decision Point)
  • Acquires the identity information
  • Runs the various identity sources (Captive Portal, AD Query, …)
  • Communicates with the different remote components
  • Manages identities (role membership, timeouts, etc.)
  • Provides the identity information to the PEP
  • Activated upon enabling one of the Identity Sources on the GW
• PEP (Policy Enforcement Point)
  • Receives the identity information from the PDP
  • Provides Access Roles and logging information to the rule base and logging modules, on demand
  • Activated upon enabling Identity Awareness on the GW
[Restricted] for designated teams
Identity Acquisition Flow
• User logs in
  • When a user/machine logs in, a session is created with their IP address and user/machine name.
• Group membership fetch
  • The GW retrieves all the groups that the user/machine is a member of.
• Access Role matching
  • Access Roles are then calculated and associated with the IP according to:
    • The user/machine name
    • The user/machine groups
    • The user/machine IP
• Traffic
  • When new traffic arrives at the GW, the security policy can enforce it based on the Access Roles associated with the source and/or destination IP.
Identities in Policy Management
Access Roles have to be created to use identities in a network policy. You can use Access Role objects as the source and/or destination parameter in a rule.
Access Role objects can include one or more of these objects:
• Networks
• Users and user groups
• Computers and computer groups
• Remote Access clients
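The acquisition flow (login, group fetch, Access Role calculation, enforcement on traffic) and the Access Role objects described above, as an added, runnable model. This is example code written for this page, not Check Point's own implementation: the users, groups, networks, roles and rules are constructed sample data, the directory lookup is a dict standing in for AD Query, and the matching semantics (criteria ANDed, entries within a criterion ORed, empty criterion means Any) are a modelling assumption.

```python
"""Added example, not Check Point code: a minimal model of the identity
acquisition flow and of Access Role matching. A PDP keeps sessions
(IP -> user/machine and their groups) and calculates which Access Roles
apply to each IP; a PEP consults that mapping when traffic arrives."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed stand-in for the directory the PDP would query for group
# membership (in a real deployment: AD Query, Identity Collector, etc.).
DIRECTORY_GROUPS = {
    "users": {"alice": {"Finance", "Staff"}, "bob": {"Staff"}},
    "machines": {"PC-FIN-01": {"Finance-Workstations"}},
}

@dataclass
class Session:
    ip: str
    user: Optional[str] = None
    machine: Optional[str] = None
    user_groups: set = field(default_factory=set)
    machine_groups: set = field(default_factory=set)

@dataclass
class AccessRole:
    name: str
    networks: list = field(default_factory=list)   # CIDR strings; empty = Any
    users: set = field(default_factory=set)        # user names; empty = Any
    user_groups: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    machine_groups: set = field(default_factory=set)

    def matches(self, s: Session) -> bool:
        """Modelling assumption: Networks, Users and Machines criteria are ANDed,
        entries inside one criterion are ORed, an empty criterion means Any."""
        addr = ipaddress.ip_address(s.ip)
        if self.networks and not any(addr in ipaddress.ip_network(n) for n in self.networks):
            return False
        if (self.users or self.user_groups) and not (
                s.user in self.users or s.user_groups & self.user_groups):
            return False
        if (self.machines or self.machine_groups) and not (
                s.machine in self.machines or s.machine_groups & self.machine_groups):
            return False
        return True

class PDP:
    """Policy Decision Point: owns the sessions, fetches groups, calculates roles."""
    def __init__(self, roles):
        self.roles = roles
        self.sessions = {}  # ip -> Session

    def login(self, ip, user=None, machine=None):
        ipaddress.ip_address(ip)  # reject malformed addresses early
        s = Session(ip, user, machine)
        if user:      # group membership fetch for the user ...
            s.user_groups = set(DIRECTORY_GROUPS["users"].get(user, set()))
        if machine:   # ... and for the machine
            s.machine_groups = set(DIRECTORY_GROUPS["machines"].get(machine, set()))
        self.sessions[ip] = s  # a new login from the same IP replaces the old mapping
        return s

    def revoke(self, ip):
        """Remove the user mapping for an IP (what an identity revoke does)."""
        self.sessions.pop(ip, None)

    def roles_for(self, ip):
        s = self.sessions.get(ip)
        return set() if s is None else {r.name for r in self.roles if r.matches(s)}

class PEP:
    """Policy Enforcement Point: matches traffic against rules whose source is an Access Role."""
    def __init__(self, pdp, rules):
        self.pdp = pdp
        self.rules = rules  # ordered (source_access_role, destination_cidr, action)

    def decide(self, src_ip, dst_ip):
        src_roles = self.pdp.roles_for(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for role, dst_net, action in self.rules:  # first match wins
            if role in src_roles and dst in ipaddress.ip_network(dst_net):
                return action
        return "drop"  # implicit cleanup: unidentified or unmatched traffic is dropped

def demo():
    roles = [
        AccessRole("Finance_Users", networks=["10.1.0.0/16"], user_groups={"Finance"}),
        AccessRole("Any_Staff", user_groups={"Staff"}),
        AccessRole("Finance_Workstations", machine_groups={"Finance-Workstations"}),
    ]
    pdp = PDP(roles)
    pep = PEP(pdp, [
        ("Finance_Users", "10.50.0.0/24", "accept"),  # finance users reach finance servers
        ("Any_Staff", "10.50.0.0/24", "drop"),        # other staff do not
        ("Any_Staff", "0.0.0.0/0", "accept"),         # but may go anywhere else
    ])
    pdp.login("10.1.5.20", user="alice", machine="PC-FIN-01")
    pdp.login("10.2.7.9", user="bob")
    results = {
        "alice_roles": pdp.roles_for("10.1.5.20"),
        "alice_to_finance": pep.decide("10.1.5.20", "10.50.0.10"),
        "bob_to_finance": pep.decide("10.2.7.9", "10.50.0.10"),
        "bob_to_internet": pep.decide("10.2.7.9", "203.0.113.5"),
        "unknown_ip": pep.decide("10.9.9.9", "10.50.0.10"),
    }
    pdp.revoke("10.1.5.20")
    results["alice_after_revoke"] = pep.decide("10.1.5.20", "10.50.0.10")
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes visible: an IP with no session has no Access Roles, so a rule whose source is an Access Role can never match it, and revoking a mapping immediately changes the enforcement result for that IP. Stale or spoofed mappings are therefore the thing to watch; that is the risk the Full agent's IP spoofing protection and the session timeouts managed by the PDP address.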
Browser-Based Authentication - Captive Portal
Unidentified users log in with a user name and password in a Captive Portal. After authentication, the user is then allowed through to their destined address. There are two modes:
• BYOD for Domain Users – Users can bring their own device from home (BYOD). The user then uses their own corporate credentials to log in to the Captive Portal. This mode can also require the user to use the Identity Agent (discussed later).
• Guest Mode – Users without corporate credentials get a specialized Captive Portal page where they have to input their name, company, email and phone number for access. This mode is suggested for networks that only allow Internet access but disallow access to corporate resources.
Identity Agents
Endpoint Identity Agents are dedicated client agents that are installed on user endpoint computers. These Endpoint Identity Agents acquire and report identities to the Identity Awareness Gateway. They come in two flavours:
• Full – Predefined Endpoint Identity Agent that includes packet tagging and computer authentication. It applies to all users on the computer on which it is installed. Administrator permissions are required to use the Full Endpoint Identity Agent type. For the Full Endpoint Identity Agent, you can enforce IP spoofing protection. You can also leverage computer authentication if you define computers in Access Roles.
• Light – Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required to use the Light Endpoint Identity Agent type.
Identity Collector
• Check Point Identity Collector is a Windows-based application which collects information from Identity Sources about identities and their associated IP addresses. The Identity Collector then sends this information to the Identity Awareness Gateway for identity enforcement.
• The Identity Collector supports these Identity Sources:
  • Microsoft Active Directory Domain Controllers
  • Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1 an
Identity Collector key benefits over standard AD Query
• Reduces the load on the Security Gateway – the agent does the queries instead of the Security Gateway.
• Reduces the load on the DCs – the native Windows API used consumes fewer resources.
• The Identity Collector requires no administrator or administrator-like permissions. The only permission required is read-only access to the domain security logs.
• One Identity Collector can serve multiple Security Gateways, even from different CMAs.
[Diagram: identity information flowing into and out of the Check Point Identity Collector]
Check Point Identity Collector
• A Windows-based agent
• Collects identity information together with the associated IP addresses
• Provides the relevant identities to Check Point firewalls
[Restricted] for designated teams
[Diagram: Check Point Identity Collector connected to Cisco ISE, Microsoft Domain Controllers and Check Point firewalls]
Check Point Identity Collector
• Communicates with several Check Point firewalls, Microsoft Domain Controllers and Cisco ISE servers simultaneously
Identity Sharing
In environments that use many Security Gateways and AD Query, we recommend that you set only one Security Gateway to acquire identities from a given Active Directory domain controller for each physical site. If more than one Security Gateway gets identities from the same AD server, the AD server can become overloaded with WMI queries. Identity sharing between gateways uses port 28581.
PDP/PEP commands
All commands must be executed in Expert mode!
• pdp status show – shows the PDP daemon status
• pep status show – shows the PEP daemon status
• pdp monitor all – shows a detailed view of the users and machines identified
• pdp monitor summary all – shows a summary of the fetched identities (great for IA sharing)
• pdp update all – forces a mapping update for all users
• pdp control revoke_ip <ip_address> – removes a user mapping
• pep show user all – shows the users being enforced in policy
Endpoint Security On Demand (ESOD)
The Check Point Endpoint Security On Demand scanner enforces endpoint compliance by scanning the endpoint to see if it complies with a predefined endpoint compliance policy. For example, an endpoint compliance policy could make sure that the endpoint client has an updated anti-virus and an active firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.
Identity Awareness API
• The Identity Awareness API is used to add, delete and query identities
• Setup of the Identity Awareness API is done in the SmartConsole Identity Awareness blade
• The API runs on a gateway that is running Identity Awareness
• Access is set up as part of the Identity Awareness blade
• Restrictions can be placed on both the interface access and the firewall policy
• Each API client can be authorized with a different key
Identity Awareness API
• The Identity Awareness API is used to drive integration with:
  • Check Point vSEC Controller
  • Pulse Secure
  • Aruba Networks
  • ForeScout CounterACT
• The API was used in the R77.30 vSEC Controller and early integrations
• The API went GA with R80.10 Maintrain
• The Identity Awareness Web API uses JSON-encoded RESTful calls
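The two slides above describe the API (add/delete/query identities over JSON REST, one key per API client) without showing a call. The following added example, written for this page and not Check Point's own code, shows the shape of such a client. Assumptions to verify against the API reference for your release: the base path `/_IA_API/v1.0/`, the command names `add-identity`, `delete-identity` and `show-identity`, and the body field names (`shared-secret`, `ip-address`, `user`, `machine`, `session-timeout`, `fetch-user-groups`, `calculate-roles`). The gateway name and shared secret are placeholders, and `RecordingTransport` is a constructed stand-in for the gateway so the example runs offline.

```python
"""Added example, not Check Point code: a small Identity Awareness Web API
client. Endpoint paths and field names are assumptions (see the lead-in);
the transport is injectable so the call shapes can be inspected offline."""
import ipaddress
import json
import ssl
import urllib.request

class IdentityAwarenessClient:
    BASE_PATH = "/_IA_API/v1.0/"  # assumed base path

    def __init__(self, gateway, shared_secret, send=None, ca_file=None):
        self.gateway = gateway
        # Each API client is authorised with its own key: load it from an
        # environment variable or vault, never hard-code it, and rotate per client.
        self.shared_secret = shared_secret
        self._send = send or self._https_post
        self._ca_file = ca_file  # CA that issued the gateway's certificate

    def _https_post(self, url, body):
        # TLS with certificate validation; do not disable it for an API that
        # can create identities the policy then trusts.
        ctx = ssl.create_default_context(cafile=self._ca_file)
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _call(self, command, params):
        body = {"shared-secret": self.shared_secret}  # assumed field name
        body.update(params)
        return self._send("https://" + self.gateway + self.BASE_PATH + command, body)

    @staticmethod
    def _ip(value):
        return str(ipaddress.ip_address(value))  # raises ValueError on junk input

    def add_identity(self, ip, user=None, machine=None, session_timeout=3600,
                     fetch_user_groups=False, calculate_roles=True):
        if not (user or machine):
            raise ValueError("an identity needs a user and/or a machine name")
        params = {
            "ip-address": self._ip(ip),
            "session-timeout": int(session_timeout),            # seconds, assumed
            "fetch-user-groups": int(bool(fetch_user_groups)),  # assumed 0/1 flag
            "calculate-roles": int(bool(calculate_roles)),      # assumed 0/1 flag
        }
        if user:
            params["user"] = user
        if machine:
            params["machine"] = machine
        return self._call("add-identity", params)

    def delete_identity(self, ip):
        return self._call("delete-identity", {"ip-address": self._ip(ip)})

    def show_identity(self, ip):
        return self._call("show-identity", {"ip-address": self._ip(ip)})

class RecordingTransport:
    """Constructed stand-in for the gateway: records each request, returns a canned reply."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, body):
        self.calls.append((url, body))
        return {"simulated": True, "command": url.rsplit("/", 1)[-1]}

def demo():
    transport = RecordingTransport()
    client = IdentityAwarenessClient("gw.example.invalid", "PLACEHOLDER-SHARED-SECRET",
                                     send=transport)
    client.add_identity("10.1.5.20", user="alice", session_timeout=600,
                        fetch_user_groups=True)
    client.show_identity("10.1.5.20")
    client.delete_identity("10.1.5.20")
    return transport.calls  # list of (url, json body) the gateway would have received

if __name__ == "__main__":
    for url, body in demo():
        print(url, json.dumps(body))
```

Because a successful add-identity call creates a mapping that the rule base then treats as an identified user, the API is effectively a second identity source: restrict which interfaces and source addresses may reach it (the slide's interface and firewall-policy restrictions), give every integration its own key so a leaked key can be revoked without breaking the others, and keep session timeouts short enough that a forgotten mapping expires on its own.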