
Check Point Authentication Methods A short comparison



  1. Check Point Authentication Methods A short comparison

  2. Overview • General Aspects – Authentication at a Firewall • General Aspects – The Rule Base • Authentication Methods • User Authentication • Client Authentication • Session Authentication • Securing the Authentication • Comparison and Conclusion Check Point Authentication Methods - A short comparison, Dr. Carsten Löhn

  3. Chapter 1 – General Aspects (Firewall Authentication) Why firewall authentication? Difficulties with firewall authentication Client side and server side aspects

  4. The scenario Some companies allow internet access by group membership Most aspects in the presentation could also be used for DMZ access No Remote Access VPN!

  5. The Authentication Problem • Firewall is no proxy! Getting user information (client side) Choosing the best authentication procedures (server side) Securing the connections

  6. The Client Side – Authentication Methods • How do I get the information I need? • User Authentication • Firewall as transparent proxy • HTTP, FTP, Telnet, Rlogin • Client Authentication • Identifying the client by the IP address • How do I get the correlation? • Session Authentication • Proprietary method • Requiring an agent

  7. The Server Side – Authentication Schemes Check Point Password RADIUS SecurID TACACS OS Password LDAP??

  8. Chapter 2 – General Aspects (Rulebase) Rule structure Rule positioning Common configurations

  9. The Rule Structure In Source column either User Access or Any In Action column either User, Session or Client Authentication Service column entry depends on authentication method

  10. The Rules Paradox Existence of rule 5 has an impact on rule 4 Authentication only if the packet would be dropped otherwise

  11. User Location Source column vs user properties Authentication object defines precedence

  12. The User Object Login name Group membership Authentication scheme Location and time restrictions Certificate Remote access parameters

  13. Firewall Properties Allowed authentication schemes Authentication timeout for one-time passwords

  14. Global Properties Number of allowed login failures Limiting certificates to a specific CA Delaying reauthentication tries

  15. Chapter 3 – Authentication Methods • User Authentication • Client Authentication • Session Authentication • Different aspects: • Configuration • Limitations • Packet flows • SmartView Tracker

  16. User Authentication - Principles Firewall behaves like a transparent proxy The client does not know that it is speaking with the firewall HTTP, FTP, Telnet, Rlogin only

  17. User Authentication with HTTP – A good start SYN to the web server Firewall intercepts and answers with the web server's IP 401 because no credentials are in the request After getting the credentials from the user the browser restarts the session automatically

  18. User Authentication with HTTP – A bad follow-up Browsers cache credentials, but they are correlated to web servers Requests to the same web server are no problem; sometimes the session even stays open A request to another web server requires reauthentication User Authentication with HTTP is no good idea! Fewer problems with FTP or Telnet

  19. User Authentication – firewall as explicit proxy • With the explicit proxy setting the browser resends credentials with every request • Changing the Check Point firewall to explicit proxy mode • Advanced Configuration in Global Properties • http_connection_method_proxy for proxy mode • http_connection_method_tunneling for HTTPS connections

  20. User Authentication – Special Settings The default setting does not work out of the box HTTP access to the internet requires All servers HTTP access to a DMZ server could use Predefined Servers

  21. User Authentication – A packet capture Packet flow New server requires reauthentication Clear text password
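The behaviour on slides 17 to 19 and 21 (a 401 in the web server's name, credentials cached per web server, re-prompting for every new server, no re-prompting once the firewall acts as an explicit proxy, and the Basic credentials readable in the capture) can be replayed with a small model. This is an added example, not code from the presentation or from Check Point; the firewall and browser classes, the user `alice`, the password and the host names are constructed, and the model reduces the firewall to the HTTP Basic challenge/response it issues in each mode.

```python
"""Model of browser credential caching under Check Point User Authentication (added example).

Transparent mode: the firewall answers as the web server with 401 + WWW-Authenticate, so the
browser caches the credentials per origin and is challenged again for every new server.
Explicit proxy mode: the firewall answers 407 + Proxy-Authenticate, so the browser attaches
Proxy-Authorization to every request it sends through the proxy, whatever the destination.
All names, users and passwords below are constructed sample data.
"""
import base64


def encode_basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def decode_basic(value):
    """'Basic YWxpY2U6czNjcmV0' -> ('alice', 's3cret').

    This is what the packet capture on slide 21 shows: Basic is an encoding, not
    encryption, so the password is recoverable from any captured request.
    """
    scheme, _, b64 = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(b64).decode().partition(":")
    return user, pw


class Firewall:
    def __init__(self, mode, users):
        self.mode = mode            # "transparent" or "proxy"
        self.users = users          # constructed user database
        self.challenges = 0

    def handle(self, request):
        header = "Proxy-Authorization" if self.mode == "proxy" else "Authorization"
        creds = request.get(header)
        if creds is not None and self._valid(creds):
            return 200, {}
        self.challenges += 1
        if self.mode == "proxy":
            return 407, {"Proxy-Authenticate": 'Basic realm="FW-1"'}
        return 401, {"WWW-Authenticate": 'Basic realm="FW-1"'}

    def _valid(self, creds):
        user, pw = decode_basic(creds)
        return self.users.get(user) == pw


class Browser:
    def __init__(self, user, pw, proxy_mode):
        self.user, self.pw = user, pw
        self.proxy_mode = proxy_mode
        self.origin_creds = {}      # host -> credentials (per-origin cache)
        self.proxy_creds = None     # one credential for the configured proxy
        self.prompts = 0            # how often the user was asked for a password

    def get(self, fw, host):
        req = {"Host": host}
        if self.proxy_mode and self.proxy_creds:
            req["Proxy-Authorization"] = self.proxy_creds
        if host in self.origin_creds:
            req["Authorization"] = self.origin_creds[host]
        status, _ = fw.handle(req)
        if status == 200:
            return status
        # Challenge: prompt the user once, cache the credentials, retry automatically.
        self.prompts += 1
        creds = encode_basic(self.user, self.pw)
        if status == 407:
            self.proxy_creds = creds
            req["Proxy-Authorization"] = creds
        else:
            self.origin_creds[host] = creds
            req["Authorization"] = creds
        status, _ = fw.handle(req)
        return status


def run(mode, hosts):
    """Fetch hosts in order; return the final status per request and the number of prompts."""
    fw = Firewall(mode, {"alice": "s3cret"})
    br = Browser("alice", "s3cret", proxy_mode=(mode == "proxy"))
    return [br.get(fw, h) for h in hosts], br.prompts


if __name__ == "__main__":
    hosts = ["www.example.com", "www.example.com", "intranet.example.net"]
    print("transparent:", run("transparent", hosts))   # second server forces a new prompt
    print("proxy:      ", run("proxy", hosts))         # one prompt covers every server
```

Same three requests, same user: in transparent mode the second server costs a second prompt, in explicit proxy mode the single Proxy-Authorization credential is resent everywhere, which is the reason slide 19 switches the gateway to proxy mode. Note that it also means the clear-text credential travels with every request.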

  22. User Authentication in SmartView Tracker Only the first authentication results in a User entry No Rule entry for subsequent requests

  23. Client Authentication • Necessary: user has to be correlated to an IP address • No NAT • No shared terminal server • Duration of the correlation • Necessary: firewall has to learn about the correlation • Manual Sign-On • Using User Authentication • Using Session Authentication • Asking someone else • Rule position • Interaction with the Stealth Rule • Usable for any service

  24. Client Authentication – Getting the Information Manual: http://x.x.x.x:900 or telnet x.x.x.x 259 Partial automatic: first request with User Authentication Agent automatic: first request with Session Authentication agent Single Sign On: asking the User Authority server

  25. Client Authentication – Duration of correlation Time limit or number-of-sessions limit Time limit = inactivity time limit with Refreshable timeout set For HTTP: number of sessions should be infinite

  26. Client Authentication – Improving the HTTP • Partial Automatic • Limit: 1 minute, 5 sessions • User connects to a single website, authenticates and requests the next website after 1 minute • Question to the audience: What will happen after 1 minute? • User will be challenged again for credentials • User won't be challenged again but reauthenticated • User will get access without reauthentication • User will be blocked

  27. Client Authentication – A packet capture • Redirection to the firewall!! • No reauthentication within the first minute • Automatic reauthentication after one minute • Browser caches credentials • HTTPS can't be authenticated!!
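The correlation table behind slides 25 to 27 (IP to user, an inactivity time limit that may be refreshable, and a number-of-sessions limit) and the quiz outcome on slide 27 can be replayed in code. This is an added example, not code from the presentation or from Check Point: the table, gateway and browser classes, the IP `10.0.0.7`, the user `alice` and the host names are constructed, and the quiz answer shown on slide 27 (the browser resends its cached credentials, so the user is re-authenticated without a new prompt) is modelled by a browser that keeps its credentials after the first prompt. It also runs the case slide 25 warns about: a session limit of 5 against a page that needs six connections.

```python
"""Model of the Client Authentication IP -> user correlation and its limits (added example)."""
import math
from dataclasses import dataclass


@dataclass
class Entry:
    user: str
    expires_at: float
    sessions_left: float


class ClientAuthTable:
    """IP -> user correlation the gateway keeps for a Client Authentication rule."""

    def __init__(self, timeout_s, refreshable, max_sessions=math.inf):
        self.timeout_s = timeout_s        # inactivity time limit
        self.refreshable = refreshable    # "Refreshable timeout": restarted by every permitted connection
        self.max_sessions = max_sessions  # number-of-sessions limit (math.inf = unlimited)
        self.entries = {}

    def sign_on(self, ip, user, now):
        self.entries[ip] = Entry(user, now + self.timeout_s, self.max_sessions)

    def permit(self, ip, now):
        """Charge one new connection against ip's entry; None if the IP is not (or no longer) correlated."""
        e = self.entries.get(ip)
        if e is None or now >= e.expires_at or e.sessions_left <= 0:
            self.entries.pop(ip, None)
            return None
        e.sessions_left -= 1
        if self.refreshable:
            e.expires_at = now + self.timeout_s
        return e.user


class Gateway:
    def __init__(self, table, users):
        self.table, self.users = table, users   # constructed user database
        self.signons = 0

    def authenticate(self, ip, user, pw, now):
        # Partial automatic sign-on: an HTTP connection from an uncorrelated IP is
        # redirected to the gateway and challenged with User Authentication.
        if self.users.get(user) != pw:
            return False
        self.signons += 1
        self.table.sign_on(ip, user, now)
        return True


class Browser:
    def __init__(self, ip, user, pw):
        self.ip, self.user, self.pw = ip, user, pw
        self.cached = False   # the browser keeps the credentials after the first prompt
        self.prompts = 0

    def get(self, gw, host, now):
        if gw.table.permit(self.ip, now) is not None:
            return "accepted"
        prompted = not self.cached
        self.prompts += prompted
        self.cached = True
        if not gw.authenticate(self.ip, self.user, self.pw, now):
            return "rejected"
        gw.table.permit(self.ip, now)   # the retried connection consumes one session
        return "prompted" if prompted else "reauthenticated"


def quiz_scenario():
    """Slide 26: limit 1 minute / 5 sessions, one website, the next website after one minute."""
    gw = Gateway(ClientAuthTable(60, True, 5), {"alice": "s3cret"})
    br = Browser("10.0.0.7", "alice", "s3cret")
    return [br.get(gw, "www.example.com", 0), br.get(gw, "www.example.org", 60)]


def session_limit_scenario():
    """Six connections for one page: a 5-session limit versus the unlimited setting slide 25 recommends for HTTP."""
    results = []
    for limit in (5, math.inf):
        gw = Gateway(ClientAuthTable(60, True, limit), {"alice": "s3cret"})
        br = Browser("10.0.0.7", "alice", "s3cret")
        results.append([br.get(gw, "www.example.com", t) for t in range(6)])
    return tuple(results)


if __name__ == "__main__":
    print("quiz:", quiz_scenario())
    limited, unlimited = session_limit_scenario()
    print("5 sessions:", limited)
    print("unlimited: ", unlimited)
```

The quiz comes out as "prompted" then "reauthenticated": the inactivity timer has run out at the 60-second mark, the gateway redirects the second request to itself again, and the browser answers the challenge from its cache. With the 5-session limit the sixth connection of a single page already forces such a re-authentication, which is why the slides set the number of sessions to infinite for HTTP and rely on the time limit instead.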

  28. Client Authentication – Manual Sign-On HTTP port 900 (FW1_clntauth_http) Telnet port 259 (FW1_clntauth_telnet) No automatic reauthentication by the browser -> choose limits wisely

  29. Client Authentication – Customizing HTML files • $FWDIR/conf/ahclientd/ • ahclientd#.html • 1: Greeting page (Enter username) • 2: End-of-session page • 3: Signing-off page • 4: Successful login page • 5: Specific sign-on page • 6: Authentication failure page • 7, 8: Password pages • Be careful with %s and %d entries!
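The warning about `%s` and `%d` on slide 29 means the sign-on pages are filled in printf-style, so a customized page must keep the same conversions in the same order as the shipped one, or the daemon will substitute the wrong value into the wrong place. One way to check a customization before restarting the daemon is to compare the conversion sequence of the two files. This is an added example, not code from the presentation or from Check Point; the three page templates are constructed stand-ins for the real ahclientd#.html files, not their actual content.

```python
"""Check that a customized sign-on page keeps the shipped page's printf conversions (added example)."""
import re

# printf-style conversions the daemon might substitute; %% is a literal percent sign.
SPEC = re.compile(r"%(?:%|[-+ 0#]*\d*(?:\.\d+)?[sdu])")


def conversions(template):
    """Return the sequence of conversions in a page, with %% (a literal %) excluded."""
    return [m.group(0) for m in SPEC.finditer(template) if m.group(0) != "%%"]


def check_customization(original, customized):
    """Compare the conversion sequence of a customized page with the shipped one.

    Returns a list of problems; an empty list means the customization is safe to deploy.
    """
    orig, cust = conversions(original), conversions(customized)
    problems = []
    if len(cust) != len(orig):
        problems.append(f"conversion count {len(cust)} != {len(orig)}")
    for i, (a, b) in enumerate(zip(orig, cust)):
        if a[-1] != b[-1]:   # same position, different conversion type
            problems.append(f"conversion {i}: {b} replaces {a}")
    return problems


# Constructed stand-ins for a shipped page and two customizations of it.
ORIGINAL = "<html><body>User %s: %d sessions left</body></html>"
CUSTOM_OK = (
    "<html><body><h1>Corp Gateway</h1>Welcome %s, you have %d sessions left. "
    "100%% of sign-ons are logged.</body></html>"
)
CUSTOM_BAD = "<html><body>Welcome %s, %s sessions left (%d%%)</body></html>"


if __name__ == "__main__":
    for name, page in (("ok", CUSTOM_OK), ("bad", CUSTOM_BAD)):
        print(name, check_customization(ORIGINAL, page) or "no problems")
```

Only the conversion type and order are compared, so adding markup, text or a literal `%%` is fine; swapping a `%d` for a `%s` or adding a third conversion is flagged.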

  30. Client Authentication in the SmartView Tracker Reauthentication after exceeding the time limit or connection limit Every request has a User entry

  31. Client Authentication – Rule Position • Partial Automatic • Rule above the Stealth Rule • Manual • Login rule above the Stealth Rule • Session Automatic or SSO • No requirement

  32. Session Authentication Requires the Session Authentication Agent Authenticates every session

  33. Session Authentication Agent – Packet capture

  34. Session Authentication – SmartView Tracker Authenticating every session Several requests within one TCP session with HTTP 1.1 Every session shows a User entry

  35. Chapter 4 – Securing the Authentication • Server side usually easy • E.g. LDAP over SSL • Client side • HTTP request is unencrypted • Default settings don't support encryption

  36. Securing Session Authentication In the Session Authentication Agent Global Properties – Advanced Configuration BTW, the default settings on both sides are conflicting

  37. Securing Client Authentication - Manual • 900 fwssd in.aclientd wait 900 ssl:ICA_CERT • Restart daemon

  38. Securing Client Authentication – Partial Automatic That should have worked

  39. Securing User Authentication No redirect to the firewall => session can't be secured Don't use Check Point Password!

  40. The Comparison - Barry's Overview • Thanks to Barry for providing the nice table • (slightly modified)

  41. Final words • Several possibilities • All have benefits and limitations • Proxies often have more possibilities, but Check Point allows file customization • Don't neglect the performance impact on the firewall!
