IT und TK Training
Check Point Authentication Methods – A short comparison
Dr. Carsten Löhn
Overview
- General Aspects – Authentication at a Firewall
- General Aspects – The Rule Base
- Authentication Methods
  - User Authentication
  - Client Authentication
  - Session Authentication
- Securing the Authentication
- Comparison and Conclusion
Chapter 1 – General Aspects (Firewall Authentication)
- Why firewall authentication?
- Difficulties with firewall authentication
- Client side and server side aspects
The scenario
Some companies allow internet access by group membership
Most aspects in the presentation could also be used for DMZ access
No Remote Access VPN!
The Authentication Problem
Getting user information (client side)
Choosing the best authentication procedures (server side)
Securing the connections
The firewall is not a proxy!
The Client Side – Authentication Methods
How do I get the information I need?
- User Authentication
  - Firewall as transparent proxy
  - HTTP, FTP, Telnet, Rlogin
- Client Authentication
  - Identifying the client by its IP address
  - How do I get the correlation?
- Session Authentication
  - Proprietary method
  - Requires an agent
The Server Side – Authentication Schemes
- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??
Chapter 2 – General Aspects (Rulebase)
- Rule Structure
- Rule Positioning
- Common Configurations
The Rule Structure
- Source column: either a User Access object or Any
- Action column: either User, Session or Client Authentication
- Service column: the entry depends on the authentication method
The Rules Paradox
The existence of rule 5 has an impact on rule 4: authentication takes place only if the packet would otherwise be dropped.
User Location
- Source column vs. user properties
- The Authentication object defines the precedence
The User Object
- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote access parameters
Firewall Properties
Allowed Authentication Schemes
Authentication timeout for one-time passwords
Global Properties
Number of allowed login failures
Limiting certificates to special CA
Delaying reauthentication tries
Chapter 3 – Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Different aspects:
- Configuration
- Limitations
- Packet flows
- SmartView Tracker
User Authentication - Principles
The firewall behaves like a transparent proxy
The client does not know that it is talking to the firewall
HTTP, FTP, Telnet, Rlogin only
User Authentication with HTTP – A good start
- SYN to the web server; the firewall intercepts it and answers with the web server's IP
- 401 because no credentials are in the request
- After getting the credentials from the user, the browser restarts the session automatically
User Authentication with HTTP – A bad follow-up
Browsers cache credentials, but they are tied to the web server
Requests to the same web server are no problem; sometimes the session even stays open
A request to another web server requires reauthentication
User Authentication with HTTP is not a good idea!
Fewer problems with FTP or Telnet
User Authentication – firewall as explicit proxy
With the explicit proxy setting, the browser resends the credentials with every request
Changing the Check Point firewall to explicit proxy mode:
i. Advanced Configuration in Global Properties
ii. http_connection_method_proxy for proxy mode
iii. http_connection_method_tunneling for HTTPS connections
User Authentication – Special Settings
- The default setting does not work out of the box
- HTTP access to the internet requires "All servers"
- HTTP access to a DMZ server could use "Predefined servers"
User Authentication – A packet Capture
Packet flow:
- A new server requires reauthentication
- Clear-text password
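The HTTP behaviour described on the User Authentication slides (the 401 challenge sent as if it came from the web server, credentials cached per web server so that a new server means a new prompt, credentials resent with every request in explicit proxy mode, and the password readable in the capture) can be reproduced with a small model. This is an added example, not code from the presentation or from Check Point: the gateway and browser are toy objects that only implement the behaviour the slides describe, the user database is constructed, and the 407/Proxy-Authenticate exchange for explicit proxy mode is an assumption about how a proxy-style challenge looks.

```python
"""Model of Check Point User Authentication for HTTP: transparent vs. explicit proxy.

Added example, not code from the presentation or from Check Point. The gateway and
the browser are toy objects; they only reproduce the behaviour the slides describe
(401 challenge answered 'as' the web server, credentials cached per web server,
credentials resent on every request when the gateway is an explicit proxy).
The 407/Proxy-Authenticate exchange for explicit proxy mode is an assumption.
"""
import base64
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample user database (not real credentials)
USERS = {"alice": "s3cret"}


@dataclass
class Response:
    status: int
    challenge: Optional[str] = None   # WWW-Authenticate / Proxy-Authenticate value


def basic_token(user: str, password: str) -> str:
    """The header value a browser sends for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_password(token: str) -> Tuple[str, str]:
    """Basic credentials are base64, not encrypted: anyone who sees the request on the
    wire (the slides show exactly this in a packet capture) reads the password back."""
    scheme, _, b64 = token.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic token")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


class Gateway:
    """explicit=False: transparent proxy. The 401 appears to come from the web server,
    so the browser ties the credentials to that server (slide 'A bad follow-up').
    explicit=True: explicit proxy mode (http_connection_method_proxy). The 407 belongs
    to the proxy, so the browser resends the credentials with every request."""

    def __init__(self, users: dict, explicit: bool = False):
        self.users = users
        self.explicit = explicit
        self.auth_log = []   # (host, user) per successful authentication

    def handle(self, host: str, headers: dict) -> Response:
        header = "Proxy-Authorization" if self.explicit else "Authorization"
        token = headers.get(header)
        if token:
            user, password = recover_password(token)
            if self.users.get(user) == password:
                self.auth_log.append((host, user))
                return Response(200)
        if self.explicit:
            return Response(407, 'Basic realm="firewall"')
        return Response(401, 'Basic realm="firewall"')


class Browser:
    """Only the credential caching described on the slides is modelled."""

    def __init__(self, user: str, password: str, proxy_configured: bool):
        self.token = basic_token(user, password)
        self.proxy_configured = proxy_configured
        self.origin_cache = set()    # web servers for which Authorization is cached
        self.proxy_known = False     # after a 407, Proxy-Authorization is always sent
        self.prompts = 0             # how often the user had to supply credentials

    def get(self, gw: Gateway, host: str) -> int:
        headers = {}
        if self.proxy_configured and self.proxy_known:
            headers["Proxy-Authorization"] = self.token
        elif not self.proxy_configured and host in self.origin_cache:
            headers["Authorization"] = self.token
        resp = gw.handle(host, headers)
        if resp.status == 200:
            return 200
        self.prompts += 1            # challenge: ask the user, then retry once
        if resp.status == 407:
            self.proxy_known = True
            headers["Proxy-Authorization"] = self.token
        else:
            self.origin_cache.add(host)
            headers["Authorization"] = self.token
        return gw.handle(host, headers).status


def prompts_for(explicit: bool, hosts) -> int:
    """Number of credential prompts a user sees for a sequence of web servers."""
    gw = Gateway(USERS, explicit=explicit)
    browser = Browser("alice", "s3cret", proxy_configured=explicit)
    for host in hosts:
        if browser.get(gw, host) != 200:
            raise RuntimeError(f"request to {host} failed")
    return browser.prompts


if __name__ == "__main__":
    visits = ["www.example.com", "www.example.com", "www.example.net"]
    print("transparent proxy prompts:", prompts_for(False, visits))   # 2: one per web server
    print("explicit proxy prompts:   ", prompts_for(True, visits))    # 1
    print("password on the wire:", recover_password(basic_token("alice", "s3cret")))
```

Running the block shows the two points of the slides side by side: in transparent mode the user is prompted once per web server, in explicit proxy mode once in total, and in both modes the Basic token on the wire decodes straight back to the password, which is why the later slide advises against using the Check Point Password scheme with User Authentication.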
User Authentication in SmartView Tracker
- Only the first authentication results in a User entry
- No Rule entry for subsequent requests
Client Authentication
Necessary: the user has to be correlated to an IP address
- No NAT
- No shared terminal server
- Duration of the correlation
Necessary: the firewall has to learn about the correlation
- Manual sign-on
- Using User Authentication
- Using Session Authentication
- Asking someone else
Rule position
- Interaction with the Stealth Rule
Usable for any service
Client Authentication – Getting the Information
- Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
- Partially automatic: first request with User Authentication
- Agent automatic: first request with the Session Authentication agent
- Single Sign-On: asking the User Authority server
Client Authentication – Duration of correlation
- Time limit or number-of-sessions limit
- Time limit = inactivity time limit when "Refreshable timeout" is set
- For HTTP, the number of sessions should be infinite
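The correlation the Client Authentication slides describe (one table entry per source IP, ended by a time limit or a session limit, with "Refreshable timeout" turning the time limit into an inactivity timeout) can be modelled to see why the slides recommend an infinite session count for HTTP and rule out NAT and shared terminal servers. This is an added example, not code from the presentation or from Check Point: the gateway's real data structures are not public, all names, addresses and users below are invented, and time is plain seconds so the scenarios run deterministically.

```python
"""Toy model of the Client Authentication table: the user <-> source-IP correlation
with a time limit, a number-of-sessions limit and the 'Refreshable timeout' option.

Added example, not code from the presentation or from Check Point; the gateway's
real data structures are not public and all names here are invented.
Times are plain seconds so the scenarios run deterministically.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITE = None   # 'Number of sessions' set to infinite


@dataclass
class Correlation:
    user: str
    expires_at: float             # absolute time at which the correlation ends
    sessions_left: Optional[int]  # None = no session limit


class ClientAuthTable:
    def __init__(self, time_limit: float, session_limit: Optional[int], refreshable: bool):
        self.time_limit = time_limit
        self.session_limit = session_limit
        self.refreshable = refreshable
        self.table: Dict[str, Correlation] = {}   # source IP -> correlation

    def sign_on(self, src_ip: str, user: str, now: float) -> None:
        """Manual sign-on, partial/agent automatic or SSO all end here: the gateway
        has learned that traffic from src_ip belongs to user."""
        self.table[src_ip] = Correlation(user, now + self.time_limit, self.session_limit)

    def new_connection(self, src_ip: str, now: float) -> Optional[str]:
        """Attribute a new connection. Returns the user it is accounted to, or None
        when the correlation is gone and the user must sign on again."""
        c = self.table.get(src_ip)
        if c is None or now >= c.expires_at:
            self.table.pop(src_ip, None)
            return None
        if c.sessions_left is not None:
            if c.sessions_left == 0:
                del self.table[src_ip]
                return None
            c.sessions_left -= 1
        if self.refreshable:       # inactivity timeout: every connection restarts the clock
            c.expires_at = now + self.time_limit
        return c.user


def connections_before_reauth(session_limit: Optional[int], attempts: int = 20) -> int:
    """How many of `attempts` HTTP connections from one host pass before a fresh
    sign-on is required (time limit chosen so it does not interfere)."""
    t = ClientAuthTable(time_limit=3600, session_limit=session_limit, refreshable=False)
    t.sign_on("10.0.0.5", "alice", now=0)                     # constructed address/user
    return sum(1 for i in range(attempts) if t.new_connection("10.0.0.5", now=i) is not None)


def inactivity_pattern(refreshable: bool) -> List[bool]:
    """Time limit 60 s, connections at t=0, 50, 100, 150 s: with 'Refreshable timeout'
    each connection extends the correlation, otherwise it ends at t=60 s."""
    t = ClientAuthTable(time_limit=60, session_limit=INFINITE, refreshable=refreshable)
    t.sign_on("10.0.0.5", "alice", now=0)
    return [t.new_connection("10.0.0.5", now=ts) is not None for ts in (0, 50, 100, 150)]


def shared_address_attribution() -> Optional[str]:
    """Why the slides demand 'no NAT, no shared terminal server': once alice has signed
    on from the shared address, bob's connections from it are accounted to alice."""
    t = ClientAuthTable(time_limit=3600, session_limit=INFINITE, refreshable=True)
    t.sign_on("203.0.113.9", "alice", now=0)       # 203.0.113.9 = constructed NAT address
    return t.new_connection("203.0.113.9", now=1)  # bob's connection -> 'alice'


if __name__ == "__main__":
    print("5-session limit, browser opening 20 connections:", connections_before_reauth(5))
    print("infinite sessions:", connections_before_reauth(INFINITE))
    print("fixed timeout:      ", inactivity_pattern(False))
    print("refreshable timeout:", inactivity_pattern(True))
    print("shared address attributed to:", shared_address_attribution())
```

A browser opens many TCP connections for one page, so a finite session limit is used up within a few page loads and forces a new sign-on; with the refreshable timeout the correlation only ends after a real pause in traffic, and every connection from a shared address is logged under the first user who signed on from it, which is the accountability problem behind the "no NAT" requirement.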
Client Authentication – Improving the HTTP
Partially automatic, limits: 1 minute, 5 sessions
The user connects to a single website, authenticates and requests the next website after 1 minute
Question to the audience: what will happen after 1 minute?
a) The user will be challenged again for credentials
b) The user won't be challenged again but will be reauthenticated
c) The user will get access without reauthentication
d) The user will be blocked
Client Authentication – A packet Capture
- Redirection to the firewall!!
- No reauthentication within the first minute
- Automatic reauthentication after one minute
- The browser caches the credentials
- HTTPS can't be authenticated!!
Client Authentication – Manual Sign-On
- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic reauthentication by the browser -> choose the limits wisely
Client Authentication – Customizing HTML files
$FWDIR/conf/ahclientd/ahclientd#.html
- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages
Be careful with %s and %d entries!
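The warning about %s and %d entries is easy to act on before installing a customized page: compare the placeholder sequence of the edited file against the original and flag any lone percent sign. The checker below is an added example, not code from the presentation or from Check Point; it assumes the daemon fills the pages printf-style, which is what the warning implies, and the two templates in it are constructed stand-ins, not the real files from $FWDIR/conf/ahclientd/.

```python
"""Check that a customized ahclientd#.html page keeps the printf-style placeholders
(%s, %d) of the original file in the same order and count.

Added example, not code from the presentation or from Check Point. It assumes the
daemon fills the pages printf-style, which is what the slide's warning implies; the
two templates below are constructed, not the real files from $FWDIR/conf/ahclientd/.
"""
import re
from typing import List, Tuple

TOKEN = re.compile(r"%%|%[sd]|%")   # escaped percent, placeholder, or a stray percent


def scan(text: str) -> Tuple[List[str], List[int]]:
    """Return the placeholder sequence and the line numbers of stray '%' characters."""
    placeholders, stray_lines = [], []
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok == "%":
            stray_lines.append(text.count("\n", 0, m.start()) + 1)
        elif tok != "%%":
            placeholders.append(tok)
    return placeholders, stray_lines


def check_template(original: str, customized: str) -> List[str]:
    """List of problems; empty when the customized page is safe to install."""
    orig_ph, _ = scan(original)
    new_ph, stray = scan(customized)
    problems = []
    if new_ph != orig_ph:
        problems.append(f"placeholder sequence changed: {orig_ph} -> {new_ph}")
    for line in stray:
        problems.append(f"line {line}: lone '%' may be read as a conversion; write '%%'")
    return problems


# Constructed stand-ins for an original and a customized page
ORIGINAL_PAGE = (
    "<html><body><h1>Client Authentication</h1>\n"
    "<p>User %s authenticated.</p>\n"
    "<p>Sessions left: %d</p>\n"
    "</body></html>\n"
)
GOOD_CUSTOM = ORIGINAL_PAGE.replace("<h1>", "<h1>Example Corp: ")   # branding only
BAD_CUSTOM = (
    "<html><body><h1>Example Corp</h1>\n"
    "<p>Sessions left: %d</p>\n"            # placeholders swapped ...
    "<p>User %s, 100% compliant.</p>\n"     # ... and a lone '%' introduced
    "</body></html>\n"
)

if __name__ == "__main__":
    print("good page:", check_template(ORIGINAL_PAGE, GOOD_CUSTOM) or "OK")
    for p in check_template(ORIGINAL_PAGE, BAD_CUSTOM):
        print("bad page:", p)
```

Reordering the placeholders would hand the daemon an integer where it expects a string (or the other way round), and a lone percent sign would start a conversion the daemon never intended; the check catches both before the file goes live on port 900.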
Client Authentication in the SmartView Tracker
- Reauthentication after exceeding the time limit or the connection limit
- Every request has a User entry
Client Authentication – Rule Position
- Partially automatic: rule above the Stealth Rule
- Manual: login rule above the Stealth Rule
- Session automatic or SSO: no requirement
Session Authentication
Requires Session Authentication Agent
Authenticates every session
Session Authentication Agent – Packet Capture
Session Authentication – SmartView Tracker
- Authenticating every session
- Several requests within one TCP session with HTTP 1.1
- Every session shows a User entry
Chapter 4 – Securing the Authentication
Server side usually easy
- e.g. LDAP over SSL
Client side
- The HTTP request is unencrypted
- The default settings don't support encryption
Securing Session Authentication
- In the Session Authentication Agent
- Global Properties – Advanced Configuration
- BTW, the default settings on both sides conflict with each other
Securing Client Authentication - Manual
900 fwssd in.aclientd wait 900 ssl:ICA_CERT
Restart the daemon
Securing Client Authentication – Partial Automatic
That should have worked
Securing User Authentication
No redirect to the firewall => the session can't be secured
Don't use Check Point Password!
The Comparison – Barry's Overview
Thanks to Barry for providing the nice table (slightly modified)
Final words
Several possibilities; all have benefits and limitations
Proxies often offer more possibilities, but Check Point allows file customization
Don't neglect the performance impact on the firewall!