Check Point Authentication Methods: A short comparison
IT und TK Training
Overview
- General aspects: authentication at a firewall
- General aspects: the rule base
- Authentication methods: User Authentication, Client Authentication, Session Authentication
- Securing the authentication
- Comparison and conclusion
Check Point Authentication Methods - A short comparison, Dr. Carsten Löhn
Chapter 1: General Aspects (Firewall Authentication)
- Why firewall authentication?
- Difficulties with firewall authentication
- Client-side and server-side aspects
The scenario
- Some companies allow Internet access by group membership
- Most aspects of this presentation also apply to DMZ access
- No remote access VPN!
The authentication problem
- Getting the user information (client side)
- Choosing the best authentication procedure (server side)
- Securing the connections
- Keep in mind: the firewall is not a proxy!
The client side: authentication methods. How does the firewall get the information it needs?
- User Authentication: the firewall acts as a transparent proxy; HTTP, FTP, Telnet and Rlogin only
- Client Authentication: the client is identified by its IP address; how does the firewall learn the user-to-address correlation?
- Session Authentication: proprietary method requiring an agent on the client
The server side: authentication schemes
- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??
Chapter 2: General Aspects (Rule Base)
- Rule structure
- Rule positioning
- Common configurations
The rule structure
- Source column: either a User Access object or Any
- Action column: User, Session or Client Authentication
- Service column: the entry depends on the authentication method
The rules paradox
- The existence of rule 5 has an impact on rule 4
- Authentication is only demanded if the packet would otherwise be dropped: a later rule that accepts the same traffic makes the authentication rule above it irrelevant
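The look-ahead described above is easy to get wrong when reading a rule base top-down, so here is a small model of it. This is an added example written for this page, not Check Point code: rule numbers, addresses and the rule fields are constructed, and the decision logic implements exactly the statement on the slide (an authentication rule is enforced only when no later rule would accept the connection).

```python
# Model of the rule-base behaviour stated on the slide: an authentication
# rule is only enforced when the connection would otherwise be dropped.
# Added example, not Check Point code; rule numbers and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    no: int
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # "http", "ftp", ... or "any"
    action: str    # "accept", "drop", "user_auth", "client_auth", "session_auth"


AUTH_ACTIONS = {"user_auth", "client_auth", "session_auth"}


def _in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule, src, dst, service):
    return _in(rule.src, src) and _in(rule.dst, dst) and rule.service in ("any", service)


def decide(rules, src, dst, service):
    """Return (action, rule number) for a new connection.

    Plain accept/drop rules match top-down as usual. When the first match is
    an authentication rule, the gateway looks ahead: if a later rule would
    accept the connection anyway, no authentication is demanded and that
    later rule decides. Only when every later matching rule would drop the
    connection is authentication enforced.
    """
    for i, rule in enumerate(rules):
        if not matches(rule, src, dst, service):
            continue
        if rule.action not in AUTH_ACTIONS:
            return rule.action, rule.no
        for later in rules[i + 1:]:
            if matches(later, src, dst, service) and later.action == "accept":
                return "accept", later.no
        return rule.action, rule.no
    return "drop", None   # implicit cleanup rule


# Constructed rule base: rule 4 demands User Authentication for all HTTP
# traffic, rule 5 accepts HTTP from the LAN without any authentication.
RULES = [
    Rule(4, "any", "any", "http", "user_auth"),
    Rule(5, "10.0.0.0/8", "any", "http", "accept"),
]


def demo():
    lan = decide(RULES, "10.1.2.3", "203.0.113.10", "http")        # rule 5 silences rule 4
    guest = decide(RULES, "192.168.1.5", "203.0.113.10", "http")   # only rule 4 matches
    without_5 = decide(RULES[:1], "10.1.2.3", "203.0.113.10", "http")
    return lan, guest, without_5


if __name__ == "__main__":
    print(demo())
```

Deleting rule 5 changes what rule 4 does to LAN clients even though rule 4 itself is untouched, which is the paradox: to know whether an authentication rule bites, read the rules below it as well.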
User location
- Source column of the rule vs. the location restriction in the user properties
- The authentication action object defines which of the two takes precedence
The user object
- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote access parameters
Firewall (gateway) properties
- Allowed authentication schemes
- Authentication timeout for one-time passwords
Global properties
- Number of allowed login failures
- Limiting certificates to a specific CA
- Delaying re-authentication attempts
Chapter 3: Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Each is looked at from several angles: configuration, limitations, packet flows, SmartView Tracker
User Authentication: principles
- The firewall behaves like a transparent proxy
- The client does not know that it is talking to the firewall
- HTTP, FTP, Telnet and Rlogin only
User Authentication with HTTP: a good start
- SYN to the web server
- The firewall intercepts the connection and answers using the web server's IP address
- It returns 401 because the request carries no credentials
- After getting the credentials from the user, the browser restarts the session automatically
User Authentication with HTTP: a bad follow-up
- Browsers cache credentials, but per web server
- Requests to the same web server are no problem; sometimes the session even stays open
- A request to a different web server requires re-authentication
- User Authentication with HTTP is not a good idea!
- Fewer problems with FTP or Telnet
User Authentication: firewall as explicit proxy
- With an explicit proxy setting in the browser, the credentials are resent with every request
- Changing the Check Point firewall to explicit proxy mode:
  i. Advanced Configuration in Global Properties
  ii. http_connection_method_proxy for proxy mode
  iii. http_connection_method_tunneling for HTTPS connections
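The difference between the two modes comes down to which HTTP challenge the browser sees and therefore where it files the credentials. The model below is an added example for this page, not code from the presentation or from Check Point: the gateway either answers in the name of the destination host (401 with WWW-Authenticate, cached by the browser per site) or in its own name (407 with Proxy-Authenticate, resent with every request). The user database, host names and account are constructed. The decode helper also shows why the slides later call the password "clear text": Basic is base64, not encryption.

```python
# Added model of User Authentication for HTTP, transparent vs. explicit proxy.
# Not Check Point code; accounts, hosts and the realm string are constructed.
import base64

REALM = 'Basic realm="FW-1"'


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """What anyone on the path sees in a Basic credential: only base64."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class Firewall:
    """mode "transparent": challenge looks like it came from the web server (401).
    mode "proxy": challenge is issued in the firewall's own name (407)."""

    def __init__(self, mode, users):
        self.mode = mode
        self.users = users        # constructed user database: name -> password
        self.challenges = 0       # how often a user had to present credentials

    def _valid(self, header):
        if not header:
            return False
        try:
            user, password = decode_basic(header)
        except ValueError:
            return False
        return self.users.get(user) == password

    def handle(self, headers):
        wanted = "Proxy-Authorization" if self.mode == "proxy" else "Authorization"
        if self._valid(headers.get(wanted)):
            return 200, {}
        self.challenges += 1
        if self.mode == "proxy":
            return 407, {"Proxy-Authenticate": REALM}
        return 401, {"WWW-Authenticate": REALM}


class Browser:
    def __init__(self, fw, user, password):
        self.fw = fw
        self.cred = basic_header(user, password)
        self.site_creds = {}      # host -> credential: browsers cache per site
        self.proxy_cred = None    # single credential for the explicit proxy

    def get(self, host):
        headers = {"Host": host}
        if self.proxy_cred:
            headers["Proxy-Authorization"] = self.proxy_cred
        if host in self.site_creds:
            headers["Authorization"] = self.site_creds[host]
        status, _ = self.fw.handle(headers)
        if status == 401:             # "the web server" asked: cache for that host only
            self.site_creds[host] = self.cred
            headers["Authorization"] = self.cred
            status, _ = self.fw.handle(headers)
        elif status == 407:           # the proxy asked: cache once, resend every time
            self.proxy_cred = self.cred
            headers["Proxy-Authorization"] = self.cred
            status, _ = self.fw.handle(headers)
        return status


def challenges_for(mode, hosts=("www.example.com", "www.example.org", "www.example.com")):
    """Number of credential prompts for a sequence of sites in the given mode."""
    fw = Firewall(mode, {"alice": "s3cret"})
    browser = Browser(fw, "alice", "s3cret")
    statuses = [browser.get(h) for h in hosts]
    assert all(s == 200 for s in statuses)
    return fw.challenges


if __name__ == "__main__":
    print("transparent:", challenges_for("transparent"), "prompts")
    print("proxy:      ", challenges_for("proxy"), "prompt")
    print(decode_basic(basic_header("alice", "s3cret")))
```

Visiting two sites costs two prompts in transparent mode and one in explicit proxy mode, because the browser keys the cached credential to the entity that issued the challenge. Note that the credential itself is identical in both modes; the proxy setting fixes the usability problem, not the exposure of the password on the wire.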
User Authentication: special settings
- The default setting does not work out of the box
- HTTP access to the Internet requires All servers
- HTTP access to a DMZ server could use Predefined Servers
User Authentication: a packet capture (packet flow)
- Each new server requires re-authentication
- The password crosses the wire in clear text
User Authentication in SmartView Tracker
- Only the first authentication results in a User entry
- No Rule entry for the subsequent requests
Client Authentication
- Requirement: the user has to be correlated to an IP address: no NAT (one address must mean one user), no shared terminal server; the duration of the correlation matters
- Requirement: the firewall has to learn the correlation: manual sign-on, via User Authentication, via Session Authentication, or by asking someone else
- Rule position: interaction with the Stealth Rule
- Usable for any service
Client Authentication: getting the information
- Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
- Partial automatic: the first request is handled with User Authentication
- Agent automatic: the first request is handled with the Session Authentication agent
- Single Sign-On: asking the UserAuthority server
Client Authentication: duration of the correlation
- Time limit or number-of-sessions limit
- The time limit becomes an inactivity time limit when Refreshable timeout is set
- For HTTP, the number of sessions should be infinite
Client Authentication: improving the HTTP partial automatic sign-on
- Limits: 1 minute, 5 sessions
- The user connects to a single web site, authenticates, and requests the next web site after 1 minute
- Question to the audience: what will happen after 1 minute?
  a) The user will be challenged again for credentials
  b) The user won't be challenged again but will be re-authenticated
  c) The user will get access without re-authentication
  d) The user will be blocked
Client Authentication: a packet capture
- Redirection to the firewall!!
- No re-authentication within the first minute
- Automatic re-authentication after one minute, because the browser caches the credentials
- HTTPS can't be authenticated!!
Client Authentication: manual sign-on
- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic re-authentication by the browser, so choose the limits wisely
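The three slides above (duration limits, the one-minute quiz, and the warning about manual sign-on) all describe the same correlation table, so here is one model of it. This is an added example for this page, not Check Point code: the address, user name and the exact accounting (an entry holds an expiry time and a remaining-sessions counter; Refreshable timeout pushes the expiry on every session; with partial automatic sign-on an expired entry makes the gateway redirect and challenge the browser, which answers from its credential cache; with manual sign-on nothing challenges the browser) are assumptions that follow the slides' descriptions.

```python
# Added model of the Client Authentication correlation table (user <-> IP).
# Not Check Point code; addresses, user names and timings are constructed.
import math
from dataclasses import dataclass


@dataclass
class Entry:
    user: str
    expires: float        # absolute time (s) after which the sign-on is void
    sessions_left: float  # math.inf when the number of sessions is unlimited


class ClientAuth:
    def __init__(self, time_limit, session_limit=math.inf, refreshable=True, sign_on="partial"):
        self.time_limit = time_limit        # seconds
        self.session_limit = session_limit
        self.refreshable = refreshable      # True: the limit counts from the last session
        self.sign_on = sign_on              # "partial" (challenged HTTP request) or "manual" (port 900/259)
        self.table = {}                     # ip -> Entry
        self.authentications = 0            # credential checks performed

    def authenticate(self, ip, user, now):
        """Credentials accepted (sign-on form or challenged request): fresh correlation."""
        self.table[ip] = Entry(user, now + self.time_limit, self.session_limit)
        self.authentications += 1

    def connection(self, ip, now, cached_user=None):
        """Decide a new connection from ip at time now.

        cached_user is the user the browser would resend if the gateway
        redirected the request to itself and challenged it. That only happens
        with partial automatic sign-on; with manual sign-on nobody challenges
        the browser. Returns "allowed", "authenticated" or "blocked".
        """
        e = self.table.get(ip)
        if e and now < e.expires and e.sessions_left > 0:
            e.sessions_left -= 1
            if self.refreshable:
                e.expires = now + self.time_limit   # inactivity timeout
            return "allowed"
        if self.sign_on == "partial" and cached_user:
            self.authenticate(ip, cached_user, now)
            self.table[ip].sessions_left -= 1
            return "authenticated"
        return "blocked"


def quiz(sign_on):
    """The slide's question: limits 1 minute / 5 sessions, next site after a minute."""
    ca = ClientAuth(time_limit=60, session_limit=5, refreshable=True, sign_on=sign_on)
    ip = "10.1.2.3"
    if sign_on == "manual":
        ca.authenticate(ip, "alice", now=0)                     # signed on at http://x.x.x.x:900
        first = ca.connection(ip, now=0)
    else:
        first = ca.connection(ip, now=0, cached_user="alice")   # first request is challenged
    second = ca.connection(ip, now=61, cached_user="alice")     # next web site after a minute
    return first, second, ca.authentications


def session_limit_demo(limit):
    """Why the number of sessions should be infinite for HTTP: every connection
    a page load opens is a session and counts against the limit."""
    ca = ClientAuth(time_limit=60, session_limit=limit, sign_on="manual")
    ca.authenticate("10.1.2.3", "alice", now=0)
    return [ca.connection("10.1.2.3", now=1) for _ in range(7)]


if __name__ == "__main__":
    print("partial automatic:", quiz("partial"))
    print("manual sign-on:   ", quiz("manual"))
    print("5 sessions:", session_limit_demo(5))
```

With partial automatic sign-on the second request after the minute comes back as "authenticated" without the user noticing (answer b on the quiz slide), because the browser already holds the credentials for the firewall it was redirected to. With manual sign-on the same request is simply blocked until the user signs on again, which is the reason the limits have to be chosen more generously there.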
Client Authentication: customizing the HTML files
- $FWDIR/conf/ahclientd/ahclientd#.html
- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages
- Be careful with the %s and %d entries: the daemon fills them in, so don't add, remove or reorder them
Client Authentication in SmartView Tracker
- Re-authentication after exceeding the time limit or the connection limit
- Every request has a User entry
Client Authentication: rule position
- Partial automatic: rule above the Stealth Rule
- Manual login: rule above the Stealth Rule
- Session automatic or SSO: no requirement
Session Authentication
- Requires the Session Authentication Agent
- Authenticates every session
Session Authentication Agent: packet capture
Session Authentication in SmartView Tracker
- Authenticates every session
- With HTTP/1.1 several requests share one TCP session
- Every session shows a User entry
Chapter 4: Securing the Authentication
- The server side is usually easy, e.g. LDAP over SSL
- Client side: the HTTP request is unencrypted, and the default settings don't support encryption
Securing Session Authentication
- Configured in the Session Authentication Agent and in Global Properties, Advanced Configuration
- By the way, the default settings on both sides conflict
Securing Client Authentication: manual sign-on
- Change the port 900 entry to: 900 fwssd in.aclientd wait 900 ssl:ICA_CERT
- Restart the daemon
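To make the change above repeatable (and to keep it from being applied twice), here is a small script that rewrites the port 900 entry. It is an added example for this page, not Check Point code. Assumptions that are not on the slide: the entries live in $FWDIR/conf/fwauthd.conf, one whitespace-separated line per port, and the sample file contents below are constructed from the slide's own entry. The daemon restart the slide asks for is left to the administrator.

```python
# Added helper: append ssl:<cert> to the port 900 entry (the weak default is
# the same line without the ssl: argument). Not Check Point code; the file
# location and line format are assumptions.
import os
import sys


def enable_ssl(lines, port="900", cert="ICA_CERT"):
    """Return the config lines with ssl:<cert> appended to the entry for port.

    Idempotent: an entry that already carries any ssl: argument is left alone,
    and every other line is passed through unchanged.
    """
    out = []
    for line in lines:
        fields = line.split()
        if fields and fields[0] == port and not any(f.startswith("ssl:") for f in fields):
            line = " ".join(fields + [f"ssl:{cert}"]) + "\n"
        out.append(line)
    return out


# Constructed sample: the telnet entry and the slide's port 900 entry before the change.
SAMPLE = [
    "259 fwssd in.aclientd wait 259\n",
    "900 fwssd in.aclientd wait 900\n",
]


def main(path):
    with open(path) as f:
        lines = f.readlines()
    fixed = enable_ssl(lines)
    if fixed == lines:
        print(f"{path}: port 900 entry already uses SSL, nothing to do")
        return False
    with open(path, "w") as f:
        f.writelines(fixed)
    print(f"{path}: port 900 entry now ends in ssl:ICA_CERT; restart the daemon")
    return True


if __name__ == "__main__":
    default = os.path.join(os.environ.get("FWDIR", "."), "conf", "fwauthd.conf")
    main(sys.argv[1] if len(sys.argv) > 1 else default)
```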
Securing Client Authentication: partial automatic
- That should have worked
Securing User Authentication
- No redirect to the firewall, so the session can't be secured
- Don't use Check Point Password here: a static password would travel in clear text
The comparison: Barry's overview
- Thanks to Barry for providing the nice table (slightly modified)
- The comparison table is an image on the slide and is not reproduced in this text version
Final words
- Several possibilities
- All have benefits and limitations
- Proxies often offer more possibilities, but Check Point allows customization of the files
- Don't neglect the performance impact on the firewall!