IT und TK Training Check Point Authentication Methods A short comparison.


1 IT und TK Training – Check Point Authentication Methods: A short comparison

2 Overview
- General Aspects – Authentication at a Firewall
- General Aspects – The Rule Base
- Authentication Methods
  - User Authentication
  - Client Authentication
  - Session Authentication
- Securing the Authentication
- Comparison and Conclusion
Check Point Authentication Methods – A short comparison, Dr. Carsten Löhn

3 Chapter 1 – General Aspects (Firewall Authentication)
- Why firewall authentication?
- Difficulties with firewall authentication
- Client side and server side aspects

4 The scenario
- Some companies allow internet access by group membership
- Most aspects in this presentation could also be used for DMZ access
- No Remote Access VPN!

5 The Authentication Problem
- Getting user information (client side)
- Choosing the best authentication procedures (server side)
- Securing the connections
- The firewall is no proxy!

6 The Client Side – Authentication Methods
How do I get the information I need?
- User Authentication
  - Firewall as transparent proxy
  - HTTP, FTP, Telnet, Rlogin
- Client Authentication
  - Identifying the client by its IP address
  - How do I get the correlation?
- Session Authentication
  - Proprietary method
  - Requires an agent

7 The Server Side – Authentication Schemes
- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??

8 Chapter 2 – General Aspects (Rule Base)
- Rule structure
- Rule positioning
- Common configurations

9 The Rule Structure
- Source column: either a User Access object or Any
- Action column: either User, Session or Client Authentication
- Service column entry depends on the authentication method

10 The Rules Paradox
- The existence of rule 5 has an impact on rule 4
- Authentication takes place only if the packet would otherwise be dropped

11 User Location
- Source column vs. user properties
- The authentication object defines the precedence

12 The User Object
- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote Access parameters

13 Firewall Properties
- Allowed authentication schemes
- Authentication timeout for one-time passwords

14 Global Properties
- Number of allowed login failures
- Limiting certificates to a specific CA
- Delaying reauthentication attempts

15 Chapter 3 – Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Different aspects:
  - Configuration
  - Limitations
  - Packet flows
  - SmartView Tracker

16 User Authentication – Principles
- The firewall behaves like a transparent proxy
- The client does not know that it is speaking with the firewall
- HTTP, FTP, Telnet, Rlogin only

17 User Authentication with HTTP – A good start
- SYN to the web server
- The firewall intercepts and answers with the web server's IP
- 401 because no credentials are in the request
- After getting the credentials from the user, the browser restarts the session automatically

18 User Authentication with HTTP – A bad follow-up
- Browsers cache credentials, but they are correlated to web servers
- Requests to the same web server are no problem; sometimes the session even stays open
- A request to another web server requires reauthentication
- User Authentication with HTTP is no good idea!
- Fewer problems with FTP or Telnet

19 User Authentication – Firewall as explicit proxy
- With an explicit proxy setting, the browser resends credentials with every request
- Changing the Check Point firewall to explicit proxy mode:
  i. Advanced Configuration in Global Properties
  ii. http_connection_method_proxy for proxy mode
  iii. http_connection_method_tunneling for HTTPS connections
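The credential-caching behaviour behind slides 17 to 19, as an added model (not code from the presentation or from Check Point): a gateway that challenges with 401 when transparent and 407 when run as an explicit proxy, and a browser whose cache is keyed by web server in the first case and by the proxy in the second. The user name, password and host names are constructed; the status codes are standard HTTP semantics, the rest is a simplification.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Gateway doing User Authentication; `explicit` selects proxy mode (model)."""
    explicit: bool
    valid: dict                     # user -> password (constructed sample credentials)

    def handle(self, host: str, headers: dict) -> int:
        hdr = "Proxy-Authorization" if self.explicit else "Authorization"
        creds = headers.get(hdr)
        if creds and self.valid.get(creds[0]) == creds[1]:
            return 200                          # authenticated: request is let through
        return 407 if self.explicit else 401    # challenge the browser for credentials

@dataclass
class Browser:
    user: str
    password: str
    explicit_proxy: bool
    cache: dict = field(default_factory=dict)   # cache key -> (user, password)
    prompts: int = 0                            # how often the user was asked

    def get(self, gw: Gateway, host: str) -> int:
        # Transparent mode: credentials are cached per web server, because the
        # browser believes the 401 came from that server (slide 18).
        # Explicit proxy mode: one cache entry for the proxy, resent every time.
        key = "proxy" if self.explicit_proxy else host
        hdr = "Proxy-Authorization" if self.explicit_proxy else "Authorization"
        headers = {hdr: self.cache[key]} if key in self.cache else {}
        status = gw.handle(host, headers)
        if status in (401, 407):
            self.prompts += 1                   # user has to type the credentials
            self.cache[key] = (self.user, self.password)
            status = gw.handle(host, {hdr: self.cache[key]})  # browser retries on its own
        return status

def prompts_for(hosts, explicit: bool) -> int:
    """Credential prompts seen while visiting `hosts` in order (-1 if a request failed)."""
    gw = Gateway(explicit=explicit, valid={"alice": "s3cret"})   # constructed user
    br = Browser("alice", "s3cret", explicit_proxy=explicit)
    statuses = [br.get(gw, h) for h in hosts]
    return br.prompts if all(s == 200 for s in statuses) else -1
```

Visiting two different web servers costs two prompts in transparent mode but only one in explicit proxy mode, which is the point of slide 19.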

20 User Authentication – Special Settings
- The default setting does not work out of the box
- HTTP access to the internet requires "All servers"
- HTTP access to a DMZ server could use "Predefined Servers"

21 User Authentication – A packet capture
- Packet flow
- A new server requires reauthentication
- Clear-text password

22 User Authentication in SmartView Tracker
- Only the first authentication results in a User entry
- No Rule entry for subsequent requests

23 Client Authentication
- Necessary: the user has to be correlated to an IP address
  - No NAT
  - No shared terminal server
  - Duration of the correlation
- Necessary: the firewall has to learn about the correlation
  - Manual Sign-On
  - Using User Authentication
  - Using Session Authentication
  - Asking someone else
- Rule position
  - Interaction with the Stealth Rule
- Usable for any service

24 Client Authentication – Getting the Information
- Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
- Partially automatic: first request with User Authentication
- Agent automatic: first request with the Session Authentication agent
- Single Sign-On: asking the User Authority server

25 Client Authentication – Duration of the correlation
- Time limit or number-of-sessions limit
- Time limit = inactivity time limit with "Refreshable timeout" set
- For HTTP: the number of sessions should be infinite

26 Client Authentication – Improving the HTTP Partial Automatic
- Limit: 1 minute, 5 sessions
- The user connects to a single website, authenticates and requests the next website after 1 minute
- Question to the audience: what will happen after 1 minute?
  a) The user will be challenged again for credentials
  b) The user won't be challenged again but reauthenticated
  c) The user will get access without reauthentication
  d) The user will be blocked

27 Client Authentication – A packet capture
- Redirection to the firewall!!
- No reauthentication within the first minute
- Automatic reauthentication after one minute
- The browser caches credentials
- HTTPS can't be authenticated!!
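The two limits from slide 25 and the 1-minute/5-session scenario of slides 26 and 27, as an added model of the gateway's IP-to-user correlation table (constructed example, not code from the presentation or from Check Point). The client IP and user name are constructed; a challenge is assumed to be answered at once from the browser's credential cache, which is the automatic reauthentication seen in the capture on slide 27.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    user: str
    expires: float        # absolute time at which the correlation lapses
    sessions_left: float  # sessions still covered before reauthentication

class ClientAuthTable:
    """IP-to-user correlation table kept by the gateway (constructed model)."""
    def __init__(self, time_limit, session_limit, refreshable):
        self.time_limit, self.session_limit = time_limit, session_limit
        self.refreshable = refreshable   # "Refreshable timeout" = inactivity limit
        self.table = {}

    def sign_on(self, ip, user, now):
        """Record the correlation after a successful authentication."""
        self.table[ip] = Entry(user, now + self.time_limit, self.session_limit)

    def new_session(self, ip, now):
        """'accept' if the IP is still correlated, else 'authenticate' (challenge)."""
        e = self.table.get(ip)
        if e is None or now >= e.expires or e.sessions_left <= 0:
            self.table.pop(ip, None)
            return "authenticate"
        e.sessions_left -= 1
        if self.refreshable:
            e.expires = now + self.time_limit   # activity pushes the timeout forward
        return "accept"

def simulate(events, time_limit=60.0, session_limit=5, refreshable=True):
    """events: (time, ip, user) per new session; returns the gateway decision for
    each one. A challenge is answered from the browser's credential cache (the
    'automatic reauthentication' of slide 27), so the user sees no prompt."""
    t = ClientAuthTable(time_limit, session_limit, refreshable)
    decisions = []
    for now, ip, user in events:
        d = t.new_session(ip, now)
        if d == "authenticate":
            t.sign_on(ip, user, now)   # credentials resent automatically by the browser
            t.new_session(ip, now)     # the retried session counts against the limit
        decisions.append(d)
    return decisions
```

With the slide's limits, a second website requested exactly one minute after the first sign-on is reauthenticated, while the sixth session inside that minute is reauthenticated because of the session limit, which is why slide 25 wants the number of sessions infinite for HTTP.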

28 Client Authentication – Manual Sign-On
- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic reauthentication by the browser -> choose limits wisely

29 Client Authentication – Customizing HTML files
- $FWDIR/conf/ahclientd/ahclientd#.html
  - 1: Greeting page (enter username)
  - 2: End-of-session page
  - 3: Signing-off page
  - 4: Successful login page
  - 5: Specific sign-on page
  - 6: Authentication failure page
  - 7, 8: Password pages
- Be careful with %s and %d entries!

30 Client Authentication in the SmartView Tracker
- Reauthentication after exceeding the time limit or connection limit
- Every request has a User entry

31 Client Authentication – Rule Position
- Partial automatic: rule above the Stealth Rule
- Manual: login rule above the Stealth Rule
- Session automatic or SSO: no requirement

32 Session Authentication
- Requires the Session Authentication Agent
- Authenticates every session

33 Session Authentication Agent – Packet capture

34 Session Authentication – SmartView Tracker
- Authenticating every session
- Several requests within one TCP session with HTTP 1.1
- Every session shows a User entry

35 Chapter 4 – Securing the Authentication
- Server side usually easy
  - e.g. LDAP over SSL
- Client side
  - The HTTP request is unencrypted
  - Default settings don't support encryption

36 Securing Session Authentication
- In the Session Authentication Agent
- Global Properties – Advanced Configuration
- By the way, the default settings on both sides are conflicting

37 Securing Client Authentication – Manual
- 900 fwssd in.aclientd wait 900 ssl:ICA_CERT
- Restart the daemon

38 Securing Client Authentication – Partial Automatic
- That should have worked

39 Securing User Authentication
- No redirect to the firewall => the session can't be secured
- Don't use Check Point Password!

40 The Comparison – Barry's Overview
- Thanks to Barry for providing the nice table (slightly modified)

41 Final words
- Several possibilities
- All have benefits and limitations
- Proxies often have more possibilities, but Check Point allows file customization
- Don't neglect the performance impact on the firewall!
