IT und TK Training: Check Point Authentication Methods - A short comparison
Overview
- General Aspects – Authentication at a Firewall
- General Aspects – The Rule Base
- Authentication Methods
  - User Authentication
  - Client Authentication
  - Session Authentication
- Securing the Authentication
- Comparison and Conclusion
Check Point Authentication Methods - A short comparison, Dr. Carsten Löhn

Chapter 1 – General Aspects (Firewall Authentication)
- Why firewall authentication?
- Difficulties with firewall authentication
- Client-side and server-side aspects

The scenario
- Some companies allow internet access by group membership
- Most aspects in the presentation could also be used for DMZ access
- No Remote Access VPN!

The Authentication Problem
- Getting user information (client side)
- Choosing the best authentication procedures (server side)
- Securing the connections
- The firewall is not a proxy!

The Client Side – Authentication Methods
How do I get the information I need?
- User Authentication
  - Firewall as transparent proxy
  - HTTP, FTP, Telnet, Rlogin
- Client Authentication
  - Identifying the client by its IP address
  - How do I get the correlation?
- Session Authentication
  - Proprietary method
  - Requires an agent

The Server Side – Authentication Schemes
- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??

Chapter 2 – General Aspects (Rule Base)
- Rule Structure
- Rule Positioning
- Common Configurations

The Rule Structure
- In the Source column: either a User Access object or Any
- In the Action column: either User, Session or Client Authentication
- The Service column entry depends on the authentication method

The Rules Paradox
- The existence of rule 5 has an impact on rule 4
- Authentication takes place only if the packet would be dropped otherwise
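A constructed model of this paradox, added here and not Check Point code: a first-match rule base evaluator in which an authentication rule challenges the user only when the rules after it would drop the packet. The rule set, its numbering and the object names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}

@dataclass
class Rule:
    number: int
    source: str        # location of the user (the User Access object's "@" part) or "Any"
    destination: str
    service: str
    action: str        # "Accept", "Drop" or one of AUTH_ACTIONS

@dataclass
class Packet:
    source: str
    destination: str
    service: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(r in ("Any", p) for r, p in
               ((rule.source, pkt.source), (rule.destination, pkt.destination),
                (rule.service, pkt.service)))

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with the authentication twist: an auth rule
    challenges only when the rest of the rule base would drop the packet."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action not in AUTH_ACTIONS:
            return (rule.action, rule.number)
        later_action, later_rule = decide(rules[i + 1:], pkt)
        if later_action == "Accept":
            return ("Accept", later_rule)       # accepted anyway: no challenge
        return (rule.action, rule.number)       # would be dropped: authenticate
    return ("Drop", None)                       # implicit clean-up rule

# Constructed rule base following the slide's numbering: rule 4 is the
# authentication rule, rule 5 the later accept rule that changes its effect.
RULES = [
    Rule(1, "Any", "Firewall", "Any", "Drop"),              # stealth rule
    Rule(2, "Internal", "DMZ", "http", "Accept"),
    Rule(3, "Internal", "DMZ", "smtp", "Accept"),
    Rule(4, "Internal", "Internet", "http", "User Auth"),
    Rule(5, "Internal", "Internet", "Any", "Accept"),
]
RULES_WITHOUT_5 = RULES[:-1]
```

With rule 5 present, HTTP from Internal to Internet is accepted by rule 5 without any challenge; remove rule 5 and the same packet is challenged by rule 4.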

User Location
- Source column vs. user properties
- The authentication object defines the precedence

The User Object
- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote Access parameters

Firewall Properties
- Allowed authentication schemes
- Authentication timeout for one-time passwords

Global Properties
- Number of allowed login failures
- Limiting certificates to a specific CA
- Delaying reauthentication tries

Chapter 3 – Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Different aspects:
- Configuration
- Limitations
- Packet flows
- SmartView Tracker

User Authentication - Principles
- The firewall behaves like a transparent proxy
- The client does not know that it is speaking with the firewall
- HTTP, FTP, Telnet, Rlogin only

User Authentication with HTTP – A good start
- SYN to the web server
- The firewall intercepts and answers with the web server's IP
- 401 because no credentials are in the request
- After getting the credentials from the user, the browser restarts the session automatically

User Authentication with HTTP – A bad follow-up
- Browsers cache credentials, but they are correlated to web servers
- Requests to the same web server are no problem; sometimes the session even stays open
- A request to another web server requires reauthentication
- User Authentication with HTTP is not a good idea!
- Fewer problems with FTP or Telnet

User Authentication – firewall as explicit proxy
- With an explicit proxy setting, the browser resends the credentials with every request
- Changing the Check Point firewall to explicit proxy mode:
  i. Advanced Configuration in Global Properties
  ii. http_connection_method_proxy for proxy mode
  iii. http_connection_method_tunneling for HTTPS connections

User Authentication – Special Settings
- The default setting does not work out of the box
- HTTP access to the internet requires "All servers"
- HTTP access to a DMZ server could use "Predefined Servers"

User Authentication – A Packet Capture
- Packet flow
- A new server requires reauthentication
- Clear-text password

User Authentication in SmartView Tracker
- Only the first authentication results in a User entry
- No rule entry for subsequent requests

Client Authentication
- Necessary: the user has to be correlated to an IP address
  - No NAT
  - No shared terminal server
  - Duration of the correlation
- Necessary: the firewall has to learn about the correlation
  - Manual Sign-On
  - Using User Authentication
  - Using Session Authentication
  - Asking someone else
- Rule position
  - Interaction with the Stealth Rule
- Usable for any service

Client Authentication – Getting the Information
- Manual: telnet x.x.x.x 259
- Partial automatic: first request with User Authentication
- Agent automatic: first request with the Session Authentication agent
- Single Sign On: asking the User Authority server

Client Authentication – Duration of correlation
- Time limit or number-of-sessions limit
- Time limit = inactivity time limit when "Refreshable timeout" is set
- For HTTP: the number of sessions should be infinite

Client Authentication – Improving the HTTP Partial Automatic
- Limit: 1 minute, 5 sessions
- The user connects to a single website, authenticates, and requests the next website after 1 minute
- Question to the audience: what will happen after 1 minute?
  a) The user will be challenged again for credentials
  b) The user won't be challenged again but reauthenticated
  c) The user will get access without reauthentication
  d) The user will be blocked

Client Authentication – A Packet Capture
- Redirection to the firewall!!
- No reauthentication within the first minute
- Automatic reauthentication after one minute
- The browser caches credentials
- HTTPS can't be authenticated!!
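The duration limits, the audience question and the packet-capture observations above, as an added simulation that is neither Check Point code nor the author's: a correlation table with the slide's 1-minute refreshable inactivity timeout and 5-session limit, and a browser that caches credentials and so answers the renewed challenge without a visible prompt. IP address, user name and timings are constructed for the example; the non-caching browser models the manual sign-on case, where no automatic reauthentication happens.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Correlation:          # one IP address -> user entry of the firewall's table
    user: str
    last_seen: float        # time of the last session counted on this entry
    sessions: int = 0       # sessions already counted against the limit

class ClientAuthTable:
    """Constructed model of the Client Authentication correlation table."""
    def __init__(self, time_limit_s: float, session_limit: Optional[int]):
        self.time_limit_s, self.session_limit = time_limit_s, session_limit
        self.entries: Dict[str, Correlation] = {}
    def sign_on(self, ip: str, user: str, now: float) -> None:
        self.entries[ip] = Correlation(user, now)
    def check(self, ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Return ('pass', user) or ('challenge', None) for a new session from ip."""
        e = self.entries.get(ip)
        if e is None:
            return ("challenge", None)
        if now - e.last_seen > self.time_limit_s or (
                self.session_limit is not None and e.sessions >= self.session_limit):
            del self.entries[ip]    # timed out or session budget used up
            return ("challenge", None)
        e.sessions += 1
        e.last_seen = now           # refreshable timeout restarts on activity
        return ("pass", e.user)

class Browser:
    """Constructed client; with caching it answers later challenges silently."""
    def __init__(self, ip: str, user: str, caches_credentials: bool = True):
        self.ip, self.user, self.caches = ip, user, caches_credentials
        self.cached: Optional[str] = None
    def request(self, table: ClientAuthTable, now: float) -> str:
        if table.check(self.ip, now)[0] == "pass":
            return "pass"
        if self.cached is None:
            outcome = "prompted"        # the user has to type credentials
            if self.caches:
                self.cached = self.user
        else:
            outcome = "silent-reauth"   # the browser replays cached credentials
        table.sign_on(self.ip, self.user, now)
        table.check(self.ip, now)       # the retried request passes and counts as a session
        return outcome

def run_quiz(caches_credentials: bool = True) -> Tuple[str, str]:  # one website at t=0, the next after a minute
    table, b = ClientAuthTable(60, 5), Browser("10.1.1.5", "alice", caches_credentials)
    return b.request(table, 0.0), b.request(table, 61.0)

def run_session_limit() -> List[str]:  # five sessions inside the minute, then a sixth one
    table, b = ClientAuthTable(60, 5), Browser("10.1.1.5", "alice")
    return [b.request(table, 5.0 * i) for i in range(6)]
```

With a caching browser the second website triggers a reauthentication that the user never sees, which is why the capture shows a redirect to the firewall but no second prompt; without caching the user is prompted again.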

Client Authentication – Manual Sign-On
- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic reauthentication by the browser -> choose limits wisely

Client Authentication – Customizing HTML files
$FWDIR/conf/ahclientd/ahclientd#.html
- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages
Be careful with %s and %d entries!

Client Authentication in the SmartView Tracker
- Reauthentication after exceeding the time limit or connection limit
- Every request has a User entry

Client Authentication – Rule Position
- Partial automatic: rule above the Stealth Rule
- Manual: login rule above the Stealth Rule
- Session automatic or SSO: no requirement

Session Authentication
- Requires the Session Authentication Agent
- Authenticates every session

Session Authentication Agent – Packet Capture

Session Authentication – SmartView Tracker
- Authenticating every session
- Several requests within one TCP session with HTTP 1.1
- Every session shows a User entry

Chapter 4 – Securing the Authentication
- Server side usually easy
  - E.g. LDAP over SSL
- Client side
  - The HTTP request is unencrypted
  - Default settings don't support encryption

Securing Session Authentication
- In the Session Authentication Agent
- Global Properties – Advanced Configuration
- BTW, the default settings on both sides are conflicting

Securing Client Authentication – Manual
- 900 fwssd in.aclientd wait 900 ssl:ICA_CERT
- Restart the daemon

Securing Client Authentication – Partial Automatic
- That should have worked

Securing User Authentication
- No redirect to the firewall => the session can't be secured
- Don't use Check Point Password!

The Comparison – Barry's Overview
Thanks to Barry for providing the nice table (slightly modified)

Final words
- Several possibilities
- All have benefits and limitations
- Proxies often have more possibilities, but Check Point allows file customization
- Don't neglect the performance impact on the firewall!