IT und TK Training
Check Point Authentication Methods
A short comparison
Check Point Authentication Methods- A short comparison, Dr. Carsten Löhn
Overview
General Aspects – Authentication at a Firewall
General Aspects – The Rule Base
Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Securing the Authentication
Comparison and Conclusion
Chapter 1 – General Aspects (Firewall Authentication)
Why firewall authentication?
Difficulties with firewall authentication
Client side and server side aspects
The scenario
Some companies grant internet access by group membership
Most aspects of this presentation also apply to DMZ access
Remote Access VPN is out of scope!
The Authentication Problem
Getting user information (client side)
Choosing the best authentication procedure (server side)
Securing the connections
The firewall is not a proxy!
The Client Side – Authentication Methods
How do I get the information I need?
User Authentication
- Firewall as transparent proxy
- HTTP, FTP, Telnet, Rlogin
Client Authentication
- Identifying the client by its IP address
- How do I get the correlation?
Session Authentication
- Proprietary method
- Requires an agent
The Server Side – Authentication Schemes
Check Point Password
RADIUS
SecurID
TACACS
OS Password
LDAP??
Chapter 2 – General Aspects (Rulebase)
Rule Structure
Rule Positioning
Common Configurations
The Rule Structure
Source column: either a User Access object (user group at a location) or Any
Action column: User, Session or Client Authentication
Service column: the entry depends on the authentication method (User Authentication only works for HTTP, FTP, Telnet and Rlogin)
The Rule Paradox
The existence of rule 5 has an impact on rule 4
Authentication is only demanded if the packet would otherwise be dropped: if a later rule accepts the connection anyway, it passes without authentication
User Location
Source column vs. the location restrictions in the user properties
The properties of the authentication action define which one takes precedence
The User Object
Login Name
Group Membership
Authentication Scheme
Location and Time Restrictions
Certificate
Remote Access Parameters
Firewall Properties
Allowed Authentication Schemes
Authentication timeout for one-time passwords
Global Properties
Number of allowed login failures
Restricting certificates to a specific CA
Delaying re-authentication attempts
Chapter 3 – Authentication Methods
User Authentication
Client Authentication
Session Authentication
Different aspects:
- Configuration
- Limitations
- Packet flows
- SmartView Tracker
User Authentication - Principles
The firewall behaves like a transparent proxy
The client does not know that it is talking to the firewall
HTTP, FTP, Telnet, Rlogin only
User Authentication with HTTP – A good start
SYN to the web server
The firewall intercepts the connection and answers with the web server's IP address
It replies 401 (Unauthorized) because the request carries no credentials
After the user has entered the credentials, the browser repeats the request automatically
User Authentication with HTTP – A bad follow-up
Browsers cache credentials, but per web server
Requests to the same web server are no problem; sometimes the session even stays open
A request to another web server requires re-authentication
User Authentication with HTTP is not a good idea!
Fewer problems with FTP or Telnet
User Authentication – firewall as explicit proxy
With an explicit proxy setting the browser resends the credentials with every request
Changing the Check Point firewall to explicit proxy mode:
i. Advanced Configuration in Global Properties
ii. http_connection_method_proxy for proxy mode
iii. http_connection_method_tunneling for HTTPS connections
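The credential-caching behaviour behind the three User Authentication slides above (401 challenge answered in the web server's name, per-server credential cache, explicit proxy resending credentials on every request), as an added example that is not part of the original presentation and not Check Point code: a small Python model of the HTTP security server in transparent and explicit-proxy mode, together with a browser that caches Basic credentials the way real browsers do. The Firewall and Browser classes, the user alice/s3cret and the host names are constructed for the model.

```python
import base64

# Constructed user database for the model (not a real Check Point user DB).
USERS = {"alice": "s3cret"}


class Firewall:
    """Model of the FW-1 HTTP security server in one of two modes.

    "transparent": the firewall answers in the web server's name with
    401 + WWW-Authenticate (what User Authentication does by default).
    "proxy": the browser is configured to use the firewall as an explicit
    proxy, so the challenge is 407 + Proxy-Authenticate.
    """

    def __init__(self, mode, users=USERS):
        if mode not in ("transparent", "proxy"):
            raise ValueError(mode)
        self.mode = mode
        self.users = users
        self.challenges = 0      # how often a request arrived without credentials
        self.sniffed = []        # passwords recoverable from the wire

    @property
    def cred_header(self):
        return "Authorization" if self.mode == "transparent" else "Proxy-Authorization"

    def handle(self, host, headers):
        cred = headers.get(self.cred_header)
        if cred is None:
            self.challenges += 1
            if self.mode == "transparent":
                return 401, {"WWW-Authenticate": 'Basic realm="FW-1"'}
            return 407, {"Proxy-Authenticate": 'Basic realm="FW-1"'}
        # HTTP Basic is base64(user:password): anyone on the path can decode it.
        scheme, _, token = cred.partition(" ")
        if scheme != "Basic":
            return 400, {}
        user, _, password = base64.b64decode(token).decode().partition(":")
        self.sniffed.append(password)
        if self.users.get(user) != password:
            return 403, {}
        return 200, {}


class Browser:
    """Minimal browser that caches Basic credentials like a real one.

    In transparent mode the 401 appears to come from the web server, so the
    cache key is the server host; in explicit proxy mode the 407 comes from
    the proxy, so one cache entry serves every host.
    """

    def __init__(self, firewall, username, password):
        self.fw = firewall
        self.token = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
        self.cache = {}          # cache key -> token
        self.prompts = 0         # times the user saw a password dialog

    def get(self, host):
        key = host if self.fw.mode == "transparent" else "proxy"
        headers = {}
        if key in self.cache:
            headers[self.fw.cred_header] = self.cache[key]
        status, _ = self.fw.handle(host, headers)
        if status in (401, 407):
            self.prompts += 1                       # user types the password
            self.cache[key] = self.token
            # the browser retries on its own, as described on the slide
            status, _ = self.fw.handle(host, {self.fw.cred_header: self.token})
        return status


def simulate(mode, hosts):
    """Replay requests to `hosts`; report prompts, challenges and leaked passwords."""
    fw = Firewall(mode)
    browser = Browser(fw, "alice", "s3cret")
    statuses = [browser.get(h) for h in hosts]
    return {"statuses": statuses, "prompts": browser.prompts,
            "challenges": fw.challenges, "sniffed": fw.sniffed}


if __name__ == "__main__":
    visits = ["www.example.com", "www.example.com", "intranet.example.org"]
    for mode in ("transparent", "proxy"):
        print(mode, simulate(mode, visits))
```

With three visits to two different servers, transparent mode prompts the user twice while explicit proxy mode prompts once; in both modes the clear-text password is recoverable from every authenticated request, which is the point of the "Securing the Authentication" chapter.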
User Authentication – Special Settings
The default setting does not work out of the box
HTTP access to the internet requires "All servers"
HTTP access to a DMZ server can use "Predefined Servers"
User Authentication – A Packet Capture
Packet flow
A new server requires re-authentication
Clear-text password: HTTP Basic credentials are only base64-encoded, so anyone on the path can read them
User Authentication in SmartView Tracker
Only first authentication results in User entry
No Rule entry for subsequent requests
Client Authentication
Necessary: the user has to be correlated to an IP address
- No NAT
- No shared terminal server
- Duration of the correlation
Necessary: the firewall has to learn the correlation
- Manual sign-on
- Using User Authentication
- Using Session Authentication
- Asking someone else
Rule position: interaction with the Stealth Rule
Usable for any service
Client Authentication – Getting the Information
Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
Partial automatic: first request with User Authentication
Agent automatic: first request with the Session Authentication agent
Single sign-on: asking a User Authority server
Client Authentication – Duration of correlation
Time limit or number-of-sessions limit
Time limit = inactivity time limit when "Refreshable timeout" is set
For HTTP the number of sessions should be infinite (each connection counts as a session, and browsers open many)
Client Authentication – Improving HTTP
Partial automatic
Limit: 1 minute, 5 sessions
The user connects to a single website, authenticates, and requests the next website after 1 minute
Question to the audience: what will happen after 1 minute?
a) The user will be challenged again for credentials
b) The user won't be challenged again but is re-authenticated
c) The user will get access without re-authentication
d) The user will be blocked
Client Authentication – A Packet Capture
Redirection to the firewall!
No re-authentication within the first minute
Automatic re-authentication after one minute (answer b)
The browser caches the credentials
HTTPS cannot be authenticated this way! (the firewall cannot inject a redirect into an encrypted connection)
Client Authentication – Manual Sign-On
HTTP Port 900 (FW1_clntauth_http)
Telnet Port 259 (FW1_clntauth_telnet)
No automatic re-authentication by the browser -> choose the limits wisely
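The correlation-table behaviour described for Client Authentication above (time limit, "Refreshable timeout" as an inactivity limit, number-of-sessions limit, partial-automatic versus manual sign-on, and the audience question), as an added Python model that is not part of the presentation and not Check Point code. ClientAuthTable and browse are constructed for the model; times are seconds, and the IP address and user name are made up.

```python
INFINITE = None   # "number of sessions" setting: no limit


class ClientAuthTable:
    """Model of the firewall's IP -> user correlation table for Client Authentication.

    timeout_s:    the time limit from the rule's action properties
    refreshable:  True = "Refreshable timeout", i.e. the limit is an
                  inactivity limit and every allowed connection extends it
    max_sessions: number-of-sessions limit, or INFINITE
    """

    def __init__(self, timeout_s, refreshable, max_sessions=INFINITE):
        self.timeout_s = timeout_s
        self.refreshable = refreshable
        self.max_sessions = max_sessions
        self.entries = {}        # ip -> {"user", "expires", "sessions_left"}

    def sign_on(self, ip, user, now):
        """Record a successful sign-on (manual at port 900/259, or via User/Session Auth)."""
        self.entries[ip] = {"user": user, "expires": now + self.timeout_s,
                            "sessions_left": self.max_sessions}

    def new_connection(self, ip, now):
        """Verdict for a new connection from `ip` at time `now`."""
        e = self.entries.get(ip)
        if e is None:
            return "NEED_SIGN_ON"
        if now >= e["expires"]:              # time limit exceeded
            del self.entries[ip]
            return "NEED_SIGN_ON"
        if e["sessions_left"] is not INFINITE:
            if e["sessions_left"] == 0:      # session limit exhausted
                del self.entries[ip]
                return "NEED_SIGN_ON"
            e["sessions_left"] -= 1
        if self.refreshable:
            e["expires"] = now + self.timeout_s
        return f"ALLOW as {e['user']}"


def browse(table, sign_on_mode, ip, user, request_times):
    """Replay one connection per entry of request_times from a browser at `ip`.

    "partial_automatic": the first request is redirected into User
    Authentication; the browser caches those credentials and answers later
    challenges itself, so the user is prompted only once.
    "manual": the user signed on at port 900/259 beforehand; nothing
    re-signs on automatically, so an expired entry means BLOCKED.
    Returns a list of (time, event).
    """
    events = []
    cached = False
    for t in request_times:
        verdict = table.new_connection(ip, t)
        if verdict == "NEED_SIGN_ON":
            if sign_on_mode != "partial_automatic":
                events.append((t, "BLOCKED"))
                continue
            events.append((t, "AUTO_REAUTH" if cached else "PROMPT"))
            cached = True
            table.sign_on(ip, user, t)
            verdict = table.new_connection(ip, t)
        events.append((t, verdict))
    return events


def quiz_scenario():
    """The audience question: 1 minute / 5 sessions, partial automatic,
    next website requested after 1 minute."""
    table = ClientAuthTable(timeout_s=60, refreshable=False, max_sessions=5)
    return browse(table, "partial_automatic", "10.1.1.5", "alice", [0, 61])


if __name__ == "__main__":
    print(quiz_scenario())
    # Session limit of 5 against a page that opens six connections (manual sign-on):
    t = ClientAuthTable(timeout_s=60, refreshable=False, max_sessions=5)
    t.sign_on("10.1.1.5", "alice", 0)
    print(browse(t, "manual", "10.1.1.5", "alice", [0, 1, 2, 3, 4, 5]))
```

The quiz scenario ends in AUTO_REAUTH: the entry has expired, the firewall redirects again, and the browser answers with the cached credentials without prompting. The same expiry under manual sign-on is a BLOCKED request until the user visits port 900 again, and a session limit of 5 is used up by a single page that opens six connections, which is why the slide recommends an infinite session count for HTTP.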
Client Authentication – Customizing HTML files
$FWDIR/conf/ahclientd/
ahclientd#.html:
- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages
Be careful with the %s and %d placeholders: the daemon fills them in at runtime, so keep them intact when editing the pages
Client Authentication in the SmartView Tracker
Re-authentication after the time limit or connection limit has been exceeded
Every request has a User entry
Client Authentication – Rule Position
Partial automatic: rule above the Stealth Rule
Manual: login rule above the Stealth Rule
Session automatic or SSO: no requirement
Session Authentication
Requires Session Authentication Agent
Authenticates every session
Session Authentication Agent – Packet Capture
Session Authentication – SmartView Tracker
Authenticating every session
With HTTP/1.1 several requests share one TCP session
Every session shows a User entry
Chapter 4 – Securing the Authentication
Server side is usually easy, e.g. LDAP over SSL
Client side:
- The HTTP request is unencrypted
- The default settings don't support encryption
Securing Session Authentication
In Session Authentication Agent
Global Properties – Advanced Configuration
By the way, the default settings on the two sides conflict with each other
Securing Client Authentication - Manual
In $FWDIR/conf/fwauthd.conf, add the ssl option to the line of the port-900 daemon (in.ahclientd serves the HTTP sign-on on port 900; in.aclientd is the Telnet sign-on on port 259):
900 fwssd in.ahclientd wait 900 ssl:ICA_CERT
Restart the daemon
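An added helper, not from the presentation and not Check Point code, that applies the ssl: option shown above to the port-900 daemon line idempotently and audits which security-server daemons already carry one. It assumes the daemon table lives in $FWDIR/conf/fwauthd.conf with the classic layout "<port> fwssd <daemon> wait <port> [options]"; the sample table and the certificate nickname ICA_CERT are constructed for the example.

```python
# Constructed sample of the daemon table; not a real gateway's file.
SAMPLE_FWAUTHD_CONF = """\
21\tfwssd\tin.aftpd\twait\t0
80\tfwssd\tin.ahttpd\twait\t0
259\tfwssd\tin.aclientd\twait\t259
900\tfwssd\tin.ahclientd\twait\t900
"""


def enable_clientauth_ssl(conf_text, cert_name="ICA_CERT", port=900):
    """Return (new_text, changed) with 'ssl:<cert>' added to the port-900 line.

    Idempotent: a line that already carries an ssl: option is left alone,
    whatever certificate it names, so re-running never stacks options.
    Lines of other daemons (e.g. the Telnet sign-on on 259) are untouched.
    """
    out = []
    changed = False
    for line in conf_text.splitlines():
        fields = line.split()
        is_target = (len(fields) >= 5 and fields[0] == str(port)
                     and fields[1] == "fwssd" and fields[3] == "wait")
        if is_target and not any(f.startswith("ssl:") for f in fields[5:]):
            fields.append(f"ssl:{cert_name}")
            line = "\t".join(fields)
            changed = True
        out.append(line)
    return "\n".join(out) + "\n", changed


def ssl_enabled_ports(conf_text):
    """Ports of the daemons in the table that already have an ssl: option (a quick audit)."""
    ports = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and any(f.startswith("ssl:") for f in fields[5:]):
            ports.append(int(fields[0]))
    return ports


if __name__ == "__main__":
    new_conf, changed = enable_clientauth_ssl(SAMPLE_FWAUTHD_CONF)
    print(changed, ssl_enabled_ports(new_conf))
    print(new_conf)
```

After writing the result back, the daemon still has to be restarted for the change to take effect, as the slide says; the audit function makes it easy to confirm afterwards that the sign-on page on port 900 is the one line that gained the option.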
Securing Client Authentication – Partial Automatic
That should have worked
Securing User Authentication
No redirect to the firewall => the session cannot be secured
Don't use Check Point Password! (a static password crosses the wire in clear text; use a one-time password scheme instead)
The Comparison - Barry's Overview
Thanks to Barry for providing the nice table (slightly modified)
Final words
Several possibilities
All have benefits and limitations
Proxies often offer more possibilities, but Check Point allows customization of its HTML files
Don't neglect the performance impact on the firewall!