IT und TK Training
Check Point Authentication Methods - A short comparison
Check Point Authentication Methods- A short comparison, Dr. Carsten Löhn
Overview
- General Aspects – Authentication at a Firewall
- General Aspects – The Rule Base
- Authentication Methods
  - User Authentication
  - Client Authentication
  - Session Authentication
- Securing the Authentication
- Comparison and Conclusion
Chapter 1 – General Aspects (Firewall Authentication)
- Why firewall authentication?
- Difficulties with firewall authentication
- Client side and server side aspects
The scenario
Some companies allow internet access by group membership
Most aspects in the presentation could also be used for DMZ access
No Remote Access VPN!
The Authentication Problem
- Getting user information (client side)
- Choosing the best authentication procedures (server side)
- Securing the connections
- The firewall is no proxy!
The Client Side – Authentication Methods
How do I get the information I need?
- User Authentication
  - Firewall as transparent proxy
  - HTTP, FTP, Telnet, Rlogin
- Client Authentication
  - Identifying the client by the IP address
  - How do I get the correlation?
- Session Authentication
  - Proprietary method
  - Requiring an agent
The Server Side – Authentication Schemes
- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??
Chapter 2 – General Aspects (Rulebase)
- Rule Structure
- Rule Positioning
- Common Configurations
The Rule Structure
- In the Source column either User Access or Any
- In the Action column either User, Session or Client Authentication
- The Service column entry depends on the authentication method
The Rules Paradox
- The existence of rule 5 has an impact on rule 4
- Authentication is performed only if the packet would be dropped otherwise
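The paradox on this slide is easy to misread in a rule base review, so here is a small model of it as an added example (not code from the presentation or from Check Point): the rule base is evaluated first-match, but an authentication rule is only enforced when the packet would be dropped if that rule did not exist. The rule and packet labels are constructed; the evaluation order is the slide's statement, not a reproduction of the product's internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    no: int
    src: str       # "Any" or a constructed source label
    dst: str       # "Any" or a constructed destination label
    service: str   # "Any" or a service name
    action: str    # "accept", "drop" or "auth" (User/Client/Session Authentication)


def matches(rule, pkt):
    return (rule.src in ("Any", pkt["src"]) and
            rule.dst in ("Any", pkt["dst"]) and
            rule.service in ("Any", pkt["service"]))


def first_match(rules, pkt):
    """Ordinary first-match evaluation; None means the implicit drop at the end."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def decide(rules, pkt):
    """Returns (verdict, rule number). An authentication rule is enforced only
    when the packet would otherwise be dropped, so the rule base is read a
    second time without that rule to find out what would happen to the packet."""
    hit = first_match(rules, pkt)
    if hit is None:
        return "drop", None
    if hit.action != "auth":
        return hit.action, hit.no
    without = [r for r in rules if r.no != hit.no]
    alternative = first_match(without, pkt)
    if alternative is not None and alternative.action == "accept":
        return "accept", alternative.no      # passes without any authentication
    return "authenticate", hit.no


def paradox_demo():
    """Rule 4 authenticates HTTP; whether it ever fires depends on rule 5.
    Returns the verdicts for: rule 5 = accept, rule 5 = drop, no rule 5."""
    pkt = {"src": "LAN", "dst": "Internet", "service": "http"}   # constructed packet
    rule4 = Rule(4, "Any", "Internet", "http", "auth")
    with_accept = [rule4, Rule(5, "LAN", "Internet", "http", "accept")]
    with_drop = [rule4, Rule(5, "LAN", "Internet", "http", "drop")]
    alone = [rule4]
    return decide(with_accept, pkt), decide(with_drop, pkt), decide(alone, pkt)


if __name__ == "__main__":
    for label, verdict in zip(("rule 5 accepts", "rule 5 drops", "no rule 5"), paradox_demo()):
        print(f"{label}: {verdict}")
```

The practical check this gives a reviewer: an authentication rule followed by a broader accept rule for the same traffic is silently dead, and the users it was meant to identify never appear in the tracker.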
User Location
- Source column vs. user properties
- The authentication object defines the precedence
The User Object
- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote access parameters
Firewall Properties
Allowed Authentication Schemes
Authentication timeout for one-time passwords
Global Properties
Number of allowed login failures
Limiting certificates to special CA
Delaying reauthentication tries
Chapter 3 – Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication
Different aspects:
- Configuration
- Limitations
- Packet flows
- SmartView Tracker
User Authentication - Principles
Firewall behaves like transparent proxy
The client does not know that it is speaking with the firewall
HTTP, FTP, Telnet, Rlogin only
User Authentication with HTTP – A good start
- SYN to the webserver; the firewall intercepts and answers with the webserver's IP
- 401 because no credentials are in the request
- After getting the credentials from the user, the browser restarts the session automatically
User Authentication with HTTP – A bad follow-up
- Browsers cache credentials, but they are correlated to webservers
- Requests to the same webserver are no problem; sometimes the session even stays open
- A request to another webserver requires reauthentication
- User Authentication with HTTP is not a good idea!
- Fewer problems with FTP or Telnet
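The two HTTP slides above describe a transparent-proxy challenge whose cost is paid per webserver. The following model is an added example, not code from the presentation or from Check Point: a firewall object answers in the webserver's name with a 401 until it sees valid HTTP Basic credentials, and a browser object caches those credentials per host and retries once automatically, so a new host means a new prompt. The user store, host names and password are constructed; the last function shows what the "clear text password" remark on the packet-capture slide means, since Basic is base64 and not encryption.

```python
import base64
from dataclasses import dataclass, field

# Constructed user store standing in for the server-side scheme
# (Check Point Password, RADIUS, ...). User and password are made up.
USERS = {"alice": "s3cret"}


@dataclass
class TransparentAuthFirewall:
    """Firewall doing User Authentication: it answers a request in the web
    server's name and demands HTTP Basic credentials before forwarding."""
    users: dict
    validations: list = field(default_factory=list)   # (user, host) per accepted request

    def handle(self, request):
        challenge = {"status": 401,
                     "headers": {"WWW-Authenticate": 'Basic realm="firewall"'}}
        auth = request["headers"].get("Authorization")
        if auth is None:
            return challenge                       # no credentials in the request yet
        scheme, _, token = auth.partition(" ")
        if scheme != "Basic":
            return challenge
        user, _, password = base64.b64decode(token).decode().partition(":")
        if self.users.get(user) != password:
            return challenge
        self.validations.append((user, request["host"]))
        return {"status": 200, "headers": {}}      # would now be forwarded to the server


@dataclass
class Browser:
    """Caches Basic credentials per web server and retries once on a 401;
    a server it has no entry for triggers a fresh prompt."""
    credentials: tuple
    cache: dict = field(default_factory=dict)   # host -> Authorization header value
    prompts: int = 0

    def get(self, fw, host):
        headers = {}
        if host in self.cache:
            headers["Authorization"] = self.cache[host]
        resp = fw.handle({"host": host, "headers": headers})
        if resp["status"] == 401:
            self.prompts += 1                      # the user is asked for credentials
            token = base64.b64encode(":".join(self.credentials).encode()).decode()
            self.cache[host] = "Basic " + token
            resp = fw.handle({"host": host, "headers": {"Authorization": self.cache[host]}})
        return resp["status"]


def run_scenario():
    """Two requests to one webserver, then one to another webserver.
    Returns (HTTP statuses, number of credential prompts, validated (user, host) pairs)."""
    fw = TransparentAuthFirewall(USERS)
    browser = Browser(("alice", "s3cret"))
    statuses = [browser.get(fw, "www.example.com"),
                browser.get(fw, "www.example.com"),
                browser.get(fw, "www.example.org")]
    return statuses, browser.prompts, fw.validations


def credentials_on_the_wire(authorization_header):
    """Basic authentication is only base64, not encryption: a capture of the
    unencrypted request contains user and password. Returns (user, password)."""
    _, _, token = authorization_header.partition(" ")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    statuses, prompts, validations = run_scenario()
    print("statuses:", statuses, "prompts:", prompts, "validated:", validations)
```

Run the scenario and the second webserver costs a second prompt even though the same firewall already knows the user; that is the per-server correlation the slide complains about, and the reason the later slides move the credential cache to the firewall (Client Authentication) or to an agent (Session Authentication).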
User Authentication – firewall as explicit proxy
With the explicit proxy setting, the browser resends credentials with every request
Changing the Check Point firewall to explicit proxy mode:
i. Advanced Configuration in Global Properties
ii. http_connection_method_proxy for proxy mode
iii. http_connection_method_tunneling for HTTPS connections
User Authentication – Special Settings
- The default setting does not work out of the box
- HTTP access to the internet requires "All servers"
- HTTP access to a DMZ server could use "Predefined Servers"
User Authentication – A packet Capture
Packet flow:
- A new server requires reauthentication
- Clear-text password
User Authentication in SmartView Tracker
- Only the first authentication results in a User entry
- No Rule entry for subsequent requests
Client Authentication
Necessary: the user has to be correlated to an IP address
- No NAT
- No common terminal server
- Duration of the correlation
Necessary: the firewall has to learn about the correlation
- Manual sign-on
- Using User Authentication
- Using Session Authentication
- Asking someone else
Rule position
- Interaction with the Stealth Rule
Usable for any service
Client Authentication – Getting the Information
- Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
- Partial automatic: first request with User Authentication
- Agent automatic: first request with the Session Authentication agent
- Single Sign On: asking the User Authority server
Client Authentication – Duration of correlation
- Time limit or number-of-sessions limit
- Time limit = inactivity time limit with "Refreshable timeout" set
- For HTTP: the number of sessions should be infinite
Client Authentication – Improving the HTTP
Partial Automatic, limits: 1 minute, 5 sessions
The user connects to a single website, authenticates and requests the next website after 1 minute
Question to the audience: what will happen after 1 minute?
a) The user will be challenged again for credentials
b) The user won't be challenged again but reauthenticated
c) The user will get access without reauthentication
d) The user will be blocked
Client Authentication – A packet Capture
- Redirection to the firewall!!
- No reauthentication within the first minute
- Automatic reauthentication after one minute
- The browser caches credentials
- HTTPS can't be authenticated!!
Client Authentication – Manual Sign-On
- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic reauthentication by the browser -> choose the limits wisely
Client Authentication – Customizing HTML files
$FWDIR/conf/ahclientd/ahclientd#.html
- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages
Be careful with %s and %d entries!
Client Authentication in the SmartView Tracker
- Reauthentication after exceeding the time limit or the connection limit
- Every request has a User entry
Client Authentication – Rule Position
- Partial Automatic: rule above the Stealth Rule
- Manual: login rule above the Stealth Rule
- Session Automatic or SSO: no requirement
Session Authentication
Requires Session Authentication Agent
Authenticates every session
Session Authentication Agent – Packet Capture
Session Authentication – SmartView Tracker
- Authenticating every session
- Several requests within one TCP session with HTTP 1.1
- Every session shows a User entry
Chapter 4 – Securing the Authentication
Server side usually easy
- E.g. LDAP over SSL
Client side
- The HTTP request is unencrypted
- Default settings don't support encryption
Securing Session Authentication
- In the Session Authentication Agent
- Global Properties – Advanced Configuration
- By the way, the default settings on both sides are conflicting
Securing Client Authentication - Manual
Change the Client Authentication daemon line to use SSL with the ICA certificate:
    900 fwssd in.aclientd wait 900 ssl:ICA_CERT
Restart the daemon
Securing Client Authentication – Partial Automatic
That should have worked
Securing User Authentication
- No redirect to the firewall => the session can't be secured
- Don't use Check Point Password!
The Comparison - Barry's Overview
Thanks to Barry for providing the nice table (slightly modified)
Final words
- Several possibilities; all have benefits and limitations
- Proxies often have more possibilities, but Check Point allows file customization
- Don't neglect the performance impact on the firewall!