
Page 1: Check Point Authentication Methods – A short comparison

IT und TK Training

Check Point Authentication Methods – A short comparison

Page 2

Check Point Authentication Methods – A short comparison, Dr. Carsten Löhn

Overview

- General Aspects – Authentication at a Firewall
- General Aspects – The Rule Base
- Authentication Methods
  - User Authentication
  - Client Authentication
  - Session Authentication
- Securing the Authentication
- Comparison and Conclusion

Page 3

Chapter 1 – General Aspects (Firewall Authentication)

- Why firewall authentication?
- Difficulties with firewall authentication
- Client-side and server-side aspects

Page 4

The scenario

Some companies allow internet access by group membership

Most aspects of the presentation also apply to DMZ access

No Remote Access VPN!

Page 5

The Authentication Problem

- Getting user information (client side)
- Choosing the best authentication procedure (server side)
- Securing the connections
- The firewall is not a proxy!

Page 6

The Client Side – Authentication Methods

How do I get the information I need?

- User Authentication
  - Firewall as transparent proxy
  - HTTP, FTP, Telnet, Rlogin
- Client Authentication
  - Identifying the client by its IP address
  - How do I get the correlation?
- Session Authentication
  - Proprietary method
  - Requires an agent

Page 7

The Server Side – Authentication Schemes

- Check Point Password
- RADIUS
- SecurID
- TACACS
- OS Password
- LDAP??

Page 8

Chapter 2 – General Aspects (Rulebase)

- Rule structure
- Rule positioning
- Common configurations

Page 9

The Rule Structure

- In the Source column either User Access or Any
- In the Action column either User, Session or Client Authentication
- The Service column entry depends on the authentication method

Page 10

The Rules Paradox

- The existence of rule 5 has an impact on rule 4
- Authentication is required only if the packet would otherwise be dropped

Page 11

User Location

- Source column vs. user properties
- The authentication object defines the precedence

Page 12

The User Object

- Login name
- Group membership
- Authentication scheme
- Location and time restrictions
- Certificate
- Remote access parameters

Page 13

Firewall Properties

Allowed Authentication Schemes

Authentication timeout for one-time passwords

Page 14

Global Properties

Number of allowed login failures

Limiting certificates to special CA

Delaying reauthentication tries

Page 15

Chapter 3 – Authentication Methods

- User Authentication
- Client Authentication
- Session Authentication

Different aspects:
- Configuration
- Limitations
- Packet flows
- SmartView Tracker

Page 16

User Authentication - Principles

- The firewall behaves like a transparent proxy
- The client does not know that it is talking to the firewall
- HTTP, FTP, Telnet, Rlogin only

Page 17

User Authentication with HTTP – A good start

1. SYN to the web server
2. The firewall intercepts and answers with the web server's IP
3. 401 because no credentials are in the request
4. After getting the credentials from the user, the browser restarts the session automatically

Page 18

User Authentication with HTTP – A bad follow-up

- Browsers cache credentials, but they are correlated to web servers
- Requests to the same web server are no problem; sometimes the session even stays open
- A request to another web server requires reauthentication
- User Authentication with HTTP is not a good idea!
- Fewer problems with FTP or Telnet

Page 19

User Authentication – firewall as explicit proxy

With the explicit proxy setting, the browser resends the credentials with every request.

Changing the Check Point firewall to explicit proxy mode:

i. Advanced Configuration in Global Properties
ii. http_connection_method_proxy for proxy mode
iii. http_connection_method_tunneling for HTTPS connections
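The challenge flow of slides 17 to 19, as an added Python simulation written for this page (it is not Check Point's code): the firewall is modelled once as a transparent proxy that answers a 401 in the web server's name and once as an explicit proxy that answers a 407. The browser model caches credentials per origin for 401 challenges and per proxy for 407 challenges, so a request to a second web server costs a second prompt only in transparent mode. The user database, the host names and the Basic credential are constructed for the simulation.

```python
import base64
from typing import Dict, List, Optional

# Constructed user database for the simulation (assumption, not a Check Point store).
USERS = {"alice": "s3cret"}


def basic_credential(user: str, password: str) -> str:
    """Build an HTTP Basic credential. It is only base64-encoded, i.e. clear
    text on the wire, which is what the packet capture on slide 21 shows."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(value: Optional[str]) -> Optional[str]:
    """Return the user name if value is a valid Basic credential, else None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


class TransparentFirewall:
    """User Authentication in the default mode: the firewall intercepts the
    connection and answers in the web server's name, so the challenge is a
    401 with WWW-Authenticate that the browser attributes to that origin."""

    def handle(self, request: Dict[str, str]) -> Dict[str, object]:
        user = verify_basic(request.get("Authorization"))
        if user is None:
            return {"status": 401, "WWW-Authenticate": 'Basic realm="Firewall"'}
        return {"status": 200, "user": user}


class ExplicitProxyFirewall:
    """User Authentication with http_connection_method_proxy: the browser knows
    it talks to a proxy, the challenge is a 407 with Proxy-Authenticate, and
    the browser sends Proxy-Authorization on every request it routes via the proxy."""

    def handle(self, request: Dict[str, str]) -> Dict[str, object]:
        user = verify_basic(request.get("Proxy-Authorization"))
        if user is None:
            return {"status": 407, "Proxy-Authenticate": 'Basic realm="Firewall"'}
        return {"status": 200, "user": user}


class Browser:
    """Minimal browser model: a challenge answered by the user counts as a
    prompt, the request is retried automatically, and the credential is cached
    per origin (401) or per proxy (407) for later requests."""

    def __init__(self, user: str, password: str) -> None:
        self.credential = basic_credential(user, password)
        self.origin_cache: Dict[str, str] = {}  # host -> Authorization value
        self.proxy_credential: Optional[str] = None  # Proxy-Authorization value
        self.prompts = 0

    def get(self, firewall, host: str) -> Dict[str, object]:
        request = {"Host": host}
        if host in self.origin_cache:
            request["Authorization"] = self.origin_cache[host]
        if self.proxy_credential:
            request["Proxy-Authorization"] = self.proxy_credential
        response = firewall.handle(request)
        if response["status"] == 401:  # origin challenge: cached for this host only
            self.prompts += 1
            self.origin_cache[host] = self.credential
            request["Authorization"] = self.credential
            response = firewall.handle(request)
        elif response["status"] == 407:  # proxy challenge: cached for every request
            self.prompts += 1
            self.proxy_credential = self.credential
            request["Proxy-Authorization"] = self.credential
            response = firewall.handle(request)
        return response


def prompts_for(firewall, hosts: List[str]) -> int:
    """Number of credential prompts the user sees while visiting hosts in order."""
    browser = Browser("alice", "s3cret")
    for host in hosts:
        if browser.get(firewall, host)["status"] != 200:
            raise RuntimeError(f"request to {host} was not authorized")
    return browser.prompts


if __name__ == "__main__":
    visits = ["www.example.com", "www.example.com", "www.example.net"]
    print("transparent proxy prompts:", prompts_for(TransparentFirewall(), visits))
    print("explicit proxy prompts:   ", prompts_for(ExplicitProxyFirewall(), visits))
```

The simulation leaves out the TCP interception itself and models only the HTTP headers; what it shows is why a second web server triggers a new prompt in transparent mode and why the explicit proxy setting removes that prompt while still sending the credential, base64 only, with every request.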

Page 20

User Authentication – Special Settings

- The default setting does not work out of the box
- HTTP access to the internet requires All servers
- HTTP access to a DMZ server could use Predefined Servers

Page 21

User Authentication – A packet Capture

- Packet flow
- A new server requires reauthentication
- Clear text password

Page 22

User Authentication in SmartView Tracker

- Only the first authentication results in a User entry
- No Rule entry for subsequent requests

Page 23

Client Authentication

Necessary: the user has to be correlated to an IP address
- No NAT
- No shared terminal server
- Duration of the correlation

Necessary: the firewall has to learn about the correlation
- Manual sign-on
- Using User Authentication
- Using Session Authentication
- Asking someone else

Rule position
- Interaction with the stealth rule

Usable for any service

Page 24

Client Authentication – Getting the Information

- Manual: http://x.x.x.x:900 or telnet x.x.x.x 259
- Partial automatic: first request with User Authentication
- Agent automatic: first request with the Session Authentication agent
- Single Sign-On: asking the User Authority server

Page 25

Client Authentication – Duration of correlation

- Time limit or number-of-sessions limit
- Time limit = inactivity time limit when Refreshable timeout is set
- For HTTP: the number of sessions should be infinite

Page 26

Client Authentication – Improving the HTTP

Partial automatic; limit: 1 minute, 5 sessions

The user connects to a single website, authenticates and requests the next website after 1 minute.

Question to the audience: what will happen after 1 minute?
a) The user will be challenged again for credentials
b) The user won't be challenged again but will be reauthenticated
c) The user will get access without reauthentication
d) The user will be blocked

Page 27

Client Authentication – A packet Capture

- Redirection to the firewall!!
- No reauthentication within the first minute
- Automatic reauthentication after one minute
- The browser caches the credentials
- HTTPS can't be authenticated!!

Page 28

Client Authentication – Manual Sign-On

- HTTP port 900 (FW1_clntauth_http)
- Telnet port 259 (FW1_clntauth_telnet)
- No automatic reauthentication by the browser -> choose the limits wisely
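Slides 25 to 28 describe the lifetime of a Client Authentication correlation. The following Python model is an added example, not Check Point's implementation: it keeps an IP-to-user table with a time limit (an inactivity limit when the timeout is refreshable) and a number-of-sessions limit, and replays connections for the partial automatic case, where the browser resends its cached credentials, and for the manual sign-on case, where nothing resends them and an expired correlation simply blocks. The IP address, user name and timings are constructed; the 1 minute / 5 sessions setting is the one from slide 26.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITE = None  # the slides' advice for HTTP: number of sessions should be infinite


@dataclass
class Correlation:
    """One learned user <-> IP address correlation."""
    user: str
    last_activity: float  # seconds; refreshed on each allowed session when refreshable
    sessions_used: int = 0


class ClientAuthTable:
    """Simplified model of the IP-to-user table Client Authentication keeps
    (assumption: this is an illustration, not Check Point's implementation).
    A correlation expires when the time limit or the session limit is exceeded;
    with a refreshable timeout the time limit acts as an inactivity limit."""

    def __init__(self, time_limit_s: float, session_limit: Optional[int],
                 refreshable_timeout: bool = True) -> None:
        self.time_limit_s = time_limit_s
        self.session_limit = session_limit
        self.refreshable_timeout = refreshable_timeout
        self.table: Dict[str, Correlation] = {}

    def sign_on(self, ip: str, user: str, now: float) -> None:
        # Caveat from slide 23: the IP must identify one person, so no NAT and
        # no shared terminal server may sit between the client and the firewall.
        self.table[ip] = Correlation(user=user, last_activity=now)

    def check(self, ip: str, now: float) -> Optional[str]:
        """Return the user if a new session from ip is covered by a live
        correlation; otherwise drop the correlation and return None, which
        means the client has to authenticate again."""
        c = self.table.get(ip)
        if c is None:
            return None
        expired = (now - c.last_activity > self.time_limit_s) or (
            self.session_limit is not None and c.sessions_used >= self.session_limit)
        if expired:
            del self.table[ip]
            return None
        c.sessions_used += 1
        if self.refreshable_timeout:
            c.last_activity = now
        return c.user


def browse(table: ClientAuthTable, ip: str, user: str, connection_times: List[float],
           browser_caches_credentials: bool) -> List[str]:
    """Replay TCP connections from one client and report, per connection:
    'allowed'          covered by the existing correlation
    'authenticated'    no correlation yet; the user signs on (partial automatic:
                       first request via User Authentication; manual: the user
                       is assumed to sign on at port 900/259 before browsing)
    'reauthenticated'  correlation expired; partial automatic, the browser
                       resends its cached credentials without a prompt
    'blocked'          correlation expired; manual sign-on, nothing resends
                       credentials, so the user has to sign on again"""
    outcomes = []
    for t in connection_times:
        had_entry = ip in table.table
        if table.check(ip, t) is not None:
            outcomes.append("allowed")
            continue
        if had_entry and not browser_caches_credentials:
            outcomes.append("blocked")
            continue
        table.sign_on(ip, user, t)
        table.check(ip, t)  # the authenticating request is itself the first session
        outcomes.append("reauthenticated" if had_entry else "authenticated")
    return outcomes


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed client address
    # Slide 26: 1 minute, 5 sessions, next website after 1 minute -> answer b)
    print(browse(ClientAuthTable(60, 5), client, "alice", [0, 70], True))
    # One HTTP page load opening six connections exhausts a 5-session limit
    print(browse(ClientAuthTable(60, 5), client, "alice", [0] * 6, True))
    print(browse(ClientAuthTable(60, INFINITE), client, "alice", [0] * 6, True))
    # Manual sign-on: the expired correlation blocks instead of reauthenticating
    print(browse(ClientAuthTable(60, INFINITE), client, "alice", [0, 70], False))
```

Running it shows the three points of the slides in one place: with a refreshable timeout the second request at 30 seconds keeps the correlation alive past the 60-second mark, a page load with more connections than the session limit forces a reauthentication in the middle of the page, and with manual sign-on the same expiry turns into a block, which is why the limits have to be chosen with the sign-on method in mind.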

Page 29

Client Authentication – Customizing HTML files

$FWDIR/conf/ahclientd/ahclientd#.html

- 1: Greeting page (enter username)
- 2: End-of-session page
- 3: Signing-off page
- 4: Successful login page
- 5: Specific sign-on page
- 6: Authentication failure page
- 7, 8: Password pages

Be careful with the %s and %d entries!

Page 30

Client Authentication in the SmartView Tracker

- Reauthentication after exceeding the time limit or the connection limit
- Every request has a User entry

Page 31

Client Authentication – Rule Position

- Partial automatic: rule above the stealth rule
- Manual: login rule above the stealth rule
- Session automatic or SSO: no requirement

Page 32

Session Authentication

Requires Session Authentication Agent

Authenticates every session

Page 33

Session Authentication Agent – Packet Capture

Page 34

Session Authentication – SmartView Tracker

- Authenticates every session
- Several requests within one TCP session with HTTP 1.1
- Every session shows a User entry

Page 35

Chapter 4 – Securing the Authentication

Server side is usually easy
- e.g. LDAP over SSL

Client side
- The HTTP request is unencrypted
- Default settings don't support encryption

Page 36

Securing Session Authentication

- In the Session Authentication Agent
- Global Properties – Advanced Configuration
- BTW, the default settings on both sides are conflicting

Page 37

Securing Client Authentication - Manual

Client authentication daemon entry for port 900 with SSL enabled:

    900 fwssd in.aclientd wait 900 ssl:ICA_CERT

Restart the daemon.

Page 38

Securing Client Authentication – Partial Automatic

That should have worked

Page 39

Securing User Authentication

- No redirect to the firewall => the session can't be secured
- Don't use Check Point Password!

Page 40

The Comparison – Barry's Overview

Thanks to Barry for providing the nice table (slightly modified)

Page 41

Final words

- Several possibilities; all have benefits and limitations
- Proxies often have more possibilities, but Check Point allows file customization
- Don't neglect the performance impact on the firewall!
