IT und TK Training Check Point Authentication Methods A short comparison.

Page 1

IT und TK Training

Check Point Authentication Methods

A short comparison

Page 2

Check Point Authentication Methods- A short comparison, Dr. Carsten Löhn

Overview

General Aspects – Authentication at a Firewall

General Aspects – The Rule Base

Authentication Methods
- User Authentication
- Client Authentication
- Session Authentication

Securing the Authentication

Comparison and Conclusion

Page 3

Chapter 1 – General Aspects (Firewall Authentication)

Why firewall authentication?

Difficulties with firewall authentication

Client side and server side aspects

Page 4

The scenario

Some companies allow internet access by group membership

Most aspects in the presentation could also be used for DMZ access

No Remote Access VPN!

Page 5

The Authentication Problem

Getting user information (client side)

Choosing the best authentication procedures (server side)

Securing the connections

The firewall is not a proxy!

Page 6

The Client Side – Authentication Methods

How do I get the information I need?

User Authentication
- Firewall as transparent proxy
- HTTP, FTP, Telnet, Rlogin

Client Authentication
- Identifying the client by its IP address
- How do I get the correlation?

Session Authentication
- Proprietary method
- Requires an agent

Page 7

The Server Side – Authentication Schemes

Check Point Password

RADIUS

SecurID

TACACS

OS Password

LDAP??

Page 8

Chapter 2 – General Aspects (Rulebase)

Rule Structure

Rule Positioning

Common Configurations

Page 9

The Rule Structure

In Source Column either User Access or Any

In Action Column either User, Session or Client Authentication

Service Column entry depends on Authentication Method

Page 10

The Rules Paradox

The existence of rule 5 has an impact on rule 4

Authentication happens only if the packet would be dropped otherwise
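The rule above is easy to get wrong when reading a rule base top-down, so here is a small model of it: a first-match evaluator in which an authentication rule only authenticates when the rest of the rule base would drop the connection. This is an added example written for this page, not Check Point code; the rule numbers, the "internet" destination object, the group names and the packet are constructed, and source matching against "User Access" is simplified to "matches any source" because the user lookup only happens at authentication time.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three authentication actions behave differently from a plain accept/drop.
AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}


@dataclass
class Rule:
    no: int
    src: str      # "Any", a network object, or "User Access" (simplified here)
    dst: str
    svc: str
    action: str


@dataclass
class Packet:
    src: str
    dst: str
    svc: str
    src_objects: frozenset = frozenset()   # network objects the source IP belongs to


def matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = rule.src in ("Any", "User Access") or rule.src in pkt.src_objects
    dst_ok = rule.dst == "Any" or rule.dst == pkt.dst
    svc_ok = rule.svc == "Any" or rule.svc == pkt.svc
    return src_ok and dst_ok and svc_ok


def plain_decision(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Ordinary first-match evaluation; no match means the implicit cleanup drop."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.no
    return "drop", None


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins, except that an authentication rule defers to a later
    accept rule: the packet is only authenticated if it would otherwise be dropped."""
    for i, r in enumerate(rules):
        if not matches(r, pkt):
            continue
        if r.action in AUTH_ACTIONS:
            later_action, later_no = plain_decision(rules[i + 1:], pkt)
            if later_action == "accept":
                return "accept", later_no     # rule 5 "wins" without any authentication
            return r.action, r.no
        return r.action, r.no
    return "drop", None


# Constructed rule base: rule 4 wants authentication, rule 5 accepts the same traffic.
RULES = [
    Rule(4, "User Access", "internet", "http", "User Auth"),
    Rule(5, "Any", "internet", "http", "accept"),
]
HTTP_OUT = Packet("10.0.0.5", "internet", "http")
FTP_OUT = Packet("10.0.0.5", "internet", "ftp")


if __name__ == "__main__":
    print(decide(RULES, HTTP_OUT))        # ('accept', 5): rule 4 never authenticates
    print(decide(RULES[:1], HTTP_OUT))    # ('User Auth', 4): without rule 5 it does
    print(decide(RULES, FTP_OUT))         # ('drop', None)
```

The practical check this suggests: for every authentication rule, look for a later rule that would accept the same source, destination and service; if one exists, the authentication rule is dead and the traffic passes unauthenticated.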

Page 11

User Location

Source Column vs User Properties

Authentication object defines precedence

Page 12

The User Object

Login Name

Group Membership

Authentication Scheme

Location and Time Restrictions

Certificate

Remote Access Parameters

Page 13

Firewall Properties

Allowed Authentication Schemes

Authentication timeout for one-time passwords

Page 14

Global Properties

Number of allowed login failures

Limiting certificates to special CA

Delaying reauthentication tries

Page 15

Chapter 3 – Authentication Methods

User Authentication

Client Authentication

Session Authentication

Different Aspects:
- Configuration
- Limitations
- Packet Flows
- SmartView Tracker

Page 16

User Authentication - Principles

The firewall behaves like a transparent proxy

The client does not know that it is speaking with the firewall

HTTP, FTP, Telnet, Rlogin only

Page 17

User Authentication with HTTP – A good start

SYN to the webserver

The firewall intercepts and answers with the webserver's IP

401 because the request carries no credentials

After getting the credentials from the user the browser restarts the session automatically

Page 18

User Authentication with HTTP – A bad follow-up

Browsers cache credentials, but the cache is keyed per webserver

Requests to the same webserver are no problem; sometimes the session even stays open

A request to another webserver requires reauthentication

User Authentication with HTTP is not a good idea!

Fewer problems with FTP or Telnet

Page 19

User Authentication – firewall as explicit proxy

With an explicit proxy setting the browser resends credentials with every request

Changing the Check Point firewall to explicit proxy mode

i. Advanced Configuration in Global Properties

ii. http_connection_method_proxy for proxy mode

iii. http_connection_method_tunneling for HTTPS connections
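The difference between the transparent flow (slides 17 and 18) and the explicit proxy mode (slide 19) comes down to how the browser files the credentials it was asked for. The following model, an added example that is not part of the presentation and not Check Point code, replays the same visits against a firewall that challenges with 401 (transparent: the browser believes the web server asked, so it caches per host) and one that challenges with 407 (explicit proxy: the browser attaches Proxy-Authorization to every request). It also decodes a Basic header to show why the capture on slide 21 contains the password in clear text. The account, host names and status handling are constructed for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample account for the model; not real credentials.
VALID_USERS = {"alice": "s3cret"}


def encode_basic(user: str, pw: str) -> str:
    """The value a browser puts into Authorization / Proxy-Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header. Base64 is encoding, not
    encryption, so anyone seeing the request on the wire sees the password."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw


def credentials_valid(header: Optional[str]) -> bool:
    creds = decode_basic(header) if header else None
    return creds is not None and VALID_USERS.get(creds[0]) == creds[1]


class TransparentFirewall:
    """Transparent mode: the challenge appears to come from the web server (401),
    so the browser caches the credentials for that host only."""
    challenge = 401
    header = "Authorization"

    def handle(self, headers: Dict[str, str]) -> int:
        return 200 if credentials_valid(headers.get(self.header)) else self.challenge


class ExplicitProxyFirewall(TransparentFirewall):
    """Explicit proxy mode: a proxy challenge (407); afterwards the browser sends
    Proxy-Authorization with every request, whatever the destination host."""
    challenge = 407
    header = "Proxy-Authorization"


class Browser:
    """Minimal model of browser credential caching."""

    def __init__(self, user: str, pw: str):
        self.blob = encode_basic(user, pw)
        self.hosts_with_creds = set()   # hosts that answered 401 and got credentials
        self.proxy_creds = False        # set once a 407 was answered
        self.prompts = 0                # how often the user was asked for credentials

    def fetch(self, fw: TransparentFirewall, host: str) -> int:
        headers: Dict[str, str] = {}
        if host in self.hosts_with_creds:
            headers["Authorization"] = self.blob
        if self.proxy_creds:
            headers["Proxy-Authorization"] = self.blob
        status = fw.handle(headers)
        if status == 401 and host not in self.hosts_with_creds:
            self.prompts += 1                  # user is asked; answer cached for this host
            self.hosts_with_creds.add(host)
            return self.fetch(fw, host)        # browser restarts the request on its own
        if status == 407 and not self.proxy_creds:
            self.prompts += 1
            self.proxy_creds = True
            return self.fetch(fw, host)
        return status   # 200, or a challenge the cached credentials could not satisfy


def prompts_for(fw: TransparentFirewall, hosts) -> int:
    """Count credential prompts while visiting the given hosts in order."""
    b = Browser("alice", "s3cret")
    for h in hosts:
        if b.fetch(fw, h) != 200:
            raise RuntimeError("unexpected status for " + h)
    return b.prompts


if __name__ == "__main__":
    visits = ["www.example.com", "news.example.net", "www.example.com", "cdn.example.org"]
    print("transparent prompts:", prompts_for(TransparentFirewall(), visits))   # 3
    print("explicit proxy prompts:", prompts_for(ExplicitProxyFirewall(), visits))  # 1
    print(decode_basic(encode_basic("alice", "s3cret")))   # ('alice', 's3cret')
```

Three new hosts mean three prompts in transparent mode and one in explicit proxy mode, which is exactly the "bad follow-up" of slide 18 and the reason for the proxy-mode switch on slide 19. The decode helper is the defender's reminder that a capture of either flow hands the password to anyone on the path unless the connection is protected, which chapter 4 addresses.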

Page 20

User Authentication – Special Settings

The default setting does not work as delivered

HTTP access to the internet requires All servers

HTTP access to a DMZ server could use Predefined Servers

Page 21

User Authentication – A packet Capture

Packet Flow

A new server requires reauthentication

Clear text password

Page 22

User Authentication in SmartView Tracker

Only the first authentication results in a User entry

No Rule entry for subsequent requests

Page 23

Client Authentication

Necessary: the user has to be correlated to an IP address
- No NAT
- No shared terminal server
- Duration of the correlation

Necessary: the firewall has to learn about the correlation
- Manual sign-on
- Using User Authentication
- Using Session Authentication
- Asking someone else

Rule position
- Interaction with the Stealth Rule

Usable for any service

Page 24

Client Authentication – Getting the Information

Manual: http://x.x.x.x:900 or telnet x.x.x.x 259

Partial automatic: first request with User Authentication

Agent automatic: first request with the Session Authentication agent

Single Sign On: asking the User Authority server

Page 25

Client Authentication – Duration of correlation

Time limit or number-of-sessions limit

Time limit = Inactivity time limit with Refreshable timeout set

For HTTP: Number of Sessions should be infinite

Page 26

Client Authentication – Improving the HTTP

Partial Automatic

Limit: 1 Minute, 5 Sessions

User connects to single website, authenticates and requests next website after 1 minute

Question to the audience: What will happen after 1 minute?

a) User will be challenged again for credentials

b) User won't be challenged again but reauthenticated

c) User will get access without reauthentication

d) User will be blocked

Page 27

Client Authentication – A packet Capture

Redirection to firewall!!

No reauthentication within the first minute

Automatic reauthentication after one minute

Browser caches credentials

HTTPS can't be authenticated!!


Page 28

Client Authentication – Manual Sign-On

HTTP Port 900 (FW1_clntauth_http)

Telnet Port 259 (FW1_clntauth_telnet)

No automatic reauthentication by the browser -> choose limits wisely
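To make the two limits of slide 25, the quiz of slides 26 and 27 and the manual sign-on caveat above concrete, here is a model of the IP-to-user correlation table a Client Authentication rule maintains. It is an added example for this page, not Check Point code: the IP address, user name and timestamps are constructed, "partial" stands for the partial-automatic mode (browser holds cached credentials and answers the firewall's redirect by itself) and "manual" for sign-on via port 900/259, where nothing is re-sent automatically.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Correlation:
    user: str
    expires_at: float
    sessions_left: Optional[int]   # None models the "infinite" number-of-sessions setting


class ClientAuthTable:
    """IP -> user correlation with a time limit and a session limit (modelled).

    refreshable=True models the inactivity timeout of slide 25: every accepted
    session pushes the expiry out again; refreshable=False is a fixed limit
    counted from the sign-on.
    """

    def __init__(self, mode: str, timeout: float, max_sessions: Optional[int], refreshable: bool):
        if mode not in ("partial", "manual"):
            raise ValueError("mode must be 'partial' or 'manual'")
        self.mode, self.timeout = mode, timeout
        self.max_sessions, self.refreshable = max_sessions, refreshable
        self.table: Dict[str, Correlation] = {}
        self.reauths = 0   # how often credentials were re-sent without a user prompt

    def sign_on(self, ip: str, user: str, now: float) -> None:
        self.table[ip] = Correlation(user, now + self.timeout, self.max_sessions)

    @staticmethod
    def _usable(c: Optional[Correlation], now: float) -> bool:
        if c is None or now >= c.expires_at:
            return False
        return c.sessions_left is None or c.sessions_left > 0

    def new_session(self, ip: str, user: str, now: float) -> str:
        """One new TCP session from ip (with HTTP, every request is one).
        Returns 'allowed', 'reauth' (renewed from cached credentials) or 'blocked'."""
        c = self.table.get(ip)
        if self._usable(c, now):
            outcome = "allowed"
        elif self.mode == "manual":
            self.table.pop(ip, None)
            return "blocked"              # user has to sign on again by hand
        else:
            self.reauths += 1             # browser answers the redirect with cached credentials
            self.sign_on(ip, user, now)
            c = self.table[ip]
            outcome = "reauth"
        if c.sessions_left is not None:
            c.sessions_left -= 1
        if self.refreshable:
            c.expires_at = now + self.timeout
        return outcome


def run(mode: str, timeout: float, max_sessions: Optional[int], refreshable: bool,
        times: List[float]) -> List[str]:
    """Sign on at the first timestamp, then open one session per timestamp."""
    t = ClientAuthTable(mode, timeout, max_sessions, refreshable)
    t.sign_on("10.0.0.5", "alice", times[0])   # constructed IP and user
    return [t.new_session("10.0.0.5", "alice", now) for now in times]


if __name__ == "__main__":
    # Slide 26: limit 1 minute / 5 sessions, next website after one minute.
    print(run("partial", 60, 5, False, [0, 60]))     # ['allowed', 'reauth']
    print(run("manual", 60, 5, False, [0, 60]))      # ['allowed', 'blocked']
    # Why the session count should be infinite for HTTP: seven requests within a second.
    print(run("partial", 60, 5, False, [0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6]))
    print(run("partial", 60, None, False, [0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6]))
    # Refreshable (inactivity) timeout versus fixed limit with a request every 50 s.
    print(run("partial", 60, None, True, [0, 50, 100, 150]))
    print(run("partial", 60, None, False, [0, 50, 100, 150]))
```

The quiz case yields 'reauth' in partial-automatic mode (the browser re-sends its cached credentials, so the user is not prompted) and 'blocked' after a manual sign-on, which is the reason the limits deserve thought when users authenticate by hand. The seven-request run shows a 5-session limit forcing a reauthentication in the middle of a single page load, which is why the session count is set to infinite for HTTP and the time limit does the work instead.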

Page 29

Client Authentication – Customizing HTML files

$FWDIR/conf/ahclientd/

ahclientd#.html
- 1: Greeting Page (Enter Username)
- 2: End-of-session Page
- 3: Signing Off Page
- 4: Successful Login Page
- 5: Specific Sign-On Page
- 6: Authentication Failure Page
- 7, 8: Password Pages

Be careful with %s and %d entries!

Page 30

Client Authentication in the SmartView Tracker

Reauthentication after exceeding the time limit or the connection limit

Every request has a User entry

Page 31

Client Authentication – Rule Position

Partial Automatic: rule above the Stealth Rule

Manual: login rule above the Stealth Rule

Session Automatic or SSO: no requirement

Page 32

Session Authentication

Requires Session Authentication Agent

Authenticates every session

Page 33

Session Authentication Agent – Packet Capture

Page 34

Session Authentication – SmartView Tracker

Authenticating every session

Several requests within one TCP session with HTTP 1.1

Every session shows a User entry

Page 35

Chapter 4 – Securing the Authentication

Server side usually easy
- e.g. LDAP over SSL

Client side
- HTTP request is unencrypted
- Default settings don't support encryption

Page 36

Securing Session Authentication

In Session Authentication Agent

Global Properties – Advanced Configuration

BTW, the default settings on both sides conflict with each other

Page 37

Securing Client Authentication - Manual

900 fwssd in.aclientd wait 900 ssl:ICA_CERT

Restart the daemon

Page 38

Securing Client Authentication – Partial Automatic

That should have worked

Page 39

Securing User Authentication

No redirect to the firewall => the session can't be secured

Don't use Check Point Password!

Page 40

The Comparison - Barry's Overview

Thanks to Barry for providing the nice table (slightly modified)

Page 41

Final words

Several possibilities

All have benefits and limitations

Proxies often have more possibilities, but Check Point allows file customization

Don't neglect the performance impact on the firewall!

Page 42