Check Point NG AI

Authentication is a major component of any firewall. Without authentication, we would not be able to distinguish authorized users from unauthorized users, and access decisions would always have to be based on IP addresses. FW-1 gives you the option of several different authentication schemes. Some of these schemes make use of external products or servers, while others are purely internal to FW-1.

All of these schemes can be used in conjunction with user, session, and client authentication, which will be discussed later in this chapter. Note that to use any of these schemes, you must enable them in your firewall object's Authentication tab (Figure 6.1).

Figure 6.1: Firewall Object Authentication Tab

Turning on each of the schemes merely gives you the option of using them for a particular user; it does not force you to use this scheme. You can also use this tab to configure User Authentication session timeout, which is the amount of time that must pass before a user is required to authenticate again. The Enable wait mode for Client Authentication option will be discussed below, under Client Authentication.

SecurID

SecurID is a two-factor authentication method, meaning two pieces of information are required before access is granted: a password and a token code. The token code is generally generated by a SecurID token, a small electronic device created by RSA Security that the user carries with him or her and that displays a new number every 60 seconds. Combining this number with the user's password allows the SecurID server to determine whether or not the user should be granted access.

In order to configure SecurID, your FW-1 server must be configured as an ACE client. A separate server is required to run the ACE Server software. Please refer to your ACE server documentation for further information. To enable SecurID authentication in FW-1, ensure that it is first enabled in the firewall object's Authentication tab. There are no settings for SecurID in the Policy Editor; you simply need to set the authentication scheme for the user you are configuring to SecurID in the user's Authentication tab.

OS Password

Authentication via operating system (OS) password means that FW-1 will refer to the user's account in the operating system for authentication. This may be a convenient method for you if all the users you want to configure for firewall authentication already have accounts on the system.

One example of this is if you want to authenticate your users with their domain passwords. To do this, your firewall must reside on your NT domain so that the firewall can access the domain user database. Be aware of the possible security risks of locating your firewall on the NT domain; if security is breached on the domain, it may also be breached on the firewall.

OS password authentication may not be appropriate in all situations. For example, if you are running FW-1 on a standalone appliance, it is unlikely that users will have local accounts on the appliance.

In order to configure FW-1 to use OS password authentication, ensure that it is enabled in the firewall object's Authentication tab, and simply choose it as the authentication scheme for the user you are configuring; there are no other settings for this scheme.

VPN-1 & FireWall-1 Password

If your users do not have accounts on the local FW-1 server, but you do not want to use an external authentication scheme such as SecurID, then your best option is FW-1 password. Using a FW-1 password simply means that you assign the user a password within FW-1, and the user must enter a matching password to authenticate.

Designing & Planning OS Password Authentication

If you are using OS password authentication, be careful about users who have OS accounts that you do not want to grant access to through the firewall. If you have defined a default generic* user, you may inadvertently grant access to more users than you intended. If this is the case, you can create users with authentication schemes set to Undefined, which will deny those users access. If a significant number of your OS users should not have access, consider using a different authentication scheme.
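The over-granting risk described in this sidebar, shown as an added model (this is illustrative code, not Check Point's implementation): an unlisted OS account falls through to the generic* template, and only an explicit entry with scheme Undefined closes that gap. All account names are constructed.

```python
# Added illustration (not Check Point code): how a generic* fallback can
# over-grant access under OS password authentication, and how an explicit
# user entry with scheme "Undefined" blocks a specific account.

# Constructed OS account database: every account the operating system knows.
OS_ACCOUNTS = {"alice", "bob", "backup-svc", "printer-svc"}

# Constructed FW-1 user database. A name that is not listed falls through
# to the "generic*" template if that template exists.
FW_USERS = {
    "alice": "OS Password",
    "generic*": "OS Password",      # default template: anyone the OS knows
    "backup-svc": "Undefined",      # explicitly denied service account
}


def resolve_scheme(username, fw_users):
    """Return the scheme FW-1 would apply to username, or None when neither
    an explicit entry nor a generic* template matches."""
    if username in fw_users:
        return fw_users[username]
    return fw_users.get("generic*")


def os_password_allowed(username, fw_users, os_accounts):
    """True when the user would pass OS password authentication,
    assuming the password itself is correct."""
    scheme = resolve_scheme(username, fw_users)
    if scheme != "OS Password":
        return False                # Undefined, another scheme, or no entry
    return username in os_accounts  # the OS must actually hold the account


def audit_generic_exposure(fw_users, os_accounts):
    """List OS accounts that reach the firewall only through generic*."""
    return sorted(u for u in os_accounts
                  if u not in fw_users
                  and os_password_allowed(u, fw_users, os_accounts))
```

Running the audit against the constructed databases lists the accounts that were never deliberately granted firewall access; removing the generic* entry empties the list.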


To configure VPN-1 and FW-1 password authentication, ensure that this option is enabled in the Authentication tab of your firewall object. Access the Authentication tab of the user you are configuring and choose VPN-1 & FireWall-1 Password. Enter a password of eight characters or less. FW-1 will ask you to confirm the password.

RADIUS

RADIUS, which stands for Remote Access Dial In User Service, is a convenient way of managing usernames and passwords. In order to use this authentication scheme, you must have a functional RADIUS server that contains a database of all the users you would like to authenticate.

To configure RADIUS authentication in FW-1, the first step is to add a workstation object to represent your RADIUS server. To do this from SmartDashboard, click New or go to Manage | Network Objects | New | Node | Host. Create the object with the IP address of your RADIUS server.

The next step is to add a RADIUS server object. To do this, open the SmartDashboard, and select Manage | Servers and OPSEC Applications. Click New and select RADIUS (see Figure 6.2).

Figure 6.2: RADIUS Server Configuration

Enter the following information:

Now that you have configured your RADIUS server and have told FW-1 about it, enabling RADIUS authentication for a user is simple. Ensure that RADIUS is enabled in your firewall object's Authentication tab, and then select RADIUS as the authentication scheme. When prompted for a RADIUS server to use, select the server you configured above.

You also have the option of configuring multiple RADIUS servers. The advantage of this is that if one RADIUS server fails, users will continue to be able to authenticate via the backup servers. The process of synchronizing usernames and passwords between RADIUS servers is a function of the RADIUS server package you are using; the firewall does not handle this.

To configure multiple RADIUS servers, add each RADIUS server to FW-1 under the Manage menu and select Servers. Be sure to configure each server with an appropriate priority, depending on the sequence in which you want the servers to be queried; lower numbers indicate higher priorities.

Once you have all your RADIUS servers configured, create a RADIUS Group in your list of servers, and add each RADIUS server to this group. Then, when configuring each user, select this group in their Authentication tabs after choosing RADIUS authentication. You will see that you also have the option of selecting All, which means all available RADIUS servers will be queried. This has the same effect as adding all your servers to a RADIUS group and using that group.
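The priority ordering and failover behaviour described for RADIUS groups, as an added simulation (not Check Point code and not a real RADIUS client): servers are queried lowest priority number first, and the next server is tried only when the current one does not answer. Treating a definite Access-Reject as final rather than retrying it elsewhere is an assumption of this model; hostnames, addresses and credentials are constructed.

```python
# Added illustration (not Check Point code): querying the members of a RADIUS
# group in priority order with failover to the next server when one is down.
# Server behaviour is simulated with callables; no network traffic is sent.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    host: str
    priority: int                       # lower number = queried earlier
    # Constructed stand-in for the network exchange: returns True for
    # Access-Accept, False for Access-Reject, raises TimeoutError when down.
    query: Callable[[str, str], bool]


def servers_in_order(servers: List[RadiusServer]) -> List[RadiusServer]:
    """Order the group the way FW-1 would walk it: by priority, lowest first."""
    return sorted(servers, key=lambda s: (s.priority, s.name))


def authenticate(user: str, password: str,
                 servers: List[RadiusServer]) -> Tuple[bool, List[str]]:
    """Return (accepted, names_of_servers_tried). Fail over only when a
    server does not answer; a reject from a live server ends the attempt."""
    tried: List[str] = []
    for srv in servers_in_order(servers):
        tried.append(srv.name)
        try:
            return srv.query(user, password), tried
        except TimeoutError:
            continue                    # unreachable: try the next server
    return False, tried                 # no server answered at all


def make_server(name: str, host: str, priority: int,
                users: Optional[Dict[str, str]] = None,
                down: bool = False) -> RadiusServer:
    """Build a simulated server holding a constructed user database."""
    db = users or {}

    def query(u: str, p: str) -> bool:
        if down:
            raise TimeoutError(name)
        return db.get(u) == p
    return RadiusServer(name, host, priority, query)


# Constructed group: the primary (priority 1) is down, the backup answers.
GROUP = [
    make_server("radius-2", "10.0.0.12", 2, {"alice": "s3cret"}),
    make_server("radius-1", "10.0.0.11", 1, {"alice": "s3cret"}, down=True),
]
```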

TACACS

TACACS, which stands for Terminal Access Controller Access Control System, is another external authentication scheme you can use to authenticate your users. Configuring TACACS is similar to configuring RADIUS.

First, you need to ensure that your TACACS server is set up and configured correctly. Then, add a workstation object to the firewall with the TACACS server IP address. Next, in FW-1's Policy Editor, select Manage | Servers and OPSEC Applications. Choose New | TACACS (see Figure 6.3).

Figure 6.3: TACACS Server Configuration

Enter the following information:

Now that your TACACS server is defined, you need to ensure that TACACS is enabled in the Authentication tab of your firewall object. Next, choose TACACS in the Authentication tab of the user you are configuring, and select the TACACS server you defined.
