Check Point FireWall-1 provides customers, including remote users and telecommuters, with secure, authenticated access to enterprise resources using multiple authentication schemes. FireWall-1 authentication services securely validate that the users attempting to make a connection are who they say they are before the communication is allowed to proceed. Modifications to local servers or client applications are not required.

Authentication services are fully integrated into the enterprise-wide security policy and can be centrally managed through FireWall-1's graphical user interface. All authentication sessions can be monitored and tracked through the Log Viewer. FireWall-1 provides three authentication methods:
- User Authentication
- Client Authentication
- Transparent Session Authentication
User Authentication

FireWall-1's transparent User Authentication provides access privileges on a per-user basis for FTP, TELNET, HTTP, and RLOGIN, regardless of the user's IP address. If a local user is temporarily away from the office and logging in on a different host, the security administrator may define a rule that allows that user to work on the local network without extending access to all users on the same host.

The FireWall-1 Security Servers implement user authentication on the gateway. FireWall-1 intercepts a user's attempt to start an authenticated session on the requested server and directs the connection to the appropriate Security Server. After the user is authenticated, the FireWall-1 Security Server opens a second connection to the host. All subsequent packets of the session are intercepted and inspected by FireWall-1 on the gateway.
Client Authentication

Client Authentication enables an administrator to grant access privileges to a specific user at a specific IP address. In contrast to User Authentication, Client Authentication is not restricted to specific services, but provides a mechanism for authenticating any application, standard or custom. FireWall-1 Client Authentication is not transparent, but it does not require any additional software or modifications on either the client or server. The administrator can determine how each individual is authenticated, which servers and applications are accessible, at what times and days, and how many sessions are permitted. Under Version 4, Client Authentication can now be performed from a Web browser through an HTTP connection or via a Telnet session.
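The following is an added illustration, not Check Point's code, of the kind of gateway-side decision the Client Authentication description above implies: a grant is bound to one user at one source address, applies to any service the administrator names, is limited to certain days and hours, and caps the number of concurrent sessions. The rule layout, the `ClientAuthPolicy` class, the sample user "alice", the addresses and the timestamps are all constructed for the example; it assumes the user has already passed whichever authentication scheme the rule requires.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ClientAuthRule:
    """One Client Authentication grant (hypothetical layout, not FireWall-1's).

    A user at a given address, the services they may reach (any name, not only
    the FTP/TELNET/HTTP/RLOGIN set of User Authentication), and the limits the
    administrator placed on the grant.
    """
    user: str
    source: str            # host address or CIDR block the user authenticated from
    services: frozenset    # permitted service names
    days: frozenset        # permitted weekdays, 0 = Monday ... 6 = Sunday
    start: time            # permitted daily window, inclusive
    end: time
    max_sessions: int      # concurrent sessions allowed for this user/address


class ClientAuthPolicy:
    """Authorisation step applied after authentication has succeeded."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.open_sessions = {}   # (user, source ip) -> live session count

    def decide(self, user: str, src_ip: str, service: str, when: datetime):
        """Return (allowed, reason); an accepted session is counted as open."""
        addr = ip_address(src_ip)
        for rule in self.rules:
            # The grant is per user AND per address: another user on the same
            # host, or the same user elsewhere, does not match this rule.
            if rule.user != user or addr not in ip_network(rule.source, strict=False):
                continue
            if service not in rule.services:
                return False, "service not permitted by rule"
            in_window = (when.weekday() in rule.days
                         and rule.start <= when.time() <= rule.end)
            if not in_window:
                return False, "outside permitted days/hours"
            key = (user, src_ip)
            if self.open_sessions.get(key, 0) >= rule.max_sessions:
                return False, "session limit reached"
            self.open_sessions[key] = self.open_sessions.get(key, 0) + 1
            return True, "accepted"
        return False, "no Client Authentication rule for this user at this address"

    def close_session(self, user: str, src_ip: str) -> None:
        """Release one session slot when the connection ends."""
        key = (user, src_ip)
        if self.open_sessions.get(key, 0) > 0:
            self.open_sessions[key] -= 1


# Constructed sample rule: alice may reach a payroll application from her
# subnet during business hours on weekdays, at most two sessions at a time.
SAMPLE_RULES = [
    ClientAuthRule(user="alice", source="10.1.2.0/24",
                   services=frozenset({"payroll-app", "ssh"}),
                   days=frozenset(range(0, 5)),
                   start=time(8, 0), end=time(18, 0), max_sessions=2),
]


def run_demo():
    """Walk through the accept and deny cases; returns the allow/deny list."""
    policy = ClientAuthPolicy(SAMPLE_RULES)
    monday_10am = datetime(2024, 1, 8, 10, 0)      # constructed timestamps
    sunday_10am = datetime(2024, 1, 7, 10, 0)
    results = []
    results.append(policy.decide("alice", "10.1.2.15", "payroll-app", monday_10am)[0])
    results.append(policy.decide("alice", "10.1.2.15", "payroll-app", monday_10am)[0])
    results.append(policy.decide("alice", "10.1.2.15", "payroll-app", monday_10am)[0])  # over limit
    policy.close_session("alice", "10.1.2.15")
    results.append(policy.decide("alice", "10.1.2.15", "payroll-app", monday_10am)[0])  # slot freed
    results.append(policy.decide("alice", "10.1.2.15", "payroll-app", sunday_10am)[0])  # wrong day
    results.append(policy.decide("alice", "192.168.9.9", "payroll-app", monday_10am)[0])  # wrong address
    results.append(policy.decide("bob", "10.1.2.15", "payroll-app", monday_10am)[0])     # same host, other user
    return results


if __name__ == "__main__":
    print(run_demo())   # [True, True, False, True, False, False, False]
```

The order of the checks matters for what the log shows: a rule that matches the user and address but not the service or time window produces a specific deny reason, while a user or address with no grant at all falls through to a generic one, which keeps the Log Viewer entries useful without revealing which grants exist to someone probing from the wrong host.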
Transparent Session Authentication

Transparent Session Authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the FireWall-1 gateway, located between the user and the destination, intercepts the connection, recognizes that it requires user-level authentication, and initiates a connection with a Session Authentication Agent. The Agent performs the required authentication, after which FireWall-1 allows the connection to continue to the requested server if permitted.
Authentication Schemes

FireWall-1 supports the following authentication schemes:
- SecurID: The user is challenged to enter the number displayed on the Security Dynamics SecurID card.
- S/Key: The user is challenged to enter the value of the requested S/Key iteration. In addition, it has been enhanced with MD5 data integrity.
- OS Password: The user is challenged to enter his or her OS password.
- Internal: The user is challenged to enter his or her internal FireWall-1 password on the gateway.
- Axent: The user is challenged for the response, as defined by the Axent server.
- RADIUS: The user is challenged for a response, as defined by the RADIUS server.
- LDAP: The user is prompted for a response from the LDAP server.
- TACACS: The user is prompted for a response from the TACACS server.
There are a number of OPSEC Certified RADIUS authentication solutions offered by OPSEC Alliance partners.
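As an added illustration of the S/Key entry above (not Check Point's code), here is the one-time password mechanism that the "requested S/Key iteration" challenge refers to, worked through with MD5 as the hash. The gateway stores only the last accepted password, hash^n of the seed and pass-phrase; it challenges for iteration n-1, hashes the reply once and compares. Each login moves the chain down by one, so a captured reply is useless afterwards. This is a simplified model: real S/Key (RFC 1760) folds the digest to 64 bits and encodes it as six short words, whereas here the full 16-byte digest is exchanged as bytes, and the class and function names, the seed "fw99" and the pass-phrase are constructed for the example.

```python
import hashlib


def otp_hash(data: bytes) -> bytes:
    """One iteration of the one-time-password hash (MD5 here; an assumption)."""
    return hashlib.md5(data).digest()


def compute_otp(secret: str, seed: str, iteration: int) -> bytes:
    """Client side: hash^iteration(seed + secret).

    The client recomputes this for every challenge from its pass-phrase, so
    the pass-phrase itself never crosses the network.
    """
    value = (seed + secret).encode()
    for _ in range(iteration):
        value = otp_hash(value)
    return value


class OtpVerifier:
    """Gateway side: keeps only the last accepted one-time password.

    Enrolled with hash^n; each successful login replaces the stored value with
    the reply (hash^(n-1), then hash^(n-2), ...). Knowing the stored value
    does not let an attacker produce the next one, since that would mean
    inverting the hash.
    """

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed = seed
        self.sequence = sequence      # iteration count of last_otp
        self.last_otp = last_otp

    def challenge(self):
        """Tell the user which iteration and seed to compute."""
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 1:
            return False              # chain exhausted: user must re-enrol
        if otp_hash(response) != self.last_otp:
            return False              # wrong pass-phrase, or a replayed password
        self.last_otp = response      # advance the chain
        self.sequence -= 1
        return True


def run_demo() -> list:
    """Enrol with a 5-entry chain, log in twice, then replay the first reply."""
    secret, seed, n = "correct horse battery", "fw99", 5   # constructed sample
    gateway = OtpVerifier(seed, n, compute_otp(secret, seed, n))
    results = []
    first_response = None
    for _ in range(2):
        iteration, challenge_seed = gateway.challenge()
        response = compute_otp(secret, challenge_seed, iteration)
        if first_response is None:
            first_response = response
        results.append(gateway.verify(response))
    results.append(gateway.verify(first_response))   # replay is rejected
    return results


if __name__ == "__main__":
    print(run_demo())   # [True, True, False]
```

Two operational points follow from the model: the chain is finite, so the verifier must refuse logins once the sequence reaches 1 and the user must be re-enrolled with a fresh seed, and the hash is the only thing protecting the stored value, which is why the datasheet's note about the MD5 enhancement matters.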
© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.