Client Authentication


In contrast to user authentication, client authentication grants access based on source address rather than on the individual user. Client authentication is also not restricted to any particular service; it can be configured to work with all applications and services. The downside of client authentication is that it associates a username with an IP address for a given period of time. For example, if a user from your network uses client authentication to authenticate to a firewall on the other side of the Internet, any other users coming from your network will also be allowed, because their connections arrive from the same IP address (hide-mode NAT having been configured for the LAN). This is also a valid concern if a user abandons his IP address (shuts down his system, for example) and it is reassigned to or reused by another system before the firewall times out the authentication.

In order to authenticate via client authentication, users must connect to the firewall with either telnet (port 259) or HTTP (port 900). Access via HTTPS is also an option; see skI5130 in Check Point's SecureKnowledge Database. The firewall will challenge the user with username and password prompts, and will use the response to determine whether that user is authorized to connect from their source address.

Configuring client authentication is similar to configuring user authentication. Again, the first step is to define your users in the user manager. Then, create a rule in the rule base, as in rule 8 in Figure 6.14.

Figure 6.14: Client Authentication Rule

Again, we are allowing all users in the Engineering department, when originating from the LAN, to connect via HTTP, HTTPS, and FTP to systems on the Internet. Just as in user authentication, there are action properties for client authentication, accessed by right-clicking Client Auth and choosing Edit Properties (see Figure 6.15).

Figure 6.15: Client Authentication Action Properties

The source and destination options behave the same as they do in user authentication. Verify secure configuration on Desktop only applies to users who are using the SecureClient VPN client, which will be covered in Chapter 11. This setting ensures that the user's desktop settings are secure. Specifically, it ensures that only TCP/IP is used, and that the desktop policy has been applied to all available network interfaces.

Required Sign On, when set to Standard, means that once a user has authenticated one time, they are permitted to access all services, as long as the rulebase allows them to do so. When set to Specific, users must authenticate again for each new service they attempt to access.
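As an added illustration (not code from the book or from Check Point), the following Python model shows why the source-address binding described above lets a second host behind a hide-NAT address through without a challenge, and how the Standard and Specific settings of Required Sign On differ. The addresses, usernames and the 1800-second timeout are assumed values.

```python
# Constructed model (not Check Point code) of client-authentication state:
# a source address bound to a username until an assumed 1800 s timeout.
from dataclasses import dataclass, field

@dataclass
class Binding:
    user: str
    expires_at: float                           # simulated clock, seconds
    services: set = field(default_factory=set)  # used only in Specific mode

class ClientAuthTable:
    def __init__(self, required_sign_on="Standard", timeout=1800):
        self.mode = required_sign_on            # "Standard" or "Specific"
        self.timeout = timeout
        self.bindings = {}                      # source IP -> Binding

    def sign_on(self, src_ip, user, service, now):
        """Record a passed challenge; the key is the address, not the user."""
        binding = self.bindings.get(src_ip)
        if binding is None or binding.expires_at <= now:
            binding = Binding(user, now + self.timeout)
            self.bindings[src_ip] = binding
        binding.services.add(service)           # Specific: per-service sign-on
        return binding

    def is_allowed(self, src_ip, service, now):
        """Username bound to the address, or None; who sent it is never checked."""
        binding = self.bindings.get(src_ip)
        if binding is None or binding.expires_at <= now:
            self.bindings.pop(src_ip, None)     # lapsed binding is dropped
            return None
        if self.mode == "Specific" and service not in binding.services:
            return None                         # sign on again for this service
        return binding.user

def hide_nat_scenario():
    """alice signs on from the hide-NAT address (203.0.113.10, constructed);
    bob's traffic from the same address passes as alice until the timeout."""
    table = ClientAuthTable("Standard")
    table.sign_on("203.0.113.10", "alice", "http", now=0)
    alice = table.is_allowed("203.0.113.10", "http", now=10)
    bob = table.is_allowed("203.0.113.10", "ftp", now=20)        # never challenged
    expired = table.is_allowed("203.0.113.10", "ftp", now=2000)  # after 1800 s
    return alice, bob, expired

def specific_mode_scenario():
    """Required Sign On = Specific: an HTTP sign-on does not cover FTP."""
    table = ClientAuthTable("Specific")
    table.sign_on("10.1.1.5", "alice", "http", now=0)
    return table.is_allowed("10.1.1.5", "http", now=5), table.is_allowed("10.1.1.5", "ftp", now=5)
```

The Standard scenario returns ("alice", "alice", None): bob's request is accepted under alice's name, and only the timeout closes the window.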

Sign-On Method has the following five options:

  • Manual: Users must either telnet to port 259 of the firewall, or use a Web browser to connect to port 900 on the firewall, to authenticate before being granted access. Access via HTTPS is also an option; see skI5130 in Check Point's SecureKnowledge Database.

  • Partially Automatic: If user authentication is configured for the service the user is attempting to access, and they pass this authentication, then no further client authentication is required. For example, if HTTP is permitted on a client authentication rule, the user will be able to authenticate transparently, since FW-1 has a security server for HTTP. With this setting chosen, users will not have to manually authenticate for this connection. Note that this applies to all services for which FW-1 has built-in security servers (HTTP, FTP, telnet, and rlogin).

  • Fully Automatic: If the client has the session authentication agent installed, then no further client authentication is required (see session authentication below). For HTTP, FTP, telnet, or rlogin, the firewall will authenticate via user authentication, and then session authentication will be used to authenticate all other services.

  • Agent Automatic Sign On: Uses the session authentication agent to provide transparent authentication (see session authentication below).

  • Single Sign On: Used in conjunction with UserAuthority servers to provide enhanced application-level security. Discussion of UserAuthority is beyond the scope of this chapter.

Client Authentication versus User Authentication

Table 6.1 compares various aspects of user authentication and client authentication:

Table 6.1: Client Authentication versus User Authentication

Authentication Property    User Authentication                Client Authentication
Based on Source IP         No                                 Yes
Restrict on Username       Yes                                Yes
Transparent                Optional                           Depends on Sign On Method
Services Available         HTTP, HTTPS, FTP, telnet, rlogin   All




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149