The third type of authentication available is session authentication. Session authentication enables you to grant users access to any service, without requiring them to originate from the same source IP.
In order to accomplish this type of authentication, the user must run a session authentication agent. This agent is responsible for receiving the authentication request from the firewall, prompting the user for his or her login credentials, and transmitting that information back to the firewall. The session authentication agent can be found on the Check Point installation CD, and does not require any special licensing.
Configuring session authentication is similar to configuring client or user authentication. First, ensure that your users are configured in the user manager. Then, add a rule to the standard rule base as in rule 8 in Figure 6.16.
Here, the rule is similar to our previous rule for client authentication. Note that it is not required that you restrict session authentication to a service. Again, there are action properties available for session authentication, accessible by right-clicking on the Session Auth icon and choosing Edit properties (see Figure 6.17).
The Source and Destination properties behave here just as they do in client or user authentication. Contact Agent At enables you to specify where the authentication agent is running. In general, the agent will be running on the user's workstation, which is located at the source of the connection, so this setting should be left as Src. In special cases, when the authentication agent is installed elsewhere, you can specify that location via this setting.
Accept only if connection is encrypted enables you to reject connections, even if the authentication information is valid, unless the user is connecting through an encrypted VPN connection.
Query user identity from UserAuthority enables you to integrate session authentication with a UserAuthority server for Single Sign On.
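The following is an added example, not code from the book or from Check Point, that models the session authentication decision described above: the firewall contacts the agent at the connection's source (or at the location given by Contact Agent At), the agent returns the credentials the user typed, and the firewall checks them against the user database, the rule's user list and the Accept only if connection is encrypted setting. The class and function names, the user database and the agent addresses are all constructed for the example; Check Point's actual agent protocol is not reproduced here.

```python
"""Simplified model of a session-authentication rule evaluation.
Added example; not Check Point's own code or wire protocol.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed stand-in for the users defined in the user manager.
USER_DB: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    service: str
    encrypted: bool  # True when the connection arrives over a VPN tunnel


@dataclass
class SessionAuthRule:
    allowed_users: Set[str]
    contact_agent_at: str = "Src"          # "Src" or an explicit IP where the agent runs
    accept_only_if_encrypted: bool = False
    services: Optional[Set[str]] = None    # None: no service restriction (not required)


# Hypothetical agent callback: given the address the firewall contacts, returns the
# (username, password) the user entered, or None if no agent answers there.
AgentFn = Callable[[str], Optional[Tuple[str, str]]]


def agent_address(rule: SessionAuthRule, conn: Connection) -> str:
    """Resolve Contact Agent At: the connection source by default, else the configured host."""
    return conn.src_ip if rule.contact_agent_at == "Src" else rule.contact_agent_at


def evaluate(rule: SessionAuthRule, conn: Connection, contact_agent: AgentFn) -> Tuple[bool, str]:
    """Return (accepted, reason) for one connection hitting a session-auth rule."""
    if rule.services is not None and conn.service not in rule.services:
        return False, "service not covered by rule"
    # The encryption requirement can be decided before prompting the user at all.
    if rule.accept_only_if_encrypted and not conn.encrypted:
        return False, "connection not encrypted; rejected regardless of credentials"
    creds = contact_agent(agent_address(rule, conn))
    if creds is None:
        return False, "no response from session authentication agent"
    user, password = creds
    if USER_DB.get(user) != password:
        return False, "invalid credentials"
    if user not in rule.allowed_users:
        return False, "user not permitted by rule"
    return True, "accepted"


def make_agent(agents: Dict[str, Tuple[str, str]]) -> AgentFn:
    """Build a constructed agent callback from a map of agent address -> typed credentials."""
    return lambda addr: agents.get(addr)


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the rule with constructed hosts; the source IP alone never grants access."""
    contact = make_agent({
        "10.0.0.5": ("alice", "correct horse"),
        "10.0.0.9": ("alice", "correct horse"),   # same user, different workstation
        "10.0.0.7": ("bob", "battery staple"),
    })
    rule = SessionAuthRule(allowed_users={"alice"}, accept_only_if_encrypted=True)
    # Agent installed on a fixed host instead of the connection source.
    central = SessionAuthRule(allowed_users={"alice"}, contact_agent_at="10.0.0.5")
    dst = "192.0.2.10"
    return {
        "alice_vpn":        evaluate(rule, Connection("10.0.0.5", dst, "smtp", True), contact),
        "alice_other_host": evaluate(rule, Connection("10.0.0.9", dst, "smtp", True), contact),
        "alice_clear":      evaluate(rule, Connection("10.0.0.5", dst, "smtp", False), contact),
        "bob_not_allowed":  evaluate(rule, Connection("10.0.0.7", dst, "smtp", True), contact),
        "no_agent":         evaluate(rule, Connection("10.0.0.99", dst, "smtp", True), contact),
        "agent_elsewhere":  evaluate(central, Connection("10.0.0.99", dst, "smtp", False), contact),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

The "alice_other_host" case is the point of the table that follows: the same user is accepted from two different source addresses because the decision rests on the agent's answer, not on the source IP, while "alice_clear" shows the encryption setting overriding otherwise valid credentials.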
Table 6.2 compares various aspects of session, client, and user authentication:
| Authentication | User | Client | Session |
|---|---|---|---|
| Based on source IP | No | Yes | No |
| Restrict on Username | Yes | Yes | Yes |
| Transparent | Optional | Depends on Sign On Method | Yes |
| Services Available | HTTP, HTTPS, FTP, telnet, rlogin | All | All |
| Agent required | No | No | Yes |