10. Check Point Getting Started R80.20. Identity Awareness
Welcome to the anniversary 10th lesson. Today we'll talk about another Check Point blade: Identity Awareness. At the very beginning, when describing NGFW, we established that it must be able to regulate access based on accounts rather than IP addresses. This is due primarily to increased user mobility and the widespread use of the BYOD model (bring your own device). A company may have many people who connect over WiFi, receive a dynamic IP, and do so from different network segments. Try building access lists based on IP addresses in that situation. User identification is indispensable here, and the Identity Awareness blade is what provides it.
But first, let's look at what user identification is most often used for.
- To restrict network access by user accounts rather than IP addresses. Access can be regulated to the Internet as well as to any other network segment, for example a DMZ.
- VPN access. You will agree that it is much more convenient for the user to authenticate with their domain account rather than yet another invented password.
- Managing Check Point itself also requires an account, which can be granted various rights.
- And the most enjoyable part: Reporting. It is much nicer to see specific users in reports rather than their IP addresses.
Check Point supports two types of accounts:
- Local Internal Users. The user is created in the local database of the management server.
- External Users. Microsoft Active Directory or any other LDAP server can act as the external user database.
Today we will talk about network access. When Active Directory is present, network access is controlled with the so-called Access Role, an object used as the source or destination of a rule, which combines three user parameters:
- Network, i.e. the network the user is trying to connect to
- AD User or User Group; this data is pulled directly from the AD server
- Machine, i.e. the user's workstation.
User authentication can be performed in several ways:
- AD Query. Check Point reads the AD server logs for authenticated users and their IP addresses. Computers that are in the AD domain are identified automatically.
- Browser-Based Authentication. Authentication through the user's browser (Captive Portal or Transparent Kerberos). Most often used for devices that are not in the domain.
- Terminal Servers. Identification is carried out with a special terminal agent installed on the terminal server.
These are the three most common options, but there are three more:
- Identity Agents. A special agent is installed on users' computers.
- Identity Collector. A separate utility installed on a Windows Server that collects the authentication logs instead of the gateway doing so. With a large number of users it is effectively a mandatory option.
- RADIUS Accounting. And of course, the good old RADIUS.
In this tutorial, I will demonstrate the second option, Browser-Based. That's enough theory; let's move on to practice.
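To make the Access Role parameters and the identification methods above concrete, here is an added illustration (not Check Point code, and not from the original lesson) of how a gateway can evaluate an identity-based rule: a constructed table of IP-to-identity mappings, modelled on what AD Query learns from domain logon events, and a hypothetical AccessRole model in which every specified parameter (Network, AD group, Machine) must match and an unspecified one means "Any". A source whose network matches but whose IP has no learned identity is reported as unidentified, which is the situation where Browser-Based Authentication would step in for non-domain devices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: IP -> identity, as AD Query would learn it from
# domain logon events. Not taken from any real environment.
IDENTITY_TABLE = {
    "10.1.20.15": {"user": "alice", "groups": {"Domain Users", "Finance"}, "machine": "WS-ALICE"},
    "10.1.30.7":  {"user": "bob",   "groups": {"Domain Users"},            "machine": "WS-BOB"},
}

def in_networks(src_ip: str, networks: Optional[list]) -> bool:
    """None means 'Any'; otherwise the source must fall inside one of the networks."""
    if networks is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

@dataclass
class AccessRole:
    """Hypothetical model of an Access Role's three parameters (assumption: all
    specified parameters are ANDed, None means 'Any')."""
    name: str
    networks: Optional[list] = None   # Network parameter
    groups: Optional[set] = None      # AD User Group parameter
    machines: Optional[set] = None    # Machine parameter

    def needs_identity(self) -> bool:
        return self.groups is not None or self.machines is not None

    def matches(self, src_ip: str, identity: Optional[dict]) -> bool:
        if not in_networks(src_ip, self.networks):
            return False
        if self.needs_identity() and identity is None:
            return False   # no user/machine known for this IP
        if self.groups is not None and not (self.groups & identity["groups"]):
            return False
        if self.machines is not None and identity["machine"] not in self.machines:
            return False
        return True

def evaluate(src_ip: str, roles: list, table: dict = IDENTITY_TABLE) -> str:
    """Return the first matching role name, 'unidentified' when an identity-based
    role covers this source network but the IP has no learned identity, else 'no-match'."""
    identity = table.get(src_ip)
    for role in roles:
        if role.matches(src_ip, identity):
            return role.name
    if identity is None and any(r.needs_identity() and in_networks(src_ip, r.networks) for r in roles):
        return "unidentified"
    return "no-match"
```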
Stay tuned for more and join our YouTube channel :)