Welcome to the anniversary, the 10th lesson. Today we'll talk about another Check Point Blade: Identity Awareness. At the very beginning, when describing NGFW, we established that it must regulate access based on user accounts rather than IP addresses. This is primarily due to the increased mobility of users and the ubiquitous BYOD model (Bring Your Own Device). A company may have many people who connect via WiFi, get a dynamic IP address, and do so from different network segments. Try building access lists based on IP addresses in that setting. Here you cannot do without user identification, and it is precisely the Identity Awareness Blade that helps us with this.
But first, let's look at what user identification is most commonly used for:
- To restrict network access by user account rather than by IP address. Access can be regulated either simply to the Internet or to any other network segment, such as the DMZ.
- VPN access. Agree that it is much more convenient for a user to authenticate with their domain account rather than with yet another invented password.
- Managing Check Point itself also requires an account, which can have different rights.
- And the most enjoyable part: reporting. It is much more pleasant to see specific users in reports rather than their IP addresses.
At the same time, Check Point supports two types of accounts:
- Local Internal Users. The user is created in the local database of the management server.
- External Users. Microsoft Active Directory or any other LDAP server can act as an external user base.
Today we will talk about network access. To control network access when Active Directory is present, a so-called Access Role object is used as the source or destination of a rule. It allows the use of three user parameters:
- Network: the network the user is trying to connect to
- AD User or User Group: this data is pulled directly from the AD server
- Machine: the workstation.
User identification itself can be performed in several ways:
- AD Query. Check Point reads the AD server logs for authenticated users and their IP addresses. Computers that are in the AD domain are automatically identified.
- Browser-Based Authentication. Identification through the user's browser (Captive Portal or Transparent Kerberos). Most often used for devices that are not in the domain.
- Terminal servers. In this case, identification is performed using a special terminal agent installed on the terminal server.
These are the three most common options, but there are three more:
- Identity agents. A special agent is installed on users' computers.
- Identity Collector. A separate utility installed on a Windows Server that collects authentication logs instead of the gateway. In practice this is a mandatory option with a large number of users.
- RADIUS Accounting. And of course, the good old RADIUS.
In this lesson I will demonstrate the second option, Browser-Based Authentication. I think that is enough theory; let's move on to practice.
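To make the mechanism concrete, here is an added illustration (not Check Point's code and not part of the original post) of what AD Query and an Access Role do in combination: successful logon events from a domain controller are turned into an IP-to-user mapping, and a rule then matches a source on the three Access Role parameters (Network, AD group, Machine). The logon events, group memberships and rulebase below are constructed for the example; the choice to use only event ID 4624 (successful logon) and to let the newest logon from an IP replace the previous one are simplifying assumptions, not a description of the product's internals.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of Windows logon events, in the shape AD Query reads
# from the domain controller's Security log. All values are invented.
SAMPLE_LOGON_EVENTS = [
    {"event_id": 4624, "user": "alice", "workstation": "WS-ALICE", "src_ip": "10.1.10.25"},
    {"event_id": 4625, "user": "mallory", "workstation": "WS-UNKNOWN", "src_ip": "10.1.10.77"},  # failed logon: ignored
    {"event_id": 4624, "user": "bob", "workstation": "WS-BOB", "src_ip": "10.1.20.7"},
    {"event_id": 4624, "user": "alice", "workstation": "WS-ALICE", "src_ip": "10.1.10.25"},  # repeat: harmless
]

# Constructed AD group membership (assumed; a real deployment reads this via LDAP).
AD_GROUPS = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"IT", "Domain Users"},
}


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    machine: str


def build_identity_map(events, ad_groups):
    """Map source IP -> Identity using only successful logons (event ID 4624).

    A later logon from the same IP replaces the earlier one: the newest session wins.
    Users with no group entry are still identified, just with an empty group set."""
    identities = {}
    for ev in events:
        if ev.get("event_id") != 4624:
            continue
        user = ev["user"]
        identities[ev["src_ip"]] = Identity(
            user=user,
            groups=frozenset(ad_groups.get(user, set())),
            machine=ev["workstation"],
        )
    return identities


@dataclass
class AccessRole:
    """Model of the three Access Role parameters from the post: Network, AD group, Machine.

    An empty list/set means 'any' for that parameter."""
    name: str
    networks: list
    groups: set
    machines: set

    def matches(self, ip, identity):
        addr = ipaddress.ip_address(ip)
        if self.networks and not any(addr in net for net in self.networks):
            return False
        if self.groups or self.machines:
            if identity is None:  # an unidentified source cannot satisfy a user/machine condition
                return False
            if self.groups and not (self.groups & identity.groups):
                return False
            if self.machines and identity.machine not in self.machines:
                return False
        return True


def first_matching_role(roles, ip, identity_map):
    """Return the name of the first Access Role matched by this source, or None."""
    identity = identity_map.get(ip)
    for role in roles:
        if role.matches(ip, identity):
            return role.name
    return None


# Constructed rulebase: ordered, first match wins.
ROLES = [
    AccessRole("IT-Admins", [ipaddress.ip_network("10.1.0.0/16")], {"IT"}, set()),
    AccessRole("Finance-to-DMZ", [ipaddress.ip_network("10.1.10.0/24")], {"Finance"}, {"WS-ALICE"}),
    AccessRole("Guest-WiFi", [ipaddress.ip_network("10.9.0.0/16")], set(), set()),
]

if __name__ == "__main__":
    idmap = build_identity_map(SAMPLE_LOGON_EVENTS, AD_GROUPS)
    for ip in ("10.1.10.25", "10.1.20.7", "10.1.10.77", "10.9.3.4"):
        print(ip, idmap.get(ip), "->", first_matching_role(ROLES, ip, idmap))
```

Note the two failure modes the model makes visible: a source whose logon never appeared in the logs (10.1.10.77, only a failed logon) matches no role that carries a user or machine condition, and a role with only a Network condition (Guest-WiFi) matches without any identity at all, so such roles grant the least that you intend.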
Stay tuned for more and join our YouTube channel 🙂