10. Check Point Getting Started R80.20. Identity Awareness

Welcome to the anniversary 10th lesson. Today we will talk about another Check Point blade - Identity Awareness. At the very beginning, when describing NGFW, we determined that it must be able to regulate access based on user accounts, not IP addresses. This is primarily due to the increased mobility of users and the ubiquity of the BYOD model (bring your own device). A company can have a lot of people who connect via WiFi, get a dynamic IP, and even arrive from different network segments. Try building access lists on IP addresses in that situation. Here user identification is indispensable, and it is precisely the Identity Awareness blade that helps us with it.

But first, let's figure out what user identification is most often used for.

  1. To restrict network access by user accounts, not IP addresses. Access can be regulated both simply to the Internet and to any other network segment, such as a DMZ.
  2. VPN access. Agree that it is much more convenient for the user to log in with their domain account rather than yet another invented password.
  3. To manage Check Point, you also need an account, which can have various rights.
  4. And the best part is reporting. It is much nicer to see specific users in the reports, not their IP addresses.

At the same time, Check Point supports two types of accounts:

  • Local Internal Users. The user is created in the local database of the management server.
  • External Users. Microsoft Active Directory or any other LDAP server can act as an external user base.

Today we will talk about network access. To control network access when Active Directory is present, a so-called Access Role is used as an object (source or destination); it allows three options for identifying the user:

  1. Network - i.e. the network the user is trying to connect to
  2. AD User or User Group - this data is pulled directly from the AD server
  3. Machine - the workstation.

In this case, user identification can be performed in several ways:

  • AD Query. Check Point reads the AD server logs for authenticated users and their IP addresses. Computers that are in the AD domain are identified automatically.
  • Browser Based Authentication. Identification through the user's browser (Captive Portal or Transparent Kerberos). Most commonly used for devices that are not in a domain.
  • Terminal Servers. In this case, identification is carried out using a special terminal agent (installed on the terminal server).
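As an added illustration (not code from the original article or from Check Point), the following Python sketch models what AD Query and an access role do: it builds a source-IP-to-user table from constructed domain-controller logon events and then evaluates an access role that combines an AD group with a source network. The event line format, the AD_GROUPS membership table and the 8-hour mapping lifetime are assumptions for the example; the two terminal-server lines show why several users behind one IP need the terminal agent instead.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of domain-controller logon events (simplified 4624/4625 lines).
SAMPLE_EVENTS = """\
2024-01-09T20:00:00 EventID=4624 Account=eve Domain=CORP SourceIP=10.1.20.17 Workstation=WS-EVE
2024-01-10T09:00:00 EventID=4624 Account=alice Domain=CORP SourceIP=10.1.20.15 Workstation=WS-ALICE
2024-01-10T09:05:00 EventID=4624 Account=bob Domain=CORP SourceIP=10.1.20.16 Workstation=WS-BOB
2024-01-10T09:10:00 EventID=4624 Account=carol Domain=CORP SourceIP=10.1.30.5 Workstation=TS01
2024-01-10T09:12:00 EventID=4624 Account=dave Domain=CORP SourceIP=10.1.30.5 Workstation=TS01
2024-01-10T09:15:00 EventID=4625 Account=mallory Domain=CORP SourceIP=10.1.20.99 Workstation=WS-X
"""

EVENT_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<user>\S+) Domain=\S+ "
    r"SourceIP=(?P<ip>\S+) Workstation=(?P<host>\S+)"
)

# Hypothetical AD group membership, standing in for what the gateway fetches via LDAP.
AD_GROUPS = {"alice": {"Finance"}, "bob": {"IT"}, "carol": {"Finance"}, "dave": {"IT"}}


def build_identity_table(events, now, ttl_hours=8):
    """Map source IP -> (user, workstation) from successful logons (4624)
    seen within ttl_hours of `now` (an ISO timestamp string).
    Later logons from the same IP overwrite earlier ones: this is why AD Query
    alone cannot tell apart several users behind one terminal-server IP."""
    now_ts = datetime.fromisoformat(now)
    table = {}
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["eid"] != "4624":
            continue  # failed logons (4625) never create an identity
        if now_ts - datetime.fromisoformat(m["ts"]) > timedelta(hours=ttl_hours):
            continue  # stale mapping: a DHCP lease may have moved the IP to someone else
        table[m["ip"]] = (m["user"], m["host"])
    return table


def access_role_allows(table, src_ip, required_group, allowed_net):
    """Access role check: the source must be inside `allowed_net` AND resolve
    to an AD user who is a member of `required_group`. An IP with no identity
    never matches, so unidentified hosts fall through to later rules."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(allowed_net):
        return False
    user, _host = table.get(src_ip, (None, None))
    return user is not None and required_group in AD_GROUPS.get(user, set())
```

Note that carol's mapping on 10.1.30.5 is silently replaced by dave's, so a Finance rule stops matching her traffic even though she is still logged on.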

These are the three most common options, but there are three more:

  • Identity Agents. A special agent is installed on users' computers.
  • Identity Collector. A separate utility that is installed on Windows Server and collects authentication logs instead of the gateway. In fact, a mandatory option for a large number of users.
  • RADIUS Accounting. And where would we be without good old RADIUS.

In this tutorial, I will demonstrate the second option - Browser-Based. Enough theory, let's move on to practice.

Video tutorial

Stay tuned for more and join our YouTube channel : )

Source: habr.com