DOCSLIB.ORG

Check Point Userauthority Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Check Point Userauthority Guide Check Point UserAuthority Guide Version NGX R62 700358 January 2006 © 2003-2006 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall -1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro , Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS. Contents Preface Who Should Use This Guide.............................................................................. 10 Summary of Contents....................................................................................... 11 Appendices ................................................................................................ 12 Related Documentation .................................................................................... 13 More Information ............................................................................................. 15 Chapter 1 Introduction The Need for UserAuthority............................................................................... 18 Identity-based Access Control for Outbound Connections via VPN-1 Power Gateway 19 Underlying Concept and Advantage ................................................................... 20 Typical Deployment.......................................................................................... 21 UserAuthority SSO for VPN-1 Power Deployment ........................................... 21 OPSEC Protocols ............................................................................................. 23 How to Use this Guide...................................................................................... 24 Chapter 2 UserAuthority Deployments and Installation Overview ......................................................................................................... 26 Deployments ................................................................................................... 27 Outbound Access Control............................................................................. 27 Citrix MetaFrame or Windows Terminal Services............................................. 32 Installation and Configuration ........................................................................... 35 Installing and Configuring UAS on VPN-1 Power ............................................ 35 Installing and Configuring the UAS on the Windows DC .................................. 46 Chapter 3 Outbound Access Control The Challenge ................................................................................................. 58 The UserAuthority Solution ............................................................................... 59 Identification using SecureAgent.................................................................. 61 Identity Sharing.......................................................................................... 61 Retrieving Windows Groups with UserAuthority ................................................... 66 Outbound Access Control using Citrix Terminals as TIP ....................................... 67 Scenario - An Organization using Multiple Windows DCs...................................... 68 Scenario - An Organization Using Multiple Domains ............................................ 70 Configurations ................................................................................................. 72 Adding Additional Windows DCs................................................................... 72 Outbound Access Control on Citrix or Windows Terminals ............................... 73 Configuring UserAuthority Domain Equality ................................................... 73 Chapter 4 User Management in UserAuthority Overview ......................................................................................................... 78 Table of Contents 5 Managing Users and Groups ............................................................................. 79 Users in UserAuthority ................................................................................ 79 User Groups in UserAuthority....................................................................... 79 Using a Local Check Point Database.................................................................. 81 Using an External Database .............................................................................. 82 Using the Windows User Identity....................................................................... 83 Users in the Windows Domain...................................................................... 83 Configuring UserAuthority to Recognize Windows User Groups ........................ 83 Chapter 5 Auditing in UserAuthority Overview ......................................................................................................... 86 Using Logs for Auditing .................................................................................... 87 Auditing Outbound Traffic Using UserAuthority Outbound Access Control......... 88 Configuring UserAuthority for Auditing............................................................... 92 Configuring Auditing of Requests for External Resources ................................ 92 Chapter 6 High Availability and Load Balancing Overview ......................................................................................................... 93 High Availability ......................................................................................... 93 Load Balancing........................................................................................... 94 High Availability and Load Balancing in UserAuthority.................................... 94 Using Multiple Windows DCs ............................................................................ 95 Using a VPN-1 Power Cluster............................................................................ 96 Using VPN-1 Power Clusters ........................................................................ 96 Synchronizing the Credentials Manager......................................................... 96 Chapter 7 UserAuthority CLIs Chapter 8 UserAuthority OPSEC APIs Overview ....................................................................................................... 108 Programming Model....................................................................................... 109 Defining a UAA Client ............................................................................... 112 Client Server Configuration ........................................................................ 112 OPSEC UserAuthority API Overview ............................................................ 112 Function Calls ............................................................................................... 123 Session Management ................................................................................ 123 Assertions Management............................................................................. 124 Managing Queries ....................................................................................
Load more

Recommended publications
  • Connectra Web Security Gateway
    puresecurity PRODUCT DESCRIPTION Connectra Connectra™ is a complete Web Security Gateway that unifies SSL VPN access with comprehensive endpoint security Web Security Gateway and integrated intrusion prevention. Web connectivity with unmatched security PRODUCT FEATURES n Secure SSL VPN remote access YOUR CHALLENGE n Comprehensive endpoint security Access to information is critical to modern businesses, and, increasingly, n Integrated intrusion prevention employees and business partners need to access it anytime from virtually n Appliance or software platforms anywhere. Sharing timely information increases your business competitiveness, partnership effectiveness, and employee productivity. And sharing this informa- tion requires a solution that is universally available and easy to use—even for PRODUCT BENEFITS the lay user. n Delivers Web-based secure remote access for an extensive In addition to enabling ubiquitous access, the confidentiality and integrity of range of enterprise applications this information is even more important in today’s information-driven economy. Yet the explosion of spyware, like keystroke loggers and Trojan horses, threat- n Shields information from malicious ens the confidentiality and integrity of information shared with remote users. spyware and malware on remote endpoints Bottom line, you need to provide easy access to information from anywhere n Defends the integrity of internal while ensuring that your enterprise IT resources retain their security everywhere. infrastructure from worms and attacks n Provides standalone or full OUR SOLUTION SmartCenter™ central management ™ Connectra is a complete Web Security Gateway that provides SSL VPN n Protects against new threats access and comprehensive endpoint and integrated intrusion prevention through SmartDefense™ Services security in a single, unified solution.
    [Show full text]
  • Usability and Security of Personal Firewalls
    Usability and Security of Personal Firewalls Almut Herzog^ and Nahid Shahmehri^ Dept. of Computer and Information Science, Linkopings universitet,Sweden {almhe, nahsh}@ida.liu.se Abstract. Effective security of a personal firewall depends on (1) the rule granularity and the implementation of the rule enforcement and (2) the correctness and granularity of user decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user's false sense of security. This study assesses effective security of 13 personal firewalls by comparing possible granularity of rules as well as the usability of rule set-up and its influence on security. In order to evaluate usability, we have submitted each firewall to use cases that require user decisions and cause rule creation. In order to evaluate the firewalls' security, we analysed the created rules. In ad­ dition, we ran a port scan and replaced a legitimate, network-enabled application with another program to etssess the firewalls' behaviour in misuse cases. We have conducted a cognitive walkthrough paying special attention to user guidance and user decision support. We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls. 1 Introduction In times where roaming users connect their laptops to a variety of public, pri­ vate and corporate wireless or wired networks and in times where more and more computers are always online, host-based firewalls implemented in soft­ ware, called personal firewalls, have become an important part of the security armour of a personal computer.
    [Show full text]
  • Check Point Firewall V1.0
    Check Point Firewall Benchmark v1.0 Editor: John Traenkenschuh December 2007 Copyright 2001-2007, The Center for Internet Security (CIS) http://cisecurity.org [email protected] TERMS OF USE AGREEMENT Background. The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere (―Products‖) as a public service to Internet users worldwide. Recommendations contained in the Products (―Recommendations‖) result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a ―quick fix‖ for anyone‘s information security needs. No Representations, Warranties, or Covenants. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations ―as is‖ and ―as available‖ without representations, warranties, or covenants of any kind. User Agreements. By using the Products and/or the Recommendations, I and/or my organization (―We‖) agree and acknowledge that: 1. No network, system, device, hardware, software, or component can be made fully secure; 2.
    [Show full text]
  • EC-Council Network Security Administrator (Exam 312-38)
    Product Information Sheet Exam 312-38 EC-Council Network Security Administrator (Exam 312-38) Page | 1 ENSAv4 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Product Information Sheet Exam 312-38 EC-Council NSA is CNSS 4011 Certified The Committee on National Security Systems (CNSS)/National Security Agency (NSA) of the United States of America certified EC-Council’s Network Security Administrator (ENSA) course as having met 100% of the requirements as set out by the Committee on National Security Systems (CNSS) National Standards 4011. This certification is managed by the Information Assurance Courseware Evaluation (IACE) Program, National INFOSEC (Information Security) Education and Training Program and is administered by the U.S. National Security Agency (NSA). The Committee on National Security Systems (CNSS) and National Security Agency (NSA) has developed a nationally recognized certification program based on NSTISSI standards. The CNSS/NSA Certification is a government class certification that is recognized as the National Training Standard for Information Security Professionals Students who have obtained these certifications would have demonstrated a solid grasp of the principles as outlined in the 4011 standard. With this, EC-Council has joined the ranks of the organizations United States Air Force Academy, United States Military Academy, Air Force Institute of Technology and Carnegie Mellon University; all of whom have attained the National Training Standard for Information Security Professionals - the CNSS 4011. Introduction The EC-Council's Network Security Administrator certification looks at the network security in defensive view while the CEH certification program looks at the security in offensive mode. The ENSA program is designed to provide fundamental skills needed to analyze the internal and external security threats against a network, and to develop security policies that will protect an organization’s information.
    [Show full text]
  • Mikogo & Personal Firewalls
    Mikogo & Personal Firewalls - ZoneAlarm Create an Exception Rule If you use ZoneAlarm personal firewall on your PC and you are having trouble using the Mikogo software you might have to first create an Exception Rule for Mikogo. In case you receive the following message and you use ZoneAlarm, please proceed as described below. Click on the ZoneAlarm icon in your system tray next to your computer clock. The ZoneAlarm main window will appear. In the vertical navigation on the left-hand side, click on Program Control. Mikogo & Personal Firewalls – ZoneAlarm Page 2 The ZoneAlarm Program Control will open. Click on the Programs tab. Click on Add. Browse to the mikogo-starter executable file, highlight it and click Open. Mikogo & Personal Firewalls – ZoneAlarm Page 3 Mikogo will then appear in the Programs list. Click in the Access column and choose Allow. Mikogo & Personal Firewalls – ZoneAlarm Page 4 Run a Connection Test Go to the Mikogo homepage and click on Join Session. When prompted enter 000-000-000 as the session ID and your name. Then click Join Session. Alternatively you can open the software on your computer. To do so, click on Start menu > Mikogo > Mikogo > to open and run the software. The panel will appear on your screen. Click on the button and enter the 000-000-000 session ID and your name. Then click Join Session. The following message will appear confirming that you can establish a connection with Mikogo: Mikogo & Personal Firewalls – ZoneAlarm Page 5 .
    [Show full text]
  • Personal Firewalls Are a Necessity for Solo Users
    Personal firewalls are a necessity for solo users COMPANY PRODUCT PLATFORM NOTES PRICE Aladdin Knowledge Systems Ltd. SeSafe Desktop Windows Combines antivirus with content filtering, blocking and $72 Arlington Heights, Ill. monitoring 847-808-0300 www.ealaddin.com Agnitum Inc. Outpost Firewall Pro Windows Blocks ads, sites, programs; limits access by specific times $40 Nicosia, Cyprus www.agnitum.com Computer Associates International Inc. eTrust EZ Firewall Windows Basic firewall available only by download $40/year Islandia, N.Y. 631-342-6000 my-etrust.com Deerfield Canada VisNetic Firewall Windows Stateful, packet-level firewall for workstations, mobile $101 (Canadian) St. Thomas, Ontario for Workstations users or telecommuters 519-633-3403 www.deerfieldcanada.ca Glucose Development Corp. Impasse Mac OS X Full-featured firewall with real-time logging display $10 Sunnyvale, Calif. www.glu.com Intego Corp. NetBarrier Personal Firewall Windows Full-featured firewall with cookie and ad blocking $50 Miami 512-637-0700 NetBarrier 10.1 Mac OS X Full-featured firewall $60 www.intego.com NetBarrier 2.1 Mac OS 8 and 9 Full-featured firewall $60 Internet Security Systems Inc. BlackIce Windows Consumer-oriented PC firewall $30 Atlanta 404-236-2600 RealSecure Desktop Windows Enterprise-grade firewall system for remote, mobile and wireless users Varies blackice.iss.net/ Kerio Technologies Inc. Kerio Personal Firewall Windows Bidirectional, stateful firewall with encrypted remote-management option $39 Santa Clara, Calif. 408-496-4500 www.kerio.com Lava Software Pty. Ltd. AdWare Plus Windows Antispyware blocks some advertiser monitoring but isn't $27 Falköping, Sweden intended to block surveillance utilities 46-0-515-530-14 www.lavasoft.de Network Associates Inc.
    [Show full text]
  • Master's Thesis
    Eindhoven University of Technology MASTER Securing the home network Stelma, J. Award date: 2015 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Department of Mathematics and Computer Science Architecture of Information Systems Research Group Securing the Home Network Master Thesis Jaap Stelma Supervisor: dr. D.S. (Dmitri) Jarnikov PDEng Graduation Committee: prof.dr. J.J. (Johan) Lukkien dr. D.S. (Dmitri) Jarnikov PDEng dr. J.I. (Jerry) Hartog, den Version: 1.2 (10 August 2015) Publication Date: 31 August 2016 Eindhoven, August 2015 Abstract Network security is protection and precaution taken against breaches of confidentiality, integrity, availability, authenticity, and accountability. The core technologies required to protect against the threads are identification and access control.
    [Show full text]
  • Hostscan 4.8.01064 Antimalware and Firewall Support Charts
    HostScan 4.8.01064 Antimalware and Firewall Support Charts 10/1/19 © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco public. Page 1 of 76 Contents HostScan Version 4.8.01064 Antimalware and Firewall Support Charts ............................................................................... 3 Antimalware and Firewall Attributes Supported by HostScan .................................................................................................. 3 OPSWAT Version Information ................................................................................................................................................. 5 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.890.0 for Windows .................................................. 5 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.890.0 for Windows ........................................................ 44 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.824.0 for macos .................................................... 65 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.824.0 for macOS ........................................................... 71 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.730.0 for Linux ...................................................... 73 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.730.0 for Linux .............................................................. 76 ©201 9 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
    [Show full text]
  • Sunbelt Personal Firewall User Guide
    Use of this software is subject to the End User License Agreement found in this User Guide (the License Agreement). By installing the software, you agree to accept the terms of the License Agreement. Copyright (c) 2008 Sunbelt Software. All rights reserved. All products mentioned are trademarks or registered trademarks of their respective companies. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of Sunbelt Software, Inc. Sunbelt Personal Firewall User Guide Contents Introduction .......................................................................................... 1-1 Before You Start .............................................................................................................1-2 Overview .........................................................................................................................1-2 Components ...................................................................................................................1-3 Functions and Features ..................................................................................................1-4 System Requirements ....................................................................................................1-4 Conflicting Software ........................................................................................................1-5 Styles and References
    [Show full text]
  • 030107 Schulungskatalog 07.Indd
    Horizonte erweitern? Die neuen Trainings for Professionals 2007 07 2 Editorial Liebe Leserin, lieber Leser, ich freue mich, Ihnen eine überaus positive Neuigkeit mitteilen Noch Fragen zu unseren Schulungen? zu können: die Training Group COMPUTERLINKS wurde aufgrund Für mehr Details wenden Sie sich ihrer überragenden Leistung und allerbester Referenzen von in Deutschland bitte an: Microsoft in der Kategorie „Best Learning Solution“ zum Schulungszentrum München „Microsoft Partner 2006“ gekürt. T: +49 (0)89 9 30 99-168, F: +49 (0)89 9 30 99-499 [email protected] http://training.computerlinks.de Eine Auszeichnung, über die wir uns ganz besonders freuen, da Schulungszentrum Frankfurt sie unsere außergewöhnlichen Anstrengungen im Trainingsmarkt T: +49 (0)6103 98 45-50, F: +49 (0)6103 98 45-55 [email protected] belohnt. Sicher hat dabei auch eine Rolle gepielt, dass wir als http://training.computerlinks.de Microsoft Gold Partner mit unseren zertifizierten und fest- Schulungszentrum Berlin angestellten Trainern in den letzten drei Jahren mehr als 2.000 Teilnehmer auf die unter- in Kooperation mit SPC GmbH schiedlichsten Microsoft-Produkte und -Zertifizierungen vorbereitet haben. T: +49 (0)6103 98 45-50, F: +49 (0)6103 98 45-55 [email protected] http://training.computerlinks.de Natürlich haben wir bereits für das neue Betriebssystem Microsoft Vista eine Reihe von Kursen Schulungszentrum Düsseldorf (ab Seite 32) in unserem Schulungsangebot. Dazu bietet Microsoft zwei Ausbildungsgänge an: in Kooperation mit Unilog Integrata Training AG den Technology Specialist (TS) und den Enterprise Desktop Support Technician (EDST). Ebenso T: +49 (0)6103 98 45-50, F: +49 (0)6103 98 45-55 können Sie sich schon für Schulungen zum neuen Microsoft Exchange Server 2007 anmelden.
    [Show full text]
  • NCP Dynamic Personal Firewall (Win32/64)
    Data Sheet NCP Dynamic Net Guard Centrally administrable Personal Firewall for Windows 32/64 Bit operating systems . Central Management and Network Access Control . For company PCs and within the corporate network or at workstation PCs via VPN . Location awareness through Friendly Net Detection for dynamic adaption of firewall rules . Immediate protection of the end-device from system startup onwards . Silent Mode . Free-of-charge 30 day trial version Client (Local Awareness) and thus ensures recognition of a friendly network at any rate. Scope of supply and features Various firewall rules may be created for ports, IP addresses, segments or applications. Furthermore it is NCP’s Dynamic Net Guard (Win32/64) complements possible to define whether internet access is allowed NCP’s “Next Generation Network Access Technology”- (generally or for selected websites only) and/ or the holistic Secure Communications Solution. It whether the corporate network may be accessed protects laptops, notebooks, netbooks, tablet PCs and exclusively. It is possible for the administrator to lock desktop PCs with Windows 32/64 Bit operating all client settings so that the user may not alter any of systems - Windows 7, Windows Vista, Windows XP – them. This excludes deliberate manipulation or from unauthorized access. The end-device is always misconfiguration by the user. protected against attacks, be it mobile or stationary, Since the NCP firewall is immediately active at system be it on the internet, in a Wi-Fi network or in a LAN. startup of the mobile or stationary end-device, this Depending on the location different firewall rules severe security gap is tightly sealed.
    [Show full text]
  • Virtualized Network Security with VPN-1 Power VSX
    Virtualized Network Security with VPN-1A better approach Power to securing VSX networks Virtualized Network Security with VPN-1 Power VSX Contents Executive summary ………………………………………………………… 3 Introduction to virtualization ……………………………………………… 4 Check Point VPN-1 Power VSX …………………………………………… 4 Components virtualized by VPN-1 Power VSX code …………………… 5 Layer-2 security …………………………………………………………… 5 ARP poisoning ……………………………………………………………… 6 VLAN hopping ……………………………………………………………… 6 Platforms …………………………………………………………………… 6 Crossbeam Systems ……………………………………………………… 6 Check Point SecurePlatform ……………………………………………… 7 Virtual network environment ……………………………………………… 7 Application layer protection ……………………………………………… 8 Availability, reliability, and scalability ……………………………………… 8 Quality of Service …………………………………………………………… 10 Secure provisioning ………………………………………………………… 10 Secure Management Architecture ………………………………………… 11 Management challenges …………………………………………………… 11 Security classes …………………………………………………………… 13 Permission enforcement …………………………………………………… 14 Conclusion ………………………………………………………………… 15 Virtualized Network Security with VPN-1 Power VSX Executive summary Network complexity is growing rapidly. Dynamic business requirements, mergers, spinoffs, new services, new business units, new threats, and compliance considerations are driving an ever-increasing investment in network resources, equipment, and invasive infrastructure changes. The result is often a higher cost structure combined with lower network and service availability. Companies are realizing the advantages
    [Show full text]