Saturday, April 2, 2016

Check Point Identity Awareness

Check Point Identity Awareness Software Blade provides granular visibility of users, groups, and machines, providing unmatched application and access control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single unified console.

Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Identity Awareness removes this anonymity by mapping IP addresses to user and machine identities. This lets you enforce access and audit data based on identity.

Identity Awareness is an easy-to-deploy and scalable solution. It is applicable to both Active Directory and non-Active Directory based networks, as well as to employees and guest users. It is currently available on the Firewall blade and Application Control blade and will operate with other blades in the future.

Identity Awareness lets you easily configure network access and auditing based on network location and:

* The identity of a user

* The identity of a machine

When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine together with a name. This lets you create firewall rules with any of these properties: for example, a rule for specific users only when they send traffic from specific machines, or a rule for a specific user regardless of which machine they send traffic from.

In SmartDashboard, you use Access Role objects to define users, machines, and network locations as one object.

Identity Awareness also lets you see user activity in SmartView Tracker and SmartView based on user and machine name and not just IP addresses.

Identity Awareness gets identities from these acquisition sources:

* AD Query

* Browser-Based Authentication

* Endpoint Identity Agent

* Terminal Servers Identity Agent

* Remote Access



I've added a firewall rule (Rule #6) for HQ DMZ Server 1 (172.16.1.10) and also created a destination static NAT that maps it to the outside IP 192.168.1.10. I've also enabled the IIS/web service on HQ DMZ Server 1 and tested it with Telnet to port 80 from an outside host, which in this case is R1 (192.168.1.1).






Since I don't have an AD/LDAP server in my virtual lab, I've created local users and put them in a Group (Sales).








Enable Identity Awareness under Network Objects > Check Point > click the Security Gateway > General Properties > tick Identity Awareness. In this case, tick Browser-Based Authentication, since there's no AD server and we'll use the Captive Portal feature. The Captive Portal can also serve a BYOD policy for users with smartphones and tablets, as well as guest users such as partners and contractors.



Tick I do not wish to configure an Active Directory at this time and click Next.

Change the Main URL to use the outside IP address 192.168.1.111 so that outside users can also log in via the Captive Portal. Click Edit and choose Through all interfaces. Click Next and Finish.




To use an Access Role in a firewall rule, go to Users and Administrators Objects > right-click Access Roles and choose New Access Role.

Under the Networks tab, choose Specific Networks > click the plus (+) symbol and choose the Network Object HQ-Inside.




Under the Users tab, click Specific users/groups > click the plus (+) symbol and choose the Sales group. Leave the defaults under the Machines and Authentication tabs.





Modify firewall rule #6 to use Access-Role-Policy as the Source, with HQ-DMZ-Server1 as the Destination. Under the Action column, right-click Accept and choose Edit properties.



To use the Captive Portal feature, tick Redirect http connections to an authentication (captive) portal and click OK.


Click Save and Verify Policies (the icon between Edit Global Properties and Install Policy).


The Verify Policies tool showed a warning that Rule 5 hides Rule 6, meaning an earlier rule already matches every connection rule 6 would, so rule 6 would never fire. I temporarily disabled rule #5 for testing purposes. Click Save and Install Policy.



I tested HTTP access from the internal SmartConsole PC (10.1.1.50) by browsing to the NAT IP of HQ DMZ Server 1 (192.168.1.10) and got a browser Privacy error. This is because the portal's SSL certificate, issued by the ICA (the internal CA on the Security Management Server), is not trusted by my web browser (Chrome). Click Proceed to 192.168.1.111 (unsafe).


I logged in as an internal user (Sophia) from the Sales group and was redirected to the DMZ Web Server (192.168.1.10).


Go to SmartView Tracker to verify the Identity Awareness logs, which are represented by a green door icon.
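As an added illustration (not code from this post or from Check Point), here is a small Python model of the decision rule #6 makes once identity is in play: the Access Role matches only when the source sits in HQ-Inside and the mapped user belongs to Sales, and an HTTP connection from a source with no identity yet is sent to the Captive Portal first. The 10.1.1.0/24 prefix for HQ-Inside, the second user "bob", the matching order, and ignoring NAT are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed lab data mirroring the post. The 10.1.1.0/24 prefix for the
# HQ-Inside object and the user "bob" are assumptions, not from the post.
HQ_INSIDE = ip_network("10.1.1.0/24")
DMZ_SERVER_NAT = ip_address("192.168.1.10")   # NAT address of HQ DMZ Server 1 (NAT itself not modelled)
CAPTIVE_PORTAL = "https://192.168.1.111/"     # Main URL set in the Captive Portal wizard
GROUPS = {"sophia": {"Sales"}, "bob": {"Engineering"}}   # local users -> groups


class IdentityAwareness:
    """Simplified model of Access Role matching: source network AND user group."""

    def __init__(self):
        self.ip_to_user = {}   # identity mappings learned from Captive Portal logins

    def portal_login(self, src_ip, user, credentials_ok):
        """Record an IP -> user mapping after a successful Captive Portal login."""
        if credentials_ok and user in GROUPS:
            self.ip_to_user[ip_address(src_ip)] = user
            return True
        return False

    def access_role_matches(self, src_ip, networks, groups):
        """Access-Role-Policy: source in one of the networks and user in one of the groups."""
        src = ip_address(src_ip)
        if not any(src in net for net in networks):
            return False
        user = self.ip_to_user.get(src)
        return user is not None and bool(GROUPS[user] & groups)

    def evaluate_rule6(self, src_ip, dst_ip, dst_port):
        """Rule #6: Access-Role-Policy -> HQ-DMZ-Server1, Accept, portal redirect enabled."""
        src = ip_address(src_ip)
        if ip_address(dst_ip) != DMZ_SERVER_NAT:
            return "no-match"
        # Unidentified HTTP from a network the role covers is sent to the portal first
        if src not in self.ip_to_user and dst_port == 80 and src in HQ_INSIDE:
            return "redirect:" + CAPTIVE_PORTAL
        if self.access_role_matches(src_ip, [HQ_INSIDE], {"Sales"}):
            return "accept"
        return "no-match"   # identified but not Sales, or outside HQ-Inside: falls through


if __name__ == "__main__":
    ia = IdentityAwareness()
    print(ia.evaluate_rule6("10.1.1.50", "192.168.1.10", 80))   # redirect to the portal
    ia.portal_login("10.1.1.50", "sophia", True)
    print(ia.evaluate_rule6("10.1.1.50", "192.168.1.10", 80))   # accept
```

The "no-match" result only means rule 6 does not apply; in the real rule base the connection continues to later rules (and ultimately the cleanup rule), which is also why the Rule 5 shadowing warning matters.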




