17 January 2011
Administration Guide
Identity Awareness
R75
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11662
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date              Description
17 January 2011   Added a new chapter ("Identity Awareness Commands" on page 95)
                  Improved formatting and document layout
30 December 2010  Improved documentation, formatting and document layout
15 December 2010  First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Identity Awareness R75
Administration Guide).
Contents
Important Information.............................................................................................3
Getting Started With Identity Awareness ..............................................................7
Introduction ......................................................................................................... 7
AD Query........................................................................................................ 9
Captive Portal ................................................................................................10
Identity Agents...............................................................................................11
Deployment ........................................................................................................13
Identity Awareness Scenarios ............................................................................14
Acquiring Identities for Active Directory Users ...............................................14
Acquiring Identities with the Captive Portal ....................................................16
Acquiring Identities with Identity Agents.........................................................20
Acquiring Identities in Application Control ......................................................22
Configuring Identity Awareness ..........................................................................25
Enabling Identity Awareness on the Security Gateway .......................................25
Results of the Wizard.....................................................................................28
Creating Access Roles .......................................................................................28
Using Identity Awareness in the Firewall Rule Base ...........................................30
Access Role Objects......................................................................................31
Negate and Drop ...........................................................................................31
Using Identity Awareness in the Application Control Rule Base..........................31
Source and Destination Fields .......................................................................32
Negate and Block ..........................................................................................33
Configuring Captive Portal in SmartDashboard ..................................................33
Portal Network Location.................................................................................33
Access Settings .............................................................................................33
Authentication Settings ..................................................................................34
Customize Appearance..................................................................................34
User Access ..................................................................................................35
Agent Deployment from the Portal .................................................................36
Configuring Identity Agents.................................................................................36
Identity Agent Types ......................................................................................36
Identity Agent Deployment Methods ..............................................................38
Server Discovery and Trust............................................................................39
Configuring Identity Agents in SmartDashboard.............................................40
Configuring Identity Awareness for a Log Server................................................42
Enabling Identity Awareness on the Log Server.............................................42
Identity Sources....................................................................................................43
Choosing Identity Sources..................................................................................43
Advanced AD Query Configuration.....................................................................43
Configuring Identity Awareness for a Domain Forest (Subdomains) ..............43
Specifying Domain Controllers per Security Gateway ....................................44
Permissions and Timeout ..............................................................................47
Multiple Gateway Environments.....................................................................48
Non-English Language Support .....................................................................48
Performance ..................................................................................................48
Troubleshooting.............................................................................................49
Advanced Captive Portal Configuration ..............................................................51
Customizing Text Strings ...............................................................................51
Adding a New Language................................................................................54
Server Certificates .........................................................................................56
Advanced Identity Agents Configuration.............................................................58
Customizing Parameters................................................................................58
Prepackaging Identity Agent Installation ........................................................59
Advanced Deployment .........................................................................................60
Introduction ........................................................................................................60
Deployment Options ...........................................................................................61
Configuring Clusters in Bridge Mode ..................................................................61
Preparing Clusters with a Bridge....................................................................63
Checking the Bridge Configuration.................................................................63
Configuring the External Identity Awareness Gateway...................................63
Configuring the Cluster ..................................................................................64
Configuring Cluster and Bridge Support.........................................................64
Deploying a Test Environment............................................................................64
Testing Identity Sources ................................................................................65
Testing Identity Agents ..................................................................................65
Deployment Scenarios .......................................................................................66
Perimeter Security Gateway with Identity Awareness ....................................66
Data Center Protection ..................................................................................67
Large Scale Enterprise Deployment...............................................................67
Network Segregation .....................................................................................69
Distributed Enterprise with Branch Offices.....................................................70
Wireless Campus...........................................................................................72
Dedicated Identity Acquisition Gateway .........................................................72
Advanced Identity Agent Options........................................................................74
Kerberos SSO Configuration ..............................................................................75
Overview........................................................................................................75
How SSO Operates .......................................................................................76
References ....................................................................................................76
SSO Configuration.........................................................................................76
Server Discovery and Trust ................................................................................81
Introduction....................................................................................................81
Discovery and Trust Options..........................................................................82
Option Comparison........................................................................................83
Prepackaging Identity Agents .............................................................................89
Introduction....................................................................................................89
Custom Identity Agent msi .............................................................................89
Using the cpmsi_tool.exe...............................................................................89
Sample INI File ..............................................................................................93
Deploying a Prepackaged Agent via the Captive Portal .................................93
Identity Awareness Commands...........................................................................95
Introduction ........................................................................................................95
pdp .....................................................................................................................96
pdp monitor....................................................................................................96
pdp connections.............................................................................................98
pdp control.....................................................................................................98
pdp network ...................................................................................................99
pdp debug......................................................................................................99
pdp tracker...................................................................................................100
pdp status....................................................................................................101
pdp update...................................................................................................101
pep ...................................................................................................................102
pep show .....................................................................................................102
pep debug....................................................................................................104
adlog ................................................................................................................105
adlog query..................................................................................................105
adlog dc.......................................................................................................106
adlog statistics .............................................................................................106
adlog debug.................................................................................................106
adlog control ................................................................................................107
adlog service_accounts ...............................................................................107
test_ad_connectivity.........................................................................................108
Index ....................................................................................................................109
Page 7
Chapter 1
Getting Started With Identity
Awareness
In This Chapter
Introduction 7
Deployment 13
Identity Awareness Scenarios 14
Introduction
Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and machine
identities behind those IP addresses. Identity Awareness removes this anonymity by mapping IP addresses to
user and machine identities. This lets you enforce access and audit data based on identity.
Identity Awareness is an easy to deploy and scalable solution. It is applicable for both Active Directory and
non-Active Directory based networks as well as for employees and guest users. It is currently available on
the Firewall blade and Application Control blade and will operate with other blades in the future.
Identity Awareness lets you easily configure network access and auditing based on network location and:
The identity of a user
The identity of a machine
When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine
together with a name. This lets you create firewall rules with any of these properties: for example, a
firewall rule for specific users when they send traffic from specific machines, or a firewall rule for a
specific user regardless of which machine they send traffic from.
Introduction
Getting Started With Identity Awareness Page 8
In SmartDashboard, you use Access Role objects to define users, machines and network locations as one
object.
Identity Awareness also lets you see user activity in SmartView Tracker and SmartEvent based on user and
machine name and not just IP addresses.
Identity Awareness gets identities from these acquisition sources:
AD Query
Captive Portal
Identity Agent
The table below shows how identity sources are different in terms of usage and deployment considerations.
Depending on those considerations, you can configure Identity Awareness to use one identity source or a
combination of identity sources ("Choosing Identity Sources" on page 43).
Source: AD Query
  Description: Gets identity data seamlessly from Microsoft Active Directory (AD)
  Recommended Usage:
    Identity based auditing and logging
    Leveraging identity in Internet application control
    Basic identity enforcement in the internal network
  Deployment Considerations:
    Easy configuration (requires AD administrator credentials)
    Preferred for desktop users
    Only detects AD users and machines

Source: Captive Portal
  Description: Sends unidentified users to a Web portal for authentication
  Recommended Usage:
    Identity based enforcement for non-AD users (non-Windows and guest users)
    For deployment of Identity Agents
  Deployment Considerations:
    Used for identity enforcement (not intended for logging purposes)

Source: Identity Agent
  Description: A lightweight endpoint agent that authenticates securely with Single Sign-On (SSO)
  Recommended Usage:
    Leveraging identity for Data Center protection
    Protecting highly sensitive servers
    When accuracy in detecting identity is crucial
  Deployment Considerations:
    See Choosing Identity Sources (on page 43).
Identity aware gateways can share the identity information that they acquire with other identity aware
gateways. In this way, users that need to pass through several enforcement points are only identified once.
See Advanced Deployment (on page 60) for more information.
AD Query
AD Query is an easy to deploy, clientless identity acquisition method. It is based on Active Directory
integration and it is completely transparent to the user.
The AD Query option operates when:
An identified asset (user or machine) tries to access an Intranet resource that creates an authentication
request. For example, when a user logs in, unlocks a screen, shares a network drive, reads emails
through Exchange, or accesses an Intranet portal.
AD Query is selected as a way to acquire identities.
The technology is based on querying the Active Directory Security Event Logs and extracting from them the
mapping of users and machines to network addresses. It is based on Windows Management Instrumentation
(WMI), a standard Microsoft protocol. The Security Gateway communicates directly with the Active Directory
domain controllers and does not require a separate server.
No installation is necessary on the clients or on the Active Directory server.
How AD Query Operates - Firewall Rule Base Example
The steps listed in the example align with the numbers in the image below.
1. The Security Gateway registers to receive security event logs from the Active Directory domain
controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security Gateway. The Security Gateway
extracts the user and IP information (user name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and lets him access the Internet based
on the policy.
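The following is an added example, not Check Point code, showing what steps 3 and 5 amount to in code: security event records from a domain controller are replayed into a table that maps a source IP address to user name@domain and machine name, and an access-role style rule is then evaluated against that table. It assumes the records are Windows "An account was successfully logged on" events (event ID 4624) already split into fields; the guide only says "security event logs" and does not name the event IDs or field layout it reads. The sample events, account names and addresses are constructed.

```python
"""IP-to-identity table of the kind an AD Query style collector derives from
domain controller security event logs. Added illustration, not Check Point code.
Assumption: the records are Windows logon-success events (ID 4624)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOGON_SUCCESS = 4624
# Logon types whose Source Network Address is the client's own address
# (3 = network, 10 = remote interactive). Console logons carry "-" instead.
NETWORK_LOGON_TYPES = {3, 10}
UNUSABLE_ADDRESSES = {"-", "", "::1", "127.0.0.1"}


@dataclass
class Identity:
    user: Optional[str]     # "user@domain", None if only the machine is known
    machine: Optional[str]  # workstation name from the event, None if unknown


# Constructed sample events (not real log data), already split into fields.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4624, "LogonType": 3, "AccountName": "jdoe", "AccountDomain": "CORP",
     "WorkstationName": "WS-017", "SourceNetworkAddress": "10.1.2.30"},
    # Machine account logon from the same workstation: adds the machine identity.
    {"EventID": 4624, "LogonType": 3, "AccountName": "WS-017$", "AccountDomain": "CORP",
     "WorkstationName": "WS-017", "SourceNetworkAddress": "10.1.2.30"},
    # Console logon on the DC itself: no network address to map.
    {"EventID": 4624, "LogonType": 2, "AccountName": "admin", "AccountDomain": "CORP",
     "WorkstationName": "DC01", "SourceNetworkAddress": "-"},
    # Failed logon (4625) must never create an identity.
    {"EventID": 4625, "LogonType": 3, "AccountName": "mallory", "AccountDomain": "CORP",
     "WorkstationName": "WS-099", "SourceNetworkAddress": "10.1.2.99"},
    # A second user logs in from the same IP later: the newer logon wins.
    {"EventID": 4624, "LogonType": 3, "AccountName": "asmith", "AccountDomain": "CORP",
     "WorkstationName": "WS-017", "SourceNetworkAddress": "10.1.2.30"},
]


def build_identity_map(events: List[dict]) -> Dict[str, Identity]:
    """Replay events in log order and keep the latest user and machine seen per IP."""
    mapping: Dict[str, Identity] = {}
    for ev in events:
        if ev["EventID"] != LOGON_SUCCESS or ev["LogonType"] not in NETWORK_LOGON_TYPES:
            continue
        ip = ev["SourceNetworkAddress"]
        if ip in UNUSABLE_ADDRESSES:
            continue
        current = mapping.get(ip, Identity(None, None))
        name = ev["AccountName"]
        if name.endswith("$"):
            # Machine accounts (trailing "$") identify the computer, not a user.
            mapping[ip] = Identity(current.user, name[:-1])
        else:
            machine = ev.get("WorkstationName") or current.machine
            mapping[ip] = Identity(f"{name}@{ev['AccountDomain']}", machine)
    return mapping


def access_role_matches(identity: Optional[Identity],
                        users: Optional[set] = None,
                        machines: Optional[set] = None) -> bool:
    """Step 5: a rule may constrain the user, the machine, or both. An unidentified
    source (None) never matches an identity-based rule."""
    if identity is None:
        return False
    if users is not None and identity.user not in users:
        return False
    if machines is not None and identity.machine not in machines:
        return False
    return True


if __name__ == "__main__":
    table = build_identity_map(SAMPLE_EVENTS)
    for ip, ident in table.items():
        print(f"{ip:<12} user={ident.user} machine={ident.machine}")
    print(access_role_matches(table.get("10.1.2.30"), users={"asmith@CORP"}, machines={"WS-017"}))
```

Two details matter for the accuracy the guide later discusses: failed logons and console logons contribute nothing to the table, and when a second user logs on from an address that is already mapped, the newer logon replaces the older one, which is why a shared terminal server or NAT address can only ever be attributed to one user at a time with this method.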
Captive Portal
The Captive Portal is a tool that acquires identities from unidentified users. It is a simple method that
authenticates users through a web interface before granting them access to Intranet resources. When users
try to access a protected resource, they get a web page that they must fill out to continue.
Figure 1-1 Captive Portal Login
The Captive Portal option operates when a user tries to access a web resource and all of these apply:
The Captive Portal is selected as a way to acquire identities and the redirect option has been set for the
applicable rule.
Unidentified users cannot access that resource because of rules with access roles in the Firewall /
Application Rule Base. But if users are identified, they might be able to access the resource.
When these criteria are true, Captive Portal acquires the identities of users.
From the Captive Portal users can:
Enter an existing user name and password if they have them.
For guest users, enter required credentials. Configure what is required in the Portal Settings.
Click a link to download an Identity Awareness agent. Configure this in the Portal Settings.
How Captive Portal Operates - Firewall Rule Base
The steps listed in the example align with the numbers in the image below.
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize him and redirects the browser to the Captive Portal.
3. The user enters his regular office credentials. The credentials can be AD or other Check Point supported
authentication methods, such as LDAP, Check Point internal credentials, or RADIUS.
4. The credentials are sent to the Security Gateway and verified in this example against the AD server.
5. The user can now go to the originally requested URL.
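The five steps above, modelled as an added example that is not Check Point code, so the redirect-authenticate-return exchange can be run without a web server or a directory. The portal URL, the protected resource prefix, the credential store (a constructed PBKDF2 table standing in for the AD, LDAP or RADIUS backend) and the per-IP session table are all assumptions of the example.

```python
"""Captive Portal exchange modelled as plain functions. Added illustration, not
Check Point code; portal URL, credential store and session handling are assumed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

PORTAL_URL = "https://gateway.example.local/connect"   # assumed portal location
PROTECTED_PREFIX = "https://datacenter.example.local/"  # resource behind an access-role rule
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    """Stand-in for the AD/LDAP/RADIUS backend check: PBKDF2 over a constructed store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store; a real gateway verifies against the directory instead.
CREDENTIALS: Dict[str, bytes] = {"jdoe": _hash("correct horse battery staple")}


class Gateway:
    def __init__(self) -> None:
        self.identities: Dict[str, str] = {}  # client IP -> user acquired via the portal
        self.pending: Dict[str, str] = {}     # client IP -> originally requested URL

    def handle_request(self, client_ip: str, url: str) -> Tuple[str, str]:
        """Steps 1-2 (and 5): redirect an unidentified client to the portal, let an
        identified one through. URLs outside the protected prefix are not subject
        to the identity rule."""
        if not url.startswith(PROTECTED_PREFIX):
            return ("allow", url)
        if client_ip not in self.identities:
            self.pending[client_ip] = url  # remembered server-side, not in a query string
            return ("redirect", PORTAL_URL)
        return ("allow", url)

    def portal_login(self, client_ip: str, username: str,
                     password: str) -> Tuple[str, Optional[str]]:
        """Steps 3-4: verify the submitted credentials and bind the user to the client IP."""
        candidate = _hash(password)
        expected = CREDENTIALS.get(username, b"")
        # The hash is computed for unknown users too, so a missing account is not
        # faster to reject than a wrong password.
        if not hmac.compare_digest(expected, candidate):
            return ("login_failed", None)
        self.identities[client_ip] = username
        return ("redirect", self.pending.pop(client_ip, PROTECTED_PREFIX))


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle_request("10.1.2.30", PROTECTED_PREFIX + "reports"))
    print(gw.portal_login("10.1.2.30", "jdoe", "correct horse battery staple"))
    print(gw.handle_request("10.1.2.30", PROTECTED_PREFIX + "reports"))
```

The originally requested URL is kept in a server-side table keyed by the client address rather than carried in a portal query parameter, so the portal only ever sends the user back to a URL the gateway itself recorded at step 2.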
Identity Agents
Identity Agents are dedicated client agents installed on users' computers that acquire and report identities to
the Security Gateway.
Using Identity Agents gives you: