
IDENTITY AWARENESS

R80.40 Software Blade Training


(JULY 2020)

©2017 Check Point Software Technologies Ltd.
Visibility about the application
Visibility about the attack
Visibility about user, machine and OS



IDENTITY SOURCES



Support For Multiple Identity Sources

Multiple sources for learning identities


• Identity Collector
– Integrating to AD and Cisco TrustSec
• Browser Based Authentication
– allows integrating into Kerberos Ticketing
• RADIUS Accounting
– opening the door for integrating into NAC
• Open API
– 3rd party integration



Identity Awareness Key Components And Functions
AD Query – A simple method, but you want to know the limitations
• AD Query – based on WMI
– The PDP subscribes to the WMI service running on the AD logon server
– A userID with role “Domain Administrators” is required to learn the logon event
– WMI service is based on IIS running on the Windows server
– Keep in mind the latency that occurs from the user's login event until the notification arrives at the PDP
Note: The Identity Collector presents a much more elegant solution, as it requires only event log reader rights.
[Diagram: R80.x Management, PDP and PEP; the PDP (adlog) subscribes via WMI to the AD Logon Server for Login events and issues LDAP Group Membership Queries]



Identity Sources: Identity Collector
Reviewing most important facts

• Identity Collector subscribes to the Security Events on the Active Directory Server
– Login Events are learned via Microsoft API
– A userID with event log reader rights is sufficient to subscribe to the service
– Up to 35 AD Logon Servers can be configured, supporting up to 1900 login events/second
• Login Events are forwarded to the PDP
– PDP performs LDAP group membership query
– Once completed, an Identity Session is created
– Identity Sessions are shared
[Diagram: Management Domain with Active Directory Logon Server 1 (Site 1) and Logon Server 2 (Site 2); the Identity Collector learns Login Events from both and forwards them to the PDP, which issues LDAP Queries; the Identity Session is shared to the PEP(s) in front of App2 and App3; Cisco ISE (Identity Services Engine) also feeds the Identity Collector]



Identity Awareness Components – ID Agent
A Client for Windows and Mac OS
• Identity Agent
– Using the ID Agent, customers can manage roaming users (change of source IP addresses)
– ID Agents connect to the PDP, advising it about the Login Event “user@machine@ip_address”
– “Keep alive” packets are sent from the ID Agent to the PDP
Note: Identities learned via ID Agent take precedence over those learned by ID Collector or AD Query.
[Diagram: user performs authentication against the AD Logon Server; the ID Agent reports “user@machine@ip” to the PDP, which performs Group Membership Queries; supports users and machines roaming between network segments]



Identity Awareness Components – Multi-User Host Agent
A Terminal Server Client for Windows Servers – sk66761
• A TDI driver intercepts the user's connections
• Source port ranges are allocated per user
• For each user connection a source port from the pool is allocated, allowing the PDP to identify the traffic related to this user
[Source Port Range Pool “user@machine@ip”]
[Diagram: Terminal Server environment; the Multi-User Agent on the Terminal Server reports to the PDP, which performs Group Membership Queries; user performs authentication; PEP enforces; supporting TCP and UDP applications]



The Absolute Minimum You Must Know About MUH2
Leave the past Multi-User Host Agent v1 behind if you want to scale
• MUHv1 agent mapping source ports to users
– Source ports selected by the MUH agent had to be free on the gateway running the PDP instance
– A high amount of resources was consumed on the server running MUH and on the PDP terminating the MUH
• Scaling was limited
– Per MUH: max. 20 users
– Per PDP: max. 5 MUH connections
– MUH was running out of source ports per user if the user requested applications consuming a lot of TCP connections
[Diagram: the Multi-User Host Agent maps user1 @src-port-100 and user2 @src-port-200; the PDP holds the table user1 <> src port range1, user2 <> src port range2 and shares it with the PEP; up to 20 users per MUH agent, up to 5 MUH agents per PDP]



The Absolute Minimum You Must Know About MUH2
Embracing MUH2 – Requires R80.40 on PDP and PEP instances
• MUH2 agent maps IDs to users
– ID ranges are assigned to each user connecting to the server running MUH2
– MUH2 communicates ‘ID assigned to user’ to the PDP
– PDP includes the ID information in the Identity Session information shared with PEP(s) (and PDP Broker Subscribers)
– MUH2 inserts the ID into the IP Identification header of packets forwarded to applications
– PEP reads the ID and relates it to the Identity Session
• MUH2 supports scale
– Up to 256 users per Terminal Server and up to 50 MUH2 agents connecting to one PDP
[Diagram: the Multi-User Host Agent maps user1 == ID abc123 and user2 == ID def456; the PDP holds the table user1 <> ID range1, user2 <> ID range2 and shares it with the PEP; up to 256 users per MUH agent, up to 50 MUH2 agents per PDP]



Understanding IP Header Identification Field RFC 791

• Review RFC 791
– The Identification header field is used to carry the ID number used by MUHv2 to identify the user@terminal_server
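As an added example (not from the training deck and not Check Point's code), the following Python walks through the PEP-side step described on the two MUH2 slides above: parse an IPv4 header as laid out in RFC 791, read the 16-bit Identification field, and relate the carried ID to the user whose ID range the PDP shared in the Identity Session. The ID table, the addresses and the "user1@ts1" names are constructed; how the real PEP encodes and validates the ID is not documented here and may differ.

```python
import socket
import struct

# ID ranges the PDP shares with the PEP in the Identity Session, keyed by the
# terminal server's IP (constructed sample; MUH2 assigns one range per user).
ID_TABLE = {
    "192.0.2.10": {                      # terminal server running MUH2
        "user1@ts1": (0x1000, 0x10FF),   # inclusive ID range for user1
        "user2@ts1": (0x1100, 0x11FF),   # inclusive ID range for user2
    },
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, identification: int, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header carrying a user ID in the Identification field."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,     # version 4, IHL 5, TOS, total length
                      identification, 0x4000,         # Identification, DF flag, fragment offset 0
                      64, 6, 0,                       # TTL, protocol TCP, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_identification(packet: bytes):
    """PEP-side parse: return (identification, source IP) or raise ValueError on a malformed header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero including its checksum
        raise ValueError("header checksum mismatch")
    return struct.unpack("!H", packet[4:6])[0], socket.inet_ntoa(packet[12:16])

def identify_user(packet: bytes, table=ID_TABLE):
    """Relate the Identification value to the user whose range contains it; None if unidentified."""
    identification, src = parse_identification(packet)
    ranges = table.get(src)
    if ranges is None:
        return None                        # not a terminal server with an Identity Session
    for user, (lo, hi) in ranges.items():
        if lo <= identification <= hi:
            return user
    return None                            # ID outside every assigned range
```

Only packets from a host that has an Identity Session are mapped, so a matching ID value in traffic from any other source stays unidentified.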



Identity Awareness Components – Captive Portal
Browser based authentication – KERBEROS ticket based integration

• Users authenticate against the Active Directory and KERBEROS tickets are issued
• The browser presents the ticket to the PDP instance, which verifies this ticket
• If verification is successful, access is provided
– The Captive Portal allows users to perform a manual logon to the gateway: http://<PDP>/connect
[Diagram: user performs authentication against the AD Logon Server; Captive Portal on the PDP; KERBEROS tickets can be intercepted to achieve transparent authentication]



Configuring The Identity Provider
Working in SmartConsole and Azure Active Directory admin center



ENFORCING SECURITY BASED ON IDENTITIES


Identity Awareness – Enforcement

• Identity based access control and threat prevention is enforced using the Access Role object
– Clicking on the ‘+’ allows adding users/machines from various sources such as Active Directory domains, LDAP groups or Identity Tags
– Selecting Active Directory domain(s) initiates the management server to contact the Active Directory logon server configured in the relevant LDAP Account Unit object
[Diagram: SmartConsole, Management Server, Active Directory]



Identity Awareness Access Role Object

• The security is enforced using an Access Role object in the rule base

• The Access Role object can be used as source and/or destination



Identity Awareness – Enforcement

• Make sure the Identity Role is learned for the given user
[Expert@gwr8010:0]# pep sh us que usr eng1
Command: root->show->user->query

PDP: <127.0.0.1, 00000000>; UID: <25e8eba1>


==================================================
Client ID : <192.168.169.115, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : eng1
Machine name :
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <EngineeringGroup>
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 43210
Last update time : Thu Mar 30 18:37:58 2017
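An added example (not part of the deck) that automates the check above: it parses the `pep show user query usr` output exactly as printed on the slide and reports whether the expected Identity Role is present and the session still has time left. It assumes the "Time left" value counts seconds; the field names come from the slide's own output.

```python
import re
# Output of "pep show user query usr eng1" copied from the slide as sample input.
SAMPLE_OUTPUT = """\
PDP: <127.0.0.1, 00000000>; UID: <25e8eba1>
==================================================
Client ID : <192.168.169.115, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : eng1
Machine name :
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <EngineeringGroup>
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 43210
Last update time : Thu Mar 30 18:37:58 2017
"""

_FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")   # "Key : Value"; the colon may hug the key

def parse_pep_user_query(text):
    """One dict per record (a record starts at a '====' line); '<...>' unwrapped, Unavailable -> None."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("====="):
            current = {}
            records.append(current)
        elif current is not None and (m := _FIELD.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip().strip("<>")
            if value in ("", "Unavailable"):
                current[key] = None
            else:
                current[key] = int(value) if value.isdigit() else value
    return records

def check_identity(text, user, expected_role, min_time_left=600):
    """Findings for a user on this PEP: no session, wrong Identity Role, or Time left (assumed seconds) too low."""
    sessions = [r for r in parse_pep_user_query(text) if r.get("Username") == user]
    if not sessions:
        return ["no identity session on this PEP for %s" % user]
    findings = []
    for s in sessions:
        if s.get("Identity Role") != expected_role:
            findings.append("%s: Identity Role %r, expected %r" % (s.get("Client ID"), s.get("Identity Role"), expected_role))
        if (s.get("Time left") or 0) < min_time_left:
            findings.append("%s: only %s s left before the session expires" % (s.get("Client ID"), s.get("Time left")))
    return findings
```

An empty list from check_identity means the PEP holds the expected role for the user; anything else is a finding to follow up on the PDP side (pdp monitor user).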



Identity Awareness – pep and pdp tables

pdp monitor user <usr>
pep show user query usr <usr>



Identity Sources - summary

Active Directory Query
  Scale: Limited scale
  Integration Point: Active Directory Domain Controllers
  End user Experience: Clientless, easy to apply
  Resource Consumption: High on DCs & GWs
  Identity Information: User & machine

Identity Collector
  Scale: High scale
  Integration Point: Active Directory, Cisco ISE, Syslog, eDirectory
  End user Experience: Clientless, easy to apply
  Resource Consumption: Low on DCs & GWs
  Identity Information: User & machine
  Identity Assurance: Log Off events

Identity Agent
  Scale: Limited scale
  Integration Point: Active Directory (SSO Kerberos)
  End user Experience: Requires deployment of agents
  Resource Consumption: High on GW
  Identity Information: User & machine
  Identity Assurance: Roaming, IP Spoofing

Terminal Server Agent
  Scale: Limited scale
  Integration Point: Active Directory (SSO Kerberos)
  End user Experience: Requires implementation
  Resource Consumption: High on GW
  Identity Information: Per connection identification

RADIUS Accounting
  Scale: High scale
  Integration Point: NAC Solutions
  End user Experience: Clientless, easy to apply
  Resource Consumption: Very low on GW
  Identity Information: Additional group information
  Identity Assurance: Depending on NAC solution

IDA Web API
  Scale: Med-high scale
  Integration Point: Various NAC solutions
  End user Experience: A one time API implementation
  Resource Consumption: Low to medium
  Identity Information: Additional group information
  Identity Assurance: Support Log Off

Captive Portal
  Scale: Med-high scale
  Integration Point: AD, RADIUS, SAML 2.0
  End user Experience: Might require manual authentication; Kerberos supported for SSO
  Resource Consumption: Low to medium
  Identity Information: User only



Secure Knowledge Articles

• Identity Awareness AD Query sk60301
• Identity Collector - Technical Overview sk108235
• ATRG Identity Awareness sk86441
• Troubleshooting Kerberos in Identity Awareness sk104055
• Best Practices – Identity Awareness Large Scale Deployment sk88520
• Identity Awareness Agent for MacOS sk63920
• Identity Awareness Agent Network Communication and Processes sk11323



The Absolute Minimum You Must Know
Recommended Readings
• Introducing Identity Awareness
– 25 min video posted on CheckMates at http://bit.ly/32vDoNB
• Understanding Identity Sharing
– Whitepaper posted on CheckMates at http://bit.ly/2VrcvsX
• Getting started with PDP Broker
– Whitepaper based on the initial R80.10 custom hot fix; provides a general overview of the solution
– Posted on CheckMates at http://bit.ly/3cfo782
• Integrating Check Point ID Awareness into Cisco ISE environments
– 12 min video posted on CheckMates at http://bit.ly/389e8yd
• Establishing Trust between Cisco ISE and Check Point ID Collector using certificates issued by a Microsoft CA
– Whitepaper posted on CheckMates at http://bit.ly/2uvszyy



THANK YOU
