Check Point FireWall-1 provides customers, including remote users and telecommuters, with secure, authenticated access to enterprise resources using multiple authentication schemes. FireWall-1 authentication services securely validate that the users attempting to make a connection are who they say they are before the communication is allowed to proceed. Modifications to local servers or client applications are not required. Authentication services are fully integrated into the enterprise-wide security policy and can be centrally managed through FireWall-1's graphical user interface. All authentication sessions can be monitored and tracked through the Log Viewer.

FireWall-1 provides three authentication methods:

  1. User Authentication
  2. Client Authentication
  3. Transparent Session Authentication

User Authentication

FireWall-1's transparent User Authentication provides access privileges on a per-user basis for FTP, TELNET, HTTP, and RLOGIN, regardless of the user's IP address. If a local user is temporarily away from the office and logging in on a different host, the security administrator may define a rule that allows that user to work on the local network without extending access to all users on the same host.

The FireWall-1 Security Servers implement user authentication on the gateway. FireWall-1 intercepts a user's attempt to start an authenticated session on the requested server and directs the connection to the appropriate Security Server. After the user is authenticated, the FireWall-1 Security Server opens a second connection to the host. All subsequent packets of the session are intercepted and inspected by FireWall-1 on the gateway.

Client Authentication

Client Authentication enables an administrator to grant access privileges to a specific user at a specific IP address. In contrast to User Authentication, Client Authentication is not restricted to specific services, but provides a mechanism for authenticating any application, standard or custom. FireWall-1 Client Authentication is not transparent, but it does not require any additional software or modifications on either the client or server. The administrator can determine how each individual is authenticated, which servers and applications are accessible, at what times and days, and how many sessions are permitted. Under Version 4, Client Authentication can now be performed from a Web browser through an HTTP connection or via a Telnet session.

Transparent Session Authentication

Transparent Session Authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the FireWall-1 gateway, located between the user and the destination, intercepts the connection, recognizes that it requires user-level authentication, and initiates a connection with a Session Authentication Agent. The Agent performs the required authentication, after which FireWall-1 allows the connection to continue to the requested server if permitted.

Authentication Schemes

FireWall-1 supports the following authentication schemes:

  1. SecurID — The user is challenged to enter the number displayed on the Security Dynamics SecurID card.
  2. S/Key — The user is challenged to enter the value of the requested S/Key iteration. In addition, it has been enhanced with MD5 data integrity.
  3. OS Password — The user is challenged to enter his or her OS password.
  4. Internal — The user is challenged to enter his or her internal FireWall-1 password on the gateway.
  5. Axent — The user is challenged for the response, as defined by the Axent server.
  6. RADIUS — The user is challenged for a response, as defined by the RADIUS server.
  7. LDAP — The user is prompted for a response from the LDAP server.
  8. TACACS — The user is prompted for a response from the TACACS server.
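As an added illustration of the S/Key scheme listed above (example code written for this page, not Check Point's implementation), the exchange below shows a client computing the requested iteration and a gateway verifying it with the MD5 variant of one-time passwords defined in RFC 2289. The user name, seed and passphrase are constructed values.

```python
import hashlib
import hmac

def otp_fold(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: iteration n is the fold applied n more times to the initial
    fold of seed+passphrase (seed lowercased, following RFC 2289)."""
    x = otp_fold((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = otp_fold(x)
    return x

class SKeyVerifier:
    """Gateway side: stores only the last accepted OTP and its iteration number,
    never the passphrase; each success moves the counter down by one."""
    def __init__(self):
        self.users = {}  # user -> [seed, last_iteration, last_otp]

    def enroll(self, user, passphrase, seed, count):
        # One-time, out-of-band enrollment: only otp(count) is kept on the gateway.
        self.users[user] = [seed, count, otp_at(passphrase, seed, count)]

    def challenge(self, user):
        seed, n, _ = self.users[user]
        if n < 1:
            raise RuntimeError("sequence exhausted: re-enroll with a new seed")
        return f"otp-md5 {n - 1} {seed}"   # RFC 2289 challenge format

    def verify(self, user, response: bytes) -> bool:
        seed, n, last = self.users[user]
        # Folding the offered otp(n-1) once must reproduce the stored otp(n);
        # a replayed or guessed value fails this check and changes no state.
        if not hmac.compare_digest(otp_fold(response), last):
            return False
        self.users[user] = [seed, n - 1, response]
        return True

def demo():  # constructed run: two good logins, then a replay and a wrong passphrase
    gw = SKeyVerifier()
    gw.enroll("alice", "correct horse battery", "fw99", 100)
    out = []
    for _ in range(2):
        _, n, seed = gw.challenge("alice").split()       # e.g. "otp-md5 99 fw99"
        out.append(gw.verify("alice", otp_at("correct horse battery", seed, int(n))))
    out.append(gw.verify("alice", otp_at("correct horse battery", "fw99", 99)))
    out.append(gw.verify("alice", otp_at("wrong passphrase", "fw99", 97)))
    return out  # [True, True, False, False]
```

Because the gateway keeps only the last accepted value, a captured response cannot be reused, and the stored value cannot be turned back into the passphrase.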

There are a number of OPSEC Certified RADIUS authentication solutions offered by OPSEC Alliance partners.

© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.