SecurID AuthNode Configuration Guide for Firewall-1

Author: Dave Abraham
Date:
Version: 2
Classification:
Contents

Introduction
Pre-requisites
Configuration
  Step 1 - Obtain Signify Authentication Server Settings
  Step 2 - Enable RADIUS authentication on your Firewall
  Step 3 - Create the Workstation objects
  Step 4 - Create the RADIUS Server objects
  Step 5 - Enable Users
    5a - Create a test user
    5b - Enable existing users
  Step 6 - Test Authentication

Introduction

Check Point FireWall-1 is a firewall deployed by many organizations around the world. It is typically deployed as software on a range of platforms, including Windows NT/2000 and a variety of Unix platforms, and is also available as an appliance from Nokia. This guide steps you through configuring your FireWall-1 software on any of these platforms to support strong authentication using RSA SecurID from Signify.

Once configured, you can apply strong authentication wherever you perform user authentication on your Firewall, for example authenticating people before they are allowed to connect through your Firewall into your company network, or authenticating a user prior to setting up a VPN tunnel.

©2001. Signify Solutions Ltd.
Pre-requisites

In order to set up your Firewall-1 system to use the Signify service for authentication you will need:

• Checkpoint FireWall-1 3.0b, 4.0 or 4.1*
• GUI access to the firewall, with read/write permissions
• A list of your users who will be using the Signify service
• A list of hosts and IP based services which require authenticated access

You will also need a service from Signify with at least one SecurID user, and an Authentication Node (AuthNode) service. These instructions assume that you have already requested an AuthNode service from Signify, that it has been enabled, and that you have registered your token with Signify.

On completion of this procedure, your firewall will be ready to use Signify's Authentication Servers. It is expected to take somewhere between 15 and 30 minutes to complete.

* This document explains the procedure on FireWall-1 4.1; earlier versions may differ slightly.
Configuration

Step 1 - Obtain Signify Authentication Server Settings

You can obtain all the details about the Authentication Servers that your AuthNode will need by visiting the My Signify area of Signify's web site at www.signify.net. Follow the link to 'My AuthNodes', where you can obtain the following details which you will need during this configuration:

• IP Address of 2 Authentication servers
• The RADIUS shared secret, which is used to secure communication between your authentication node and Signify's Authentication Points of Presence.

Step 2 - Enable RADIUS authentication on your Firewall

To enable your firewall to authenticate using the RADIUS protocol:

Select Manage -> Network Objects...
Select your FireWall-1 gateway object
Click 'Edit'
Select the 'Authentication' tab
Ensure that the RADIUS tickbox is checked
Step 3 - Create the Workstation objects

FireWall-1 needs to know which hosts the RADIUS service is running on, so the Signify Authentication Servers need to be created on your firewall as Workstation objects.

Run the Checkpoint Security Policy Editor and log in with read/write permissions. First create the network host objects:

From the menu, select Manage -> Network Objects...
You will now need the Authentication server details that you obtained in Step 1.
Select New -> Workstation
Enter a name for this object for the server (eg. Signify-Auth-Server1)
Enter the IP address of the first authentication server as obtained in Step 1, then click O.K.
Repeat the New Workstation process for Signify-Auth-Server2.
Step 4 - Create the RADIUS Server objects

Now you need to create the RADIUS server objects:

From the menu, select Manage -> Servers...
Select New -> RADIUS...
Enter the name of the Signify Authentication Server, preceded by RADIUS (eg. RADIUS-Signify-Auth-Server1)
In the Host field, select the Workstation object previously defined from the drop-down list
The service should be set to 'udp RADIUS'
Check the Priority setting against the Signify Authentication Server information provided; each server should have a different priority. Set the server defined as your Primary Authentication Server on the form to priority 1, and the secondary server to 2.
The Version should be set to Ver 2.0 Compatible.
Now enter the Shared Secret which you obtained in Step 1.
Click O.K.
Repeat the above process for the second RADIUS server, this time setting the priority to 2.

Once you have created both the RADIUS Server objects, you need to add them to a RADIUS group.

From the menu, select Manage -> Servers...
Select New -> RADIUS Group...
Add each of the Signify RADIUS servers to the group.
Name the group 'SIGNIFY-radius-servers'
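The RADIUS server object above makes FireWall-1 send a RADIUS Access-Request (UDP) to each Signify server and protect the passcode on the wire with the shared secret. What follows is an added example, not part of this guide and not Check Point's or Signify's code, showing that exchange at the packet level as RFC 2865 defines it: the firewall side builds an Access-Request carrying User-Name and the secret-encrypted User-Password and checks the Response Authenticator on the reply; the Signify side is simulated in-process with the same secret so the whole thing runs offline. The shared secret, username, passcode and NAS address in it are made up, and the port default of 1812 is an assumption: Check Point's predefined 'RADIUS' service object is the older port UDP 1645 ('NEW-RADIUS' is 1812), so use whichever port Signify specifies. The example is useful for confirming you have the correct shared secret before changing the firewall (a wrong secret on either side makes the passcode decrypt to garbage and the reply fail verification), and it shows why the secret must be handled like a password: it is all that protects the passcode in transit and authenticates the replies from Signify.

```python
"""Added example (not part of the Signify guide, nor Check Point or Signify
code): the RADIUS exchange the firewall performs with the Signify servers,
per RFC 2865. The firewall side builds an Access-Request and verifies the
reply; the server side is simulated here so the whole thing runs offline."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(passcode, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with the Request Authenticator standing in for c_0."""
    if not 1 <= len(passcode) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_user_password(cipher, secret, request_auth):
    """Server side: the same chain run backwards; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, username, passcode, secret, nas_ip, request_auth=None):
    """Firewall side. Returns (packet, request_authenticator); keep the latter to check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_user_password(passcode.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def _response_auth(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def simulate_server(packet, secret, users):
    """Constructed stand-in for a Signify Authentication Server (not Signify's code).
    Accepts only if the decrypted passcode matches the one stored for the user."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    got = decrypt_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(got, users[user].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply_code, ident, 20) + _response_auth(reply_code, ident, b"", request_auth, secret)


def verify_reply(reply, ident, request_auth, secret):
    """Firewall side: True only for an Access-Accept whose Response Authenticator
    matches our request and the shared secret (a forged or wrong-secret reply fails)."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = _response_auth(code, rid, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT


def radius_probe(host, secret, username, passcode, nas_ip, port=1812, timeout=5.0):
    """Send one real Access-Request over UDP and report whether an authentic Access-Accept came back.
    Port 1812 is an assumption; use the port Signify gives you (the FireWall-1 'RADIUS' service is 1645)."""
    packet, request_auth = build_access_request(1, username, passcode, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(reply, 1, request_auth, secret)
```

To probe a live server, call radius_probe with the Signify server address, the shared secret from Step 1, the 'sig-test' user and the current passcode (PIN followed by tokencode); the NAS address should be the firewall's own interface address, since the server may key its configuration on it. Note that the User-Password hiding is an MD5 keystream seeded by the secret, so anyone who captures the UDP traffic can test candidate secrets offline; choose a long random secret and do not reuse it across AuthNodes.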
Step 5 - Enable Users

If you do not have any existing users on your firewall, it is suggested that you read through Checkpoint's literature to help you understand how to define users and groups, and how to define rules that involve the different authentication schemes. Whether or not you have existing users defined, you will need to create a Signify test user. Refer to the FAQ for guidelines in creating your Signify enabled users.

5a - Create a test user

It will help Signify to diagnose potential problems, should they arise, if there is a test user defined on your firewall. You will need to create this user, but you should not apply them to any rules. Signify can use this test user to monitor the status of your AuthNode if you wish, and also to perform performance tests. You should not put this user in any groups; therefore this user will not allow any access to any of your internal systems.

To create this test user:

From the menu, select Manage -> Users...
Click 'New', then choose 'Default'
You should now see the User Properties box for a new user.
Under the 'General' tab, enter the user name as 'sig-test', and ensure the expiration date is a reasonable date in the future.
Do not add the user to any groups.
Under the 'Authentication' tab, select RADIUS from the Authentication Scheme drop-down list. Under Settings, select the RADIUS Group 'SIGNIFY-radius-servers' you created earlier.
Under the 'Location' tab, both Source and Destination should be set to 'Any'.
Under the 'Time' tab, all days of the week should be ticked, and the allowed times should be from 00:00 to 23:59.
The 'Encryption' tab does not need any editing.
Once you have completed the test user configuration, click 'OK'.
Click 'Install', select your firewall, and click 'OK'.
That's the test user completed and installed.
5b - Enable existing users

If you have existing users that use passwords, to 'upgrade' them to use Signify Tokens you simply need to change their authentication scheme.

From the menu, select Manage -> Users...
For each user you wish to activate:
Click 'Edit', and select the 'Authentication' tab.
Select RADIUS from the Authentication Scheme drop-down list.
Under Settings, select the RADIUS Group 'SIGNIFY-radius-servers' you just created.

Now you are ready to make changes to the ruleset. Before doing this, it is always advisable to save the policy under a new name so that you can revert should you encounter any problems. Wherever these users are required to authenticate within your ruleset, they will now be required to use their Signify Tokens.
Step 6 - Test Authentication

Once you have configured your user to use RADIUS authentication with the Signify Servers, and provided you have an active Signify Token, you are ready to test authentication. How you test this will depend on whether or not you have any existing Authentication rules defined within your ruleset, and what sort they are. If you are familiar with FireWall-1 and you have existing rules, test whichever way you feel happy with. The example below assumes that you use Client Authentication on the default port.

If you are unsure and would like some guidance, follow these steps (you do not need any Authentication Rules defined to test it):

From the firewall itself, start a DOS session.
Telnet to the firewall's Client Authentication port with the following command (replace 'firewall' with the host name or IP address of your gateway):

    telnet firewall 259

You should now see the following:

    Check Point FireWall-1 Client Authentication Server
    User:

Enter your valid Signify enabled username; you should then be prompted for your password:

    RADIUS password:

When prompted, enter your Passcode (your PIN followed by your Tokencode, the number showing on your token).

If authentication is successful, you will get the following message:

    User 'xxxxx' authenticated by RADIUS authentication

If you are enabled for any rules, choose '1. Standard Sign-on'.

On Windows 9x and NT4, the telnet session will immediately follow this with a dialog box 'Connection to host lost'. You are now authenticated and can perform any actions that the appropriate rules have enabled.

The Signify Service can be used with each of Firewall-1's authentication schemes, User-Auth, Client-Auth, Session-Auth and Client-Encrypt, although Client-Encrypt can only be used with the FWZ encryption scheme, and is not supported by IKE since only passwords are currently supported with this scheme.
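The manual telnet test in Step 6 can be scripted, which is handy if you want to check the AuthNode from a monitoring host the way Signify would with the 'sig-test' user. The following is an added example, not from this guide and not Check Point's or Signify's code: it drives the same 'User:' and 'RADIUS password:' prompts over TCP/259 and reports success only when the 'authenticated by RADIUS authentication' line quoted above appears; a closed connection or any other text is reported as a failure, because the guide does not show the server's rejection text. The fake server class replays the prompts quoted in Step 6 so the script can be exercised without a gateway; the host name, 'sig-test' credentials and passcode used with it are made up. Since the passcode contains the current tokencode, each run needs a fresh tokencode; do not hard-code a passcode into a scheduled job.

```python
"""Added example (not Signify's or Check Point's code): script the Step 6 test
against the FireWall-1 Client Authentication server on TCP/259, so the
'sig-test' login can be checked from a monitoring host instead of typed into
telnet. Only the success line quoted in the guide is treated as success; a
closed connection or any other text counts as a failure."""
import socket

SUCCESS_MARKER = b"authenticated by RADIUS authentication"


def _read_until(conn, marker, limit=8192):
    """Read from a socket-like object until marker appears, the peer closes, or a timeout hits."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def client_auth_login(conn, username, passcode):
    """Drive the User: / RADIUS password: prompts.
    Returns {'authenticated': bool, 'transcript': bytes}; the transcript is kept for diagnosis."""
    transcript = _read_until(conn, b"User:")
    conn.sendall(username.encode() + b"\r\n")
    transcript += _read_until(conn, b"password:")
    conn.sendall(passcode.encode() + b"\r\n")
    transcript += _read_until(conn, SUCCESS_MARKER)
    return {"authenticated": SUCCESS_MARKER in transcript, "transcript": transcript}


def check_client_auth(host, username, passcode, port=259, timeout=10.0):
    """Open a real TCP session to the gateway. Passcode = PIN followed by the current tokencode."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return client_auth_login(conn, username, passcode)


class FakeClientAuthServer:
    """Constructed stand-in replaying the prompts quoted in Step 6 (the real
    server's rejection text is not shown in the guide, so this one just closes
    the connection on a bad passcode). Not a real Client Authentication server."""

    def __init__(self, users):
        self.users, self.stage = users, 0
        self.user, self.passcode = b"", b""

    def recv(self, n):
        if self.stage == 0:
            self.stage = 1
            return b"Check Point FireWall-1 Client Authentication Server\r\nUser: "
        if self.stage == 2:
            self.stage = 3
            return b"RADIUS password: "
        if self.stage == 4:
            self.stage = 5
            if self.users.get(self.user) == self.passcode:
                return b"User '" + self.user + b"' authenticated by RADIUS authentication\r\n"
        return b""   # peer closed the connection

    def sendall(self, data):
        line = data.rstrip(b"\r\n")
        if self.stage == 1:
            self.user, self.stage = line, 2
        elif self.stage == 3:
            self.passcode, self.stage = line, 4


if __name__ == "__main__":
    # Offline demonstration against the constructed fake; for a live gateway use
    # check_client_auth("firewall", "sig-test", pin_plus_tokencode) instead.
    result = client_auth_login(FakeClientAuthServer({b"sig-test": b"1234567890"}), "sig-test", "1234567890")
    print("authenticated" if result["authenticated"] else "failed", result["transcript"])
```

The script deliberately stops after the result line and does not choose '1. Standard Sign-on'; the test user is in no groups, so there is nothing to sign on to, and a monitoring probe should not open sessions through the firewall.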
