fir3net

Check Point - Authentication

When adding an authentication action to a rule there are 3 types,

  1. User
  2. Session
  3. Client

User authentication works by intercepting connections going through the FW-1 and prompting the user for authentication. To do this the firewall has to modify the traffic, so this authentication type can only be used with FTP, HTTP, Telnet and RLOGIN.

  • Advantages - Most secure, as authenticating is done on each connection
  • Disadvantages - Only available on FTP, HTTP, Telnet and RLOGIN protocols

Session authentication uses software installed on the client's machine. When the rule with session authentication is hit, the firewall tries to connect to the agent on the client's machine on port 261, and an authentication dialog box is then presented to the user. This works on all protocols.

  • Advantages - Works on all protocols
  • Disadvantages - Software has to be installed on the client's machine (Windows only)

Client authentication acts on authenticating the machine. The user is required to connect to the FW-1 gateway address on either port 259 (telnet) or 900 (HTTP). Once the user has authenticated, the machine's IP will be permitted.

  • Advantages - Works on all protocols
  • Disadvantages - Not as secure as the previous 2, as the permission is associated with an IP rather than a user. We recommend this is only used on single-user machines.

Rule Base Order

With authentication rules the standard top-to-bottom order doesn't apply. The firewall first checks whether the connection matches any non-authentication rules.

So where do I put my rules?

  1. Add them above your stealth rule (the stealth rule being the rule that allows access to your firewall) so that the user is allowed to authenticate with the firewall (Client Authentication).
  2. Place the authentication rule above the accept rule. Then add a deny rule for the specific host, as you can see below.

Using the above example, access to any host would be accepted using the accept rule, whereas access to 64.20.35.155 would use the client auth rule.
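The two placement guidelines above can be checked mechanically before a policy is pushed. The script below is an added example and not Check Point code or tooling: it models a rule base as a list of dictionaries (a constructed representation, not Check Point's policy format), uses a made-up gateway object name `fw-gateway`, and flags an authentication rule that sits below the stealth rule, or that has no drop rule for its host between it and a broad accept rule (the case in which, per the rule-base order described above, the accept rule would be matched first).

```python
"""Rule-base order linter for Check Point authentication rules.

Added example, not Check Point's code. The rule-base layout (list of
dicts with 'no', 'src', 'dst', 'action'), the gateway name and the
sample rules are all constructed for illustration.
"""
from typing import Dict, List, Optional

AUTH_ACTIONS = {"user auth", "session auth", "client auth"}
FIREWALL = "fw-gateway"  # constructed name for the gateway object

# Constructed sample: the layout recommended above (top to bottom).
GOOD_RULES: List[Dict] = [
    {"no": 1, "src": "any", "dst": "64.20.35.155", "action": "client auth"},
    {"no": 2, "src": "any", "dst": "64.20.35.155", "action": "drop"},
    {"no": 3, "src": "any", "dst": FIREWALL,       "action": "drop"},    # stealth rule
    {"no": 4, "src": "any", "dst": "any",          "action": "accept"},
]

# Constructed sample: auth rule below the stealth rule and below accept-any.
BAD_RULES: List[Dict] = [
    {"no": 1, "src": "any", "dst": FIREWALL,       "action": "drop"},    # stealth rule
    {"no": 2, "src": "any", "dst": "any",          "action": "accept"},
    {"no": 3, "src": "any", "dst": "64.20.35.155", "action": "client auth"},
]


def is_auth(rule: Dict) -> bool:
    return rule["action"] in AUTH_ACTIONS


def stealth_index(rules: List[Dict]) -> Optional[int]:
    """Index of the first rule that drops traffic addressed to the gateway itself."""
    for i, rule in enumerate(rules):
        if rule["dst"] == FIREWALL and rule["action"] == "drop":
            return i
    return None


def lint(rules: List[Dict]) -> List[str]:
    """Return one finding per violated placement guideline."""
    findings: List[str] = []
    stealth = stealth_index(rules)
    for i, rule in enumerate(rules):
        if not is_auth(rule):
            continue
        # Guideline 1: authentication rules go above the stealth rule so
        # clients can reach the gateway (port 259/900) to authenticate.
        if stealth is not None and i > stealth:
            findings.append(
                f"rule {rule['no']}: '{rule['action']}' rule is below the stealth rule "
                f"(rule {rules[stealth]['no']}); move it above so clients can reach the gateway")
        # Guideline 2: the auth rule goes above the accept rule, with a drop
        # rule for the specific host so the accept rule does not match it first.
        accept_at = next((j for j, r in enumerate(rules)
                          if r["action"] == "accept" and r["dst"] in ("any", rule["dst"])), None)
        deny_at = next((j for j in range(i + 1, len(rules))
                        if rules[j]["action"] == "drop" and rules[j]["dst"] == rule["dst"]), None)
        if accept_at is not None and accept_at < i:
            findings.append(
                f"rule {rule['no']}: accept rule {rules[accept_at]['no']} is above it; "
                f"the accept rule would match {rule['dst']} before authentication applies")
        elif deny_at is None or (accept_at is not None and accept_at < deny_at):
            findings.append(
                f"rule {rule['no']}: no drop rule for {rule['dst']} between it and the accept rule; "
                f"the accept rule would allow the host without authentication")
    return findings


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(f"{name}: {lint(rules) or ['no findings']}")
```

Run it as-is to compare the two constructed rule bases; in practice the list would be built from an exported policy, with the gateway object name substituted for `fw-gateway`.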

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001