Check Point's authentication has two main parts: basic authentication support, and a comprehensive authentication service.
Basic certification support
So-called basic authentication support means that the firewall first confirms the identity of the subject before it makes its authorization decision. This is actually a rather awkward thing, because a firewall is by nature a packet filter, so what it naturally sees is only an IP address, and an IP address as an identity is even more awkward. Example: with no firewall F in the path, user A accesses FTP server S over the FTP protocol. FTP has its own basic authentication mechanism, entering a username and password, so user A enters the username and password assigned to them and can access the server smoothly. After firewall F is inserted, the firewall can additionally require authentication: the firewall only knows about an IP-based connection and does not know which user corresponds to that connection, so user A must authenticate an additional time, to the firewall. This is the meaning of firewall authentication support.
In fact, any network application can support authentication. The firewall is not a network application, but it sits between C and S, between the client and the server of the network application, and can see the entire content of the communication, so for it to support authentication is not strange either.
However, supporting authentication raises two issues that, if solved, would make things much less strange: 1. Each application has its own username and password for authentication, so 10 applications require a user to remember 10 usernames and 10 corresponding passwords. Even if this is a safe and effective practice, it is certainly an annoying and inefficient one. 2. When does the user enter the password? How is the password transferred? How is verification performed? From this problem it is easy to reach a conclusion: security is a property, a cross-cutting property that every piece of software needs, and expressing and realizing it in the AOP (aspect-oriented) model is the most natural way (OPSEC thinking also concentrates everyone on this). Unfortunately the world is not so beautiful, and many different authentication schemes have been implemented and deployed separately.
To address this, Check Point has made some effort, but none of it is complete, and it will never be perfect. According to need, it divides authentication into three modes: user, session, and client.
1. To solve the question of when to enter the password, the firewall parses the contents of Telnet, FTP, HTTP, HTTPS, and RLOGIN packets, so that when users use these protocols no additional client needs to be installed; for other protocols, however, this is certainly not supported. This is the User Authentication method.
2. So authentication for the other protocols goes back to the old road: not only must a client be installed, but the firewall authentication information must be entered over and over again. Because the client authenticates per session, this is called Session Authentication. In fact, if the authentication information entered is a username and password, it could just as well be called user-based authentication (Check Point's basic authentication, I think, is better than NetScreen's, but it becomes simply boring once you discover this).
3. Web applications drove session-based authentication into a dead end. At this point it finally returned to the real old road: the firewall no longer performs the authentication itself but pushes it to the client, which is called Client Authentication (Note: this is not client IP-based authentication; rather, the client installed on the user's machine performs the authentication for different sessions). Client authentication can be used to authenticate any service. It allows access from a specific IP address for an unlimited number of connections. The user working on a client performs the authentication by successfully meeting an authentication challenge, but it is the client machine...
This is Check Point's own description of these three ways of authentication: "With User Authentication, the administrator can allow the user who is away from his or her desk to work on the local network without extending access to all users on the same host. However, User Authentication is available only for the services TELNET, FTP, HTTP, HTTPS, and RLOGIN. Client Authentication is less secure than User Authentication because it allows multiple users and connections from the authorized IP address or host. The authorization is per machine. For example, if FINGER is authorized for a client machine, then all users on the client are authorized to use FINGER, and will not be asked to supply a password during the authorization period. For this reason, Client Authentication is best enabled for single user machines. The advantage of Client Authentication is that it can be used for any number of connections, for any service, and the authentication can be set to be valid for a specific [...]. [...] any service, and demands that users supply their credentials per connection (session). It therefore requires either UserAuthority, or a Session Authentication agent for every authenticating client. It is therefore not suitable for authenticating HTTP, which opens multiple connections per session. As with Client Authentication, only use it on single user machines, where only one user can come from a given IP at any one time." This is really chaotic; my guess is that it is a hodgepodge of stopgap solutions pushed out by the company over time.
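To make the trade-offs in that description concrete, here is an added example (my own toy model, not Check Point's code and not part of the original post) that encodes the three modes as the page describes them: User Authentication prompts inline and therefore only works for the parseable services; Session Authentication challenges on every connection; Client Authentication grants the source IP for an authorization period, so a second person on the same host is let through without a password. The credential store, IP addresses, service names and the 600-second period are constructed values for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Services whose protocol stream the gateway can parse to prompt inline (as listed on the page).
USER_AUTH_SERVICES = {"telnet", "ftp", "http", "https", "rlogin"}

# Constructed credential store: a stand-in for the gateway's user database.
CREDENTIALS: Dict[str, str] = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class Connection:
    src_ip: str
    service: str
    user: Optional[str] = None      # credentials presented with this connection, if any
    password: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    prompted: bool   # True if this connection had to present credentials
    reason: str


class AuthModel:
    """Toy model of the three authentication modes; hypothetical, not the product's logic."""

    def __init__(self, mode: str, auth_period: int = 600):
        assert mode in {"user", "session", "client"}
        self.mode = mode
        self.auth_period = auth_period           # seconds a client-auth grant stays valid
        self.client_grants: Dict[str, int] = {}  # src_ip -> expiry time (client mode only)

    def _check_credentials(self, conn: Connection) -> Decision:
        ok = conn.user is not None and CREDENTIALS.get(conn.user) == conn.password
        return Decision(ok, True, "credentials accepted" if ok else "credentials rejected")

    def evaluate(self, conn: Connection, now: int) -> Decision:
        if self.mode == "user":
            # The prompt lives inside the protocol stream, so only parseable services work.
            if conn.service not in USER_AUTH_SERVICES:
                return Decision(False, False, f"user auth cannot handle {conn.service}")
            return self._check_credentials(conn)

        if self.mode == "session":
            # An agent on the client answers a challenge for every single connection.
            return self._check_credentials(conn)

        # Client mode: the grant is keyed on the source IP, not on the person behind it.
        expiry = self.client_grants.get(conn.src_ip)
        if expiry is not None and now < expiry:
            return Decision(True, False, "host already authorized; no prompt")
        decision = self._check_credentials(conn)
        if decision.allowed:
            self.client_grants[conn.src_ip] = now + self.auth_period
        return decision


def client_auth_shared_host() -> Dict[str, bool]:
    """alice authenticates from 10.0.0.5; bob then connects from the same host with no password."""
    fw = AuthModel("client", auth_period=600)
    alice = fw.evaluate(Connection("10.0.0.5", "finger", "alice", "alice-pw"), now=0)
    bob = fw.evaluate(Connection("10.0.0.5", "finger"), now=60)      # no credentials at all
    later = fw.evaluate(Connection("10.0.0.5", "finger"), now=700)   # after the period expired
    return {"alice": alice.allowed, "bob_without_password": bob.allowed, "after_expiry": later.allowed}


def user_auth_service_coverage() -> Dict[str, bool]:
    """Same valid credentials, one parseable service and one that is not."""
    fw = AuthModel("user")
    good = fw.evaluate(Connection("10.0.0.5", "ftp", "alice", "alice-pw"), now=0)
    bad = fw.evaluate(Connection("10.0.0.5", "smtp", "alice", "alice-pw"), now=0)
    return {"ftp": good.allowed, "smtp": bad.allowed}


def session_auth_prompts_for_http(connections_per_page: int = 5) -> int:
    """Count how many challenges a browser would answer to load one page over several connections."""
    fw = AuthModel("session")
    prompts = 0
    for _ in range(connections_per_page):
        d = fw.evaluate(Connection("10.0.0.5", "http", "alice", "alice-pw"), now=0)
        prompts += int(d.prompted)
    return prompts


if __name__ == "__main__":
    print(client_auth_shared_host())
    print(user_auth_service_coverage())
    print(session_auth_prompts_for_http())
```

The first function is the "less secure" case from the quoted text: once alice has authorized the host, bob's connection from the same IP is allowed without a prompt until the period expires, which is why the advice is to enable Client Authentication only on single-user machines. The third function shows why Session Authentication is unsuitable for HTTP: every connection the browser opens for one page is a fresh challenge.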
Comprehensive authentication service
However, UserAuthority looks like the ultimate, perfect solution, but it depends on the application developers: the "authentication" key module has to be integrated by the application vendor, and expecting application vendors to follow Check Point's OPSEC road all the way to the end is simply not realistic.
"UserAuthority is the security glue connecting Check Point network applications, and so UserAuthority components are installed on both the VPN-1/FireWall-1 gateway and the application server. This simple API (Application Programming Interface) implements a secured (encrypted) protocol that enables any application to be integrated with UserAuthority. The same capabilities (Single Sign On, etc.) are available." UserAuthority requires installing both a client and a server. The server is UAM, the user authentication module; it can be installed together with FW-1, or independently on a Windows Active Directory server or on a Terminal server. For the client there is a choice: one is SecureClient, the other is SecureRemote; these two pieces of software are packaged together, and which one is installed is a matter of the actual deployment. (To be clear, this is the "client" in client-based authentication.)
As for the authorization of web applications, I have been confused ...