
Advanced Identity Awareness Deployment

In This Section:

Introduction to Advanced Identity Awareness Deployment

Deployment Options

Deploying a Test Environment

Deployment Scenarios

Introduction to Advanced Identity Awareness Deployment

Deploy Check Point Security Gateways with Identity Awareness enabled to improve the security of your network environment and corporate data. This section describes recommended deployments with Identity Awareness.

Important - NAT between two Identity Awareness Security Gateways that share data with each other is not supported.

Deployment Options

You can deploy an Identity Awareness Gateway in two different network options:

IP routing mode - This is the regular, standard method for deploying Identity Awareness Gateways. You usually use this mode when you deploy the Identity Awareness Gateway at the perimeter. The Identity Awareness Gateway behaves as an IP router that inspects and forwards traffic from the internal interface to the external interface and vice versa. The two interfaces must be on different network subnets.

Transparent mode - Also known as bridge mode. This deployment method installs the Identity Awareness Gateway as a Layer 2 device rather than an IP router. Its benefit is that it requires no changes to the network infrastructure: you deploy the Identity Awareness Gateway inline within the same subnet. This option is most suitable when you deploy an Identity Awareness Gateway for network segregation and Data Center protection.

Deploying a Test Environment

Best Practice - If you want to evaluate how Identity Awareness operates in a Security Gateway, we recommend that you deploy it in a simple environment. The recommended test setup below gives you the ability to test all identity sources and create an identity-based Policy.

We recommend that the setup have three main components:

  1. User host (Windows)
  2. Check Point Security Gateway R75.20 or higher
  3. Microsoft Windows server with Active Directory, DNS and IIS (Web resource)

Deploy the Security Gateway in front of the protected resource, the Windows server that runs IIS (web server). The user host computer will access the protected resource via the Security Gateway.

Testing Endpoint Identity Agents

Enable and configure Identity Agents, and configure Identity Agent self-provisioning through the Captive Portal.

  1. Open a browser and connect to the web resource.

    You are redirected to the Captive Portal.

  2. Enter user credentials.
  3. Install the client as requested by the Captive Portal.

    After the client is installed, wait for the authentication pop-up and enter the user credentials through the client.

  4. Test connectivity.

Deployment Scenarios

Perimeter Identity Awareness Gateway

Security Challenge

The Security Gateway at the perimeter is the main gate for all traffic entering and leaving your corporate network. Users in internal networks access Internet resources and applications daily. Not all Internet applications and web sites are secure, and some are restricted by corporate policy. Blocking all internal access would hurt the productivity of employees who need that access for their daily work. You can control access to allowed applications with the Application Control blade, but you need a more granular access policy based on user and computer identity.

Access roles let you configure an identity aware policy with Application Control, to allow access only to specified user groups to the applications on the Internet.

Enable Identity Awareness on the perimeter Security Gateway.

Deployment scenario

  1. Deploy the Security Gateway at the perimeter in routing mode, and define an external interface towards the ISP (the Internet) and an internal interface that points to the internal corporate network LAN.

    Optional: you can define another internal interface, which protects DMZ servers.

  2. Make sure there are no NAT or Proxy servers between the gateway and your network. Identity Awareness maps each identity to the client's source IP address; a NAT device or proxy in the path makes all users behind it appear to come from the same address, so the gateway cannot tell them apart.

    Best Practice - We recommend that the Proxy server be in the DMZ network.

  3. Check that the Security Gateway has connectivity to the internal AD domain controllers.
  4. Make sure that users can reach the internal interface of the Security Gateway.
  5. Configure the Application Control blade.

    See the R80.10 Next Generation Security Gateway Administration Guide.

  6. If you have several perimeter Security Gateways leading to the Internet, we recommend that you manage these Security Gateways with one Security Management Server and SmartConsole to deploy the relevant security policy.

Configuration

  1. Enable Identity Awareness and select the appropriate identity sources.
  2. Create Access Roles based on users and computers. You can create multiple Access Roles that represent different departments, user and computer groups and their location in the network.
  3. Add the Access Roles to the source column of the relevant Firewall and application control policies.

This is a sample diagram for a small to medium corporate headquarters.

Item  Description
1     Corporate data center
2     Identity Awareness Gateway that protects the data center
3     Perimeter Identity Awareness Gateway. User IDs are sent to the gateway that protects the data center.
4     Internal network resources
5     LDAP server (for example Active Directory)
6     Internet

Data Center Protection

Security Challenge

The Data Center contains sensitive corporate resources and information that you must protect from unauthorized access. You must also protect it from malware and viruses that can harm databases and steal corporate information. Access to the Data Center, and particularly to certain applications, must be granted only to compliant users and computers.

Deployment Scenario

  1. Deploy the Security Gateway inline in front of the Data Center core switch, protecting access to the Data Center from the LAN.
  2. Best Practice - We recommend that you deploy the Security Gateway in bridge mode, to avoid any changes in the network. However, IP routing mode is also supported.
  3. Define at least two interfaces on the Security Gateway and configure them to be internal or bridged.
  4. Make sure that the Security Gateway has connectivity to the Active Directory and all relevant internal domain controllers in the network (LAN).
  5. Make sure that users from the LAN can connect to the Data Center through the Security Gateway with an "Any Any Accept" policy.
  6. Make sure that you do not have a proxy or NAT device between the Security Gateway and users or the LAN.

Configuration

  1. Enable Identity Awareness on the Security Gateway and select identity sources.
  2. Create Access Roles for users and apply the Access Roles to relevant Access Control Policy rules.

Large Scale Enterprise Deployment

Security Challenge

In complex large-scale enterprise networks, you must control access from the local network to the Internet and to multiple Data Center resources. The Data Center contains sensitive corporate resources and information that must be securely protected from unauthorized access. Grant access only to policy-compliant users and computers. Protect your network and Data Center from malware, bots, and viruses.

Users in the internal networks access Internet resources and applications daily. Not all Internet applications and web sites are secure, and some are restricted by the corporate policy. Blocking all internal access would hurt the productivity of employees who need that access for their daily work. You can control access to the allowed applications with the Application Control blade. If you require a granular access policy based on user and computer identity, use Access Roles with Application Control.

Deployment Scenario

  1. Deploy or use existing Security Gateways at the perimeter and in front of the Data Center.
  2. Install the Security Gateway at the perimeter in routing mode, and use at least one external interface to the Internet and one to the internal network (define it as an internal interface).
  3. Deploy the Security Gateway as an inline device in front of the Data Center in bridge mode to avoid network changes. This is not required, but is recommended. Nonetheless, IP routing mode is also supported.
  4. Make sure that all Security Gateways in the Data Centers and perimeter can communicate directly with each other.
  5. Best Practice - We recommend that you manage the Security Gateway from one Security Management Server and SmartConsole.
  6. Make sure that there is connectivity from each Security Gateway to the Active Directory internal domain controllers.
  7. Make sure that in an "Any Any Accept" Policy, users from the LAN can connect to the desired resources.
  8. Make sure there are no NAT or Proxy servers between the gateway and your network. Best Practice - We recommend that you put your Proxy server in the DMZ network.

Configuration

  1. Enable Identity Awareness on the Security Gateway.
  2. Choose the identity source method for each Security Gateway, at the perimeter and at the Data Center.
  3. Create Access Roles for users, and apply Access Roles to the applicable Firewall security rules.
  4. Add Access Roles to the Policy.
  5. In the Gateway Properties > Identity Awareness tab, select Share local identities with other gateways.
  6. Install the Policy on the perimeter Security Gateway.

Item  Description
1     Corporate data centers
2     Identity Awareness Gateway that protects the data center
3     Perimeter Identity Awareness Gateway. User IDs are sent to the gateways that protect the data centers.
4     Internal network resources
5     LDAP server (for example Active Directory)
6     Internet

Best Practice - AD Query Recommended Configuration

When you enable AD Query to obtain user and computer identity, we recommend that you enable the feature on all Security Gateways that participate in the network environment. All Security Gateways should have the Active Directory domain defined with the list of all applicable domain controllers in the internal network.
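The script below is an added example for this guide, not a Check Point tool, and checks the connectivity requirement that this section and the later scenarios (for example the dedicated identity acquisition Security Gateway, which must reach all domain controllers over WMI) depend on. WMI rides on DCOM/RPC, whose endpoint mapper listens on TCP 135, and LDAP uses TCP 389, so the script opens a TCP connection to each of those ports on every domain controller and reports the ones that fail. The host names in the sample list are constructed placeholders to be replaced with your own controllers; the self-test function uses a loopback listener so the script can be validated offline before you point it at the real network.

```python
# Preflight check for AD Query: confirm a gateway can reach every configured
# domain controller on the ports it needs. Added example for this guide, not a
# Check Point tool. Run it with the gateway's Python or from a host on the same
# network path as the gateway. Host names below are constructed sample data.
import socket

# WMI rides on DCOM/RPC: the endpoint mapper on TCP 135 is contacted first and a
# dynamic RPC port is negotiated afterwards, so passing here is necessary, not sufficient.
WMI_RPC_PORT = 135
LDAP_PORT = 389


def tcp_reachable(host, port, timeout=3.0):
    """Open and immediately close a TCP connection; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controllers(dcs, ports=(WMI_RPC_PORT, LDAP_PORT), timeout=3.0):
    """Return {dc: {port: reachable}} so you can see which controller and which port failed."""
    return {dc: {port: tcp_reachable(dc, port, timeout) for port in ports} for dc in dcs}


def unreachable(report):
    """Flatten the report into sorted 'host:port' strings for the failures only."""
    return sorted(f"{dc}:{port}" for dc, ports in report.items()
                  for port, ok in ports.items() if not ok)


def local_self_test():
    """Offline sanity check: a loopback listener must report reachable, and the
    same port must report unreachable once the listener is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("self test (open, closed):", local_self_test())
    sample_dcs = ["dc1.corp.example", "dc2.corp.example"]   # constructed: replace with your controllers
    report = check_domain_controllers(sample_dcs)
    for item in unreachable(report):
        print("UNREACHABLE", item)
```

A clean result means the TCP path exists; it does not prove that the WMI account has the rights to read the security event log on each controller, which you still verify from SmartConsole.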

Best Practice - Endpoint Identity Agents Recommended Configuration

If you choose to use Endpoint Identity Agents to authenticate users and computers, you must select the Security Gateway that the Endpoint Identity Agents connect to.

For a single Data Center and perimeter Security Gateway, we recommend that you define Endpoint Identity Agents that connect to a single Security Gateway. Then the identity obtained by the Security Gateway is shared with the other Security Gateways in the network. Select a high capacity / performance Security Gateway, which can also behave as an authentication server, and configure this Security Gateway’s IP / DNS on the Endpoint Identity Agents (see Endpoint Identity Agents section).

For complex multi Data Center environments, where there are several Security Gateways that protect different Data Centers and the perimeter, we recommend that you balance Endpoint Identity Agents authentication using different Security Gateways. You can configure a list of Security Gateways in the Endpoint Identity Agent settings, where the Endpoint Identity Agent will connect to different Security Gateways. This provides load balancing across the Security Gateways. Identities learned from the agents are shared between all Security Gateways in the network.

To define a list of Security Gateways, between which identity information is shared:

  1. Open Gateway properties > Identity Awareness.
  2. Select Get identities from other gateways.
  3. Select the Security Gateways with the identities.
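The following Python model is added here as an illustration; it is not Check Point code and not part of this guide. It shows how the two settings above combine: a gateway only learns a peer's identities if the peer has Share local identities with other gateways selected and the gateway lists that peer under Get identities from other gateways, which is the combination the Network Segregation scenario relies on when it clears sharing on segment gateways. It also shows why no NAT or proxy may sit between users and the gateway: identity sessions are keyed by the client's source IP address. Gateway names, users, groups and addresses are constructed sample data, and the first-wins handling of conflicting peers is a simplification of the model, not documented product behavior.

```python
# Toy model of identity sharing between Identity Awareness gateways.
# Added illustration for this guide; not Check Point code. All gateway names,
# users, groups and IP addresses are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    share_local: bool = True              # "Share local identities with other gateways"
    get_from: frozenset = frozenset()     # "Get identities from other gateways": selected peers
    local: dict = field(default_factory=dict)   # client IP -> (user, groups) learned on this gateway


def learn(gw, ip, user, groups):
    """Record an identity session learned locally (AD Query, agent or Captive Portal).
    Sessions are keyed by the client IP address, so a later login from the same
    address replaces the earlier one."""
    gw.local[ip] = (user, frozenset(groups))


def visible_identities(gw, fleet):
    """Identities gw can use in its policy: its own sessions plus the local
    sessions of every peer it pulls from, provided that peer shares.
    Model assumption: when two peers report the same IP, the first one wins."""
    view = dict(gw.local)
    for peer_name in sorted(gw.get_from):
        peer = fleet[peer_name]
        if not peer.share_local:
            continue                      # peer cleared sharing, as in the Network Segregation scenario
        for ip, ident in peer.local.items():
            view.setdefault(ip, ident)
    return view


def access_role_matches(gw, fleet, src_ip, role_groups):
    """True if traffic from src_ip matches an Access Role that requires membership
    in any of role_groups. An unidentified source never matches an Access Role."""
    ident = visible_identities(gw, fleet).get(src_ip)
    if ident is None:
        return False
    _user, groups = ident
    return bool(groups & frozenset(role_groups))


def build_fleet():
    """Constructed topology: perimeter and Data Center gateways at headquarters,
    a segment gateway that keeps its identities local, and a branch gateway."""
    fleet = {
        "perimeter": Gateway("perimeter", get_from=frozenset({"branch", "segment"})),
        "datacenter": Gateway("datacenter", get_from=frozenset({"perimeter", "branch"})),
        "segment": Gateway("segment", share_local=False),   # sharing cleared on purpose
        "branch": Gateway("branch"),
    }
    learn(fleet["perimeter"], "10.1.1.20", "alice", {"finance"})
    learn(fleet["segment"], "10.2.2.30", "carol", {"engineering"})
    learn(fleet["branch"], "10.9.9.40", "dave", {"finance"})
    return fleet


def nat_collision_demo(fleet):
    """Why NAT between users and the gateway is unsupported: two branch users
    behind one NAT address. Returns (bob_inherits_finance, alice_keeps_finance)."""
    nat_ip = "192.0.2.1"                  # constructed: address of a NAT device in the path
    dc = fleet["datacenter"]
    learn(fleet["branch"], nat_ip, "alice", {"finance"})
    # Every host behind the NAT now carries alice's identity, bob included.
    bob_inherits_finance = access_role_matches(dc, fleet, nat_ip, {"finance"})
    learn(fleet["branch"], nat_ip, "bob", {"contractors"})
    # bob's login replaced alice's session, so alice loses her access.
    alice_keeps_finance = access_role_matches(dc, fleet, nat_ip, {"finance"})
    return bob_inherits_finance, alice_keeps_finance


if __name__ == "__main__":
    fleet = build_fleet()
    for name in fleet:
        print(name, sorted(visible_identities(fleet[name], fleet)))
    print("NAT collision (bob inherits, alice keeps):", nat_collision_demo(fleet))
```

Running the model shows the Data Center gateway matching Access Roles for identities learned on the perimeter and branch gateways, the perimeter gateway seeing nothing from the segment gateway that cleared sharing, and, behind the NAT address, first a contractor inheriting a finance user's access and then the finance user losing it.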

Network Segregation

Security Challenge

Networks consist of different segments and subnets where your internal users reside. Users that connect to the network can spread viruses and malware that infect other computers and servers on the network. You want to make sure that only compliant users and computers can cross between network segments, and to authenticate users that connect to the servers and the Internet.

Deployment scenario

Configuration

  1. Deploy Security Gateways in each segment in bridge mode.
  2. Make sure that there is no proxy or NAT device between the Security Gateways and the LAN.
  3. Make sure that the Security Gateways can communicate with the Active Directory domain controller deployed in each segment (replicated domain controllers).

    If there is a general domain controller that serves all users across the segments, make sure that all Security Gateways can connect to this domain controller.

  4. Enable Identity Awareness on each Security Gateway and select an appropriate identity source method.
  5. In the Identity Awareness tab, clear the Share local identities with other gateways option.

    If you want to share identities with one Security Gateway, for example, the perimeter Security Gateway, keep this option selected and disable Get identities from other gateways in the segment Security Gateway. Then go to the perimeter Security Gateway and select Get identities from other gateways.

  6. If you want to use Endpoint Identity Agents, configure the DNS name or IP address of each segment's Security Gateway in the agents deployed in that segment.

Distributed Enterprise with Branch Offices

Security Challenge

In distributed enterprises, there is a risk of malware and viruses spreading from remote branch offices over VPN links into the corporate internal networks. A second challenge is to provide authorized access to users in remote branch offices who need to reach the Data Center and the Internet.

Deployment Scenario

  1. Best Practice - We recommend that you deploy Security Gateways at the remote branch offices and at headquarters in front of the Data Center and at the perimeter.
  2. At remote branch offices, you can deploy low capacity Security Gateways due to a relatively low number of users.

    Deploy the remote branch Security Gateways in IP routing mode and have them function as a perimeter Firewall and VPN gateway, establishing a VPN link to the corporate Security Gateways.

  3. Best Practice - At the corporate headquarters, we recommend that you deploy Data Center Security Gateways to protect access to Data Center resources and applications, as well as a perimeter Security Gateway. You can install the Data Center Security Gateway in bridge mode to avoid changes to the existing network.
  4. In this scenario, users from the branch office are identified by the local branch office Security Gateway before connecting to the corporate network over VPN.
  5. The identities learned by the branch office Security Gateways are then shared with the headquarters' internal and perimeter Security Gateways. When a user from a branch office attempts to connect to the Data Center, the user is identified by the Security Gateway at the headquarters Data Center without the need for additional authentication.

Item  Description
1     Internal network resources - branch office
2     Branch Identity Awareness Gateway. User IDs are sent to the corporate gateways.
3     LDAP server (for example Active Directory)
4     Internet
5     Perimeter corporate Identity Awareness Gateway
6     Identity Awareness Gateway that protects the data center
7     Corporate data center
8     Internal network resources - corporate office

Configuration

  1. Select a Security Gateway for each remote branch office according to the performance guidelines.
  2. Deploy the Security Gateways at the branch offices in routing mode. Define VPN site-to-site if necessary.
  3. Deploy Security Gateways inline at the Data Center. We recommend using bridge mode.
  4. Deploy a Security Gateway at the perimeter that protects the internal network in routing mode. The perimeter Security Gateway can serve as a VPN Security Gateway for branch offices as well.
  5. If you have Active Directory domain controllers replicated across your branch offices make sure that local Security Gateways can communicate with the domain controller. In case you do not have a local domain controller, make sure that the Security Gateways can access the headquarters' internal domain controller over VPN.
  6. Enable Identity Awareness and select the appropriate methods to get identity.
  7. Create an Access Role and apply the roles in the security policy on the branch office Security Gateways, perimeter and Data Center Security Gateway.
  8. Share identities between the branch offices with the headquarters and Data Center Security Gateways. In the Identity Awareness tab, select Get identities from other gateways and Share local identities with other gateways.

Best Practice - AD Query Recommended Configuration

When you use AD Query to identify users in the local and branch offices, we recommend that you configure only the local domain controller list per site on the relevant Security Gateways. For example, if you have a branch office Security Gateway and a Data Center Security Gateway, enable AD Query on both. On the branch office Security Gateway, select only the replicated domain controllers installed in the branch office. On the Data Center Security Gateway, configure the list of domain controllers installed in the internal headquarters network.

It is not necessary to configure all domain controllers available in the network, since the identity information is shared between branch and internal Security Gateways accordingly.

Best Practice - Endpoint Identity Agents Recommended Configuration

When you use Endpoint Identity Agents, we recommend that you configure the DNS name or IP address of the local branch office Security Gateway on the agents. The agents connect to the local Security Gateway, which authenticates the user, and the identities are then shared with the internal headquarters Security Gateways.

Wireless Campus

Security Challenge

You use wireless networks to grant access to employees with Wi-Fi enabled devices, and to guests and contractors. In some cases guests and contractors cannot use the corporate wired network and must connect through the WLAN, and they are not expected to install endpoint agents on their devices.

Wireless access is also used intensively to connect mobile devices such as smartphones, on which agents can be installed. These devices are not part of the Active Directory domain. By themselves, wireless networks do not provide the desired level of control over network access.

Deployment Scenario

  1. Deploy the Security Gateway in bridge mode in front of the Wireless Switch.
  2. Make sure that the Security Gateway can access the Internet or any other required resource in the network.
  3. Make sure that the Security Gateway can communicate with the authentication server, such as Active Directory or RADIUS.
  4. Check that there is no NAT or proxy device between the Security Gateway and the WLAN network.

Configuration

  1. Enable Identity Awareness on the Security Gateway.
  2. Select Browser-Based Authentication as an identity source.
  3. In the Gateway properties > Identity Awareness tab > Browser-Based Authentication Settings, select Unregistered guests login and in Settings, select the fields you want guests to fill when they register.
  4. Select Log out users when they close the portal browser.

Dedicated Identity Acquisition Security Gateway

Security Challenge

You have several Security Gateways that protect the Data Center or Internet access where access is based on identity acquisition. The Security Gateways run different blades and deal with heavy traffic inspection.

To avoid an impact on performance of the Security Gateways in terms of user identity acquisition and authentication, it is possible to offload this functionality to a separate Security Gateway. The dedicated Security Gateway is responsible for acquiring user identity, performing authentication and sharing learned identities with all Security Gateways in the network.

Deployment Scenario

In this deployment scenario, you have to choose an appropriate appliance to deploy as the dedicated Identity Awareness enabled Security Gateway. All users authenticate with this Security Gateway.

If you enable AD Query, the dedicated Security Gateway should communicate with all Active Directory domain controllers over WMI.

  1. On the dedicated identity acquisition Security Gateway, enable the Identity Awareness feature and select the identity method.
  2. On the Security Gateways, enable Identity Awareness and select Get identities from other gateways and Share local identities with other gateways.

Item  Description
1     Internal network resources
2     Security Gateway with Identity Awareness that protects the internal network. User IDs are sent to the corporate gateways.
3     Corporate data center
4     Security Gateway with Identity Awareness that protects the data center
5     LDAP server (for example Active Directory)
6     Dedicated Identity Awareness Security Gateway
7     Perimeter corporate Security Gateway with Identity Awareness
8     Internet