Advanced Identity Awareness Environment

Configure a Check Point Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) with the Identity Awareness Software Blade enabled, for better security for your network environment and corporate data. Identity Awareness (acronym: IDA) is a Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. This section describes recommended deployments with Identity Awareness.

Important:

  • NAT between two Identity Awareness Security Gateways that share data with each other is not supported.

Recommended deployments:

  • Perimeter Identity Awareness Gateway - This deployment is the most common scenario. Deploy the Security Gateway at the perimeter, where it protects access to the DMZ and the internal network. The perimeter Security Gateway also controls and inspects internal traffic going to the Internet. In this deployment, create an identity-based Access Control Policy.

  • Data Center protection - If you have a Data Center or server farm separated from the users' network, protect access to the servers with the Security Gateway. Deploy the Security Gateway in front of the Data Center so that all traffic to it is inspected by the Security Gateway. Control access to resources and applications with an identity-based Access Control Policy. Deploy the Security Gateway in bridge mode (the Security Gateway or Virtual System works as a Layer 2 bridge device, for easy deployment in an existing topology) to protect the Data Center without significant changes to the existing network infrastructure.

  • Large-scale enterprise deployment - In large networks, deploy multiple Security Gateways. For example: deploy a perimeter Firewall and multiple Data Center gateways. Install an identity-based policy on all Identity Awareness Security Gateways. The Identity Awareness Gateways share user and computer data across the complete environment.

  • Network segregation - The Security Gateway helps you migrate or design internal network segregation. Identity Awareness lets you control access between different segments in the network with an identity-based policy. Deploy the Security Gateway close to the access network to avoid malware threats and unauthorized access to general resources in the global network.

  • Distributed enterprise with branch offices - For an enterprise with remote branch offices connected to the headquarters with VPN, deploy the Security Gateway at the remote branch offices. When you enable Identity Awareness on the branch office Security Gateway, users are authenticated before they reach internal resources. The identity data on the branch office Security Gateway is shared with the other Security Gateways to avoid unnecessary re-authentication.

  • Wireless campus - Wireless networks have built-in security challenges. To give access to wireless-enabled corporate devices and guests, deploy an Identity Awareness Security Gateway in front of the wireless switch and install an Identity Awareness policy. The Security Gateway gives guests access after they authenticate in the web Captive Portal (a Check Point Identity Awareness web portal to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication), and then inspects the traffic from WLAN users.

Advanced Options

You can deploy an Identity Awareness Gateway in two different network options:

  • IP routing mode

  • Transparent mode (bridge mode)

IP routing mode - This is a regular and standard method used to deploy Identity Awareness Gateways. You usually use this mode when you deploy the Identity Awareness Gateway at the perimeter. In this case, the Identity Awareness Gateway behaves as an IP router that inspects and forwards traffic between the internal interface and the external interface in both directions. Both interfaces should be located and configured using different network subnets and ranges.

Transparent mode - Known also as a "bridge mode". This deployment method lets you install the Identity Awareness Gateway as a Layer 2 device, rather than an IP router. The benefit of this method is that it does not require any changes in the network infrastructure. It lets you deploy the Identity Awareness Gateway inline in the same subnet. This deployment option is mostly suitable when you must deploy an Identity Awareness Gateway for network segregation and Data Center protection purposes.
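The placement rules above (distinct subnets for IP routing mode, one subnet for bridge mode, no NAT between gateways that share identity data) can be checked before anything is cabled. The following is an added example, not Check Point code; the gateway names, addresses and link descriptions are constructed, and bridge mode is modelled as both interfaces sitting in the same subnet.

```python
"""Sanity checks for a planned Identity Awareness gateway deployment."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    mode: str          # "routing" (IP routing mode) or "bridge" (transparent mode)
    internal: str      # internal interface address in CIDR form, e.g. "10.1.1.1/24"
    external: str      # external interface address in CIDR form


@dataclass
class Link:
    a: str                   # names of the two gateways
    b: str
    shares_identities: bool  # do they exchange identity data?
    nat_in_path: bool        # is there NAT between them?


def check_gateway(gw: Gateway) -> list:
    """Return a list of findings for one gateway; an empty list means it is consistent."""
    if gw.mode not in ("routing", "bridge"):
        return [f"{gw.name}: unknown mode {gw.mode!r}"]
    try:
        inner = ipaddress.ip_interface(gw.internal).network
        outer = ipaddress.ip_interface(gw.external).network
    except ValueError as exc:
        return [f"{gw.name}: bad interface address ({exc})"]
    if gw.mode == "routing" and inner.overlaps(outer):
        # IP routing mode: the two interfaces must be on different subnets/ranges.
        return [f"{gw.name}: routing mode needs distinct subnets, got {inner} and {outer}"]
    if gw.mode == "bridge" and inner != outer:
        # Transparent mode: the gateway is inline in one subnet.
        return [f"{gw.name}: bridge mode expects a single subnet, got {inner} and {outer}"]
    return []


def check_links(links: list) -> list:
    """Flag gateway pairs that share identity data across NAT (unsupported)."""
    return [f"{lk.a}<->{lk.b}: identity sharing across NAT is not supported"
            for lk in links if lk.shares_identities and lk.nat_in_path]


def validate_plan(gateways: list, links: list) -> list:
    """Run every check and return all findings for the plan."""
    findings = []
    for gw in gateways:
        findings += check_gateway(gw)
    return findings + check_links(links)
```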

Deploying a Test Environment

Best Practice - If you want to evaluate how Identity Awareness operates in a Security Gateway, we recommend that you deploy it in a simple environment. The recommended test setup below gives you the ability to test all identity sources and create an identity-based Policy.

The recommendation is to install 3 main components in the setup:

  1. User host (Windows)

  2. Check Point Security Gateway R75.20 or higher

  3. Microsoft Windows server with Active Directory, DNS and IIS (Web resource)

Deploy the Security Gateway in front of the protected resource, the Windows server that runs IIS (web server). The user host computer will access the protected resource via the Security Gateway.

Testing Identity Agents

Enable and configure Identity Agents, and configure Identity Agents self-provisioning through Captive Portal (see Identity Awareness Clients Administration Guide).

  1. Open a browser and connect to the web resource.

    You are redirected to the Captive Portal.

  2. Enter user credentials.

  3. Install the client as requested by the Captive Portal.

    When the client is installed, wait for an authentication pop-up and enter the user credentials through the client.

  4. Test connectivity.
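Steps 1 and 4 can be verified from the user host with a small probe that distinguishes the Captive Portal redirect (before authentication) from a successful hit on the IIS resource (after authentication). This is an added example, not part of the Check Point guide; the portal hostname and resource URL are constructed assumptions.

```python
"""Probe the protected web resource and report what the user host sees."""
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

PORTAL_HOST = "portal.example.test"                 # assumed Captive Portal hostname
RESOURCE_URL = "http://iis.example.test/"           # assumed protected IIS resource


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str], portal_host: str = PORTAL_HOST) -> str:
    """Map a status code and Location header to one of:
    'captive_portal'   - redirected to the Identity Awareness Captive Portal (step 1)
    'resource_reached' - the protected resource answered directly (step 4)
    'other_redirect'   - redirected somewhere that is not the portal
    'other'            - any other outcome (4xx, 5xx, timeouts reported by caller)
    """
    if 300 <= status < 400 and location:
        if urlsplit(location).hostname == portal_host:
            return "captive_portal"
        return "other_redirect"
    if status == 200:
        return "resource_reached"
    return "other"


def probe(url: str = RESOURCE_URL, portal_host: str = PORTAL_HOST) -> str:
    """Fetch url without following redirects and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=5) as resp:
            return classify(resp.status, resp.headers.get("Location"), portal_host)
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib reports 3xx (and 4xx/5xx) as HTTPError.
        return classify(err.code, err.headers.get("Location"), portal_host)
```

Run `probe()` before logging in and expect `captive_portal`; run it again after the Identity Agent has authenticated and expect `resource_reached`.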