Perimeter Identity Awareness Gateway
Security Challenge
The Security Gateway at the perimeter (the dedicated Check Point server that inspects traffic and enforces the Security Policy for the connected network resources) is the primary gate for all traffic that enters and leaves the corporate network. Users on internal networks access Internet resources and applications daily. Not all Internet applications and web sites are secure, and some are restricted by corporate policy. If you block all internal access, you hurt the productivity of employees who need that access as part of their daily work. You can control access to allowed applications with the Application Control blade (a Software Blade that gives granular control over specific web-enabled applications by using deep packet inspection; acronym: APPI). However, you need a more granular Access Control Policy that is based on user and computer identity.
Use Access Roles to configure an Identity Awareness policy (the Identity Awareness blade enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) together with Application Control, so that only the specified user groups get access to applications on the Internet.
Enable Identity Awareness on the perimeter Security Gateway.
Configuration Scenario
- Configure the Security Gateway at the perimeter in Routing Mode. Create a dedicated external interface to the ISP (the Internet) and an internal interface that points to the internal corporate network (LAN).
  Optional: You can create a separate internal interface that protects the DMZ servers.
- Make sure there are no NAT or Proxy servers between the gateway and your network. A NAT or Proxy device in the path hides the real source IP address that Identity Awareness uses to map traffic to a user or computer.
  Best Practice - We recommend that you use the Proxy server that is in the DMZ network.
- Make sure that the Security Gateway connects to the internal AD domain controllers.
- Make sure that users have access to the internal interface of the Security Gateway.
- Configure the Application Control blade.

Best Practice - If you have more than one perimeter Security Gateway that connects to the Internet, we recommend that you manage these Security Gateways with one Security Management Server.
Configuration Procedure
- Enable Identity Awareness and select the applicable identity sources.
- Create Access Roles that are based on Users and Computers. You can create multiple Access Roles that represent different departments, user and computer groups, and their location in the network.
- Add the Access Roles to the Source column of the applicable Firewall and Application Control rules.
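The following script is an added example, not Check Point's own code, that carries out steps 2 and 3 of the procedure through the Management Web API: it builds one Access Role per department (user group AND network location AND, optionally, computer group), then builds rules that place those roles in the Source column of an Access Control layer, ending with an explicit drop for everything else. The request bodies follow the shape of the documented `add-access-role` and `add-access-rule` calls, which is an assumption here; the management host, credentials, AD group names, network objects, application names and the layer name `Network` are placeholders you replace with your own objects.

```python
"""Added example: build and push Access Roles and identity-based access rules
through the Check Point Management Web API (POST https://<mgmt>/web_api/<cmd>).
Request shapes are assumed from the documented API; verify against the API
reference of your management server version."""
import json
import ssl
import urllib.request
from typing import Any, Optional, Union

# Constructed sample input: departments with their AD group, the network segment
# they are expected to be on, and the applications they may reach. All names are
# placeholders for objects that must already exist on the management server.
DEPARTMENTS = {
    "Finance": {"ad_group": "ad_group_Finance", "network": "Finance_LAN",
                "apps": ["Web Browsing", "Finance_SaaS_App"]},
    "Engineering": {"ad_group": "ad_group_Engineering", "network": "Eng_LAN",
                    "apps": ["Web Browsing", "Code_Hosting_App"]},
}


def build_access_role(name: str, ad_group: str, network: str,
                      machine_group: Optional[str] = None,
                      identity_source: str = "Active Directory") -> dict[str, Any]:
    """Body for add-access-role (procedure step 2).

    networks, users and machines are ANDed when the role is matched: the packet
    must come from the listed network AND from a user in the AD group AND, if a
    machine group is given, from a computer in that group. A known user on an
    unmanaged laptop in the wrong VLAN therefore does not match the role."""
    body: dict[str, Any] = {
        "name": name,
        "networks": [network],
        "users": [{"source": identity_source, "selection": [ad_group]}],
        "remote-access-clients": "any",
    }
    if machine_group is None:
        body["machines"] = "any"
    else:
        body["machines"] = [{"source": identity_source, "selection": [machine_group]}]
    return body


def build_access_rule(layer: str, name: str, source: Union[list[str], str],
                      service: Union[list[str], str], action: str = "Accept",
                      position: str = "bottom") -> dict[str, Any]:
    """Body for add-access-rule (procedure step 3): the Access Roles go in the
    Source column; applications or sites go in the Services & Applications
    column (the "service" field). Every rule is logged."""
    return {"layer": layer, "position": position, "name": name,
            "source": source, "destination": "Any", "service": service,
            "action": action, "track": {"type": "Log"}}


def build_plan(layer: str = "Network", departments: dict = DEPARTMENTS) -> dict[str, list]:
    """Per-department allow rules first, then a drop rule, so a user group that
    is not listed gets no Internet applications by default."""
    roles, rules = [], []
    for dept, spec in departments.items():
        role_name = f"AR_{dept}"
        roles.append(build_access_role(role_name, spec["ad_group"], spec["network"]))
        rules.append(build_access_rule(layer, f"Allow {dept} Internet apps",
                                       [role_name], spec["apps"]))
    rules.append(build_access_rule(layer, "Cleanup - drop the rest", "Any", "Any",
                                   action="Drop"))
    return {"roles": roles, "rules": rules}


def send_plan(mgmt_host: str, user: str, password: str, plan: dict[str, list]) -> None:
    """Log in, create the objects, publish, log out. The session id from login is
    returned in the X-chkp-sid header; TLS is verified with the default context."""
    ctx = ssl.create_default_context()

    def call(cmd: str, body: dict, sid: Optional[str] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"https://{mgmt_host}/web_api/{cmd}",
                                     data=json.dumps(body).encode(), headers=headers,
                                     method="POST")
        with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
            return json.loads(resp.read())

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        for role in plan["roles"]:
            call("add-access-role", role, sid)
        for rule in plan["rules"]:
            call("add-access-rule", rule, sid)
        call("publish", {}, sid)   # nothing is visible in SmartConsole until published
    finally:
        call("logout", {}, sid)


if __name__ == "__main__":
    # Dry run: print the request bodies instead of contacting a management server.
    print(json.dumps(build_plan(), indent=2))
```

Run it as-is to review the generated bodies; call `send_plan("<mgmt-host>", "<api-user>", "<password>", build_plan())` from your own script to push them. The drop rule at the bottom is deliberate: with Identity Awareness the interesting failure is not an unknown user but a known user on the wrong segment, and a rule base that ends in an explicit drop makes that case land in the logs instead of in an implicit cleanup rule.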
Sample diagram (image not reproduced here): topology for a small to medium corporate headquarters.