Identity Broker

Identity Broker is an identity sharing method between Policy Decision Points (PDP Gateways). A PDP Gateway is a Check Point Identity Awareness Security Gateway that acts as a Policy Decision Point: it acquires identities from identity sources and shares identities with other gateways. The Policy Decision Points can share identities across different management domains in a distributed environment with multiple Identity Awareness Security Gateways.

In a distributed environment with multiple Identity Awareness Security Gateways, you can use Identity Broker to propagate any received identity from one PDP Gateway to another. This helps to create more scalable and robust sharing hierarchies and topologies.

Identity Broker is a Web-API based functional part of the PDP instance. Identity Broker adds a new communication channel between PDPs.

The Identity Broker Solution

Identity Broker propagates identities between PDP Gateways. A PDP Gateway learns the Identities from the Identity Sources. This PDP Gateway performs the group membership query, calculates Access Roles, and then shares the identities to other PDP Gateways. This reduces the load on the PDP Gateways receiving the identities, identity sources, and/or User Directories.

The sharing can be performed between PDP Gateways managed by different Security Management Servers / Domain Management Servers.

Identity sharing between the Identity Brokers can be controlled through filters. You can:

  • Filter identities by network, user/machine name, domain, identity source, access roles, and distinguished name.

  • Share only local Identity sessions. When enabled, the PDP forwards only its own sessions, and not the sessions it learned from other PDPs.

The Identity Broker solution shares all the received identities by default. By applying filters, you can avoid sharing identities that are not required for other PDPs.

Terms and Descriptions

Publisher

A Security Gateway (a dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) defined to share identities with one or more Subscribers.

Subscriber

A Security Gateway defined to receive identities from one or more Publishers.

Identity Broker Communication

Identity Broker uses a Web API to communicate. Security Gateways share information in JSON format over HTTP POST requests.

Each Identity Broker node verifies the other:

  • The Publisher identifies the Subscriber by verifying the presented SSL Certificate.

  • The Subscriber identifies the Publisher by verifying a pre-shared secret key.

    [Figure: the Publisher PDP Security Gateway sends "Publish identity", "Delete identity" and "Update identity" messages to the Subscriber PDP Security Gateway over the new Identity Sharing method.]

Example Scenario

Logical topology (items in the figure):

  1 - Security Gateway #1

  2 - Security Gateway #2

  3 - A user on a computer behind the Security Gateway #1

  4 - Identity Source (for example, Active Directory)

  5 - A resource (for example, a server) behind the Security Gateway #2

General Flow of Events:

  1. The Security Gateway #1 is configured as an Identity Broker Publisher.

    It gets and learns the identity from the Identity Source (4), and shares it with the remote Security Gateway #2.

  2. The Security Gateway #2 is configured as an Identity Broker Subscriber.

    It gets the identities of the users from the remote Security Gateway #1.

  3. When the user connects to the resource (5), the Security Gateway #2 identifies the user and enforces identity-based rules.

  4. Optional: You can apply filters to control which identities the Security Gateway #1 publishes and to which identities the Security Gateway #2 subscribes.

  5. Optional: You can manage the Security Gateway #1 and Security Gateway #2 with different Management Servers.

Important - In addition to the topology configuration in the presented scenario, you can configure Security Gateway #2 as a Publisher and Security Gateway #1 as a Subscriber. That way, the two Security Gateways simultaneously send identities to and receive identities from each other. Each Broker Publisher to Broker Subscriber relation is independent, and does not change any other Publisher-Subscriber relationship.

Configuration File "identity_broker.C"

You configure the Identity Broker in the file called $FWDIR/conf/identity_broker.C that is located on the Security Gateway / each Cluster Member (a Security Gateway that is part of a cluster).

Important:

  • If this file does not exist, then create it manually in the Expert mode:

    ls -l $FWDIR/conf/identity_broker.C

    touch $FWDIR/conf/identity_broker.C

  • Each parameter you configure in this file must have a value inside the parentheses ":<parameter> (<value>)"

    If an optional parameter does not have a value, you must delete it from the file.

  • Before you edit this file, create a backup copy:

    cp -v $FWDIR/conf/identity_broker.C{,_BKP}

  • If you edit this file on Windows OS, then after you transfer it back to the Security Gateway / Cluster Member, you must convert this file from the DOS format to the UNIX format:

    dos2unix $FWDIR/conf/identity_broker.C

Templates for the "$FWDIR/conf/identity_broker.C" file

These are the example templates for the $FWDIR/conf/identity_broker.C file:

  • Security Gateway that works as a PDP Publisher

  • Security Gateway that works as a PDP Subscriber

  • Security Gateway that works as a PDP Publisher and as a PDP Subscriber

Configuring an Identity Broker

Identity Broker Filters

By default:

  • A Publisher sends all Identity Sessions to all its Subscribers.

  • A Subscriber receives all Identity Sessions from all its Publishers.

You can configure filters in the $FWDIR/conf/identity_broker.C file to control identity sharing between Identity Brokers.

On a Publisher, you can configure:

  • Global filters that apply to all identity sessions this Publisher sends to all Subscribers that are configured on this Publisher. Global filters take precedence over local filters.

  • Local filters that apply to identity sessions this Publisher sends to specific Subscribers that are configured on this Publisher.

On a Subscriber, you can configure:

  • Global filters that apply to all identity sessions this Subscriber receives from all Publishers that are configured on this Subscriber. Global filters take precedence over local filters.

  • Local filters that apply to identity sessions this Subscriber receives from specific Publishers that are configured on this Subscriber.

Best Practice - Configure a filter to control which Identity Sessions a Publisher sends to its Subscribers.

Configure the applicable local filters for specific subscribers, or configure the applicable global filters.

There are two types of filters: include filters and exclude filters.

Algorithm on the Security Gateway:

  1. Apply the "include" filter, if it is configured.

    "AND"

  2. Apply the "exclude" filter, if it is configured.

    When an exclude filter includes multiple statements, the Security Gateway performs a logical "OR" between these "exclude" statements.

Filters

See Global Filters (Optional) and Example of a Configured Identity Broker.

Global Filters (Optional)

Filters can be configured globally for Identity Brokers using the global_outgoing_filter and global_incoming_filter parameters:

Important - Global filters take precedence over local filters. For example, if you configure an outgoing global filter to exclude Identities from network 10.10.10.0/24 and configure a contradicting local filter to include and publish the 10.10.10.0/24 network identities, this network's identities are not published.

global_outgoing_filter - Specify global outgoing filters on the Publisher. These filters apply to all the identity sessions published to ALL the configured Subscribers.

global_incoming_filter - Specify global incoming filters on the Subscriber. These filters apply to all the identity sessions received from ALL the configured Publishers.
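The following is an added example, not Check Point code, that models the filter algorithm (include filter AND exclude filter, with logical OR between exclude statements) and the global-over-local precedence described above. The session field names, the AND between fields inside one statement, and the modelling of precedence as "global filter AND local filter" are assumptions for illustration.

```python
import ipaddress

# Constructed sample identity sessions (illustrative field names, not the
# product's own schema).
ALICE = {"ip": "10.10.10.25", "user": "alice", "domain": "corp.example",
         "identity_source": "AD", "access_roles": ["Finance"],
         "dn": "CN=alice,OU=Finance,DC=corp,DC=example"}
BOB = {"ip": "192.168.10.7", "user": "bob", "domain": "corp.example",
       "identity_source": "AD", "access_roles": ["IT"],
       "dn": "CN=bob,OU=IT,DC=corp,DC=example"}

def statement_matches(stmt, session):
    """One filter statement matches when every field it names matches the
    session (AND inside a statement is an assumption; the page only defines
    the OR between exclude statements)."""
    for field, wanted in stmt.items():
        if field == "network":
            if ipaddress.ip_address(session["ip"]) not in ipaddress.ip_network(wanted):
                return False
        elif field == "access_roles":
            if wanted not in session["access_roles"]:
                return False
        elif session.get(field) != wanted:
            return False
    return True

def filter_allows(session, include=None, exclude=None):
    """Step 1: the include filter, if configured, must match;
    AND step 2: the exclude filter, if configured, must not match.
    Multiple exclude statements are combined with logical OR."""
    if include and not any(statement_matches(s, session) for s in include):
        return False
    if exclude and any(statement_matches(s, session) for s in exclude):
        return False
    return True

def publisher_shares(session, global_filter, local_filter):
    """Global filters take precedence: a session the global filter drops cannot
    be re-included by a local filter (modelled as global AND local; assumption)."""
    return filter_allows(session, **global_filter) and filter_allows(session, **local_filter)

# The contradiction described above: a global exclude of 10.10.10.0/24 versus a
# local include of the same network. The global exclude wins.
GLOBAL_OUTGOING = {"exclude": [{"network": "10.10.10.0/24"}]}
LOCAL_OUTGOING = {"include": [{"network": "10.10.10.0/24"}]}
```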

Configuring Identity Filters

These are all the possible filter configuration templates.

Note - All fields are optional.

Important:

  • Each parameter you configure in this file must have a value inside the parentheses ":<parameter> (<value>)"

  • If an optional parameter does not have a value, you must delete it from the file.

Example of a Configured Identity Broker

Logical topology:

[Figure: Security Gateway #1 (10.10.10.1) and Security Gateway #2 (10.10.10.2) connect over the 10.10.10.x network to Security Gateway #3 (10.10.10.3 / 192.168.10.3), which connects over the 192.168.10.x network to Security Gateway #4 (192.168.10.4).]

Security Gateway #1

    Gets identities from these PDP Publishers: None

    Shares identities with these PDP Subscribers: Security Gateway #3 over 10.10.10.x

Security Gateway #2

    Gets identities from these PDP Publishers: None

    Shares identities with these PDP Subscribers: Security Gateway #3 over 10.10.10.x

Security Gateway #3

    Gets identities from these PDP Publishers: Security Gateway #1 over 10.10.10.x, Security Gateway #2 over 10.10.10.x

    Shares identities with these PDP Subscribers: Security Gateway #4 over 192.168.10.x

Security Gateway #4

    Gets identities from these PDP Publishers: Security Gateway #3 over 192.168.10.x

    Shares identities with these PDP Subscribers: None
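The four-gateway topology above, simulated as an added example (not Check Point code) to show how identities propagate through a Publisher that is also a Subscriber, and what the "share only local Identity sessions" option on Security Gateway #3 changes for Security Gateway #4. The class, the user names and the simplified message passing are constructed for illustration.

```python
class PdpGateway:
    """Minimal model of a PDP that can be a Publisher, a Subscriber, or both."""

    def __init__(self, name, share_only_local=False):
        self.name = name
        self.share_only_local = share_only_local
        self.subscribers = []      # PdpGateways this Publisher sends to
        self.sessions = {}         # user -> name of the PDP that learned the identity

    def learn_from_source(self, user):
        """Identity learned directly from an Identity Source (e.g. AD): a local session."""
        self.sessions[user] = self.name
        self.publish(user)

    def publish(self, user):
        origin = self.sessions[user]
        # "Share only local Identity sessions": forward only this PDP's own
        # sessions, not the sessions it learned from other PDPs.
        if self.share_only_local and origin != self.name:
            return
        for sub in self.subscribers:
            sub.receive(user, origin)

    def receive(self, user, origin):
        if user in self.sessions:
            return                 # already known; stops re-publishing loops
        self.sessions[user] = origin
        self.publish(user)         # a Subscriber that is also a Publisher forwards onward


def build_topology(sg3_share_only_local):
    """SG1 and SG2 publish to SG3; SG3 publishes to SG4 (the table above)."""
    sg1, sg2 = PdpGateway("SG1"), PdpGateway("SG2")
    sg3 = PdpGateway("SG3", share_only_local=sg3_share_only_local)
    sg4 = PdpGateway("SG4")
    sg1.subscribers.append(sg3)
    sg2.subscribers.append(sg3)
    sg3.subscribers.append(sg4)
    return sg1, sg2, sg3, sg4


def users_known_by_sg4(sg3_share_only_local):
    """Constructed sample identities: alice via SG1, bob via SG2, carol via SG3."""
    sg1, sg2, sg3, sg4 = build_topology(sg3_share_only_local)
    sg1.learn_from_source("alice")
    sg2.learn_from_source("bob")
    sg3.learn_from_source("carol")
    return sorted(sg4.sessions)
```

With the default setting SG4 learns all three users through SG3; with "share only local" enabled on SG3, SG4 learns only the session SG3 acquired itself.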

CLI Commands

You can use the "pdp broker <commands>" commands to monitor and inspect the Identity Broker.

For full syntax and description of all the available CLI commands, see Command Line Reference.