Getting Identities with Identity Agents
Scenario
The ACME organization wants to make sure that only the Finance department can access the Finance Web server. The current Rule Base uses static IP addresses to give the Finance department access.
Amy, the IT administrator, wants to use Identity Agents so that:
- Finance users are authenticated automatically and only once with SSO when they log in (through Kerberos, which is built into Microsoft Active Directory).
- Users who roam the organization have continuous access to the Finance Web server.
- Access to the Finance Web server is more secure because IP spoofing attempts are prevented.
Amy wants Finance users to download the Identity Agent from the Captive Portal. She needs to configure:
- Identity Agents as an identity source for Identity Awareness.
- The Identity Agent environment for the Finance department group from the Captive Portal. She needs to configure the Full Identity Agent so that she can enable IP spoofing protection. No configuration is necessary on the client for IP spoofing protection.
- A rule in the Rule Base with an Access Role for Finance users, from all managed computers and from all locations, with IP spoofing protection enabled.
After configuration and policy install, users who browse to the Finance Web server get the Captive Portal and can download the Identity Agent.
User Experience
A Finance department user does this:
- Browses to the Finance Web server. The Captive Portal opens because the user is not identified and cannot access the server. A link to download the Identity Agent is shown.
- Clicks the link to download the Identity Agent. The user automatically connects to the Security Gateway. A window opens asking the user to trust the server.
  Note - The trust window opens because the user connects to the Identity Awareness Gateway with the File name based server discovery option. There are other server discovery methods in which user trust confirmation is not necessary (see the Identity Awareness Clients Administration Guide).
- Clicks OK. The user automatically connects to the Finance Web server. The user can successfully browse to the internet for a specified time.
Necessary SmartConsole Configuration
To make this scenario work, the IT administrator must:
- Enable the Identity Awareness Software Blade on a Security Gateway.
- Select Identity Agents and Browser-Based Authentication as Identity Sources.
- Click the Browser-Based Authentication Settings button.
- In the Portal Settings window, in the Users Access section, select Name and password login.
- In Identity Agent Deployment from the Portal, select Require users to download and select the Identity Agent - Full option.
  Note - This configures the Identity Agent for all users. Alternatively, you can set Identity Agent download for a specific group (see the Identity Awareness Clients Administration Guide).
- Configure Kerberos SSO.
- Create a rule in the Firewall Rule Base that lets only Finance department users access the Finance Web server:
  - In the Source column of the rule, right-click to create an Access Role.
  - Enter a Name for the Access Role.
  - In the Networks tab, select Any network, so that the rule applies from all locations.
  - In the Users tab, select Specific users and add the Active Directory Finance user group.
  - In the Machines tab, select All identified machines and select Enforce IP spoofing protection (requires Full Identity Agent).
  - Click OK. The Access Role is added to the Source of the rule.
- Install the Access Control Policy.
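The rule above only works as intended because the three Access Role dimensions (network, user group, identified machine) are combined with AND, and because the IP spoofing check refuses packets whose source IP belongs to an identified user but which did not come from that user's Full agent. The following added example (not Check Point code) models that matching logic so you can see which packets the rule accepts and why the others are dropped. The session table, the packet dictionaries and the per-session "tag" that stands in for the Full Identity Agent's IP spoofing protection are assumptions for illustration only; the real gateway data structures are not described on this page.

```python
"""Simplified model of how the Access Role in this scenario is matched.

Added example; this is not Check Point code. The session table, the packet
dictionaries and the per-session "tag" that stands in for the Full Identity
Agent's IP spoofing protection are assumptions for illustration only.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

FINANCE_WEB = "10.1.50.10"

# Constructed identity table: what the gateway has learned from the agents.
# ip -> user, AD groups, machine, agent type, per-session key (Full agent only)
SESSIONS = {
    "10.1.10.21": {"user": "alice", "groups": {"Finance", "Domain Users"},
                   "machine": "FIN-PC-01", "agent": "full", "key": b"k-alice"},
    "10.1.10.22": {"user": "bob", "groups": {"Engineering"},
                   "machine": "ENG-PC-07", "agent": "full", "key": b"k-bob"},
    "10.1.10.23": {"user": "carol", "groups": {"Finance"},
                   "machine": "FIN-PC-02", "agent": "light", "key": None},
}


@dataclass
class AccessRole:
    """The tabs of the Access Role object used in the scenario."""
    networks: str = "any"                     # Networks tab: Any network
    users: set = field(default_factory=set)   # Users tab: specific AD groups
    machines: str = "all identified"          # Machines tab
    enforce_ip_spoofing: bool = False         # Enforce IP spoofing protection


FINANCE_ROLE = AccessRole(users={"Finance"}, enforce_ip_spoofing=True)


def tag_packet(src_ip: str, key: bytes) -> str:
    """Assumed model of the tag a Full agent adds so the gateway can check that
    the packet really comes from the identified host and not a spoofed source."""
    return hmac.new(key, src_ip.encode(), hashlib.sha256).hexdigest()[:16]


def packet(src: str, dst: str, tagged: bool = False) -> dict:
    """Build a constructed packet; a tag is only possible with the session key."""
    pkt = {"src": src, "dst": dst}
    sess = SESSIONS.get(src)
    if tagged and sess and sess["key"]:
        pkt["tag"] = tag_packet(src, sess["key"])
    return pkt


def match_access_role(role: AccessRole, pkt: dict):
    """Return (matched, reason). Every dimension must match (AND)."""
    sess = SESSIONS.get(pkt["src"])
    if sess is None:
        return False, "source not identified"
    if role.users and not (sess["groups"] & role.users):
        return False, f"{sess['user']} is not in {sorted(role.users)}"
    if role.machines == "all identified" and not sess.get("machine"):
        return False, "machine not identified"
    if role.enforce_ip_spoofing:
        if sess["agent"] != "full":
            return False, "IP spoofing protection needs the Full Identity Agent"
        expected = tag_packet(pkt["src"], sess["key"])
        if not hmac.compare_digest(expected, pkt.get("tag", "")):
            return False, "packet tag mismatch: possible IP spoofing"
    return True, sess["user"]


def evaluate_rule(role: AccessRole, pkt: dict) -> str:
    """Single rule: Source = Access Role, Destination = Finance Web server."""
    if pkt["dst"] != FINANCE_WEB:
        return "no match"
    matched, _ = match_access_role(role, pkt)
    return "accept" if matched else "drop"


def roam(user: str, new_ip: str) -> None:
    """The agent re-reports the user on a new IP, so the rule keeps matching."""
    for ip, sess in list(SESSIONS.items()):
        if sess["user"] == user:
            SESSIONS[new_ip] = SESSIONS.pop(ip)
            return
    raise KeyError(user)


if __name__ == "__main__":
    print(evaluate_rule(FINANCE_ROLE, packet("10.1.10.21", FINANCE_WEB, tagged=True)))
    # An attacker borrowing alice's IP has no session key, so no valid tag.
    print(match_access_role(FINANCE_ROLE, packet("10.1.10.21", FINANCE_WEB)))
    # Without the spoofing check the same borrowed address would be accepted.
    print(evaluate_rule(AccessRole(users={"Finance"}), packet("10.1.10.21", FINANCE_WEB)))
    print(match_access_role(FINANCE_ROLE, packet("10.1.10.22", FINANCE_WEB, tagged=True)))
    print(match_access_role(FINANCE_ROLE, packet("10.1.10.23", FINANCE_WEB, tagged=True)))
    roam("alice", "10.1.20.5")
    print(evaluate_rule(FINANCE_ROLE, packet("10.1.20.5", FINANCE_WEB, tagged=True)))
```

The third call in the usage block is the one to note: with an Access Role that does not enforce IP spoofing protection, a packet carrying an identified user's source address is accepted no matter which host sent it, which is exactly the gap the Full Identity Agent requirement closes.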
Other options for Configuring Identity Agents
- A method that determines how Identity Agents connect to an Identity Awareness Gateway and trust it (see the Identity Awareness Clients Administration Guide). In this scenario, the File Name server discovery method is used.
- Access Roles to leverage computer awareness (see Creating Access Roles).
- End user interface protection, so that users cannot access the client settings.
- Letting users defer client installation for a set time and asking for user agreement confirmation.
You can also configure what users can do in the Captive Portal to become identified and get access to the network:
- Name and password login - Users must enter a current username and password. Only known users can authenticate.
- Unregistered guests login - Unauthenticated guests get access to the network after they enter the necessary data.
User Identification in the Logs
The log in the Logs & Monitor > Logs tab shows how the system recognizes a user.
The log entry shows that the system maps the source IP address to the user identity. For a user who logged in through the Captive Portal with Unregistered guests login, the identity is "guest", because that is how the user is identified in the Captive Portal.
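Because the log is the record of which identity the gateway attached to each source IP, it is also where to look for addresses that resolve to more than one identity. The following added example (not from this page or from Check Point) builds that IP-to-identity map from a few constructed Identity Awareness-style log lines and flags conflicting addresses. The semicolon-separated key:value format and the field names (src, user, identity_type, auth_method, src_machine_name) are constructed for illustration; match them to the fields your log export actually produces.

```python
"""Map source IP to identity from Identity Awareness-style log lines and flag
IPs that resolve to more than one identity.

Added example, not from the page. The semicolon-separated key:value format and
the field names below are constructed for illustration; match them to the
fields your log export actually produces.
"""
from collections import defaultdict

# Constructed sample log lines (not real gateway output).
SAMPLE_LOGS = [
    "time:2024-05-02T09:00:01; product:Identity Awareness; action:Login; "
    "src:10.1.10.21; user:alice; src_machine_name:FIN-PC-01; "
    "identity_type:Identity Agent; auth_method:Kerberos SSO",
    "time:2024-05-02T09:00:05; product:Identity Awareness; action:Login; "
    "src:10.1.10.40; user:guest; identity_type:Captive Portal; "
    "auth_method:Unregistered guest",
    "time:2024-05-02T09:02:10; product:Identity Awareness; action:Login; "
    "src:10.1.10.21; user:mallory; identity_type:Captive Portal; "
    "auth_method:Name and password",
    "time:2024-05-02T09:03:00; product:Identity Awareness; action:Logout; "
    "src:10.1.10.40; user:guest; identity_type:Captive Portal",
]


def parse_line(line: str) -> dict:
    """Split 'key:value; key:value' into a dict; values may themselves contain ':'."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def identity_map(lines):
    """ip -> ordered list of (time, user, identity_type, action) for IA events."""
    by_ip = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("product") != "Identity Awareness" or "src" not in rec:
            continue
        by_ip[rec["src"]].append(
            (rec.get("time"), rec.get("user"), rec.get("identity_type"), rec.get("action")))
    return dict(by_ip)


def classify(rec: dict) -> str:
    """'guest' identities come from Unregistered guests login; everything else is a named user."""
    return "guest" if rec.get("user") == "guest" else "named"


def find_ip_conflicts(lines):
    """IPs with logins for more than one distinct user. Shared workstation, NAT,
    or someone borrowing an identified user's address: worth a look either way."""
    users_per_ip = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec.get("action") == "Login" and rec.get("user") and "src" in rec:
            users_per_ip[rec["src"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in users_per_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for ip, events in identity_map(SAMPLE_LOGS).items():
        print(ip, events)
    print("conflicts:", find_ip_conflicts(SAMPLE_LOGS))
```

A conflict like the one on 10.1.10.21 in the sample data does not prove spoofing on its own, but with IP spoofing protection enforced on the Access Role it is the kind of entry you would cross-check against the Finance Web server rule's drop logs.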