Implementation Guide for protecting CheckPoint Firewall-1 / VPN-1 with BlackShield ID


Copyright 2009 CRYPTOCard Inc. http://www.cryptocard.com

Copyright

Copyright 2009, CRYPTOCard. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date              Changes                 Version
January 26, 2009  Document created        1.0
July 9, 2009      Copyright year updated  1.1

BlackShield ID implementation guide for CheckPoint Firewall-1/VPN-1 i

Table of Contents

Overview
Applicability
Assumptions
Operation
Preparation and Prerequisites
Configuration
Defining the RADIUS server object
Defining the RADIUS Server
Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption
Creating an Authentication Group (VPN-1)
Adding CRYPTOCard Users in FireWall-1 / VPN-1
Configuring a Generic User Entry
Creating a FireWall-1 / VPN-1 Rule Set
Troubleshooting
Failed Logons
Additional information

Overview

By default, CheckPoint VPN connections require that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the instructions below.

Applicability

This integration guide is applicable to:

Security Partner Information
Security Partner  Product Name and Version  Protection Category
CheckPoint        Firewall-1 / VPN-1        Remote Access

CRYPTOCard Server
Authentication Server  Version
BlackShield ID         Small Business Edition 1.2+, Professional Edition 2.3+

Assumptions

BlackShield ID has been installed and configured, and a test user account can be selected in the Assignment tab. No further configuration is required to allow a user to use their token with this solution.

Operation

The CheckPoint Firewall-1 or VPN-1 server sends all RADIUS authentication requests to the BlackShield ID server. The BlackShield ID server then returns a message that either allows or rejects the connection.

Preparation and Prerequisites

1. RADIUS server installed, e.g. Microsoft Internet Authentication Service (IAS).
2. Appropriate BlackShield ID plug-in installed on the RADIUS server.

Configuration

Defining the RADIUS server object

1. Log in to the CheckPoint management console. Refer to the CheckPoint documentation for instructions on performing this step.
2. From the CheckPoint SmartDashboard, select Manage > Network Objects.
3. Click New, select Node, and then click Host.
4. Under General Properties, enter the Host Node Properties:
   a) Name
   b) IP Address of the Microsoft IAS server
   c) Comment
   d) Color
5. Click OK, then Close.

Defining the RADIUS Server

Once the network object has been created, define a RADIUS server object that refers to it.

1. From the Check Point SmartDashboard, select Manage > Servers.
2. Define your RADIUS Server Properties:
   a) Name
   b) Comment
   c) Color
   d) Host (this should be the Host Node you defined in the previous section)
   e) Service (NEW-RADIUS should be selected)
   f) Shared Secret
   g) Version

   NOTE: The Shared Secret entered above must match the Shared Secret that is defined on the RADIUS server. When choosing your RADIUS protocol version, select RADIUS Version 2.0.

3. Click OK, and then Close.
4. Click the Policy menu, then click Install.

Applying RADIUS Authentication

1. From the Check Point SmartDashboard, click Manage > Network Objects.
2. Select the FireWall-1 / VPN-1 object (in this case it's win2k-8) and click Edit.

3. Under General Properties, select Authentication, then verify that the boxes to the left of VPN-1 & FireWall-1 Password and RADIUS are checked.

Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption

The following steps allow SecuRemote end users to download the VPN-1 topology from the firewall, and to encrypt connections to the inside network.

1. From the FireWall-1 / VPN-1 network object, under General Properties, choose VPN.
2. Select your VPN Community (RemoteAccess).
3. Click Traditional mode configuration.

1. Ensure that the box next to Exportable for SecuRemote/SecureClient is checked.
   Note: If the FireWall-1 is already in the Remote Access community, this check box is checked and cannot be unchecked.
2. In the VPN section under General Properties, verify that a certificate exists in the Certificate List.

3. Verify that Hybrid Mode authentication has been enabled: select Policy > Global Policy > Remote Access > VPN Basic.
4. Under Support authentication methods, verify that Hybrid Mode is checked.

Creating an Authentication Group (VPN-1)

1. From the Manage menu, select Users and Administrators, then click New and select Group. This group will be used to reference all users being authenticated by BlackShield ID.
2. In the Group Properties box, enter the:
   a) Name
   b) Comment
   c) Color
3. Click OK.

Adding CRYPTOCard Users in FireWall-1 / VPN-1

CRYPTOCard token users can be configured to use RADIUS authentication in one of two ways on FireWall-1 / VPN-1. Each CRYPTOCard token user can be added to the FireWall-1 / VPN-1 database individually, or a generic user entry can be configured. Use the method that best meets your network authentication requirements.

1. In the Check Point SmartDashboard, select Manage > Users and Administrators. Click New, then Template.
2. In the User Template Properties dialog box, under the General tab, define the Login Name (see the screenshot example on the next page).
3. Click the Personal tab to define the Expiration Date, Comment, and Color.

4. Click the Groups tab.
5. Select the SecuRemote group created previously and click the Add button.
6. Click the Authentication tab and define the Authentication Scheme as RADIUS.
7. Select the RADIUS Server you created in the previous section.
8. Click the Location tab and Time tab to define these settings as per your network security policy.

9. Select the Encryption tab and check the box to the left of IKE.
10. Click the Edit button to configure the IKE Encryption settings.
11. Select the Encryption tab to validate the Encryption Algorithm.
12. Click the Install button to add the user to the FireWall-1 user database.
13. Close the Users and Administrators dialog box.

Configuring a Generic User Entry

1. From the Users and Administrators window, click New > External User Profile, then choose Match all users.
2. In the External User Profile Properties window, select the Groups tab, then add the appropriate Group.

3. On the Authentication tab, choose RADIUS as the Authentication Scheme, then select the RADIUS Server.
4. Select the Encryption tab and place a checkmark in IKE.

Creating a FireWall-1 / VPN-1 Rule Set

Below is an example of two simple rule sets that will require users to authenticate with CRYPTOCard tokens. Configure the rule sets as per your network requirements.

Troubleshooting

Failed Logons

Symptom: Authentication using the VPN client is rejected.

Possible causes:
1. Verify that the shared secret is correct on both the RADIUS server and the Checkpoint Firewall-1 / VPN-1.
2. Ensure that the BlackShield IAS/NPS Agent has been installed and configured properly.
3. Verify that the token is in sync with BlackShield ID.

Additional information

For additional information, please visit http://www.cryptocard.com
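The Operation section describes the RADIUS exchange between the firewall and the BlackShield ID server, and the troubleshooting list names a mismatched shared secret as a cause of rejected logons. The following Python sketch is an added example, not code from the CRYPTOCard guide: it builds an RFC 2865 Access-Request carrying a one-time password in the User-Password attribute, recovers the password the way the RADIUS server does, and checks the Response Authenticator of the reply, so that both ways a wrong shared secret turns into a rejected logon can be seen offline. The shared secret, user name and OTP are constructed placeholder values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; not taken from the guide or any real deployment.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(atype, value):
    # RADIUS attribute TLV: type, length (2-byte header included), value.
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_xor(data, secret, req_auth, decrypt):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block),
    # the first block keyed by the Request Authenticator; the chain runs over ciphertext.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block
    return out

def hide_password(password, secret, req_auth):
    # NAS side (the firewall): pad the OTP to a 16-byte multiple and obscure it.
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, False)

def recover_password(hidden, secret, req_auth):
    # Server side (IAS with the BlackShield agent): a wrong secret yields garbage, so the OTP check fails.
    return _password_xor(hidden, secret, req_auth, True).rstrip(b"\x00")

def build_access_request(ident, username, otp, secret, req_auth):
    # Access-Request (code 1): 4-byte header, 16-byte Request Authenticator, attributes.
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, req_auth, secret):
    # The firewall's check before trusting an Access-Accept: a reply signed with a
    # different shared secret fails here and the connection is not allowed.
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hmac.compare_digest(hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth)
```

In a real deployment the Request Authenticator must be fresh random bytes per request; the fixed value used in the checks below is only there to make the example reproducible.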