DIGIPASS Authentication For Check Point VPN-1 - ETruServe


DIGIPASS Authentication for Check Point VPN-1
With VASCO VACMAN Middleware 3.0

Integration Guideline

DIGIPASS Authentication for Check Point VPN-1 - Integration Guideline V1.0 2007 VASCO Data Security. All rights reserved. Page 1 of 51

Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

This Report is provided on an 'as is' basis, without any other warranties, or conditions.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright 2007 VASCO Data Security. All rights reserved.

Table of Contents

DIGIPASS Authentication for Check Point VPN-1 . 1
Disclaimer . 2
Table of Contents . 3
1 Overview . 6
2 Problem Description . 6
3 Solution . 6
4 Technical Concept . 7
  4.1 General overview . 7
  4.2 Check Point VPN-1 prerequisites . 7
  4.3 VACMAN Middleware Prerequisites . 7
5 VPN-1 Configuration . 8
  5.1 General configuration . 8
    5.1.1 RADIUS Configuration . 8
    5.1.2 User Configuration . 11
    5.1.3 Usergroup Configuration . 12
    5.1.4 Change Server Configuration . 13
  5.2 VPN Authentication . 14
  5.3 Firewall Authentication . 15
  5.4 Apply Changes . 23
6 VACMAN Middleware . 25
  6.1 Policy configuration . 25
  6.2 Component configuration . 27
7 User configuration . 28
  7.1 ODBC installation . 28
    7.1.1 User creation . 28
    7.1.2 Import DIGIPASS . 30
    7.1.3 DIGIPASS Assignment . 32
  7.2 Active Directory installation . 34
    7.2.1 User creation . 34
    7.2.2 Import DIGIPASS . 36
    7.2.3 DIGIPASS assignment . 38
8 VPN-1 test . 40
  8.1 SSL/VPN Authentication . 40
    8.1.1 Response Only . 40
    8.1.2 Challenge / Response . 41
  8.2 Firewall Authentication . 43
    8.2.1 Response Only . 43
    8.2.2 Challenge / Response . 46
9 VACMAN Middleware features . 47
  9.1 Installation . 47
    9.1.1 Support for Windows 2000, 2003, IIS5 and IIS6 . 47
    9.1.2 Support for ODBC databases and Active Directory . 47
  9.2 Deployment . 47
    9.2.1 Dynamic User Registration (DUR) . 47
    9.2.2 Autolearn Passwords . 47
    9.2.3 Stored Password Proxy . 47
    9.2.4 Authentication Methods . 47
    9.2.5 Policies . 48
    9.2.6 DIGIPASS Self Assign . 48
    9.2.7 DIGIPASS Auto Assign . 48
    9.2.8 Grace Period . 48
    9.2.9 Virtual DIGIPASS . 48
  9.3 Administration . 49
    9.3.1 Active Directory Users and Computers Extensions . 49
    9.3.2 Administration MMC Interface . 49
    9.3.3 User Self Management Web Site . 50
    9.3.4 Delegated administration . 50
    9.3.5 Granular access rights . 50
10 About VASCO Data Security . 51

1 Overview

The purpose of this document is to demonstrate how to configure VACMAN Middleware 3.0 (VM) to work with Check Point VPN-1 based devices. Authentication is arranged in one central place, where it can be used in a regular VPN or SSL/VPN connection or through the firewall rules that can request user authentication.

2 Problem Description

The basic working of VPN-1 is based on authentication to an existing medium (LDAP, RADIUS, local authentication). To use the VACMAN Middleware with VPN-1, the external authentication settings need to be changed or added manually.

3 Solution

After configuring VACMAN Middleware and VPN-1 in the right way, you eliminate the weakest link in any security infrastructure – the use of static passwords – that are easily stolen, guessed, reused or shared.

In this integration guide we will make use of a VPN-1 UTM installation. This combines a firewall, an IPSec or SSL/VPN and a UTM suite in one. For authentication, we focused on the SSL/VPN and the firewall part.

Figure 1: Solution (network diagram; its labels are listed here)
- VACMAN Middleware: IP 10.0.10.10, Port 1812, Shared Secret: vasco
- Check Point VPN-1 UTM: External Host checkpoint.vpn-1.utm, External IP 62.58.226.10, Internal IP 10.0.10.100
- Networks: 62.58.226.0/24 and 10.0.10.0/24
- Domain Controller / DNS server / Active Directory: Domain labs.vasco.com, IP 10.0.10.10
- Web Server: IP 10.0.10.10, URL cp.labs.vasco.com

4 Technical Concept

4.1 General overview

The main goal of the VPN-1 is to perform authentication to secure all kinds of VPN and firewall connections. As the VPN-1 can perform authentication to an external service using the RADIUS protocol, we will place the VACMAN Middleware as back-end service, to secure the authentication with our proven VACMAN Middleware software.

4.2 Check Point VPN-1 prerequisites

Please make sure you have a working setup of a VPN-1. It is very important this is working correctly before you start implementing the authentication to the VM.

At this time this is the list of products that are supported to use authentication and can be managed with SmartCenter:
- VPN-1 UTM
- VPN-1 UTM Power
- VPN-1 Power
- VPN-1 Power VSX
- VPN-1 UTM Edge
- Safe@Office

These also have a stand-alone management tool. The products mentioned above are each available for different platforms. The SmartCenter is available for Windows 98/ME/2000/XP/2003 and Solaris.

4.3 VACMAN Middleware Prerequisites

In this guide we assume you already have VACMAN Middleware 3.0 (VM) installed and working. If this is not the case, make sure you get VM working before installing any other features.

5 VPN-1 Configuration

5.1 General configuration

In this chapter you will learn how to configure an external RADIUS authentication server, our VACMAN Middleware. This server will then be used in different applications.

When talking about the tabs in the left window, we refer to this tab bar:

Network Objects | Services | Resources | Servers - OPSEC | Users | VPN Communities

5.1.1 RADIUS Configuration

Let's start with creating the RADIUS configuration in the SmartDashboard. Open SmartDashboard and on the tabs in the left window select the Servers and OPSEC Applications tab. Right-click Servers and select RADIUS.

Figure 2: RADIUS Configuration (1)

We will create an external RADIUS server. To do that, we will first create a host where the VACMAN Middleware is located. Click the New button behind the Host field.

Figure 3: RADIUS Configuration (2)

Type in a name and the IP address where the VACMAN Middleware is installed. If you type in a resolvable hostname (FQDN or NetBIOS) you can click the Get address button to resolve the hostname to the IP address. When done, click OK.

Figure 4: RADIUS Configuration (3)

Back in the first screen, your host will now be filled in automatically with the one you just created. Enter a Name and Shared Secret.

RADIUS version 2.0 is necessary to enable all features for VACMAN Middleware, e.g.:
- PIN change (Password = PIN OTP NewPIN NewPIN)
- passwords larger than 16 characters

Passwords larger than 16 characters are cut off after the 16th character if RADIUS version 1.0 is used.

As Service, it depends on which port you installed VACMAN Middleware on:
- 1812: NEW-RADIUS
- 1645: RADIUS

Figure 5: RADIUS Configuration (4)

Click OK when finished. You will now see the RADIUS server in the list. You can still edit this server by right-clicking the object and selecting Edit. The host you created can be found in the Network Objects tab, under Nodes.
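The RADIUS exchange behind this section, as an added example that is not part of the VASCO guide: a Python model of how a RADIUS client such as the VPN-1 hides the User-Password attribute with the shared secret (RFC 2865, section 5.2) and how the RADIUS server (here the VACMAN Middleware) recovers it. Passwords are processed in 16-byte blocks, so a PIN plus OTP plus new PIN plus new PIN, or any password over 16 characters, needs a second block. The user name "jdoe", the PIN/OTP values and the Request Authenticator are constructed sample data; the shared secret "vasco" is the one from Figure 1. The max_blocks parameter is an assumption added only to illustrate what a 16-character cut-off looks like on the server side; it does not claim to reproduce how RADIUS version 1.0 is implemented in the VPN-1.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 hides User-Password in 16-byte blocks keyed by MD5(secret + previous block)


def hide_password(password: bytes, secret: bytes, authenticator: bytes, max_blocks=None) -> bytes:
    """Client side: RFC 2865 section 5.2 User-Password hiding.

    max_blocks is NOT part of the RFC. It models a client that only encodes the
    first n blocks, which is what a cut-off after 16 characters looks like on the wire.
    """
    padded = password + b"\x00" * (-len(password) % BLOCK)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    if max_blocks is not None:
        blocks = blocks[:max_blocks]
    hidden, prev = b"", authenticator
    for block in blocks:
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, key))
        hidden += cipher
        prev = cipher  # chaining: the next block is keyed by the previous cipher block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and drop the NUL padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        cipher = hidden[i:i + BLOCK]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher, key))
        prev = cipher
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes = None, max_blocks=None) -> bytes:
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, authenticator, max_blocks))
    length = 20 + len(attrs)  # header is code, identifier, length, authenticator
    return bytes([1, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """What the RADIUS server recovers: (user name, password as the client sent it)."""
    assert packet[0] == 1, "not an Access-Request"
    length = int.from_bytes(packet[2:4], "big")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs[1].decode(), reveal_password(attrs[2], secret, authenticator)


def server_sees(password: bytes, max_blocks=None) -> bytes:
    """Constructed scenario with the shared secret from Figure 1 and a constructed user 'jdoe'."""
    secret = b"vasco"
    packet = build_access_request(7, b"jdoe", password, secret, max_blocks=max_blocks)
    return parse_access_request(packet, secret)[1]


if __name__ == "__main__":
    login = b"1234" + b"567890"                       # PIN + OTP: fits in one block
    pin_change = b"1234" + b"567890" + b"4321" + b"4321"  # PIN OTP NewPIN NewPIN: 18 characters
    print(server_sees(login))                          # full password arrives
    print(server_sees(pin_change))                     # full password arrives (two blocks)
    print(server_sees(pin_change, max_blocks=1))       # only the first 16 characters arrive
```

With a single block the server receives "1234567890432143" and never sees the second copy of the new PIN, so a PIN change cannot succeed; that is the practical meaning of the 16-character limit mentioned above, and why the guide requires RADIUS version 2.0 on the VPN-1 side.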

5.1.2 User Configuration

We will now create a method so users will be authenticated through the newly created RADIUS server. Go to the Users tab, right-click External User Profiles and select New External User Profile > Match all users.

Figure 6: User Configuration (1)

On the Authentication tab, select RADIUS as Authentication Scheme. As RADIUS server select the newly created RADIUS server pointing to VACMAN Middleware.

Figure 7: User Configuration (2)

Figure 8: User Configuration (3)

5.1.3 Usergroup Configuration

We will now create a group for the generic* RADIUS user to work with. Only groups can be used in the rules to allow access.

In the same Users tab, right-click User Groups and select New Group.

Figure 9: Usergroup Configuration (1)

Fill in the RADIUS Group Name and move the generic* RADIUS user to the In Group list.

Figure 10: Usergroup Configuration (2)

5.1.4 Change Server Configuration

To make sure the VPN-1 server is configured correctly for RADIUS authentication we will check its general configuration in the following steps.

Go to the Network Objects tab and select your VPN-1 server from the Check Point list. Right-click your server and select Edit.

Figure 11: Change Server Configuration (1)

In this case we only want to allow users to make a VPN connection when they verify themselves with a One Time Password to our VACMAN Middleware.

Go to Remote Access > Office Mode, select Offer office mode to group: and select the RADIUS group you recently created.

Figure 12: Change Server Configuration (2)

5.2 VPN Authentication

In this chapter we will show you how to use the RADIUS authentication to make an SSL/VPN connection.

Go to the VPN Communities tab, right-click Remote Access > RemoteAccess and select Edit.

Figure 13: VPN Authentication (1)

Select the Participant User Group and add the RADIUS group to this list.

Figure 14: VPN Authentication (2)

5.3 Firewall Authentication

In this chapter we will show you how to protect a firewall rule by using the external RADIUS server and so require the use of OTPs.

First, make sure you are in the Firewall (Security) tab (1). Select one of the rules you see in the list. Then, click the button to add a firewall rule below the current one (2). A new rule will appear, with an empty Name field. Double-click the empty Name field.

Figure 15: Firewall Authentication (1)

Give the new rule a Name and click OK.

Figure 16: Firewall Authentication (2)

In the Source field, we will enter the group that has access to the website we will be publishing. Right-click this field and choose Add User Access.

Figure 17: Firewall Authentication (3)

Select the RADIUS group you created earlier, check the No restriction option and click OK.

Figure 18: Firewall Authentication (4)

For the Destination, right-click the field and choose Add.

Figure 19: Firewall Authentication (5)

If the server that hosts your website is not in the list, click the New button and select Node > Host.

Figure 20: Firewall Authentication (6)

Fill in the Name and the IP Address. If the Name is an FQDN or NetBIOS host, you can click the Get address button to resolve the IP Address. When done, click OK.

Figure 21: Firewall Authentication (7)

You will now find the newly created host in the list; select it and click OK.

Figure 22: Firewall Authentication (8)

There are only three services supported for user authentication: HTTP, FTP and Telnet. In this firewall rule we only want to allow HTTP traffic. Right-click the Service field and select Add.

Figure 23: Firewall Authentication (9)

Choose http from the list and click OK.

Figure 24: Firewall Authentication (10)

To request user authentication, right-click the Action field and select Client Auth from the list.

Figure 25: Firewall Authentication (11)

Instead of Client Authentication there are two other possibilities; a little more information about this field type:

User Authentication:

User authentication grants access on a per-user basis. This method can only be used for telnet, ftp, rlogin, http and https, and requires separate authentication for each connection. User Authentication is secure, because the authentication is valid only for one connection, but intrusive, because each connection requires another authentication. For example, accessing a single web page could display several dozen User Authentication windows, as different components are loaded.

Session Authentication:

Session Authentication is not like user authentication because it requires authentication for each session, and can be used with any service. Session authentication is secure, but requires a session authentication agent to be running on the authentication client, or on another machine in the network. Session authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the security gateway - located between the user and the destination - intercepts the connection. The gateway recognizes that user-level authentication is required, and initiates a connection with a session authentication agent.

The session authentication agent is a utility provided with VPN-1 NGX, and must be installed on any object running session authentication. The Agent performs the required authentication, which allows connections to continue to the requested server, if permitted.

Client Authentication:

Client authentication grants access on a per-host basis. Client authentication allows connections from a specific IP address, after successful authentication. It can be used for any service, for any number of connections, and the authentication is valid for the length of time specified by the administrator. It is slightly less secure than user authentication, because it allows any user access from the IP address or host, but is also less intrusive than session authentication. Client authentication is best used when the client is a single-user machine, such as a PC.

It is best practice to enable "specific sign on" in the properties of the client authentication method. If specified, only connections that match the original connection are allowed without additional authentication. If a rule specifies more than one service or host, the user on the client must re-authenticate for each service or host. Specific Sign On is useful if you want to limit access to services and target hosts.

If you choose Manual, you have to authenticate by making a telnet connection to the firewall on port 259 or by browsing to http://<firewall>:900.

Finally, to change the authentication settings, right-click the Client Auth field and select Edit Properties.

Figure 26: Firewall Authentication (12)

In the Source box, select ignore user database. As Required Sign On select Standard and change the Sign On Method to Fully automatic. Click OK to continue.

Figure 27: Firewall Authentication (13)

We have now created a firewall rule allowing the firewall to request user authentication before accessing a website. We also changed the VPN settings so that the user credentials are sent to the external RADIUS server. Both ways will make use of the VACMAN Middleware to perform authentication, allowing you to make use of DIGIPASS One Time Passwords.

5.4 Apply Changes

The SmartCenter is only a dashboard to show the configuration of the VPN-1 software. We still have to save all changes we made to the back-end.

Click Policy > Install to deploy all the changes to the VPN-1 back-end.

Figure 28: Apply Changes (1)

You will be asked to which Check Point target you want to deploy the changes. In our case, "member" is the name of our VPN-1 server. Select the correct Installation Target and click OK.

Figure 29: Apply Changes (2)

Once the installation of the policy has finished, click Close.

Figure 30: Apply Changes (3)

We have now configured the VPN-1 in such a way that the SSL/VPN and a firewall rule will be protected by our VACMAN Middleware. This allows you to make use of OTPs in different places of the VPN-1.

We will now show how VACMAN Middleware has to be configured. Next we will look into the end-user's experience when using a DIGIPASS to log on.

6 VACMAN Middleware

6.1 Policy configuration

Setting up the VM only requires you to set up a policy to go to the right back-end and to add an extra RADIUS component pointing to the ISA server.

To add a new policy, right-click Policies and choose New Policy.

Figure 31: VM configuration (1)

There are a few policies available by default. You can also create new policies to suit your needs. Those can be independent policies, or inherit or copy their settings from default or other policies.

Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit settings from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new one, choose the create option.

Figure 32: VM configuration (2)

We chose to create a new policy and specify all details about the authentication policy.

In the policy properties, configure it to use the right back-end server. This could be the local database, but also Windows (Active Directory) or another RADIUS server (RADIUS). This could be the same authentication service as you were previously using in the ISA server.

Main Settings tab
  o Local auth.: Digipass/Password
  o Back-End Auth.: If Needed
  o Back-End Protocol: Windows

User Settings tab
  o Dynamic User Registration: Yes
  o Password Autolearn: Yes
  o Stored Password Proxy: Yes
  o Windows Group Check: No Check

Challenge Settings tab
  o 2-Step Challenge Response: None
  o Primary Virtual DIGIPASS: None

After configuring this policy, the authentication will happen, if needed (when it does not know the user locally), in the back-end to Active Directory. User credentials are passed through to the VM; it will check these credentials with the AD and will answer to the ISA server with an Access-Accept or Access-Reject RADIUS message.

Figure 33: VM configuration (3)

Figure 34: VM configuration (4)

Figure 35: VM configuration (5)

6.2 Component configuration

For testing purposes you can change the existing RADIUS Client (the default RADIUS client that listens for all connections) by right-clicking it and choosing Properties. If you already use the default RADIUS client, it would be better to create a new RADIUS component.

Figure 36: VM configuration (6)

In the policy field you should find your newly created policy. Fill in the shared secret you also entered in the RADIUS server properties on the ISA server. Click Create.

Figure 37: VM configuration (7)

All configuration is done by now. The next chapter shows you how to add a user manually. In our policy we enabled Dynamic User Registration (DUR), so users who get verified through the Active Directory and are not known in the local database are automatically added. It also shows how to assign a DIGIPASS to a user.
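The decision flow that the policy in section 6.1 and the DUR remark above describe (a local check when the user is known with a DIGIPASS, the Windows back-end only "If Needed", and Dynamic User Registration plus Password Autolearn when the back-end accepts an unknown user), as an added example that is not VASCO's code: a Python model of those choices. The DIGIPASS algorithm is proprietary, so the local OTP check is stood in for by HOTP (RFC 4226) with a small resync window; the Active Directory back-end is a stub dictionary, and the user "jdoe", the token seed and the password are constructed sample data. Stored Password Proxy, Windows Group Check and the Challenge Settings are left out of the model.

```python
import hashlib
import hmac


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as a stand-in for the proprietary DIGIPASS algorithm."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# The settings chosen in section 6.1 (Main Settings and User Settings tabs).
POLICY = {
    "local_auth": "Digipass/Password",
    "back_end_auth": "If Needed",
    "back_end_protocol": "Windows",
    "dynamic_user_registration": True,
    "password_autolearn": True,
}


class VacmanModel:
    """Simplified model (an assumption, not VASCO's implementation) of the policy decision flow."""

    def __init__(self, policy, windows_backend, window=5):
        self.policy = policy
        self.backend = windows_backend   # stub for Active Directory: {username: static password}
        self.users = {}                  # local user database: {username: {"password", "digipass"}}
        self.window = window             # how far the token counter may run ahead of the server's

    def assign_digipass(self, username: str, key: bytes, pin: str):
        self.users[username]["digipass"] = {"key": key, "counter": 0, "pin": pin}

    def _verify_digipass(self, dp, credential: str) -> bool:
        """Response Only login: the credential is the PIN followed by the OTP."""
        pin, otp = credential[:len(dp["pin"])], credential[len(dp["pin"]):]
        if not hmac.compare_digest(pin, dp["pin"]):
            return False
        for c in range(dp["counter"], dp["counter"] + self.window):
            if hmac.compare_digest(hotp(dp["key"], c), otp):
                dp["counter"] = c + 1   # move past the used counter so the same OTP cannot be replayed
                return True
        return False

    def authenticate(self, username: str, credential: str):
        """Returns the RADIUS answer the client would receive and the reason for it."""
        user = self.users.get(username)
        if user is not None and user["digipass"] is not None:
            ok = self._verify_digipass(user["digipass"], credential)
            return ("Access-Accept" if ok else "Access-Reject", "local DIGIPASS check")
        # No local decision possible: "If Needed" forwards the credential to the Windows back-end.
        if self.backend.get(username) != credential:
            return ("Access-Reject", "back-end rejected")
        if user is None and self.policy["dynamic_user_registration"]:
            self.users[username] = {"password": None, "digipass": None}   # DUR creates the local user
            user = self.users[username]
        if user is not None and self.policy["password_autolearn"]:
            user["password"] = credential                                 # Password Autolearn stores it
        return ("Access-Accept", "back-end accepted")


def demo():
    """Constructed scenario: one AD account that is later given a DIGIPASS."""
    seed = b"constructed-seed-0001"
    vm = VacmanModel(POLICY, windows_backend={"jdoe": "Winter2007!"})
    results = [vm.authenticate("jdoe", "Winter2007!")]            # unknown locally: AD accepts, DUR registers
    vm.assign_digipass("jdoe", key=seed, pin="1234")
    otp = hotp(seed, 0)
    results.append(vm.authenticate("jdoe", "1234" + otp))         # known with DIGIPASS: local OTP check
    results.append(vm.authenticate("jdoe", "1234" + otp))         # same OTP again: replay is rejected
    results.append(vm.authenticate("jdoe", "9999" + hotp(seed, 1)))  # wrong PIN: rejected locally
    return results


if __name__ == "__main__":
    for answer, reason in demo():
        print(answer, "-", reason)
```

The point of the model is the ordering: once a user has a DIGIPASS, the static AD password is no longer what gets checked, and a rejected OTP never reaches the back-end. Counting the used counter as consumed is what turns the OTP into a one-time password in practice.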

7 User configuration

The user creation steps you will find in this chapter are optional when you didn't activate the option Dynamic User Registration (DUR) and/or Password Autolearn in your policy settings. The assignment of a DIGIPASS can happen manually as explained in the steps below.

The user creation and DIGIPASS assignment steps depend on which database back-end you installed VACMAN Middleware with. Either you installed it with an ODBC back-end or with an Active Directory back-end.

7.1 ODBC installation

7.1.1 User creation

User creation, while using an ODBC back-end, will happen in the DIGIPASS Administration MMC. Right-click the Users folder and select New User.

Figure 38: ODBC User Creation (1)

Fill in the username and password fields. Optionally choose the right domain and Organizational Unit and click the Create button.

Figure 39: ODBC User Creation (2)

The user will now show up in the Users list of your DIGIPASS Administration MMC. At this point it will be exactly the same as when Dynamic User Registration (DUR) was enabled.

Figure 40: ODBC User Creation (3)

7.1.2 Import DIGIPASS

Right-click the DIGIPASS folder and select Import DIGIPASS.

Figure 41: Import DIGIPASS (1)

Browse for your *.DPX file, fill in the Transport Key and look at your available applications by pushing the Show Applications button. You can either import all applications or only the ones you selected, by the Import buttons above and below the Show Applications button.

Figure 42: Import DIGIPASS (2)

When the DIGIPASS is imported successfully you will receive a confirmation message.

Figure 43: Import DIGIPASS (3)

7.1.3 DIGIPASS Assignment

There are two possible ways to assign a DIGIPASS to a user. You can search for a DIGIPASS and assign it to a user, or you can search for a user and assign it to a DIGIPASS. You can see the difference in the following two figures.

Right-click a user and select Assign DIGIPASS...

Figure 44: DIGIPASS assignment (1)

... or you can right-click a DIGIPASS and select Assign.

Figure 45: DIGIPASS assignment (2)

If you leave the User ID blank and press the Find button, you will get a list of all the available users in the same domain as the DIGIPASS. The usernames are partly searchable too.

Notice: If no users show up, make sure the domains of the DIGIPASS and the user match.

Figure 46: DIGIPASS assignment (3)

When assigning a DIGIPASS to a user the same procedure is applicable. You can either select the desired option to search for a DIGIPASS or search by serial number. Leaving all options blank will show all possibilities in the same domain.

When the DIGIPASS gets successfully added to your user you will get a confirmation message.

Figure 47: DIGIPASS assignment (4)

7.2 Active Directory installation

7.2.1 User creation

User creation, while using an Active Directory back-end, will happen in the Active Directory Users and Computers MMC. Right-click a user and select Properties. This can happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active.

Figure 48: Active Directory User Creation (1)

In the DIGIPASS User Account tab you will see a field to manually add a password. This can also be automatically filled by enabling the Password Autolearn option in the policy settings.

Figure 49: Active Directory User Creatio
