UserAuthority

Chia sẻ: Nguyen Tien Lich | Ngày: | Loại File: PDF | Số trang:186

0
51
lượt xem
10
download

UserAuthority

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Tham khảo tài liệu 'userauthority', công nghệ thông tin, quản trị mạng phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:
Lưu

Nội dung Text: UserAuthority

  1. TM UserAuthority Administration Guide Version NGX R65 700358 March 7, 2007
  2. © 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN- 1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
  3. Contents Preface Who Should Use This Administration Guide........................................................ 10 Summary of Contents ....................................................................................... 11 Appendices ................................................................................................ 12 Related Documentation .................................................................................... 13 More Information ............................................................................................. 16 Feedback ........................................................................................................ 17 Chapter 1 Introduction The Need for UserAuthority............................................................................... 20 Identity-based Access Control for Outbound Connections via VPN-1 Power Gateway 21 Underlying Concept and Advantage ................................................................... 22 Typical Deployment.......................................................................................... 23 UserAuthority SSO for VPN-1 Power Deployment ........................................... 23 OPSEC Protocols ............................................................................................. 25 How to Use this Administration Guide................................................................ 26 Chapter 2 UserAuthority Deployments and Installation Overview ......................................................................................................... 28 Deployments ................................................................................................... 29 Outbound Access Control............................................................................. 29 Citrix MetaFrame or Windows Terminal Services............................................. 34 Supported Platforms ........................................................................................ 37 Installation and Configuration ........................................................................... 38 Installing and Configuring UAS on VPN-1 Power ............................................ 38 Installing and Configuring the UAS on the Windows DC .................................. 49 Chapter 3 Outbound Access Control The Challenge ................................................................................................. 60 The UserAuthority Solution ............................................................................... 61 Identification using SecureAgent .................................................................. 63 Identity Sharing .......................................................................................... 63 Retrieving Windows Groups with UserAuthority ................................................... 68 Outbound Access Control using Citrix Terminals as TIP ....................................... 69 Scenario - An Organization using Multiple Windows DCs...................................... 70 Scenario - An Organization Using Multiple Domains ............................................ 72 Configurations ................................................................................................. 74 Adding Additional Windows DCs ................................................................... 74 Outbound Access Control on Citrix or Windows Terminals ............................... 75 Configuring UserAuthority Domain Equality ................................................... 75 Table of Contents 5
  4. Chapter 4 User Management in UserAuthority Overview ......................................................................................................... 80 Managing Users and Groups ............................................................................. 81 Users in UserAuthority ................................................................................ 81 User Groups in UserAuthority ....................................................................... 81 Using a Local Check Point Database.................................................................. 83 Using an External Database .............................................................................. 84 Using the Windows User Identity....................................................................... 85 Users in the Windows Domain ...................................................................... 85 Configuring UserAuthority to Recognize Windows User Groups ........................ 85 Chapter 5 Auditing in UserAuthority Overview ......................................................................................................... 88 Using Logs for Auditing .................................................................................... 89 Auditing Outbound Traffic Using UserAuthority Outbound Access Control......... 90 Configuring UserAuthority for Auditing ............................................................... 94 Configuring Auditing of Requests for External Resources ................................ 94 Chapter 6 High Availability and Load Balancing Overview ......................................................................................................... 96 High Availability ......................................................................................... 96 Load Balancing........................................................................................... 96 High Availability and Load Balancing in UserAuthority.................................... 97 Using Multiple Windows DCs ............................................................................ 98 Using a VPN-1 Power Cluster ............................................................................ 99 Chapter 7 UserAuthority CLIs Chapter 8 UserAuthority OPSEC APIs Overview ....................................................................................................... 110 Programming Model ....................................................................................... 111 Defining a UAA Client ............................................................................... 114 Client Server Configuration ........................................................................ 114 OPSEC UserAuthority API Overview ............................................................ 114 Function Calls ............................................................................................... 125 Session Management ................................................................................ 125 Assertions Management............................................................................. 126 Managing Queries ..................................................................................... 129 Managing Updates .................................................................................... 130 Managing Authentication Requests............................................................. 131 Assertions Iteration ................................................................................... 132 Managing UAA Errors ................................................................................ 134 Debugging................................................................................................ 135 Event Handlers.............................................................................................. 136 UAA_QUERY_REPLY Event Handler ........................................................... 136 UAA_UPDATE_REPLY Event Handler ......................................................... 137 6
  5. UAA_AUTHENTICATE_REPLY Event Handler .............................................. 138 Chapter 9 Monitoring the UserAuthority Environment Overview ....................................................................................................... 142 System Monitoring ......................................................................................... 143 Monitoring the System Status .................................................................... 143 User Monitoring............................................................................................. 148 Monitoring User Activities.......................................................................... 148 Monitoring Example: SecureAgent Cannot Provide User Identity .................... 149 Chapter 10 Troubleshooting UserAuthority Overview ....................................................................................................... 152 General Problems .......................................................................................... 153 Why is there no established SIC?................................................................ 153 Why are Domain Controller Queries not Sent Properly?.................................. 156 User-Related Problems................................................................................... 157 Why does SecureAgent not identify the user?............................................... 157 Why are Terminal Server Clients not Identified by UAS? ............................... 160 Why does the Firewall Report Identify Users as Unknown? ............................ 161 Appendix A Integrating UserAuthority with Meta IP Overview ....................................................................................................... 164 Required Components .................................................................................... 165 Preliminary Steps .......................................................................................... 166 Windows DC Configuration.............................................................................. 167 VPN-1 Power Policy Configuration ................................................................... 168 DHCP Server Configuration ............................................................................. 170 Appendix B Glossary Acronyms and Abbreviations ........................................................................... 176 Index........................................................................................................... 183 Table of Contents 7
  6. 8
  7. Preface P Preface In This Chapter Who Should Use This Administration Guide page 10 Summary of Contents page 11 Related Documentation page 13 More Information page 16 Feedback page 17 9
  8. Who Should Use This Administration Guide Who Should Use This Administration Guide This Administration Guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This Administration Guide assumes a basic understanding of • System administration. • The underlying operating system. • Internet protocols (IP, TCP, UDP etc.). 10
  9. Summary of Contents Summary of Contents This Administration Guide provides step-by-step instructions for configuring UserAuthority. In order to assist you in the deployment of UserAuthority, this Administration Guide contains various scenarios that suit the deployments of most enterprises. These scenarios are followed by detailed workflow that can be used to help with your deployment. You can also combine the deployments and workflow described in this Administration Guide to best suit the deployment in your enterprise. Table A-1 Chapter Description Chapter 1, “Introduction” describes the User Authority concept, deployment and management solution. Chapter 2, “UserAuthority provides the foundation for the deployment of Deployments and UserAuthority in its most basic form Installation” Chapter 3, “Outbound Access describes UserAuthority’s part in access to Control” external resources. Chapter 4, “User provides information about managing users and Management in groups with a Check Point database and external UserAuthority” databases. Chapter 5, “Auditing in explains how UserAuthority uses the SmartView UserAuthority” Tracker, Check Point's advanced tracking tool, to enable auditing of both UserAuthority Server (UAS). Chapter 6, “High Availability describes how the UserAuthority Server (UAS) and Load Balancing” can be configured to provide both high availability and load balancing. Chapter 7, “UserAuthority explains the UserAuthority command line CLIs” interfaces. Chapter Preface 11
  10. Appendices Table A-1 Chapter Description Chapter 8, “UserAuthority describes OPSEC APIs OPSEC APIs” Chapter 9, “Monitoring the describes how system and user monitoring allows UserAuthority Environment” the system administrator to view the system status for debugging and problem solving in the system. Chapter 10, “Troubleshooting provides help for common problems that might UserAuthority” arise when using UserAuthority. Appendices This Administration Guide contains the following appendices: Table A-2 Appendix Description Appendix A, “Integrating explains how UserAuthority can easily be UserAuthority with Meta IP” integrated with the Meat IP product to provide authenticated IP addresses from an authenticated IP pool to authenticated users. Appendix B, “Glossary” describes the acronyms and abbreviations used in this Administration Guide. 12
  11. Related Documentation Related Documentation The NGX R65 release includes the following documentation TABLE P-1 VPN-1 Power documentation suite documentation Title Description Internet Security Product Contains an overview of NGX R65 and step by step Suite Getting Started product installation and upgrade procedures. This Guide document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. Upgrade Guide Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. SmartCenter Explains SmartCenter Management solutions. This Administration Guide guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. Firewall and Describes how to control and secure network SmartDefense access; establish network connectivity; use Administration Guide SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. Virtual Private Networks This guide describes the basic components of a Administration Guide VPN and provides the background for the technology that comprises the VPN infrastructure. Chapter Preface 13
  12. Related Documentation TABLE P-1 VPN-1 Power documentation suite documentation (continued) Title Description Eventia Reporter Explains how to monitor and audit traffic, and Administration Guide generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. SecurePlatform™/ Explains how to install and configure SecurePlatform Pro SecurePlatform. This guide will also teach you how Administration Guide to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. Provider-1/SiteManager-1 Explains the Provider-1/SiteManager-1 security Administration Guide management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. TABLE P-2 Integrity Server documentation Title Description Integrity Advanced Explains how to install, configure, and maintain the Server Installation Integrity Advanced Server. Guide Integrity Advanced Provides screen-by-screen descriptions of user Server Administrator interface elements, with cross-references to relevant Console Reference chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. Integrity Advanced Explains how to managing administrators and Server Administrator endpoint security with Integrity Advanced Server. Guide Integrity Advanced Provides information about how to integrating your Server Gateway Virtual Private Network gateway device with Integrity Integration Guide Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. 14
  13. Related Documentation TABLE P-2 Integrity Server documentation (continued) Title Description Integrity Advanced Provides information about client and server Server System requirements. Requirements Integrity Agent for Linux Explains how to install and configure Integrity Agent Installation and for Linux. Configuration Guide Integrity XML Policy Provides the contents of Integrity client XML policy Reference Guide files. Integrity Client Explains how to use of command line parameters to Management Guide control Integrity client installer behavior and post-installation behavior. Chapter Preface 15
  14. More Information More Information • For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/. • See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents 16
  15. Feedback Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com Chapter Preface 17
  16. Feedback 18
  17. Chapter 1 Introduction In This Chapter The Need for UserAuthority page 20 Underlying Concept and Advantage page 22 Typical Deployment page 23 OPSEC Protocols page 25 How to Use this Administration Guide page 26 19
  18. The Need for UserAuthority The Need for UserAuthority In today’s business environment, enterprises need to provide employees, partners and customers with the ability to access and work with many different applications and services. It is important that access to these applications be simple and convenient, and, at the same time, secure, reliable, and easy to manage. UserAuthority is able to leverage the security needs of your existing or new environment to higher levels. UserAuthority can improve access control management in your enterprise with identity-based access control for outbound connections via the VPN-1 Power gateway. 20

CÓ THỂ BẠN MUỐN DOWNLOAD

Đồng bộ tài khoản