Checkpoint problem

Maybe an idiot question, but I could not find a satisfactory response up to now.

A company has a Checkpoint Internet firewall and 3000 Windows users. The access to the Internet requires authentication.

Actually Checkpoint is authenticating users through a basic HTTP protocol (username + password). So the users' passwords are travelling unprotected through the network and numerous WAN links.

Is there any way to prevent this security problem and make this authentication through HTTPS or any other secure protocol like NTLM?

I'd be surprised if Checkpoint doesn't offer such an option...

Or do we need to switch to Microsoft ISA?

Reply to
boomboom999

I run ISA behind Check Point. It's best to let a firewall be a firewall and the security servers can be real resource hogs. We use NTLM for authenticated access to the Internet via ISA and the caching function dropped our bandwidth usage by a solid 30+%.

You get the best of both worlds. In fact, if you go over to [link] you'll see this is one of their recommended configurations for large companies.

HTH,

Ray

Reply to
Me

Configuring Client Authentication ports in Manual or Partially Automatic mode to work with SSL

Solution ID: sk12421 Creation Date: 06/18/2002 Revised Date: 01/09/2004 Preferred Product: FireWall-1 Latest Version: NG Category: Authentication

The information in this article applies to: FireWall-1, VPN-1, Client Authentication, Partially Automatic, Fully Automatic, SSL, fwauthd.conf, 950, HTTPS

Solution

For example, in order to use port 950 do as follows:

  1. Run cpstop on the FireWall-1 module machine
  2. Edit the fwauthd.conf file under $FWDIR/conf/ on the module and add the following line:

       950 fwssd in.ahclientd wait 950 ssl:polo

     (where 'polo' is the Nickname of the Certificate on the FireWall-1 module)
  3. Run cpstart
  4. Open the GUI and create a new TCP Service for port 950 (for example tcp_950)
  5. Add the newly defined service to the FW1_clntauth group under the Services tab
  6. Install the policy

In order to successfully initiate the connection and authentication, use the following URL path example:

https://:950

Note: Any port can be used, but make sure to create the correct TCP Service fulfilling/reflecting your needs.

NOTE: Any desired port number can be defined and then added into the 'FW1_clntauth' Services group.

Wayne McGlinn Brisbane, Oz

Reply to
Wayne
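As an added example (not from the thread and not Check Point's own code), a small Python audit of the fwauthd.conf line format shown in Wayne's post: it parses each listener entry and flags any in.ahclientd listener that still lacks an ssl:<nickname> tag, i.e. still takes Client Authentication passwords in the clear. The file contents are constructed; the stock plaintext 900 entry and the '#' comment syntax are assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed sample fwauthd.conf, not copied from a real module.
# Line format as shown in the thread: <port> fwssd <daemon> wait <port> [ssl:<cert-nickname>]
# The 900 line is assumed to be the default plaintext Client Authentication listener;
# the 950 line is the SSL one the SK article has you add.
SAMPLE_FWAUTHD_CONF = """\
# fwauthd.conf (constructed sample)
21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
900 fwssd in.ahclientd wait 900
950 fwssd in.ahclientd wait 950 ssl:polo
"""

LINE_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<process>\S+)\s+(?P<daemon>\S+)\s+wait\s+(?P<arg>\d+)"
    r"(?:\s+ssl:(?P<nick>\S+))?\s*$"
)


def parse_fwauthd_conf(text: str) -> List[Dict[str, Any]]:
    """Parse fwauthd.conf into listener records; comments and blank lines are skipped."""
    listeners = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised fwauthd.conf entry: {raw!r}")
        listeners.append({
            "port": int(m.group("port")),
            "daemon": m.group("daemon"),
            "ssl_nickname": m.group("nick"),  # None means the listener is plaintext
        })
    return listeners


def plaintext_client_auth_ports(text: str) -> List[int]:
    """Ports where in.ahclientd still accepts credentials without an ssl:<nickname> tag."""
    return sorted(l["port"] for l in parse_fwauthd_conf(text)
                  if l["daemon"] == "in.ahclientd" and l["ssl_nickname"] is None)


def ssl_client_auth_ports(text: str) -> Dict[int, str]:
    """SSL-wrapped Client Authentication ports mapped to the certificate nickname they use."""
    return {l["port"]: l["ssl_nickname"] for l in parse_fwauthd_conf(text)
            if l["daemon"] == "in.ahclientd" and l["ssl_nickname"] is not None}
```

Run the two functions against the real $FWDIR/conf/fwauthd.conf after the change: an empty plaintext list confirms no cleartext Client Authentication listener remains once users have moved to the HTTPS port.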

Thank you

Reply to
boomboom999

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.