CPUG: The Check Point User Group
Forum: Check Point Firewall-1/VPN-1 And Related Products > Authentication

#1
Posted 2005-08-13 by BarryStiefel (Administrator, San Francisco, CA)
Partially Automatic Client Authentication Is Slow

Partially Automatic Client Authentication (i.e. Implicit Client Authentication, or: Session Auth for HTTP is slow)

Using Session Authentication for HTTP will result in performance problems, at least in the standard way. This is because, as you've said, the browser opens an HTTP connection for each item on the page, so an authentication session will be done for each item. Even if you cache the passwords, there is still a significant overhead for each connection. There are two standard ways to provide efficient user-level authentication for HTTP:
  • Standard HTTP User Authentication
  • Client Authentication

There is another way to do this called "Implicit Client Auth," or Partially Automatic Client Auth. In FireWall-1 4.0 and later, you perform the following steps:
  • Create a rule like so:

        Source          Destination   Service   Action
        All-Users@Any   Any           http      Client Auth

  • Edit the properties on the Client Auth action and change the Sign-On Method to Fully Automatic Sign-On

So what does this do for you?
  • The first time a user tries HTTP through the firewall, the "Client Auth" rule will not be available because the user has not authenticated. FireWall-1 will then attempt to authenticate the user via Session Authentication.
  • After the user successfully authenticates, the firewall will "mimic" a Client Auth for the user, i.e. performing a "standard sign-on" for all Client Auth rules that apply for that user.
  • Future HTTP sessions will hit the "Client Auth" rule. FireWall-1 will remember that it has already authenticated you.
  • If you want the user to reauthenticate every 15 minutes or after so many accesses, you can set the Client Auth timeouts accordingly. When the user has reached his timeout value, new connections will not succeed until a successful Session Authentication has been performed.

Note that you can also do this with Session Auth as well. Set the sign-on method to "Fully Automatic" (uses User Auth for supported services, Session Auth for other services) or "Agent Automatic" (Session Authentication used for all services) instead of "Partially Automatic."

-- PhoneBoy - 30 Dec 2003
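The difference the FAQ describes (one Session Auth exchange per HTTP connection versus one exchange per sign-on period when the Client Auth rule remembers the user) can be made concrete with a small model of the rule-base decision. This is an added example, not Check Point code and not part of the original post: the Firewall class, the Mode names, the 10.0.0.5 client address, the "alice" credential and the 20-object page are all constructed. It models plain Session Auth beside Partially Automatic Client Auth with the 15-minute sign-on timeout from the post, counting how many authentication round trips each mode costs.

```python
"""Model of HTTP authentication overhead: Session Auth per connection versus
Partially Automatic Client Auth with a sign-on timeout.

Added illustration of the behaviour described in the FAQ; not Check Point
code.  All names, addresses and credentials below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    SESSION_AUTH = "session_auth"                 # authenticate every connection
    PARTIAL_CLIENT_AUTH = "partially_automatic"   # Client Auth rule, Session Auth fallback


@dataclass
class Firewall:
    mode: Mode
    timeout_seconds: int = 15 * 60                     # Client Auth sign-on timeout (15 min)
    credentials: dict = field(default_factory=dict)    # user -> password (constructed user DB)
    signed_on: dict = field(default_factory=dict)      # (src_ip, user) -> sign-on expiry time
    auth_exchanges: int = 0                            # number of Session Auth round trips

    def _session_auth(self, user, password):
        """Session Authentication: the agent on the client is asked for credentials."""
        self.auth_exchanges += 1
        return self.credentials.get(user) == password

    def allow_http(self, src_ip, user, password, now):
        """Evaluate the rule  All-Users@Any -> Any, http, Client Auth  for one connection."""
        if self.mode is Mode.PARTIAL_CLIENT_AUTH:
            expiry = self.signed_on.get((src_ip, user))
            if expiry is not None and now < expiry:
                return True            # rule matches: already signed on, no auth round trip
            # Not signed on, or timed out: authenticate via Session Auth,
            # then "mimic" a Client Auth standard sign-on for this user.
            if not self._session_auth(user, password):
                return False
            self.signed_on[(src_ip, user)] = now + self.timeout_seconds
            return True
        # Plain Session Auth: every connection authenticates.
        return self._session_auth(user, password)


def fetch_page(fw, src_ip, user, password, objects, start=0):
    """Simulate a browser opening one connection per object on a page.

    Each connection is one second after the previous; returns how many were allowed.
    """
    allowed = 0
    for i in range(objects):
        if fw.allow_http(src_ip, user, password, now=start + i):
            allowed += 1
    return allowed


def compare(objects=20):
    """Auth round trips needed to load one page of `objects` items in each mode."""
    creds = {"alice": "s3cret"}                        # constructed sample credential
    results = {}
    for mode in Mode:
        fw = Firewall(mode=mode, credentials=dict(creds))
        fetch_page(fw, "10.0.0.5", "alice", "s3cret", objects, start=0)
        results[mode.value] = fw.auth_exchanges
    return results


def timeout_demo():
    """Partially Automatic mode: pages at t=0, t=5 min and t=15 min.

    Only the first page and the page loaded once the sign-on has expired
    trigger a Session Auth exchange, so the result is 2.
    """
    fw = Firewall(mode=Mode.PARTIAL_CLIENT_AUTH, credentials={"alice": "s3cret"})
    fetch_page(fw, "10.0.0.5", "alice", "s3cret", 20, start=0)
    fetch_page(fw, "10.0.0.5", "alice", "s3cret", 20, start=5 * 60)
    fetch_page(fw, "10.0.0.5", "alice", "s3cret", 20, start=15 * 60)
    return fw.auth_exchanges


def bad_password_is_not_signed_on():
    """A failed Session Auth must not create a sign-on entry for the user."""
    fw = Firewall(mode=Mode.PARTIAL_CLIENT_AUTH, credentials={"alice": "s3cret"})
    allowed = fetch_page(fw, "10.0.0.5", "alice", "wrong", 3, start=0)
    return allowed == 0 and not fw.signed_on


if __name__ == "__main__":
    print("auth exchanges per 20-object page:", compare())
    print("exchanges over three pages with a 15-minute timeout:", timeout_demo())
    print("bad password leaves no sign-on state:", bad_password_is_not_signed_on())
```

The model makes the post's claim visible: with plain Session Auth the 20-object page costs 20 authentication exchanges, while the Client Auth rule with implicit sign-on costs one, and a further exchange only once the configured timeout has elapsed. The sign-on state is keyed on source address and user, which is also why the timeout matters from a security standpoint: anyone sending from that address during the sign-on window inherits the authenticated rule match.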
