Single Sign-on - CheckPoint or ISA?

[ppnair@gmail.com]

Hi All,

We are redesigning our infrastructure soon bringing ISA behind CheckPoint Firewall. In this case what is the best authentication method to use for Single Sign-on. The following needs to be accomblished with the new design:

1. Single Sign on to the network
2. No more authentication using OWA or any other windows applications

Appreciate your advice in advance..

[RayPesek]

OWA from the inside or from the outside?

Is OWA only available from company computers from the outside?

What version of ISA & OWA & CP?

Ray

[ppnair@gmail.com]

OWA from outside the network [Internet]
OWA URL might plan to open to all even without company computers. But considering to use SSL VPN access.

[RayPesek]

I saw a demo on some RSA stuff that can do SSO by passing credentials via their software to different applications, kind of like my ThinkPad's Password Manager software.

I have a lot of heartburn over the concept of doing SSO with just user names and passwords. If we ever do it, it will be token-based somehow.

Ray

[derspot]

Put ISA behind CP and forget about your sso problems. With ISA you can do the authentication ( for OWA , SharePoint or any IIS service for that matter ) at the ISA itself or let the IIS do the authentication or both !.

Everything is done in easy wizards.

[ppnair@gmail.com]

Hi Derspot,

Would you please point me some URLs for achiving this with ISA 2004/2006? Appreciate your help. I am also searching this in the google/microsoft sites.

Praveen

[ppnair@gmail.com]

Also any guide and considerations bringing ISA behind CP please? Any info or documents, URLs will help me...

Praveen

[derspot]

search ISA 2006 at microsoft.com.

Go to the ISA home page and spend time around. Download a trial version install and test.

There is no painless route to accomplish this. U need to research.

[Acidio]

I agree with Ray, single sign on is a security problem. Not sure what SOX etc says about this, but compliance issues may arise from doing it - to all systems at least.

[chillyjim]

Quote:

Originally Posted by Acidio

I agree with Ray, single sign on is a security problem. Not sure what SOX etc says about this, but compliance issues may arise from doing it - to all systems at least.

There is nothing wrong with a well implemented SSO. RSA has an OK solution for a hetrogenious enviornment. If you're a pure MS environment you can get 90+% with NTLM/Kerbrose that's part of Win2K+

The Check Point solution, IMHO isn't worth the trouble.

One of the reasons I like RSA's solution is the end-user doesn't even need to know their passwords, only their password to the SSO and that can be an SecureID token and/or combined with a smartcard.

As for SOX you need a password policy, but it can be as simple as "You must use a password for you login account and not share this password"

[RayPesek]

"I have a lot of heartburn over the concept of doing SSO with just user names and passwords."

SSO based on the above is what i consider dangerous. I agree that RSA does have a nice solution.

SOX is semi-useless for general security. External auditors seem to take a very narrow focus over what could cause problems and Jim is right. They don't care what the policy is unless it is really simple. If it cannot directly affect financial reporting, they do not care. After all, if they bounce too many clients, they won't get any more and they'll get replaced. That's why government inspectors in the US can be so effective. They're not paid by the entity they are inspecting (at least not legally!)

Ray