| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi, My client needs to implement AD integration to Check Point, now running R60 and planning to upgrade to R62. Now the authentication used is by certificates. Can anyone point to some documents relating to the merits and demerits of Check Point authentication methods and which one is more secure? Thanks, siva __________________ sivakumar |
| |||
| What are they authenticating for? If it's remote access, certificates are far more secure than user name and password. Anything based solely on user name and password is insecure. Ray |
| |||
| While I agree that using certificates is a more secure method of authentication, they are also more difficult to manage in a large environment. I migrated a previous company from certificates to Active Directory because of this. Internal users would leave, often in offices that had little centralized process for terminations. Clients or business partners needed VPN access to specific applications in scenarios that did not fit into a site-site VPN. Because AD was already a part of the termination process, we felt there was better control of access to internal and DMZ resources. We were also able to hand over user management from the firewall/networking team to regional resources without giving them access to the firewall management system. Lastly, password management was better. Our password policy in AD was already 90 days. With certificates we had no way to force users to change their passwords on a regular basis, another security risk. If I had my choice I would have preferred to use RSA SecurID, but the cost was prohibitively expensive. I feel that in this case, putting controls around a less secure authentication method was more secure than using certificates. lodown |
| |||
| Some valid points to be sure, particularly if the termination process is flawed. There's really no reason to change a certificate password, which is actually the private key and would require a new certificate, because you need to be in possession of the certificate as well as the password to compromise a system. It would be nice if we could use certificates in conjunction with AD. Ray |
| |||
| Really, what lodown expressed is my site scenario: no control on the VPN user ID termination process. Already we have two well-built domains for internal and dealers, and if AD is to be integrated, I will use two LDAP databases for internal VPN and dealers services access. As well said, finally AD and certificate integrated authentication will give the best results; considering business needs, I feel as above. Thanks to all who posted for my query. __________________ sivakumar |