| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hmm, for a few years we have been using remote connections. We create a certificate on our FW. Next we import this certificate for the user and set a password on it. To connect, people need the CP certificate. I think it is a very good solution, very secure. Now we need to reinstall SmartCenter. Unfortunately, after that we will have lost all the certificates. We now have about 80 users with certificates. So, before we reinstall SmartCenter, we need to change the authentication for the connection. By the way, we have only three choices: (1) authentication by Check Point password; (2) authentication by the user's Active Directory password; (3) authentication by the user's Active Directory certificate. Ad 1. I think it is very insecure. The Check Point password has only 8 letters. Ad 2. I think it is also insecure. When I know the login name and password of my colleague, I will be able to get not only to their computers but also to their other sites. Ad 3. I think it is a good solution. I have heard a lot about it and everything looks great. What do you think about this solution? Do you know of any weaknesses in it? Will our users be able to revoke their certificates remotely or automatically without an administrator? Are we able to require the use of a password (strong private key protection)? Thank you for your help, Pawel |
| |||
| I've never done it myself, but if implemented well it should work as well as, if not better than, ICA certs. Personally I never found the idea of having, as part of a two-factor authentication, the 2nd factor (the cert) on the same laptop as the VPN client, especially as most people set the cert password to something simple. I prefer something like SecurID or certs stored on smartcards (or the USB-key-like smartcard). Now the real question is: why do you need to reinstall the SmartCenter and destroy the ICA? |
| |||
| Quote:
As for SmartCenter, unfortunately for a few years the old administrator has done only upgrades. I checked the filesystem and there is R55 also (now we have NGX R65). At the moment we have a lot of trouble (we could not install the policy, we could not log in correctly to SC), so we could not do upgrade_export. We have to use a command like cp_merge. Regards, Pawel |