CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: AAA Solution Recommendations?

  1. #1
    Join Date
    2015-05-27
    Posts
    2
    Rep Power
    0

    Default AAA Solution Recommendations?

    Hi there, first time poster, been lurking here a while though.

    My organization is looking for an AAA solution to authenticate our Checkpoint admins. We run a central management server (R77.20) with multiple regional and satellite offices throughout the world, running various flavors and a mix of appliances and OpenPlatform.

    Up to this point, we were using Checkpoint password accounts with GUI Clients locked down to reserved IP addresses. However, in order to be in compliance with new, more stringent requirements, we are looking to leverage something more sophisticated.

    Our requirements state that passwords be encrypted in transit and at rest, so RADIUS (which I've built and tested with OpenRadius) will not work for us. TACACS probably won't do the trick either. I've seen TACACS+, but is that not essentially a home-brewed set of functions added to TACACS?

    I was hoping to gain some guidance from the community as to what is out there and currently in use that meets our requirements.

    Thanks kindly for any insight you can share.

  2. #2
    Join Date
    2006-09-26
    Posts
    3,150
    Rep Power
    15

    Default Re: AAA Solution Recommendations?

    Quote Originally Posted by mojorising:
    Our requirements state that passwords be encrypted in transit and at rest, so RADIUS (which I've built and tested with OpenRadius) will not work for us. TACACS also probably won't do the trick either. I've seen TACACS+, but is that not essentially a home-brewed set of functions added to TACACS?

    Something you need to understand about RADIUS and TACACS+: both RADIUS and TACACS+ will encrypt the password in transit and at rest.

    RADIUS will transmit the username in clear text; TACACS+ will transmit both username and password in encrypted form.

    With Checkpoint, you will get redundancy with RADIUS, but you will NOT get redundancy with TACACS+.

  3. #3
    Join Date
    2015-05-27
    Posts
    2
    Rep Power
    0

    Default Re: AAA Solution Recommendations?

    Quote Originally Posted by cciesec2006:
    Both RADIUS and TACACS+ will encrypt password in transit and at rest.

    Thanks for the information. Allow me to clarify: I was using a web-based front end for OpenRadius (a product called daloRADIUS) for easier management purposes. This product has a SQL back-end, and while you can MD5 hash the password in the database, this will not work with MS-CHAP, which Checkpoint supports. It works with PAP; however, at that point we are transmitting the credentials in clear text.

    So, I am looking for something that encrypts authentication credentials at all stages. I'm sure there has to be a product that does this, even to meet moderate compliance sets.

  4. #4
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    5

    Default Re: AAA Solution Recommendations?

    Quote Originally Posted by mojorising:
    Thanks for the information. Allow me to clarify; I was using a web-based front end for OpenRadius (a product called daloRADIUS) for easier management purposes. This product has a SQL back-end and while you MD5 hash the password in the database, this will not work with MS-Chap, which Checkpoint supports. It works with PAP, however at that point we are transmitting the credentials in clear text.

    So, I am looking for something that encrypts authentication credentials at all stages. I'm sure there has to be a product that does this, even to meet moderate compliance sets.

    It would be interesting to see / find this in the documentation. I still struggle to understand how the website is structured and to find a way to get along with it.

  5. #5
    Join Date
    2014-07-21
    Posts
    57
    Rep Power
    5

    Default Re: AAA Solution Recommendations?

    Hi,

    using RADIUS and one-time passwords should work. Further, the shared secret between them should encrypt the user credentials between Checkpoint and the RADIUS server.
    So it could be debatable whether the shared secret and the encryption are weak or not, but if you are using one-time passwords it should be strong enough to make it hard for an attacker to get the password within, let's say, 30 seconds.
    If you are doing this over insecure networks (WAN), then you should use a VPN to make sure your data transmission is secure.

    Hopefully this helps you a little bit!
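The post above says the shared secret "encrypts" the credentials between Checkpoint and the RADIUS server. As an added example (not code from this thread or from any product mentioned in it), here is the RFC 2865 section 5.2 User-Password hiding that a PAP Access-Request actually applies, written in Python; it shows that the password does not appear verbatim on the wire, that it is fully recoverable by anyone holding the shared secret, and why a backend storing only MD5(password) can serve PAP but not MS-CHAP. The secret, password and authenticator are constructed sample values.

```python
import hashlib
import os

# Constructed sample values (not taken from the thread).
SHARED_SECRET = b"example-shared-secret"   # configured on both the NAS and the RADIUS server
PASSWORD = b"Pa55w0rd!"                    # what the admin types at login


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: how a PAP client hides the User-Password attribute.

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous ciphertext block); the first block uses
    the 16-byte Request Authenticator carried in the packet header.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: anyone holding the shared secret reverses the hiding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def md5_db_verifies(hidden: bytes, secret: bytes, authenticator: bytes, stored_md5: str) -> bool:
    """A backend holding only MD5(password) can verify PAP because the server
    recovers the plaintext first. MS-CHAP instead needs the NT hash of the
    password, which cannot be derived from an MD5 digest, hence the mismatch."""
    return hashlib.md5(reveal_user_password(hidden, secret, authenticator)).hexdigest() == stored_md5


def demo() -> dict:
    authenticator = os.urandom(16)           # fresh per request and sent in the clear
    hidden = hide_user_password(PASSWORD, SHARED_SECRET, authenticator)
    return {
        "plaintext_on_wire": PASSWORD in hidden,
        "right_secret": reveal_user_password(hidden, SHARED_SECRET, authenticator) == PASSWORD,
        "wrong_secret": reveal_user_password(hidden, b"guess", authenticator) == PASSWORD,
        "md5_db": md5_db_verifies(hidden, SHARED_SECRET, authenticator, hashlib.md5(PASSWORD).hexdigest()),
    }
```

The hiding is keyed only on the static shared secret, which is why the poster's advice to add one-time passwords or a VPN on untrusted links is sound.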

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    250
    Rep Power
    12

    Default Re: AAA Solution Recommendations?

    A bit of thread necromancy, but I thought I could add to this for future visitors.

    At my day job, I currently use Cisco SecureACS for central authentication. Routers and such use TACACS, but I have my firewalls and SmartCenters set up to talk RADIUS. As mentioned earlier, you can only set GUI admins to authenticate against one TACACS server at a time, but you can specify a whole group of RADIUS servers. This means if your TACACS box goes down (or if the whole datacenter is down and you've flipped to a secondary SmartCenter in a DR datacenter), you can't get in until you switch all of the admins to use a different TACACS server. Meanwhile, if one RADIUS server fails to respond, the SmartCenter just moves on to the next one.

    For lab use, I find SecureACS a bit overkill. I just use OpenBSD. Its radiusd service has two "modules" to provide authentication data. One is "radius", which just passes the request on to another RADIUS server. The other is "bsdauth". This takes RADIUS requests and tries them against the OS-level authentication database. You use normal UNIX commands to manage the users, reset passwords, and so forth. Here's my radiusd.conf (with secrets trimmed, of course):

    Code:
    # Accept RADIUS requests on every IPv4 address (UDP 1812 by default)
    listen on 0.0.0.0

    # The only host allowed to send requests, with its shared secret
    client 10.0.1.1/32 {
            secret "[trimmed]"
            msgauth-required no
    }

    # Authenticate against the OS user database via the bsdauth module
    module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
    # Only members of the "operator" group may log in
    module set bsdauth  restrict-group operator

    # Send every username/realm to bsdauth
    authenticate * {
            authenticate-by bsdauth
    }
    Zimmie
