Explanation:
Session Authentication
Session authentication represents the third and final option for providing user-based authentication to determine access through a VPN-1/ FireWall-1 enforcement module. Session authentication is an out-ofband authentication mechanism (the other out-of-band mechanism is client authentication) that is designed to address the flexibility issues of user authentication and the security issues of client authentication. With user authentication, you learned that this mechanism only applies for HTTP, FTP, TELNET, and RLOGIN services, which rules it out as an authentication mechanism for other services. Client authentication provides flexibility by providing authentication for any service, but has issues with security as access is provided on a per-host (per-IP address) basis, allowing any number of connections from an authenticated host, regardless of the user on the host. Session authentication provides the security of per-connection authentication for any service, making it appear as the most obvious choice for authenticating access to services outside of HTTP, FTP, TELNET, and RLOGIN. The only downside to session authentication is that it requires a custom application to be installed on each client host using session authentication. This application, which is written by Check Point, is called the session authentication agent, and provides out-of-band authentication for each connection (or session) that requires authentication on an enforcement module. When the session authentication agent is installed and running, it
listens on TCP port 261, which allows enforcement modules that need to authenticate a user for session authentication to contact the agent for authentication information.

---