braindumps.com.ua
Check Point Certified Security Administrator NG, Management I 

Author: Jonnik
Subject: Q240
Written 18 May 2008 18:07
Explanation:
After comparing the difference between client authentication and session authentication, client authentication better fits our need.
Client Authentication
Check Point VPN-1/FireWall-1 provides two other authentication methods, which provide authentication for any service. The first of these is client authentication, which provides authentication for any service by using out-of-band authentication, rather than in-band authentication (which is used for user authentication). With user authentication, all authentication is performed within the HTTP, FTP, TELNET, or RLOGIN connection on the client host; this means that authentication is performed in-band, as part of the application-layer protocol. With client authentication, a user on a client host must first of all establish a separate connection to the enforcement module and authenticate, after which the client can then establish a connection using the permitted services in the client authentication rule on the enforcement module. The authentication is totally separate from the actual application-layer protocols that the user is accessing, hence the term out-of-band. The out-of-band connections to the enforcement module can be established using either of the following mechanisms:
HTTP: You can point your web browser to port 900 on the enforcement module, which provides a connection to the HTTP security server for client authentication purposes. A special web page is presented, which allows you to specify your username and password, after which you can choose to gain access to all services permitted in the client authentication rule, or specific hosts and services on each.
TELNET: You can establish a TELNET connection to port 259 on the enforcement module, which provides a connection to the TELNET security server for client authentication purposes. You specify your username and password, after which you can choose to gain access to all services permitted in the client authentication rule, or specific hosts and services on each.
Once a user has successfully authenticated, access to the hosts and services specified by the client authentication rule (or access to the hosts and services specified by the user during the authentication process) is provided. It is important to note that the IP address of the host is permitted, meaning that one or more users on the host can establish as many connections to permitted hosts and services as they like. For example, if a user called alice on a PC with an IP address of 192.168.1.10 performs client authentication successfully, another user could use Alice's PC and be permitted access through the enforcement module, even though the access is intended for alice. This is less secure than user authentication, where access is granted on a per-connection basis. With client authentication, although authentication is performed on a user basis, access is actually granted on a per-IP address basis.
Session Authentication
Session authentication represents the third and final option for providing user-based authentication to determine access through a VPN-1/FireWall-1 enforcement module. Session authentication is an out-of-band authentication mechanism (the other out-of-band mechanism is for client authentication) that is designed to address the flexibility issues of user authentication and the security issues of client authentication. With user authentication, you learned that this mechanism only applies for HTTP, FTP, TELNET, and RLOGIN services, which rules it out as an authentication mechanism for other services. Client authentication provides flexibility by providing authentication for any service, but has issues with security as access is provided on a per-host (per-IP address) basis, allowing any number of connections from an authenticated host, regardless of the user on the host. User authentication does not have the security issues of client authentication, as HTTP, FTP, TELNET, and RLOGIN access is only provided on a per-connection basis, meaning another user cannot obtain unauthorized access by establishing a new connection from the host on which the previous user authenticated. Session authentication provides the security of per-connection authentication for any service, making it appear as the most obvious choice for authenticating access to services outside of HTTP, FTP, TELNET, and RLOGIN. The only downside to session authentication is that it requires a custom application to be installed on each client host using session authentication.
This application, which is written by Check Point, is called the session authentication agent, and provides out-of-band authentication for each connection (or session) that requires authentication on an enforcement module. When the session authentication agent is installed and running, it listens on TCP port 261, which allows enforcement modules that need to authenticate a user for session authentication to contact the agent for authentication information. Figure 7.26 demonstrates how session authentication works.
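The difference the post describes between per-IP and per-connection access is easy to see in a small decision model. The following is an added example, not code from the original post or from Check Point: it models only the accept/drop decision of an enforcement module under each of the three modes (the port numbers are the ones the post quotes, no network traffic is generated), and the user database, IP address and credentials are constructed for the demo. The `Keyboard` callback stands in for whoever is at the client host answering the session authentication agent's prompt.

```python
# Added example, not from the original post or from Check Point: a toy model of
# how the three VPN-1/FireWall-1 authentication modes decide access. Only the
# decision logic is modelled; no packets are sent and the port numbers are the
# ones quoted in the post. User database, IPs and credentials are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Services that user authentication (in-band, via the security servers) covers.
USER_AUTH_SERVICES = {"http", "ftp", "telnet", "rlogin"}
# Out-of-band client authentication endpoints on the enforcement module.
CLIENT_AUTH_PORTS = {"http": 900, "telnet": 259}
# Port on which the session authentication agent listens on the client host.
SESSION_AGENT_PORT = 261

Credentials = Tuple[str, str]  # (username, password)


@dataclass(frozen=True)
class Connection:
    src_ip: str
    service: str
    dst: str
    creds: Optional[Credentials] = None  # in-band credentials (user auth only)


# Models the person at the keyboard answering the session agent's prompt.
Keyboard = Callable[[Connection], Optional[Credentials]]


@dataclass
class EnforcementModule:
    permitted_services: Set[str]  # services allowed by the authentication rule
    user_db: Dict[str, str]       # constructed username -> password table
    authenticated_ips: Set[str] = field(default_factory=set)   # client auth state
    agents: Dict[str, Keyboard] = field(default_factory=dict)  # src_ip -> agent on TCP 261

    def _valid(self, creds: Optional[Credentials]) -> bool:
        return creds is not None and self.user_db.get(creds[0]) == creds[1]

    def client_auth(self, src_ip: str, creds: Credentials, via: str = "http") -> bool:
        """Out-of-band client authentication to port 900 (HTTP) or 259 (TELNET)."""
        if via not in CLIENT_AUTH_PORTS:
            raise ValueError(f"no client authentication security server for {via}")
        if not self._valid(creds):
            return False
        # The *host* is now permitted, not the user who typed the password.
        self.authenticated_ips.add(src_ip)
        return True

    def register_agent(self, src_ip: str, keyboard: Keyboard) -> None:
        """A session authentication agent on src_ip is listening on TCP 261."""
        self.agents[src_ip] = keyboard

    def decide(self, conn: Connection, mode: str) -> str:
        """Return 'accept' or 'drop' for one connection under the given mode."""
        if conn.service not in self.permitted_services:
            return "drop"
        if mode == "user":
            # In-band: only the four services the security servers understand.
            if conn.service not in USER_AUTH_SERVICES:
                return "drop"
            return "accept" if self._valid(conn.creds) else "drop"
        if mode == "client":
            # Per-IP: anyone on an authenticated host gets through.
            return "accept" if conn.src_ip in self.authenticated_ips else "drop"
        if mode == "session":
            # Per-connection: ask the agent on the client host for credentials.
            keyboard = self.agents.get(conn.src_ip)
            if keyboard is None:
                return "drop"  # no agent reachable on TCP 261, nothing to ask
            return "accept" if self._valid(keyboard(conn)) else "drop"
        raise ValueError(f"unknown authentication mode {mode!r}")


def demo() -> Dict[str, str]:
    """Replays the post's Alice / second-user scenario under each mode."""
    fw = EnforcementModule(permitted_services={"ssh", "http"}, user_db={"alice": "s3cret"})
    pc = "192.168.1.10"  # Alice's PC, as in the post
    alice = ("alice", "s3cret")
    results: Dict[str, str] = {}

    # User authentication: works for HTTP, cannot handle SSH at all.
    results["user_http"] = fw.decide(Connection(pc, "http", "10.0.0.5", alice), "user")
    results["user_ssh"] = fw.decide(Connection(pc, "ssh", "10.0.0.5", alice), "user")

    # Client authentication: Alice authenticates once out-of-band ...
    assert fw.client_auth(pc, alice, via="http")
    results["client_alice_ssh"] = fw.decide(Connection(pc, "ssh", "10.0.0.5"), "client")
    # ... and a second user on the same PC is accepted without any credentials.
    results["client_other_user_ssh"] = fw.decide(Connection(pc, "ssh", "10.0.0.5"), "client")

    # Session authentication: the agent prompts whoever is at the keyboard.
    fw.register_agent(pc, lambda conn: alice)
    results["session_alice_ssh"] = fw.decide(Connection(pc, "ssh", "10.0.0.5"), "session")
    fw.register_agent(pc, lambda conn: ("bob", "guess"))  # someone else, wrong password
    results["session_other_user_ssh"] = fw.decide(Connection(pc, "ssh", "10.0.0.5"), "session")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the three trade-offs the post lists: user mode drops the SSH connection outright, client mode accepts both SSH connections from 192.168.1.10 because it only knows the host, and session mode accepts Alice's connection but drops the second user's because each connection is answered separately by the agent.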