CCNSP V3.0EL Module 4.ppt

  • 7/21/2019 CCNSP V3.0EL Module 4.ppt

    1/90

    Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. training.cyberoam.com

    Cyberoam Certified Network & Security Professional (CCNSP)

    Module 4

    User Authentication

    2/90

    User Authentication > Agenda

    Introduction

    Types of Authentication

    Levels of Authentication

    Authentication Methods

    Identity Based Policies

    Group Management

    User Management

    Identity Based Firewall Rule

    3/90

    Authentication

    Cyberoam's Layer 8 identifies all traffic by "Username" in place of IP address/MAC address.

    • It therefore becomes essential for a user to authenticate through the firewall.

    Cyberoam functions on AAA principles: it not only "authenticates" but also "authorizes" and keeps an "account" of user activity.

    To authenticate, there are two types of users and hence two types of flows:

    • Local

    • External


    5/90

    Local Authentication

    [Diagram: (1) the user sends the authentication/authorization request to Cyberoam; (2) Cyberoam answers it locally and returns the authentication/authorization result.]

    6/90

    External Authentication

    [Diagram: (1) the user sends the authentication/authorization request to Cyberoam; (2) Cyberoam forwards the authentication request to the external server (AD); (3) AD returns the user authentication response; (4) Cyberoam returns the user authentication result to the user.]

    7/90

    External Authentication

    Cyberoam can be integrated to authenticate with external servers such as:

    • Active Directory

    • LDAP / LDAPS

      Open LDAP

      Novell eDirectory, Apple Directory

      Any standard LDAP directory

    • RADIUS Server

    Third-party integration with Cyberoam's API

    SSL and STARTTLS are supported for Active Directory and LDAP.

    8/90

    Configuration of Authentication Servers

    Local and external authentication servers can be configured at the same time.

    Multiple types of external authentication servers can also be configured at the same time.

    9/90

    Active Directory Integration

    10/90

    Active Directory Integration

    11/90

    Active Directory Integration

    Upon the user's first successful login:

    • A user is created in Cyberoam's local database.

    • If loose integration was selected while adding the AD server, the user falls into the default "Open Group".

    • If tight integration was selected while adding the AD server, the user falls into their respective group on Cyberoam (if the groups are already created or present).

    Importing Groups

    • You can use the import group wizard. In this method, Cyberoam automatically creates groups by syncing with the AD server.
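The local and external flows from slides 3 to 11 (local lookup first, otherwise forward to the configured external servers in turn, create the user locally on first success, and place it in a group according to loose or tight integration) can be followed in a small simulation. This is an added example and not Cyberoam's code: `FakeDirectory` stands in for an AD/LDAP server, and all users, passwords and group names are constructed.

```python
# Added example, not Cyberoam's code: a toy AAA flow following the slides.
# FakeDirectory, the account data and the group names are all constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalUser:
    name: str
    group: str
    source: str = "local"      # "local" or the name of the external server
    salt: bytes = b""
    digest: bytes = b""        # only set for locally stored credentials


class FakeDirectory:
    """Stand-in for an external AD/LDAP server (constructed, not a real client)."""

    def __init__(self, name: str, accounts: dict, tight: bool):
        self.name = name
        self.accounts = accounts   # user -> (password, group reported by the directory)
        self.tight = tight         # tight vs. loose integration (slide 11)

    def bind(self, user: str, password: str):
        rec = self.accounts.get(user)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return None            # authentication response: failure
        return rec[1]              # success: the directory's group for the user


class Appliance:
    DEFAULT_GROUP = "Open Group"

    def __init__(self, groups):
        self.groups = set(groups)  # groups already created on the appliance
        self.local = {}            # local user database
        self.servers = []          # external servers, queried in order
        self.accounting = []       # the "account" part of AAA

    def add_local_user(self, name, password, group):
        salt = os.urandom(16)
        self.local[name] = LocalUser(name, group, "local", salt, _digest(password, salt))

    def authenticate(self, user, password):
        """Returns the user's group on success, None on failure."""
        rec = self.local.get(user)
        if rec is not None and rec.source == "local":
            # Local flow: request and result stay on the appliance
            ok = hmac.compare_digest(rec.digest, _digest(password, rec.salt))
            self.accounting.append((user, "local", ok))
            return rec.group if ok else None
        # External flow: forward the request to each configured server
        for srv in self.servers:
            ad_group = srv.bind(user, password)
            if ad_group is None:
                continue
            if user not in self.local:
                # First successful login creates the user locally. Tight integration
                # keeps the directory's group only if it already exists here;
                # otherwise (and always for loose integration) it is Open Group.
                group = ad_group if srv.tight and ad_group in self.groups else self.DEFAULT_GROUP
                self.local[user] = LocalUser(user, group, srv.name)
            self.accounting.append((user, srv.name, True))
            return self.local[user].group
        self.accounting.append((user, "none", False))
        return None


def demo():
    app = Appliance(groups=["Sales", "Open Group"])
    app.add_local_user("alice", "local-pw", "Sales")
    app.servers.append(FakeDirectory("AD-loose", {"bob": ("pw-b", "Sales")}, tight=False))
    app.servers.append(FakeDirectory("AD-tight", {"carol": ("pw-c", "Sales"),
                                                  "dave": ("pw-d", "Engineering")}, tight=True))
    return {
        "alice": app.authenticate("alice", "local-pw"),
        "alice_bad": app.authenticate("alice", "wrong"),
        "bob": app.authenticate("bob", "pw-b"),        # loose -> Open Group
        "carol": app.authenticate("carol", "pw-c"),    # tight, group exists -> Sales
        "dave": app.authenticate("dave", "pw-d"),      # tight, group missing -> Open Group
        "eve": app.authenticate("eve", "pw-e"),        # unknown everywhere -> None
        "created": sorted(app.local),
    }


if __name__ == "__main__":
    print(demo())
```

The accounting list records every decision, including failures, which is the part of AAA that later makes the live-user and usage views possible.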

    12/90

    Active Directory Integration > Import Groups


    14/90

    Level of Authentication

    Authentication is done at three levels in Cyberoam:

    • Firewall

    • VPN

    • Admin

    15/90

    Level of Authentication > Authentication in Firewall

    16/90

    Level of Authentication > Authentication in VPN

    Only Secure Two-Factor Authentication is the most preferred method at this level.

    17/90

    Level of Authentication > Admin Authentication

    Active Directory or Secure Two-Factor Authentication are the most preferred methods at this level.


    19/90

    Authentication Methods

    Cyberoam can authenticate a user with four methods:

    • Client Based

    • Client Less

    • SSO (Single Sign-On)

    • SMS (Text Based) (Guest Users)

    20/90

    Client Based

    The client-based authentication mechanism is applied when a user is using a stand-alone computer or a mobile device.

    Captive portal

    • Prompts with a web page to input user credentials

    • Customizable portal view

    • Can be secured using HTTPS

    21/90

    Client Based

    22/90

    Captive Portal > Captive Portal Settings

    Note: Cyberoam will try sending a "Keep Alive" packet to the live user [count lost in extraction] times at an interval of [value lost in extraction] minutes.

    23/90

    Client Based > Client Software

    Corporate Client is the only authentication method that will work when USER/MAC Binding is enabled (works for IPv4 only).

    It can be downloaded from www.cyberoam.com/cyberoamclients.html

    24/90

    Client Based > Client Software

    General Authentication Client for Android is used to authenticate mobile users.

    Available on Play Store

    25/90

    Client Based > Client Software

    iAccess Client for iOS devices is used to authenticate mobile users.

    Available on App Store

    26/90

    Client Based > Client Software

    On successful login, the username appears in the "Live Users" list.

    • Identity -> Live Users

    [Screenshot: Live Users list with IPv4 Users and IPv6 Users]

    27/90

    Clientless User

    Static mapping of a user to a fixed IP address.

    A clientless user does not require the user to authenticate with Cyberoam.

    Useful for: (items lost in extraction)

    Adding a clientless user

    • To add a clientless user, navigate to Identity -> Users -> Clientless Users -> Add

    • To check that the user is listed, go to Identity -> Users -> Clientless Users and click on the username

    29/90

    Single Sign-On

    Cyberoam can be integrated with Active Directory or Novell eDirectory to provide Single Sign-On (SSO) for transparent user authentication.

    With SSO, users only need to sign in once to access the network.

    Domain credentials can be used to authenticate the user for any traffic type without providing a username/password to Cyberoam.

    Benefits

    • Ease of use

    • Transparency to users

    • Improves user experience

    30/90

    Single Sign-On (Continued)

    Cyberoam provides SSO through:

    • CTAS (Cyberoam Transparent Authentication Suite) for Active Directory & Novell eDirectory

    • NTLM (NT LAN Manager) for Active Directory

    • CATC (Cyberoam Authentication for Terminal Clients) for Microsoft & Citrix Terminal Services

    31/90

    CTAS

    Cyberoam Transparent Authentication Suite (CTAS) is a software component to be installed on the Active Directory server for SSO.

    It eliminates the installation of SSO clients on each workstation and delivers a high level of protection.

    As of now, CTAS works on IPv4.

    32/90

    CTAS > Login Flow

    [Diagram: a successful logon on AD is written to the Security Audit Log as Event ID 672 (Windows 2003) or 4768 (Windows 2008/2012); the CTAS software on AD reads it.]

    CTAS sends Audit Log information to Cyberoam on Port 6060.

    33/90

    CTAS > Deployment Scenarios

    [Diagram: the Primary Domain Controller (AD) runs the CTAS Suite (Agent + Collector); the Backup Domain Controller (AD) runs a CTAS Agent. "Successful Login" entries from each AD's Event Log go to its Agent, the Agents report to the Collector on the agent port, and the Collector sends to Cyberoam on Port 6060.]

    34/90

    CTAS > Login Flow for Non-Domain Computer

    [Diagram: Primary AD (CTAS Suite: Agent + Collector) and Secondary AD (Agent). Event IDs flow from the Agents to the Collector; Ports 6060 and 6677 appear between Agents, Collector and Cyberoam; the workstation is queried via WMI, ping and Remote Registry and the Result is returned.]

    Components

    The CTAS suite consists of two components:

    • Agent

      Traps user authentication events using Microsoft Event Logs and sends such events to the Collector.

      This component is needed in case of the Event Logs login method.

    • Collector

      Processes events received from Agent(s) and stores them in its database for tracking.

      Authenticates the user in Cyberoam.

    36/90

    CTAS > Configuration

    37/90

    CTAS > User Log-off Detection

    EventLog and NETAPI are Microsoft utilities that help in accurately detecting a successful domain user login.

    However, there is no built-in utility that detects user log-off, and hence Cyberoam provides two different methods for log-off detection.

    When enabled, the Cyberoam Collector by default checks for user log-off at an interval of 10 minutes.

    38/90

    CTAS > User Log-off Detection

    [Diagram: Primary AD and Secondary AD Agents report Event IDs to the CTAS Suite Collector, which holds the live users: Ricky at 10.120.1.4, Robert at 10.120.1.1, Michael at 10.120.1.x (last octet lost in extraction).]

    39/90

    CTAS > User Log-off Detection

    [Diagram: same live-user table as the previous slide, with the configured settings shown below.]

    Logout Method: Ping / Workstation Polling (WMI / Remote Registry)

    Logout Interval: x0 seconds (Default; first digit lost in extraction)

    40/90

    CTAS > User Log-off Detection

    [Diagram: same live-user table; after 1x minutes (second digit lost in extraction) Ricky's workstation is DISCONNECTED.]

    41/90

    CTAS > User Log-off Detection

    [Diagram: the Collector runs its Logout Poll, finds Ricky's workstation DISCONNECTED, and logs out "Ricky".]
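Slides 32 to 41 describe the Collector's two jobs: turn the Agents' logon events into a user-to-IP table, and, since Windows reports no log-off, poll the workstations at the logout interval and remove any that no longer answer. The simulation below is an added example and not part of CTAS or Cyberoam's code: the event records are constructed samples using the two event IDs the slides name (672 and 4768), the addresses follow the diagram's 10.120.1.0/24 range, the `is_alive` callback stands in for the ping/WMI probe, and the 60-second logout interval is a constructed default.

```python
# Added example, not part of CTAS: a toy collector that builds the user<->IP
# table from logon events and detects log-off by workstation polling.
# SAMPLE_EVENTS are constructed samples, not real audit-log records.
from collections import namedtuple

Event = namedtuple("Event", "event_id account client_ip ts")

# Constructed sample events; IDs 672 and 4768 are the ones the slides name.
SAMPLE_EVENTS = [
    Event(4768, "ricky", "10.120.1.4", 0),
    Event(672, "robert", "10.120.1.1", 5),
    Event(4768, "michael", "10.120.1.7", 9),
    Event(4768, "WS01$", "10.120.1.7", 12),    # machine account: ignored
    Event(4768, "robert", "10.120.1.4", 30),   # robert logs on at ricky's host
]


class Collector:
    LOGON_EVENT_IDS = {672, 4768}

    def __init__(self, is_alive, logout_interval=60):
        self.live = {}                         # client_ip -> (account, last_seen)
        self.is_alive = is_alive               # ping / WMI probe stand-in
        self.logout_interval = logout_interval # seconds between polls (constructed default)
        self.last_poll = None

    def ingest(self, ev):
        """Process one event from an Agent; returns True if it changed the table."""
        if ev.event_id not in self.LOGON_EVENT_IDS or ev.account.endswith("$"):
            return False
        # An IP carries exactly one identity: a new logon replaces the old mapping
        self.live[ev.client_ip] = (ev.account, ev.ts)
        return True

    def logout_poll(self, now):
        """Runs at most once per logout_interval; drops hosts that no longer answer."""
        if self.last_poll is not None and now - self.last_poll < self.logout_interval:
            return []
        self.last_poll = now
        gone = sorted(ip for ip in self.live if not self.is_alive(ip))
        for ip in gone:
            del self.live[ip]
        return gone

    def user_at(self, ip):
        rec = self.live.get(ip)
        return rec[0] if rec else None


def demo():
    reachable = {"10.120.1.4", "10.120.1.1", "10.120.1.7"}
    c = Collector(is_alive=lambda ip: ip in reachable, logout_interval=60)
    accepted = [c.ingest(e) for e in SAMPLE_EVENTS]
    after_ingest = {ip: u for ip, (u, _) in c.live.items()}
    reachable.discard("10.120.1.1")       # robert's first host goes offline
    first = c.logout_poll(now=40)         # 10.120.1.1 is logged out
    reachable.discard("10.120.1.7")       # michael's host goes offline
    early = c.logout_poll(now=70)         # inside the interval: nothing is checked
    later = c.logout_poll(now=100)        # 10.120.1.7 is logged out
    return {
        "accepted": accepted,
        "after_ingest": after_ingest,
        "first": first,
        "early": early,
        "later": later,
        "final": {ip: u for ip, (u, _) in c.live.items()},
    }


if __name__ == "__main__":
    print(demo())
```

The replacement rule in `ingest` is the important one for identity-based rules: the table answers "who is at this IP now", so a second logon at the same host must overwrite, not add. The poll also shows why the interval matters: until it elapses, a host that went away is still treated as its last user.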

    42/90

    CTAS > User Log-off Detection

    43/90

    CTAS Fault Tolerance

    The Collector being an essential component of the transparent authentication mechanism, Collector failover must be configured; this is also known as CTAS Fault Tolerance.

    Cyberoam allows building up a group of backup collectors for fault tolerance.

    One of these collectors acts as primary, while the remaining ones are backup collectors.

    Cyberoam allows adding up to [number lost in extraction] collectors in a single group.

    44/90

    CTAS Troubleshooting

    From CTAS, you can:

    • Check online users

    • See the log file

    • Increase the log file size

    • Perform a WMI query test

    • Troubleshoot

    45/90

    CTAS Troubleshooting

    CTAS Live Users page

    Logon Type value 1 stands for Workstation Polling

    Logon Type value 2 stands for Authentication from AD

    46/90

    NTLM

    Browser-initiated Single Sign-On authentication

    It is a challenge-response authentication protocol that authenticates the user while accessing the internet or an application.

    Pre-requisites

    • Cyberoam must be integrated with Active Directory

    • In order to run NTLM, the following requirements must be met: Server: Windows 2003 or Windows 2008. Protocol: NTLMv1 or NTLMv2. Browser: Google Chrome, Firefox & Internet Explorer

    • As of now, NTLM works on IPv4

    47/90

    NTLM Authentication Methodologies

    There are two methodologies for NTLM. (Details lost in extraction.)

    Administration -> Appliance Access. Under Authentication Services, enable NTLM access for the required zones. Here, we have enabled NTLM for the LAN zone.

    50/90

    Authentication Failover Approach

    Authentication precedence:

    • Clientless Users

    • Clientless Single Sign-On

    • Corporate Client

    • NTLM

    • Captive Portal

    51/90

    CATC (Thin Client Authentication)

    What is a Thin Client

    • A server that provides the ability to host multiple, simultaneous client sessions is termed a Terminal Server. Such a server is capable of hosting multi-user desktops.

    • The user uses remote access software, allowing the client computer to serve as a terminal emulator. Users connect to the Terminal Server and access resources or the internet from a virtual user desktop.

    • CATC works on IPv4

    Challenge (slide content lost in extraction)

    SMS > Step 1: Integrate with SMS Gateway

    60/90

    SMS > Step 2: Enable SMS Gateway

    61/90

    SMS > Step 2: Enable SMS Gateway


    63/90

    Identity based Policies > Access Time Policy

    It defines the time period during which users are allowed/denied network access, for example office-hours-only access.

    It enables setting the time interval (days and times) for network access with the help of a Schedule.

    Identity -> Policy -> Access Time

    64/90

    Identity based Policies > Surfing Quota Policy

    It defines the duration of network surfing time.

    It is the allowed time in hours for a group or an individual user to access the Internet.

    Identity -> Policy -> Surfing Quota

    65/90

    Identity based Policies > Data Transfer Policy

    This policy is used to restrict the users' upload and download.

    Data transfer restriction can be based on: (criteria lost in extraction)

    Policy -> Data Transfer
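Slides 63 to 65 describe three policies that a group carries and that every member inherits: an access time schedule, a surfing quota in hours, and a data transfer limit. The code below, an added example that is not Cyberoam's, evaluates all three for a user against constructed usage counters; the group definitions, membership, limits and dates are assumptions made for the illustration.

```python
# Added example, not Cyberoam's code: evaluating the identity-based policies
# (access time, surfing quota, data transfer) that a group carries.
# Groups, membership, limits and usage figures are constructed.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessTimePolicy:
    days: frozenset          # weekday numbers, Monday = 0
    start_hour: int          # inclusive
    end_hour: int            # exclusive

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class SurfingQuotaPolicy:
    hours_allowed: float     # total surfing time granted

    def allows(self, hours_used: float) -> bool:
        return hours_used < self.hours_allowed


@dataclass(frozen=True)
class DataTransferPolicy:
    upload_mb: int
    download_mb: int

    def allows(self, up_mb: int, down_mb: int) -> bool:
        return up_mb < self.upload_mb and down_mb < self.download_mb


@dataclass(frozen=True)
class Group:
    name: str
    access_time: AccessTimePolicy
    surfing_quota: SurfingQuotaPolicy
    data_transfer: DataTransferPolicy


OFFICE_HOURS = AccessTimePolicy(frozenset(range(0, 5)), 9, 18)   # Mon-Fri 09:00-18:00

# Constructed groups and membership; users inherit every policy of their group
GROUPS = {
    "Sales": Group("Sales", OFFICE_HOURS, SurfingQuotaPolicy(40), DataTransferPolicy(500, 2000)),
    "Open Group": Group("Open Group", AccessTimePolicy(frozenset(range(7)), 0, 24),
                        SurfingQuotaPolicy(10), DataTransferPolicy(100, 500)),
}
MEMBERSHIP = {"alice": "Sales", "bob": "Open Group"}


def evaluate(user, usage, when):
    """usage = {"hours": .., "up_mb": .., "down_mb": ..}.
    Returns (allowed, names of the policies that denied access)."""
    group = GROUPS[MEMBERSHIP[user]]
    failed = []
    if not group.access_time.allows(when):
        failed.append("access_time")
    if not group.surfing_quota.allows(usage["hours"]):
        failed.append("surfing_quota")
    if not group.data_transfer.allows(usage["up_mb"], usage["down_mb"]):
        failed.append("data_transfer")
    return (not failed, failed)


def demo():
    mon_10 = datetime(2024, 1, 8, 10)    # a Monday, 10:00 (constructed)
    sat_10 = datetime(2024, 1, 13, 10)   # the following Saturday
    return {
        "alice_ok": evaluate("alice", {"hours": 5, "up_mb": 10, "down_mb": 100}, mon_10),
        "alice_weekend": evaluate("alice", {"hours": 5, "up_mb": 10, "down_mb": 100}, sat_10),
        "bob_over": evaluate("bob", {"hours": 12, "up_mb": 10, "down_mb": 800}, sat_10),
    }


if __name__ == "__main__":
    print(demo())
```

Returning every failed policy rather than stopping at the first one is what makes the "My Account" style view on slide 82 possible: the user can be told which limit they hit.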

    66/90

    Identity based Policies > Creating a Data Transfer Policy


    68/90

    Group Management

    A Group is a collection of users having common policies.

    Instead of attaching individual policies to each user, create a group of policies and simply assign the appropriate group.

    A group can contain default as well as custom policies.

    Various policies that can be grouped are: (list lost in extraction)

    72/90

    Adding clientless groups

    To add clientless groups go to Identity -> Groups -> Add


    74/90

    User Management

    Users can be identified by an IP/MAC address or a user name and assigned to a user group.

    All the users in a group inherit the policies defined for that group.

    75/90

    User Types

    Cyberoam supports three types of users:

    • Normal

    • Clientless

    • Single Sign-On

    76/90

    Adding Normal User

    To create users: Identity -> Users -> User -> Add

    77/90

    Adding Clientless Users

    To create clientless users: Identity -> User -> Clientless User

    78/90

    Adding Single Sign-On Users

    Cyberoam automatically creates a Single Sign-On user on the first successful authentication.

    Such users cannot be created manually.

    79/90

    Manage Users

    Navigate to Identity -> User

    80/90

    Manage Clientless Users

    Select Identity -> User -> Clientless Users to view the list of users, and click the user name to be modified.

    81/90

    User/MAC address binding

    This is not applicable to Clientless Users.

    Navigate to Identity -> Users -> User

    82/90

    User's My Account

    User My Account gives details such as quarantine, change password, email, and Internet usage of a particular user.

    The user can change his/her password using this tab.

    Users can view their My Account details from the GUI.

    83/90

    Change Password & Account Status


    85/90

    Identity based firewall rule

    In its rule matching criteria, a normal UTM does everything from matching source and destination addresses to ports. A next-generation UTM like Cyberoam adds Identity to the firewalling solution.

    When Cyberoam receives a request, it checks the source address, destination address and the services and tries to match them against the firewall rules.

    If the Identity (User) is found in the Live User Connections and all other matching criteria are fulfilled, the action specified in the rule is applied.

    86/90

    Create Identity based Firewall rule (Cyberoam V/S Normal Firewall)

    Normal Firewall

    Rule matching criteria

    - Source address
    - Destination address
    - Service (port)
    - Schedule

    Action

    - Accept
    - NAT
    - Drop
    - Reject

    Cyberoam Identity Based UTM

    Rule matching criteria: as above, plus

    - Identity (for IPv4/IPv6)

    Unified Threat Controls (per Rule Matching Criteria)

    - IPS Policy
    - Web Filter & Application Filter Policy
    - QoS Policy
    - Anti Virus & Anti Spam
    - Routing decisions

    On IPv6 Cyberoam supports QoS and Routing Decisions. However, it fails in DHCP and Wi-Fi environments.
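The matching described on slides 85 and 86 (address and service criteria first, then Identity looked up in the live-user table, first matching rule wins) is shown below as an added example that is not Cyberoam's code. The rule base, addresses, users and groups are constructed; the schedule criterion is left out to keep the focus on identity. The first rule allows DNS to an assumed ISP resolver without any identity, which is the kind of rule Lab 12 adds so that unauthenticated hosts can still resolve names, while everything else requires a live user.

```python
# Added example, not Cyberoam's code: identity-based rule matching over a
# live-user table. Addresses, users, groups and rules are all constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    service: tuple           # (proto, port); ("any", 0) matches every service
    action: str              # accept / drop / reject
    identity: frozenset = frozenset()   # users or groups; empty = identity not checked


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _service_match(spec, proto, port):
    return spec[0] == "any" or (spec[0] == proto and spec[1] == port)


def match_rule(rules, live_users, pkt, default_action="drop"):
    """First-match evaluation. live_users maps src_ip -> (user, group)."""
    for r in rules:
        if not (_addr_match(r.src, pkt["src"]) and _addr_match(r.dst, pkt["dst"])
                and _service_match(r.service, pkt["proto"], pkt["port"])):
            continue
        if r.identity:
            who = live_users.get(pkt["src"])
            if who is None or not (who[0] in r.identity or who[1] in r.identity):
                continue         # no live user, or wrong user/group: try the next rule
        return r.name, r.action
    return "default", default_action


# Constructed rule base: DNS to the (assumed) ISP resolver needs no identity,
# web access needs the Sales group, SSH is granted to one named user.
RULES = [
    Rule("isp-dns", "10.120.1.0/24", "203.0.113.53/32", ("udp", 53), "accept"),
    Rule("sales-web", "10.120.1.0/24", "any", ("tcp", 443), "accept", frozenset({"Sales"})),
    Rule("ricky-ssh", "10.120.1.0/24", "any", ("tcp", 22), "accept", frozenset({"ricky"})),
]

# Constructed live-user table, as a collector or captive portal would fill it
LIVE_USERS = {"10.120.1.4": ("ricky", "Sales"), "10.120.1.1": ("robert", "Open Group")}


def demo():
    def pkt(src, dst, proto, port):
        return {"src": src, "dst": dst, "proto": proto, "port": port}

    web, dns = "198.51.100.10", "203.0.113.53"
    return {
        "ricky_web": match_rule(RULES, LIVE_USERS, pkt("10.120.1.4", web, "tcp", 443)),
        "robert_web": match_rule(RULES, LIVE_USERS, pkt("10.120.1.1", web, "tcp", 443)),
        "unauth_web": match_rule(RULES, LIVE_USERS, pkt("10.120.1.9", web, "tcp", 443)),
        "unauth_dns": match_rule(RULES, LIVE_USERS, pkt("10.120.1.9", dns, "udp", 53)),
        "ricky_ssh": match_rule(RULES, LIVE_USERS, pkt("10.120.1.4", web, "tcp", 22)),
        "robert_ssh": match_rule(RULES, LIVE_USERS, pkt("10.120.1.1", web, "tcp", 22)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that an identity rule that does not match falls through to the next rule rather than rejecting outright; with a default drop at the end, an unauthenticated host only gets what the identity-free rules above it grant.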

    87/90

    Create Identity based IPv4 Firewall rule (Cont.)

    88/90

    Create Identity based IPv6 Firewall rule (Cont.)

    89/90

    Labs

    Lab 12: Enforce Authentication

    • Action change in the default firewall rule

    • New firewall rule in case users are using ISP-provided DNS

    Lab 13: Authenticating a user through Captive Portal / Cyberoam Corporate Client

    • Authenticating with Corporate Client

    Lab 14: Change default Captive Portal Settings

    Lab 15: Integration with Active Directory (Optional)

    • Configuring AD authentication

    90/90

    Next -> Module 5 (Web Filter)