
RE: [FW1] SecurID and Checkpoint

Here is the answer... this is from the phoneboy site.


Configuring SecurID-based Authentication

Q:
How can I configure FireWall-1 to authenticate my users against a SecurID server? I'd also rather not type in all the users I have defined in the SecurID server either.

A:
Tina Bird sent me the following (which has been modified and generalized a bit):

Note: This document assumes that the ACE/Server installation is functioning correctly; that the FW-1 is already enforcing a valid security policy, with whatever address translation is required for internal users to access the Internet; and that network connectivity between the ACE/Server and the FW-1 is unimpeded. You may need to explicitly define a rule on your FW-1 allowing SecurID traffic to and from the ACE/Server.

1. On ACE/Server, define your firewall as a communications server within the "Add Client" menu of the administrative tool.

2. On ACE/Server, be sure that the client hostname and IP address of the firewall agree with the firewall's own definitions. This means that the nodename (as defined by the command "hostname") and the IP that name resolves to match that which is configured on the ACE/Server.

3. On ACE/Server, list the other interfaces of the firewall under Secondary Nodes in the client configuration field. These must be listed in order for the ACE/Server to accept authentication requests from the firewall.

4. From the FW-1 Management GUI, define a user group called SecurIDUsers. (From the "Manage" menu, select Users, New, Group.)

5. From the FW-1 Management GUI, define a new user (using the default template) named generic*. Add this user to the group SecurIDUsers. Under properties for this user, define SecurID as the authentication method. [Note that only one generic* user can be configured on a FW-1 at any given time.]

6. Add a FW-1 security rule with a source of SecurIDUsers@any, whatever destination and service you want to authenticate, and an action of UserAuth. Save, verify and install the security policy.

7. Check the Network Address Translation rules on the FW-1 GUI to be sure that communications between the firewall and the ACE/Server are not address translated (address translation will really complicate the node secret exchange between the two boxes).

8. On a Unix or IPSO platform, create the directory /var/ace. Copy /opt/ace/data/sdconf.rec from the ACE/Server (via FTP or disk) to /var/ace/sdconf.rec (on NT, this should be %SystemRoot%\system32\sdconf.rec).

9. Bounce FireWall-1 (fwstop; fwstart).

10. Test authentication by initiating a connection to whatever destination and service you defined in Step 6.
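A pre-flight check for the Unix/IPSO side of the procedure above, as an added example that is not part of the original post or of the phoneboy FAQ. It verifies, without touching the network, the two preconditions the procedure calls out that can be checked on the firewall itself: that the firewall's nodename (what "hostname" prints) resolves to the same address the ACE/Server administrator entered in the client record, and that sdconf.rec is present and non-empty at the agent's path. Name resolution is done against an /etc/hosts-style file supplied by the caller so the check runs anywhere; the function names, the constructed hosts entries, and the assumption that sdconf.rec should be readable only by its owner are mine, not from the page.

```shell
#!/bin/sh
# Pre-flight checks for pairing FireWall-1 with an ACE/Server.
# Added example, not from the original post. Assumptions: the caller supplies
# an /etc/hosts-style file to resolve against (so this runs offline) and the
# IP address the ACE/Server administrator entered in the firewall's client
# record. Nothing here changes the firewall; it only reports.

# resolve_name NAME HOSTSFILE
# Print the first address mapped to NAME (as hostname or alias) in HOSTSFILE.
# Comment lines and lines without at least an address and a name are skipped.
resolve_name() {
    awk -v n="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$2"
}

# check_client_record NODENAME HOSTSFILE ACE_CLIENT_IP
# The nodename must resolve to the same address the ACE/Server holds for this
# client; otherwise the ACE/Server will not accept authentication requests
# from the firewall.
check_client_record() {
    ip=$(resolve_name "$1" "$2")
    if [ -z "$ip" ]; then
        echo "FAIL: $1 does not resolve via $2" >&2; return 1
    fi
    if [ "$ip" != "$3" ]; then
        echo "FAIL: $1 resolves to $ip but the ACE/Server client record has $3" >&2; return 1
    fi
    echo "OK: $1 -> $ip matches the ACE/Server client record"
}

# check_sdconf PATH
# sdconf.rec (copied from /opt/ace/data on the ACE/Server) must exist and be
# non-empty at the agent's path: /var/ace/sdconf.rec on Unix/IPSO. It tells
# the agent which server to trust, so it should be owner-readable only
# (my assumption; the page does not state a mode).
check_sdconf() {
    if [ ! -s "$1" ]; then
        echo "FAIL: $1 missing or empty" >&2; return 1
    fi
    case $(ls -l "$1" | cut -c1-10) in
        -rw-------|-r--------) echo "OK: $1 present, owner-only permissions" ;;
        *) echo "WARN: $1 present but readable by group/others" >&2 ;;
    esac
    return 0
}

# preflight NODENAME HOSTSFILE ACE_CLIENT_IP SDCONF_PATH
# Run every check; succeed only if all pass. Bounce FW-1 only on success, e.g.
#   preflight "$(hostname)" /etc/hosts 10.0.0.5 /var/ace/sdconf.rec && fwstop && fwstart
preflight() {
    rc=0
    check_client_record "$1" "$2" "$3" || rc=1
    check_sdconf "$4" || rc=1
    return $rc
}
```

The Secondary Nodes entry for the firewall's other interfaces and the NAT exemption between the firewall and the ACE/Server can only be confirmed in the ACE/Server administration tool and the FW-1 GUI respectively, so the script does not attempt them; it covers what can be verified from the firewall's own filesystem before the bounce.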

-----Original Message-----
From: Wolfgang Kueter [mailto:[email protected]]
Sent: Tuesday, September 18, 2001 7:15 AM
To: CP-FW-1
Subject: Re: [FW1] SecurID and Checkpoint



"Prem" <[email protected]> wrote:
> Hi,
>
> I have Checkpoint 2000 running on NT, and need to integrate with RSA
> SecurID and Ace Server, Does any one have an idea on how to configure
> checkpoint for SecurID auth.

If you are not able to find that in the manual, get professional help
from a consultant. You'll probably be able to pay him, since you could
also afford the ACE Server.

Wolfgang
--
Wolfgang Kueter Netzwerkadministration & Security
SHLINK Internet Service http://www.shlink.de [email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Telefon: +49 4121 269 006 Fax: +49 4121 269 007


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
