Robert_H
Participant

Identity awareness - Linux bastion users

Hi guys, just a quick brainstorm.
We currently have a couple of Windows terminal jump servers with MUH agents, and they're working fine. However, the admins would like to use a Linux jump server (RHEL-based) to access Linux servers. Check Point doesn't have software comparable to the MUH client on Linux.
The problem is, multiple users can be logged in to a single bastion server, and it has only one egress IP. I'm not sure whether using an Identity Collector would help, since it maps IP addresses to users. The MUH client on Windows creates a port range and assigns it to a user.

Each group of admins would have its own bastion, and all users logged on to the bastion would access the same destination resources.

Any ideas on how to solve this challenge?

0 Kudos
7 Replies
Vincent_Bacher
MVP Silver

Hi,

"Each group of admins would have its own bastion, and all users logged on to the bastion would access the same destination resources."

Reading this, why not do it the very simple way?
When a group of admins has its own bastion host and all of them are allowed to access the same destinations, why not just use e.g. TACACS/LDAP authentication on the bastion host, allowing only the relevant group to log in, and then create the firewall policies for the IP of the Linux server? And on the destination servers, restrict access to connections from the bastion IP only?
Fair approach?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Robert_H
Participant

Login to the bastion is already managed via LDAP authentication. However, managing nearly 200 groups of admins and bastion servers using IP-to-IP rules will be difficult. Nowadays all network rules are enforced by identity, and using IP-to-IP ACLs is a step backward.

This is the last-resort solution. I know it will only be for a specific use case, but…

0 Kudos
Vincent_Bacher
MVP Silver

OK, 200 servers and groups is too much for this approach.
Thinking about it.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
PhoneBoy
Admin

The only way to differentiate multiple users on the same IP is an agent which tags the appropriate packets with the relevant identity information.
This is what MUHv2 does for Windows.

Not sure how feasible this would be to implement on Linux, especially given the different kernel versions and such.
It's an RFE, in any case.

0 Kudos
Vincent_Bacher
MVP Silver

I’d been thinking about using the IA API, but now that I’ve read the reference, I realise that’s not an option here either.

In other words, the challenge described in this thread cannot be solved using IA.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Robert_H
Participant

I'm thinking about this dirty approach: send login events from Linux logins to the Identity Collector, parsing only login events (not logouts). The last logged-in user overrides the previous session, while keeping the correct ACL group. Change the connection persistence from "rematch connections" to "keep all connections". After the Identity Collector replaces the user session due to a user change, it may not affect existing connections. I hope...

However, from a security perspective, a large number of session takeover events could create significant noise in the SOC.

0 Kudos
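A sketch of the "login events only" feed described in the post above, added here as an example; it is not part of the original thread and not code from Check Point or the Identity Collector. The sshd journal lines, host name, users, bastion IP and ACL-group mapping are all constructed, and instead of calling a real identity source it simulates the IP-to-user mapping so you can count how often the identity on the shared bastion IP flips, which is exactly the takeover noise the post worries about.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample journal lines from a hypothetical RHEL bastion.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion1 sshd[1201]: Accepted publickey for alice from 10.1.1.5 port 51001 ssh2: ED25519 SHA256:...
Mar 10 08:00:09 bastion1 sshd[1244]: Accepted password for bob from 10.1.1.7 port 51002 ssh2
Mar 10 08:01:30 bastion1 sshd[1201]: Disconnected from user alice 10.1.1.5 port 51001
Mar 10 08:02:00 bastion1 sshd[1300]: Accepted publickey for carol from 10.1.1.9 port 51003 ssh2: RSA SHA256:...
Mar 10 08:02:05 bastion1 sshd[1301]: Failed password for invalid user root from 10.1.1.9 port 51004 ssh2
"""

# Only successful logins are mapped; disconnects and failed attempts are
# deliberately ignored, as in the "login events only" idea above.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Hypothetical directory lookup: the ACL group each admin belongs to.
GROUP_OF = {"alice": "db-admins", "bob": "db-admins", "carol": "web-admins"}


@dataclass
class IdentitySimulator:
    """Tracks the single identity a shared bastion IP currently maps to."""
    bastion_ip: str
    current_user: Optional[str] = None
    takeovers: int = 0                       # how often the mapping flipped
    events: list = field(default_factory=list)

    def feed(self, line):
        """Consume one log line; return the identity event it produced, if any."""
        m = LOGIN_RE.search(line)
        if not m:
            return None
        user = m.group("user")
        if self.current_user is not None and self.current_user != user:
            self.takeovers += 1              # last login wins on the shared IP
        self.current_user = user
        event = {"ip": self.bastion_ip, "user": user,
                 "group": GROUP_OF.get(user, "unknown")}
        self.events.append(event)
        return event


def simulate(log=SAMPLE_LOG, bastion_ip="10.9.9.1"):
    """Replay a log and return the simulator with its final state."""
    sim = IdentitySimulator(bastion_ip)
    for line in log.splitlines():
        sim.feed(line)
    return sim
```

Three logins on the same bastion IP produce two takeovers in this sample, which gives a feel for the event volume a busy bastion would push into the SOC.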
Vincent_Bacher
MVP Silver

Maybe this could work. Good luck!

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos