Sergej_Gurenko
Collaborator

Identity Based Security - collection of odd questions - hopefully not too many in one post

Hello Experts,

I'm watching recorded sessions and reviewing the documentation for Identity Agents / Identity-Based Security. This is part of an architectural review for an enterprise running CP. The goal is to refresh and modernise the design (from CP to CP) and make it more secure, robust and resilient. The roadmap for Identity is one part of the overall re-design. I'm not trying to pinpoint the LLD, but rather to understand where CP is moving (perhaps based on what customers are demanding). Hopefully, this understanding will help to outline the Identity upgrade stages (e.g. phase 1 - deploy Identity Collectors, phase 2 - deploy Identity Agents, phase 3 - introduce Machine Identities, phase 4 - add Azure AD integration, etc.)

Since I do not follow release notes and all tech talks, I'm looking for information about the following:

q1: USER and MACHINE identity discovery at the same time:

I recall from the past that there was only a single level/layer of identity - you could discover the USERNAME and map it to the IP address. The videos are showing output like "ID Session FGAA9911: user1@laptop1@10.0.0.100"; as you can see, there are both USER and MACHINE in the session. Was it always like this, or was it introduced in some version?

q2: The requirements and gotchas for USER and MACHINE identity discovery:

What are the requirements for discovering both User and Machine? So far I found this in Introduction to Identity Awareness > Identity Sources > Identity Agents: "Full agent includes packet tagging and computer authentication."

Can it be done via Active Directory / Identity collector, or do you need FULL "Identity Agent" on the machines?

What are the other alternatives? It looks like Cisco ISE integration can be used to get machine names into the Identity Collector (I believe the customer is using ISE on the LAN; 802.1X with machine certificates is in place). There is a great video on CheckMates on ISE integration.

q3: Where to read more about conflict resolution

What if the same user is visible behind multiple machines? If I'm not mistaken, in the past the same user behind a new IP would prune the old mapping. Machine names add another dimension to this.

q4: What are the logical checks one can perform on MACHINE?

I recall one could LDAP-query a USER to check group membership. What are the checks one can do for machines? For example, can you create a rule to allow User1 on a domain machine, but block the same User1 if the machine is not discovered?

q5: Azure AD integration is it worth it with on-prem only, no Harmony / VPN?

Talking about Quantum on-prem gateways (and no Harmony, with some third-party VPN in place), is there an advantage of integrating with Azure AD at all? Can you please recommend a deep-dive video on Identity Collector and Azure AD?

I'm not clear on the advantages for Hybrid AD (e.g. on-prem AD and Azure AD connected with AD Sync). It clearly has some point if one uses an Azure AD-only setup (because there is no on-prem AD). But what about Hybrid AD?

I know what AAD Conditional Access is, but struggling to see how Check Point Quantum can benefit from Conditional Access.

In some video, it was mentioned that CP is considering integration with Intune. Is this on the committed roadmap?

q6: Is "Identity Awareness Packet Tagging / Connection Integrity Solution" a widely used feature?

As per "Identity Agent" and sk60221, it looks like packet tagging has been in the Check Point codebase for a while, at least since R75. Is it widely used and recommended for new deployments?

q7: Packet Tagging compatibility with third-party VPN/ZTA?

Does Packet Tagging survive Microsoft Direct Access IPv6/IPv4 conversion?

q8: Is it all worth it with 90% of people working remotely, outside of the perimeter...

Are the Identity Agents (mostly) useless when using a non-Check Point VPN? 90% of users can be at home, with a small proportion on site. A third-party VPN hide-NATs many VPN users behind one IP address. Will the identity design be handicapped without some Harmony client type?

Please reply even if you only know the answer to one or two questions 😉 THANKS!
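The session record quoted in q1 ("user1@laptop1@10.0.0.100") and the conflict and rule questions in q3 and q4 can be modelled with a small IP-to-identity table. The Python below is an added example written for this page, not Check Point code: its two conflict rules (a newer login on the same IP replaces the older one; the same user at a second IP keeps both sessions, and a user concurrently mapped to three or more IPs is treated as a service account whose user identity is dropped while the machine identities are kept) are assumptions chosen to illustrate the trade-off, not the gateway's actual algorithm. The session strings, the source labels, the "-" marker for an undiscovered field and the domain suffix are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IdentitySession:
    user: Optional[str]     # None when only a machine identity is known
    machine: Optional[str]  # None when the machine was not discovered
    ip: str
    source: str             # identity source that reported it (assumed labels)


def parse_session(text: str, source: str) -> IdentitySession:
    """Parse the 'user@machine@ip' form quoted in the question.

    rsplit keeps a UPN-style user such as 'user1@corp.local' intact, because
    only the last two '@' separate machine and IP.  '-' marks an unknown
    field (a convention assumed for this example, not gateway syntax).
    """
    parts = text.rsplit("@", 2)
    if len(parts) != 3:
        raise ValueError(f"bad session string: {text!r}")
    user, machine, ip = parts
    return IdentitySession(
        user=None if user == "-" else user,
        machine=None if machine == "-" else machine,
        ip=ip,
        source=source,
    )


class SessionTable:
    """IP -> identity mapping with two illustrative conflict rules.

    Rule 1: one session per IP; a newer login on the same IP replaces the
            older one (it is physically the same endpoint).
    Rule 2: the same user at a new IP does not prune the old mapping, since a
            user may legitimately be logged on to several systems.  If one
            user is mapped to >= threshold distinct IPs at once it is treated
            as a service account: its user identity is dropped everywhere
            while the machine identities are kept.
    """

    def __init__(self, service_account_threshold: int = 3) -> None:
        self.by_ip: Dict[str, IdentitySession] = {}
        self.threshold = service_account_threshold
        self.excluded_users: Set[str] = set()

    def learn(self, s: IdentitySession) -> None:
        if s.user in self.excluded_users:          # already classed as service account
            s = IdentitySession(None, s.machine, s.ip, s.source)
        self.by_ip[s.ip] = s                       # Rule 1
        if s.user is None:
            return
        ips: List[str] = [ip for ip, x in self.by_ip.items() if x.user == s.user]
        if len(ips) >= self.threshold:             # Rule 2
            self.excluded_users.add(s.user)
            for ip in ips:
                old = self.by_ip[ip]
                self.by_ip[ip] = IdentitySession(None, old.machine, ip, old.source)


@dataclass
class AccessRule:
    users: Set[str]
    require_machine: bool = True   # block the user if no machine identity exists
    machine_suffix: str = ""       # e.g. ".corp.local": machine must be domain-joined


def evaluate(table: SessionTable, src_ip: str, rule: AccessRule) -> Tuple[bool, str]:
    """Decide a connection from src_ip against the rule; returns (accept, reason)."""
    s = table.by_ip.get(src_ip)
    if s is None or s.user is None or s.user not in rule.users:
        return False, "no matching user identity"
    if rule.require_machine:
        if s.machine is None:
            return False, "user matched but machine identity not discovered"
        if rule.machine_suffix and not s.machine.lower().endswith(rule.machine_suffix.lower()):
            return False, f"machine {s.machine} is not in domain {rule.machine_suffix}"
    return True, "accept"


if __name__ == "__main__":
    # Constructed sample sessions, not real gateway output.
    table = SessionTable()
    for line, src in [
        ("user1@laptop1.corp.local@10.0.0.100", "identity-agent"),
        ("user1@-@10.0.0.101", "ad-query"),
        ("svc_backup@srv1.corp.local@10.0.1.1", "ad-query"),
        ("svc_backup@srv2.corp.local@10.0.1.2", "ad-query"),
        ("svc_backup@srv3.corp.local@10.0.1.3", "ad-query"),
    ]:
        table.learn(parse_session(line, src))
    rule = AccessRule(users={"user1"}, machine_suffix=".corp.local")
    for ip in ("10.0.0.100", "10.0.0.101", "10.0.1.1"):
        print(ip, evaluate(table, ip, rule))
```

The q4 rule ("allow User1 on a domain machine, block the same User1 if the machine is not discovered") is the `require_machine` plus `machine_suffix` pair: the second session for user1 comes from an IP where only the user was learned, so it is dropped even though the user matches. The service-account rule shows why machine identity is worth keeping separately: once `svc_backup` is excluded, the three servers still match machine-based rules.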


Accepted Solutions
PhoneBoy
Admin

1. It’s more or less always been that way. Having said that, in R80.40, some additional information is communicated via MUHv2 agents.

2. Machine Identity should be discovered with ADQuery, Identity Collector, or Identity Agents.

3. A user can exist and be authenticated on multiple systems. ADQuery had a way to automatically detect (and figure out) service accounts and exclude those. In R81.20, Identity Collector also does this.

4. Not sure I understand this question. Pretty much all the use cases I’ve seen focus on the user, with the machine being an additional dimension (not the only one).

5. To integrate with Azure AD, you need to use Captive Portal with HTTPS Inspection, as far as I know. This is definitely required in order to access, say, Office 365. The SAML assertion returned by Azure AD will include the relevant groups the user is a part of.

6. MUHv2 (used on Terminal Servers) definitely uses packet tagging. We don’t see a lot of queries related to Identity Agents on the community, with the ones we do see being related to MUH mostly.

7. For MUHv2 (at least) we use an existing TCP header to tag the packet. I believe the other agents do the same thing. Whether that is preserved by another VPN/ZTNA solution is a separate question.

8. Remote Access users don’t necessarily need an Identity Agent if they are always or mostly remote since the VPN client itself is a source of identity.
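To make point 5 concrete: with a SAML integration the gateway learns group membership from the assertion itself rather than from an LDAP query against AD. The Python below is an added example written for this page, not Check Point's or Microsoft's code. It parses a constructed, unsigned assertion in the shape Azure AD returns to a SAML service provider, rejects it when the validity window or audience does not match, and maps the groups claim to names. The groups-claim URI and the object-ID-to-name table are assumptions (Azure AD typically emits group object IDs in that claim; check your tenant's token configuration), and XML signature verification is deliberately left out here, although any real service provider must verify it before trusting a single value.

```python
import xml.etree.ElementTree as ET  # use defusedxml for genuinely untrusted input
from datetime import datetime, timezone
from typing import Dict, List

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Attribute name assumed for the Azure AD 'groups' claim; verify in your tenant.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# The claim carries group object IDs, so the SP needs its own ID -> name table.
# IDs and names below are constructed for this example.
GROUP_NAMES: Dict[str, str] = {
    "a1b2c3d4-0000-0000-0000-000000000001": "GW-Finance-Users",
    "a1b2c3d4-0000-0000-0000-000000000002": "GW-All-Staff",
}

SAMPLE_AUDIENCE = "https://gw.corp.example/connect"   # constructed SP entity ID

# Constructed, unsigned response in the shape Azure AD returns.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user1@corp.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gw.corp.example/connect</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000002</saml:AttributeValue>
        <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000099</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_NOW = parse_saml_time("2024-01-01T10:00:00Z")


def extract_identity(xml_text: str, expected_audience: str, now: datetime) -> Dict[str, object]:
    """Return {'user': NameID, 'groups': [names], 'unmapped': [ids]} or raise ValueError.

    Signature verification is NOT done here; a real SP must verify the XMLDSig
    on the Assertion (or Response) before any of these values are trusted.
    """
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % SAML_NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no Assertion element")

    cond = assertion.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired or has no expiry")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")

    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")

    groups: List[str] = []
    unmapped: List[str] = []   # IDs with no local name: surface them, never silently grant
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            gid = (val.text or "").strip()
            if gid in GROUP_NAMES:
                groups.append(GROUP_NAMES[gid])
            else:
                unmapped.append(gid)
    return {"user": name_id.text, "groups": groups, "unmapped": unmapped}


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION, SAMPLE_AUDIENCE, SAMPLE_NOW))
```

The audience check is what stops an assertion issued for a different service provider (for example one minted for an Office 365 sign-in) from being replayed at the gateway portal, and the expiry check bounds how long a captured assertion is useful; both are cheap and both are routinely forgotten in home-grown SAML consumers.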
