Date post: 13-Apr-2018
Upload: sivabalan-rajan
7/21/2019 CCNSP V3.0EL Module 4.ppt
Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. training.cyberoam.com
Cyberoam Certified Network & Security Professional (CCNSP)
Module 4
User Authentication
User Authentication > Agenda
Introduction
Types of Authentication
Levels of Authentication
Authentication Methods
Identity Based Policies
Group Management
User Management
Identity Based Firewall Rule
Authentication
Cyberoam's "Layer 8" identifies all traffic by username instead of by IP address or MAC address.
• It therefore becomes essential for a user to authenticate through the firewall; the user-to-IP mapping that identity-based rules rely on is only as trustworthy as the method that created it.
Cyberoam functions on AAA principles: it not only authenticates the user but also authorizes access and keeps an account of user activity.
For authentication there are two types of users, and hence two flows:
• Local
• External
User Authentication > Types of Authentication
Local Authentication (diagram)
1. The user sends the authentication/authorization request to Cyberoam.
2. Cyberoam checks the credentials against its local user database and returns the authentication/authorization result.
External Authentication (diagram)
1. The user sends the authentication/authorization request to Cyberoam.
2. Cyberoam forwards the authentication request to the external server (AD).
3. AD returns the user authentication response to Cyberoam.
4. Cyberoam returns the user authentication result to the user.
External Authentication
Cyberoam can be integrated to authenticate with external servers such as
• Active Directory
• LDAP / LDAPS
    OpenLDAP
    Novell eDirectory, Apple Directory
    Any standard LDAP directory
• RADIUS Server
Third-party integration is possible through Cyberoam's API.
SSL and STARTTLS are supported for Active Directory and LDAP; use one of them, since a plain LDAP bind sends the user's password in clear text between the appliance and the directory.
Configuration of Authentication Servers
Local and external authentication servers can be configured at the same time.
Multiple types of external authentication servers can also be configured at the same time.
Active Directory Integration
Upon the user's first successful login:
• A user will be created in Cyberoam's local database.
• If loose integration is selected while adding the AD server, the user falls into the default "Open Group".
• If tight integration is selected while adding the AD server, the user falls into their respective group on Cyberoam (if the groups are already created or present).
Importing Groups
• You can use the Import Group wizard. In this method, Cyberoam will automatically create groups by syncing with the AD server.
Active Directory Integration > Import Groups

User Authentication > Levels of Authentication
Level of Authentication
Authentication is done at three levels in Cyberoam:
• Firewall
• VPN
• Admin
Level of Authentication > Authentication in Firewall
Level of Authentication > Authentication in VPN
Two-factor authentication is the preferred method at this level.
Level of Authentication > Admin Authentication
Active Directory or two-factor authentication are the preferred methods at this level.
User Authentication > Authentication Methods
Authentication Methods
Cyberoam can authenticate a user with four methods:
• Client based
• Clientless
• SSO (Single Sign-On)
• SMS (text based) (guest users)
Client based
The client based authentication mechanism applies when a user is on a stand-alone computer or a mobile device.
Captive portal
• Prompts with a web page to input user credentials
• Customizable portal view
• Can be secured using HTTPS; without it, the credentials typed into the portal page travel in clear text over the local network
Captive Portal > Captive Portal Settings
Note: Cyberoam will try sending a "Keep Alive" packet to the live user a configured number of times at a configured interval in minutes (the count and the interval are set on this page).
Client based > Client Software
Corporate Client is the only authentication method that will work when User/MAC binding is enabled (works for IPv4 only).
It can be downloaded from www.cyberoam.com/cyberoamclients.html
The General Authentication Client for Android is used to authenticate mobile users; it is available on the Play Store.
The iAccess Client for iOS devices is used to authenticate mobile users; it is available on the App Store.
On successful login, the username appears on the "Live Users" list:
• Identity -> Live Users (separate tabs for IPv4 Users and IPv6 Users)
Clientless User
Static mapping of a user to a fixed IP address.
A clientless user does not need to authenticate with Cyberoam: the identity is inferred from the source address alone, so the user's policies apply to whoever holds that address. Reserve this for hosts that cannot authenticate interactively and whose address is fixed.
Adding a clientless user
To add a clientless user navigate to Identity -> Users -> Clientless Users -> Add
To check that the user is listed, go to Identity -> Users -> Clientless Users and click on the username
Single Sign-On
Cyberoam can be integrated with Active Directory or Novell eDirectory to provide Single Sign-On (SSO) for transparent user authentication.
With SSO, users only need to sign in once to access the network.
Domain credentials can be used to authenticate the user for any traffic type without providing a username/password to Cyberoam.
Benefits
• Ease of use
• Transparency to users
• Improves user experience
Single Sign-On (Continued)
Cyberoam provides SSO through
• CTAS (Cyberoam Transparent Authentication Suite) for Active Directory & Novell eDirectory
• NTLM (NT LAN Manager) for Active Directory
• CATC (Cyberoam Authentication for Terminal Clients) for Microsoft & Citrix Terminal Services
CTAS
Cyberoam Transparent Authentication Suite (CTAS) is a software component to be installed on the Active Directory server for SSO.
It eliminates the installation of SSO clients on each workstation: the user-to-IP mapping is taken from the domain controller's logon audit rather than from anything running on the client.
As of now, CTAS works on IPv4 only.
CTAS > Login Flow (diagram)
1. The user logs on to the domain; the domain controller records a successful logon in the Security audit log (Event ID 528 on Windows 2000/2003, 4624 on Windows 2008/2012; the digits on the original slide are partly illegible, these are the Windows successful-logon event IDs).
2. The CTAS software on the AD server reads the audit log entry.
3. CTAS sends the audit log information (user and client address) to Cyberoam on port 6060.
CTAS > Deployment Scenarios (diagram)
Both the Primary Domain Controller (AD) and the Backup Domain Controller (AD) record successful logins in their Event Log. A CTAS Agent on each domain controller reads those events and sends them on the agent port to the CTAS Collector (the Primary DC runs the full CTAS suite, Agent and Collector). The Collector forwards the logins to Cyberoam on port 6060.
CTAS > Login Flow for Non-Domain Computer (diagram)
The Primary AD runs the CTAS suite (Agent and Collector) and the Secondary AD runs an Agent; each Agent forwards logon Event IDs to the Collector on port 5566, and the Collector reports to Cyberoam on port 6060. For a computer that did not produce a domain logon event, the Collector identifies the logged-on user by querying the workstation directly (WMI, ping, Remote Registry) and uses that result.
Components
The CTAS suite consists of two components:
• Agent
    Traps user authentication events using the Microsoft Event Log and sends such events to the Collector.
    This component is needed in case of the Event Logs login method.
• Collector
    Processes events received from the Agent(s) and stores them in its database for tracking.
    Authenticates the user in Cyberoam.
CTAS > Configuration

CTAS > User Log off Detection
EventLog and NETAPI are Microsoft utilities that help in accurately detecting a successful domain user login.
However, there is no built-in utility that detects user log-off, hence Cyberoam provides two different methods for log-off detection. Until a log-off is detected, the IP address keeps the departed user's identity, and the next host to receive that address inherits their policies.
When enabled, the Cyberoam Collector by default checks for user log-off at an interval of 10 minutes.
CTAS > User Log off Detection (diagram sequence)
The diagrams show the CTAS suite (Agent and Collector) on the Primary AD and an Agent on the Secondary AD, both forwarding logon Event IDs to the Collector, whose live-user table holds (example entries from the slides):
User: Ricky, IP: 10.120.1.4
User: Robert, IP: 10.120.1.1
User: Michael, IP: 10.120.1.6
Logout Method: Ping / Workstation Polling (WMI / Remote Registry)
Logout Interval: (default, in seconds)
Sequence: Ricky's workstation (10.120.1.4) is DISCONNECTED; after the logout interval elapses the Collector's logout poll cannot reach it, and the Collector logs out "Ricky".
CTAS Fault Tolerance
Since the Collector is an essential component of the transparent authentication mechanism, Collector failover should be configured; this is known as CTAS Fault Tolerance. Without a working Collector no new logins are learned, so identity-based rules stop matching new sessions.
Cyberoam allows building a group of backup Collectors for fault tolerance.
One of these Collectors acts as primary, while the remaining ones are backups.
Cyberoam allows adding a limited number of Collectors to a single group.
CTAS Troubleshooting
From CTAS you can
• Check online users
• See the log file
• Increase the log file size
• Perform a WMI query test
• Troubleshoot
CTAS Troubleshooting
CTAS Live Users page
Logon Type value 1 stands for Workstation Polling
Logon Type value 2 stands for Authentication from AD
NTLM
Browser-initiated Single Sign-On authentication.
It is a challenge-response authentication protocol that authenticates the user while accessing the internet or an application: the browser answers the appliance's challenge with the logged-on domain user's credentials, so no portal login is needed.
Pre-requisites
• Cyberoam must be integrated with Active Directory
• In order to run NTLM, the following requirements must be met: Server: Windows 2003 or Windows 2008. Protocol: NTLMv1 or NTLMv2. Browser: Google Chrome, Firefox & Internet Explorer
• Prefer NTLMv2: an NTLMv1 response is built from DES operations on the password hash and can be cracked offline by anyone who captures the exchange.
• As of now, NTLM works on IPv4 only.
NTLM Authentication Methodologies
There are two methodologies for NTLM.
To enable it, go to Administration -> Appliance Access. Under Authentication Services, enable NTLM access for the required zones. Here, NTLM is enabled for the LAN zone.
Authentication Failover Approach
Authentication precedence: when several methods are enabled, the identity for an address is taken from the first of these that has a match.
• Clientless Users
• Clientless Single Sign-On
• Corporate Client
• NTLM
• Captive Portal
CATC (Thin Client Authentication)
What is a Thin Client
• A server that provides the ability to host multiple, simultaneous client sessions is termed a Terminal Server. Such a server is capable of hosting multi-user desktops.
• The user uses remote access software, allowing the client computer to serve as a terminal emulator. Users connect to the Terminal Server and access the resource or the internet from a virtual user desktop.
• CATC works on IPv4 only.
Challenge
All sessions on a Terminal Server share the server's IP address, so the user behind a connection cannot be identified from the source address alone; CATC exists to supply that identity.
SMS > Step 1: Integrate with SMS Gateway
SMS > Step 2: Enable SMS Gateway

User Authentication > Identity Based Policies
Identity based Policies > Access Time Policy
It defines the time period during which users are allowed or denied network access, for example office-hours-only access.
It sets the time interval (days and time) for network access with the help of a Schedule.
Identity -> Policy -> Access Time
Identity based Policies > Surfing Quota Policy
It defines the duration of network surfing time.
It is the allowed time, in hours, for a group or an individual user to access the Internet.
Identity -> Policy -> Surfing Quota
Identity based Policies > Data Transfer Policy
This policy is used to restrict the amount of data users can upload and download.
Data transfer restrictions are configured under Identity -> Policy -> Data Transfer
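The three policies above combine into one admission check per connection. As an added example, not Cyberoam's code: a minimal evaluator that applies an access-time schedule, a surfing quota in hours and a data-transfer limit in bytes to a user's accounting record. The policy values, the dates and the `Usage` record are constructed for the example; the order in which the three checks run is a choice made here, not something the slides prescribe.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessTime:
    """Schedule: allowed weekdays (0 = Monday) and an hour window [start, end)."""
    days: FrozenSet[int]
    start_hour: int
    end_hour: int

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class SurfingQuota:
    hours: float            # surfing time allowed in the quota cycle


@dataclass(frozen=True)
class DataTransfer:
    total_bytes: int        # upload + download allowed in the cycle


@dataclass(frozen=True)
class GroupPolicy:
    access: AccessTime
    quota: SurfingQuota
    data: DataTransfer


@dataclass
class Usage:
    """Accounting record kept per user (the accounting part of AAA)."""
    seconds_online: int = 0
    bytes_up: int = 0
    bytes_down: int = 0


def check(policy: GroupPolicy, usage: Usage, when: datetime) -> Tuple[bool, str]:
    """Decide whether the user may surf now; the reason names the policy that blocked."""
    if not policy.access.allows(when):
        return False, "outside access time"
    if usage.seconds_online >= policy.quota.hours * 3600:
        return False, "surfing quota exhausted"
    if usage.bytes_up + usage.bytes_down >= policy.data.total_bytes:
        return False, "data transfer limit reached"
    return True, "allowed"


def account(usage: Usage, seconds: int, up: int, down: int) -> Usage:
    """Charge one slice of activity to the user's record and return it."""
    usage.seconds_online += seconds
    usage.bytes_up += up
    usage.bytes_down += down
    return usage


# Constructed policy: office hours Monday to Friday, 2 hours of surfing, 500 MiB per cycle.
OFFICE = GroupPolicy(
    access=AccessTime(days=frozenset(range(0, 5)), start_hour=9, end_hour=18),
    quota=SurfingQuota(hours=2),
    data=DataTransfer(total_bytes=500 * 1024 * 1024),
)


def walk_through() -> List[Tuple[bool, str]]:
    """One user's day against OFFICE; returns the sequence of decisions."""
    usage = Usage()
    monday = datetime(2024, 1, 8, 10, 0)     # a Monday, inside office hours
    saturday = datetime(2024, 1, 6, 10, 0)   # a Saturday
    steps = [check(OFFICE, usage, saturday)]                     # wrong day
    steps.append(check(OFFICE, usage, monday))                   # fresh user in office hours
    account(usage, seconds=3600, up=20 * 1024 * 1024, down=200 * 1024 * 1024)
    steps.append(check(OFFICE, usage, monday))                   # 1 h and 220 MiB used
    account(usage, seconds=0, up=0, down=300 * 1024 * 1024)
    steps.append(check(OFFICE, usage, monday))                   # 520 MiB used: data limit hit
    account(usage, seconds=3600, up=0, down=0)
    steps.append(check(OFFICE, usage, monday))                   # 2 h used: quota, checked first
    return steps


if __name__ == "__main__":
    for allowed, reason in walk_through():
        print(allowed, reason)
```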
Identity based Policies > Creating a Data Transfer Policy

User Authentication > Group Management
Group Management
A Group is a collection of users having common policies.
Instead of attaching individual policies to each user, create a group with the policies and simply assign users to the appropriate Group.
A group can contain default as well as custom policies.
The policies that can be grouped include the identity-based policies described above (access time, surfing quota, data transfer).
Adding clientless groups
To add clientless groups go to Identity -> Groups -> Add
User Management
Users can be identified by an IP/MAC address or a user name and assigned to a user group.
All the users in a group inherit the policies defined for that group.
User Types
Cyberoam supports three types of users:
• Normal
• Clientless
• Single Sign-On
Adding Normal User
To create users: Identity -> Users -> User -> Add
Adding Clientless Users
To create clientless users: Identity -> User -> Clientless User
Adding Single Sign-On Users
Cyberoam will automatically create a Single Sign-On user on the first successful authentication.
Such users cannot be created manually.
Manage Users
Navigate to Identity -> User
Manage Clientless Users
Select Identity -> User -> Clientless Users to view the list of users and click the user name to be modified.
User/MAC address binding
Binding restricts a user to logging in from a specified MAC address. This is not applicable to Clientless Users. Treat it as a convenience check rather than a security boundary, since a MAC address is trivially changed on the client.
Navigate to Identity -> Users -> User
User's My Account
User My Account gives details like quarantine, change password, email, and Internet usage of a particular user.
The user can change his/her password using this tab.
Users can view their My Account details from the GUI.
Change Password & Account Status

User Authentication > Identity Based Firewall Rule
Identity based firewall rule
In its rule matching criteria a normal UTM does everything from matching source and destination addresses to ports. A next-generation UTM like Cyberoam adds Identity to the firewalling decision.
When Cyberoam receives a request, it checks the source address, destination address and service and tries to match them against the firewall rules.
If the Identity (user) is found in the Live User connections and all other matching criteria are fulfilled, the action specified in the rule is applied. Traffic from an address with no live user cannot match a rule that carries an identity criterion, so the rule that follows decides what unauthenticated users get.
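The identity lookup described here and the precedence list on the Authentication Failover Approach slide, as one added example that is not Cyberoam's code: resolve the user behind a source address from the identity sources in precedence order, then run first-match rule evaluation where a rule may carry an identity criterion alongside source, destination, service and schedule. The tables, rules, group names and addresses are constructed, and reading the precedence list as "the first source with a match wins" is an interpretation made here.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Identity sources in the precedence order from the "Authentication Failover Approach"
# slide, highest first; each table maps a source IP to the username it vouches for.
PRECEDENCE = ["clientless", "clientless_sso", "corporate_client", "ntlm", "captive_portal"]


@dataclass
class IdentityTables:
    sources: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def resolve(self, ip: str) -> Optional[Tuple[str, str]]:
        """Return (user, source) from the first source that knows this address."""
        for name in PRECEDENCE:
            user = self.sources.get(name, {}).get(ip)
            if user:
                return user, name
        return None


@dataclass
class Rule:
    name: str
    action: str                              # accept / drop / reject
    src: str = "any"                         # CIDR or "any"
    dst: str = "any"
    service: str = "any"                     # "tcp/443" style or "any"
    schedule: Tuple[int, int] = (0, 24)      # allowed hour window [start, end)
    identity: Optional[str] = None           # None, "user:NAME" or "group:NAME"


def _match_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _match_identity(rule: Rule, user: Optional[str], groups: Dict[str, List[str]]) -> bool:
    if rule.identity is None:
        return True                          # classic rule, identity not consulted
    if user is None:
        return False                         # an identity rule never matches unknown traffic
    kind, _, name = rule.identity.partition(":")
    if kind == "user":
        return user == name
    return name in groups.get(user, [])


def evaluate(rules: List[Rule], conn: dict, ids: IdentityTables,
             groups: Dict[str, List[str]]) -> Tuple[str, Optional[str]]:
    """First-match evaluation: returns (action, name of the rule that matched)."""
    resolved = ids.resolve(conn["src"])
    user = resolved[0] if resolved else None
    for r in rules:
        if not (_match_net(r.src, conn["src"]) and _match_net(r.dst, conn["dst"])):
            continue
        if r.service != "any" and r.service != conn["service"]:
            continue
        if not (r.schedule[0] <= conn["hour"] < r.schedule[1]):
            continue
        if not _match_identity(r, user, groups):
            continue
        return r.action, r.name
    return "drop", None                      # implicit deny when nothing matches


# Constructed identity tables, group membership and rule base for the example.
IDS = IdentityTables({
    "clientless": {"10.120.1.50": "printer-svc"},
    "ntlm": {"10.120.1.4": "ricky", "10.120.1.50": "ricky"},   # NTLM also saw ricky on .50
    "captive_portal": {"10.120.1.7": "guest01"},
})
GROUPS = {"ricky": ["Staff"], "printer-svc": ["Devices"], "guest01": ["Guests"]}
RULES = [
    Rule("staff-web", "accept", src="10.120.1.0/24", service="tcp/443",
         schedule=(8, 18), identity="group:Staff"),
    Rule("guest-web", "accept", src="10.120.1.0/24", service="tcp/443", identity="group:Guests"),
    Rule("print", "accept", src="10.120.1.0/24", dst="10.10.0.0/16", service="tcp/9100",
         identity="group:Devices"),
    Rule("deny-rest", "drop"),               # the default rule whose action the labs change
]


def decide(src: str, dst: str, service: str, hour: int) -> Tuple[str, Optional[str]]:
    """Evaluate one connection against the constructed rule base."""
    return evaluate(RULES, {"src": src, "dst": dst, "service": service, "hour": hour}, IDS, GROUPS)


if __name__ == "__main__":
    print(decide("10.120.1.4", "203.0.113.10", "tcp/443", 10))   # ('accept', 'staff-web')
    print(decide("10.120.1.9", "203.0.113.10", "tcp/443", 10))   # ('drop', 'deny-rest')
```

Two behaviours worth checking in the test data: an address with no live user never matches a rule that carries an identity, so the rule below (`deny-rest`) decides what unauthenticated hosts get, which is the point of Lab 12's "action change in default firewall rule"; and 10.120.1.50 resolves to the clientless user even though NTLM also recorded ricky there, so a stale clientless mapping can override a real login.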
Create Identity based Firewall rule (Cyberoam vs Normal Firewall)
Normal Firewall
  Rule matching criteria:
    - Source address
    - Destination address
    - Service (port)
    - Schedule
  Action:
    - Accept
    - NAT
    - Drop
    - Reject
Cyberoam Identity Based UTM
  Rule matching criteria: as above, plus
    - Identity (for IPv4/IPv6)
  Unified Threat Controls (per rule matching criteria):
    - IPS Policy
    - Web Filter & Application Filter Policy
    - QoS Policy
    - Anti Virus & Anti Spam
    - Routing decisions
On IPv6 Cyberoam supports QoS and routing decisions; however, this fails in DHCP and Wi-Fi environments.
Create Identity based IPv4 Firewall rule (Cont.)
Create Identity based IPv6 Firewall rule (Cont.)
Labs
Lab 12 Enforce Authentication
• Action change in the default firewall rule
• New firewall rule in case users are using ISP-provided DNS
Lab 13 Authenticating a user through Captive Portal / Cyberoam Corporate Client
• Authenticating with Corporate Client
Lab 14 Change default Captive Portal Settings
Lab: Integration with Active Directory (Optional)
• Configuring AD authentication
Next -> Module: Web Filter