Check Point Identity Awareness Software Blade provides granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single, unified console.

Benefits

Increases visibility of user activities
  • Centrally manage user access to company resources and Internet applications
  • Granular user-, group- and machine-based visibility and policy enforcement
  • Easily distinguish between employees and others, i.e., guests and contractors
Improves control of corporate resources
  • Granular access to data centers, applications and network segments by user, machine or location
  • Prevent unauthorized resource access, while allowing users work remotely
  • Prevent threats and data loss by restricting access to resources by users and devices
Easy to deploy in any organization
  • Integrated into Check Point Software Blade Architecture
  • Provides scalable identity sharing between gateways
  • Seamless Active Directory (AD) integration with multiple deployment options-Clientless, Captive Portal or Identity Agent

Features

The Identity Awareness Software Blade allows you to easily add user, user-group and machine identity intelligence to your security defenses.

Provide corporate access for specific groups or users leveraging network-wide identity awareness

The Identity Awareness Software Blade provides multiple methods to obtain a user’s identity, including: AD Query, Browser-Based, or Identity Agents. Identity information can be used by relevant Software Blades to apply and enforce user-based policies.

AD Query
An easy to deploy, clientless identity acquisition method. It is based on Active Directory integration and it is completely transparent to the user.

Browser-Based Authentication
Acquires identities from unidentified users. You can configure these acquisition methods:

  • Captive Portal - a simple method that authenticates users through a web interface before granting them access to Intranet resources. When users try to access a protected resource, they get a web page that must be filled out to continue.
  • Transparent Kerberos Authentication - browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page opens. When you configure this option, the Captive Portal requests authentication data from the browser. Upon successful authentication, the user is redirected to its original destination. If authentication fails, the user must enter credentials in the Captive Portal.

Identity Agents
There are two types of Identity Agents:

  • Endpoint Identity Agents - dedicated client agents installed on users’ computers that acquire and report identities to the Security Gateway.
  • Terminal Servers Identity Agent - an agent installed on an application server that hosts Citrix/Terminal services. It identifies individual users whose source is the same IP address.

Using Endpoint Identity Agents give you:

  • User and machine identity
  • Minimal user intervention - all necessary configuration is done by administrators and does not require user input.
  • Seamless connectivity - transparent authentication using Kerberos Single Sign-On (SSO) when users are logged in to the domain. If you do not want to use SSO, users enter their credentials manually. You can let them save these credentials.
  • Connectivity through roaming - users stay automatically identified when they move between networks, as the client detects the movement and reconnects.
  • Added security - you can use the patented packet tagging technology to prevent IP Spoofing. Endpoint Identity Agents also gives you strong (Kerberos based) user and machine authentication.

RADIUS Accounting
RADIUS Accounting gets identity data from RADIUS Accounting Requests that are generated by the RADIUS accounting client. Identity Awareness uses the data from these requests to obtain user anddevice group information from the LDAP server.

Remote Access (VPN SSO)
Identities are acquired for Mobile Access clients and IPSec VPN clients when configured to work in Office Mode and when they connect to the Security Gateway.

Adding identity intelligence via the Identity Awareness Software Blade is fast and easy with our built-in deployment wizard. In just a few simple steps you can add user, user-group and machine identity awareness and obtain valuable information to utilize in policies throughout your security infrastructure.

Step 1: Provide corporate access for specific groups or users, leveraging network-wide identity awareness.

Step 2: Provide your Active Directory credentials for the required domain.

Step 3: Create any rules you require for capturing identity information via the captive portal.

That’s all it takes. The Identity Awareness Software Blade will obtaining identity information. If desired, you can change the options that you set in the wizard or deploy other methods, such as identity agents.

Identity information can easily be shared, as required, on a single gateway or across the entire network. In a multiple gateway deployment, such as multiple branches or multiple gateways protecting internal resources, identity can be acquired on one gateway and shared amongst all gateways. The benefits of identity sharing include:

  • One-time user authentication – user identity is shared between gateways, allowing users to access their defined resources anywhere on the network
  • Prevents load on the network from multiple Active Directory lookups
  • Simplifies the implementation of Active Directory servers and synchronization

The Identity Awareness Software Blade is integrated into the Software Blade architecture. It can be easily and rapidly activated on existing Check Point Security Gateways saving time and reducing costs by leveraging existing security infrastructure.

Specifications

Supported Appliance Families
  • Check Point 2012 Appliances
  • Check Point Power-1
  • Check Point IP Appliances
  • Check Point UTM-1
  • Check Point IAS
Supported Operating Systems
  • GAiA
  • SecurePlatform
  • IPSO 6.2 Disk-based
  • IPSO 6.2 Flash-based
Software Blades Interoperation
  • Firewall
  • Application Control
  • DLP
  • Antivirus
  • URL Filtering
Identity Agent Platform Support
  • Windows XP Home (SP3, 32-bit)
  • Windows XP Pro (SP3, 32-bit)
  • Vista (SP1, 32 and 64-bit)
  • Windows 7 Professional/Enterprise/Ultimate (32 and 64-bit)
  • Windows 8
  • Windows Server 2003 (SP1-2, 32 and 64-bit)
  • Windows Server 2008 (SP1-2, 32 and 64-bit)
  • Windows Server 2012
  • Mac OS X