Check Point SmartCenter Pro Account Management Module

LDAP-based User Management

In order to manage user authentication efficiently, organizations use an LDAP (Lightweight Directory Access Protocol) infrastructure. LDAP creates a shareable, scalable and centrally manageable repository of user information. With Check Point's Account Management Module, VPN-1/FireWall-1 enforcement points become full LDAP clients, which communicate with LDAP servers to obtain identification and security information about network users. Organizations are no longer limited to deploying only LDAP-compliant applications to maintain the highest levels of control on their network users and ultimately over their networks.

Discover the Check Point Difference

- Integration with distributed LDAP-based user information
- A single user interface for managing user information
- Standardized security "templates" for users and groups

Product Detail

LDAP-based User Management

Complete integration with LDAP infrastructures

Consistent user information is critical for proper security. Yet, without a centralized data store, managing user information across multiple applications can be a manual, error-prone process that results in inconsistencies. The Account Management Module enables VPN-1/FireWall-1 to leverage LDAP-based user information stores, eliminating the risks associated with manually maintaining and synchronizing redundant data stores.

With the Account Management Module, VPN-1/FireWall-1 is fully LDAP-compliant and therefore able to work with existing LDAP servers already populated with user information. As LDAP clients, VPN-1/FireWall-1 gateways can access user-level security information in a distributed LDAP directory structure in order to enforce enterprise security policies.

The Account Management Module leverages the flexibility of the LDAP protocol by extending the schema to include all necessary user-level security elements. This information is then available not only to VPN-1/FireWall-1 but to any LDAP-compliant application, enabling centralized user management throughout the enterprise.

Identification
- Full user name
- Login Name
- Email Address
- Directory Branch
- Associated Template

Authentication
- Authentication Scheme
- Authentication Server
- Password

Access Control
- Authorized Sources
- Authorized Destinations

Time Restrictions
- Time and Day Access Privileges

Encryption
- Key Negotiation Schemes
- Encryption Algorithm
- Data Integrity Method

Groups

User Interface

The Account Management Module includes a GUI that enables network administrators to define new users and add security information to existing user profiles stored in the LDAP servers. The GUI can be run as a standalone application or launched from SmartDashboard. It includes advanced features like the search functionality, which eases maintenance of user-level security data. For example, in order to change the organization's authentication scheme, an administrator can first query the LDAP directory for all users utilizing a RADIUS authentication server, and then specify the new scheme for those users.

To protect the user-level security information itself, the Account Management GUI provides Account Units--a logical organization of users, which simplifies administration. Segmenting an LDAP directory structure into multiple Account Units enables organizations to distribute control and responsibility of these logical groups of users, thereby improving both efficiency and information security.

Running the Account Management Module from within the SmartDashboard provides a single console for managing both enterprise-wide security policies and user-level security information.

Standardized security characteristics for users or groups

To simplify the definition and maintenance of users, the Account Management Module provides "live templates" that can be used to apply common configuration parameters to multiple users. Changes made to templates are immediately applied to all users defined by that template, which facilitates standardization and synchronization of user configurations. Using templates dramatically reduces the burden of managing large numbers of network users and minimizes risks associated with mis-configuration.
