Solved

Checkpoint Mobile VPN two factor Authentication

Posted on 2016-08-03
5
38 Views
Last Modified: 2016-08-23
Hi, I would like to know the simplest way to get two-factor authentication up and running within Checkpoint Mobile for our VPN logins.
Thanks.
Question by:VH
5 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
It will be setting up a proxy for authentication to AD or RADIUS, as an example. Duo Security listed the step by step, and based on the 2FA options the fastest will be via Duo Push.
Duo’s mobile app sends push notifications to your phone as your second factor. Here’s how it works:

Enter your username and password into your login page.

Choose ‘Duo Push’ as your second factor on the next screen prompt.

Then, tap ‘Approve’ on the push notification sent to your phone.


Duo Push is an out-of-band authentication method that prevents remote attackers from stealing your password and your second factor.
See the "Test Your Setup" section:
https://duo.com/docs/checkpoint
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
There is also Checkpoint's own 2FA via its Mobile Access remote VPN software blade (which you may have): DynamicID Direct SMS Authentication. Can check with their sales support.
The Mobile Access Software Blade can be configured to send a One-Time Password (OTP) to an end-user communication device (such as a mobile phone) via an SMS message. SMS two-factor authentication provides an extra level of security while eliminating the difficulties associated with managing hardware tokens.
https://www.checkpoint.com/products/mobile-access-software-blade/
0
 

Author Comment

by:VH
Hi Btan,

I think DynamicID Direct SMS would be the best path for us. Can Twilio be used for DynamicID?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
DynamicID will be good, and to have SMS authentication you will need to configure the SMS provider details; see the example at http://91sec.blogspot.sg/2014/10/enable-checkpoint-ssl-vpn-remote-access_17.html
For configuring the SMTP provider for sending via email, see below:
http://www.shanekillen.com/2014/04/check-point-how-to-configure-dynamicid.html
For Twilio, you will need to have a valid account and have the GET URL (with credentials) for this SMS provider; better to check with the provider.

Separately, just to share that NIST recently updated its guidance that SMS as 2FA is going to be deprecated:
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
https://pages.nist.gov/800-63-3/sp800-63b.html

I suggest for more secure systems to use hardware tokens or app authenticators, but don’t automatically rule out text messages. For a start, you do not need to rule out SMS as a method just because it is reported as above, though for systems that need the maximum protection, maybe it’s not appropriate. Make an informed decision for systems in terms of ease of use, cost, and eventually it is user acceptance that matters for a viable solution.
0
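As an added illustration for the DynamicID/SMS discussion above (this is not Check Point's DynamicID implementation, not Duo's or Twilio's code, and not part of the thread), the following Python models what an SMS one-time-password verifier has to do to satisfy the NIST SP 800-63B text quoted in the answer: deliver a short-lived, single-use random code to a pre-registered number, bound the number of guesses, and accept a change of that number only right after a completed second factor. The provider GET URL template, its `$PHONE`/`$MESSAGE` placeholders, the gateway credentials and the phone numbers are all constructed for the example; a real SMS provider's URL format will differ and must be taken from its documentation.

```python
"""Illustrative SMS one-time-password verifier (added example, not Check Point's
DynamicID code or any provider's API). The provider URL template and its
$PHONE / $MESSAGE placeholders are assumptions made for this example."""
import secrets
import time
from urllib.parse import quote, urlsplit, parse_qs

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3

# Constructed SMS-gateway template: a GET URL carrying the gateway credentials
# and two placeholders the verifier substitutes (hypothetical format).
PROVIDER_URL_TEMPLATE = (
    "https://sms.example.invalid/send?user=gw-user&pass=gw-secret"
    "&to=$PHONE&text=$MESSAGE"
)


def build_provider_url(template, phone, message):
    """Substitute the placeholders with URL-encoded values so a phone number or
    message containing '&' or '=' cannot inject extra query parameters."""
    return (template.replace("$PHONE", quote(phone, safe=""))
                    .replace("$MESSAGE", quote(message, safe="")))


class SmsOtpVerifier:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms      # transport: callable(url) -> None
        self.now = now                # injectable clock (for tests)
        self.phones = {}              # user -> pre-registered phone number
        self.pending = {}             # user -> [code, expiry, attempts_left]
        self.recently_verified = {}   # user -> time of last completed 2FA

    def register_phone(self, user, phone):
        """Initial enrolment of the pre-registered number."""
        self.phones[user] = phone

    def issue(self, user):
        """Generate a fresh random code and send it out of band via the gateway."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        self.pending[user] = [code, self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(build_provider_url(PROVIDER_URL_TEMPLATE, self.phones[user],
                                         "Your VPN login code is " + code))

    def verify(self, user, submitted):
        """True only for an unexpired, unused code within the guess budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if self.now() > expiry or attempts_left <= 0:
            del self.pending[user]          # expired or exhausted: must re-issue
            return False
        if not secrets.compare_digest(code, submitted):
            entry[2] -= 1                   # burn one guess on a wrong code
            if entry[2] == 0:
                del self.pending[user]
            return False
        del self.pending[user]              # single use: a replay will fail
        self.recently_verified[user] = self.now()
        return True

    def change_phone(self, user, new_phone, max_age=300):
        """Accept a number change only shortly after a completed second factor."""
        last = self.recently_verified.get(user)
        if last is None or self.now() - last > max_age:
            return False
        self.phones[user] = new_phone
        return True


def demo():
    """Drive the verifier with a capturing transport; returns what was observed."""
    sent = []
    v = SmsOtpVerifier(send_sms=sent.append)
    v.register_phone("alice", "+15555550100")    # constructed sample number
    v.issue("alice")
    url = sent[-1]
    # Recover the code from the captured gateway URL, as a test harness would.
    text = parse_qs(urlsplit(url).query)["text"][0]
    code = text.rsplit(" ", 1)[1]
    wrong = str((int(code[0]) + 1) % 10) + code[1:]   # guaranteed-wrong guess
    return {
        "url": url,
        "wrong_first": v.verify("alice", wrong),
        "right": v.verify("alice", code),
        "replay": v.verify("alice", code),             # consumed code reused
        "changed": v.change_phone("alice", "+15555550199"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one wrong guess rejected, the correct code accepted once, its replay rejected, and the phone-number change accepted only because a second factor was just completed; the injectable clock makes the expiry and guess-limit paths easy to exercise.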
 
LVL 61

Expert Comment

by:btan
DynamicID is concurred as the 2FA approach.
0
