CCNSP V3.0EL Module 4

Cyberoam's Layer 8 identifies all traffic by "Username" in place of IP Address / MAC address. It not only "authenticates" but also "authorizes" and keeps the "account" of user activity. To Authenticate, there are two types of users and hence two types of flows - Local - External.

Cyberoam Certified Network & Security Professional (CCNSP)

Module 4
User Authentication

training.cyberoam.com

Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved

User Authentication > Agenda

Introduction
Types of Authentication
Levels of Authentication
Authentication Methods
Identity Based Policies
Group Management
User Management
Identity Based Firewall Rule



Authentication

- Cyberoam's Layer 8 identifies all traffic by username in place of IP address/MAC address.
- It becomes essential for a user to authenticate through the firewall.
- Cyberoam functions using AAA principles: it not only authenticates but also authorizes and keeps the account of user activity.
- To authenticate, there are two types of users and hence two types of flows:
  - Local
  - External





Local Authentication

[Figure: the user sends a user authentication/authorization request to Cyberoam; Cyberoam answers with the user authentication/authorization result.]



External Authentication

[Figure: the user sends a user authentication/authorization request to Cyberoam; Cyberoam forwards the authentication request to AD; AD returns the user authentication response; Cyberoam returns the user authentication result to the user.]



External Authentication

- Cyberoam can be integrated to authenticate with external servers like:
  - Active Directory
  - LDAP / LDAPS
  - OpenLDAP
  - Novell eDirectory
  - Apple Directory
  - Any standard LDAP directory
  - RADIUS server
- Third-party integration with Cyberoam's API
- SSL and STARTTLS are supported for Active Directory and LDAP


Configuration of Authentication Servers

- Local and external authentication servers can be configured at the same time.
- Multiple types of external authentication servers can also be configured at the same time.





Active Directory Integration

- Upon the user's first successful login:
  - A user will be created in Cyberoam's local database.
  - If loose integration is selected while adding the AD server, the user falls into the Default Open Group.
  - If tight integration is selected while adding the AD server, the user falls into their respective group on Cyberoam (if the groups are already created or present).
- Importing groups: you can use the import group wizard. In this method, Cyberoam will automatically create groups by syncing with the AD server.
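As an added example (not Cyberoam's code, nor a description of its implementation), the following Python models the local and external flows above together with the loose/tight rule applied on a user's first AD login. The PBKDF2-hashed local store, the stub directory server, the try-local-then-external order, the server order, and the fallback to the Default Open Group when a tight-integration group does not exist on the appliance are all assumptions made for the example.

```python
# Added example (not Cyberoam's code): local/external login flows plus the
# loose/tight AD integration rule. Stores, servers and ordering are constructed.
import hashlib
import hmac
import os

DEFAULT_OPEN_GROUP = "Open Group"       # group name taken from the slide
PBKDF2_ROUNDS = 50_000                   # constructed work factor


class LocalStore:
    """Cyberoam's local user database, modelled as a dict (constructed)."""

    def __init__(self):
        self.users = {}   # username -> record; external users carry no password hash

    def add_local_user(self, name, password, group):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[name] = {"auth": "local", "group": group, "salt": salt, "hash": digest}

    def verify(self, name, password):
        """Local flow: only users created with a local password can match here."""
        rec = self.users.get(name)
        if rec is None or rec["auth"] != "local":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, rec["hash"])


class StubDirectory:
    """Constructed stand-in for an external server (AD, LDAP, RADIUS ...)."""

    def __init__(self, accounts):
        self.accounts = accounts          # username -> (password, directory group)

    def authenticate(self, name, password):
        rec = self.accounts.get(name)
        if rec is not None and hmac.compare_digest(rec[0].encode(), password.encode()):
            return rec[1]                 # success: the user's directory group
        return None


class Appliance:
    def __init__(self, local, external_servers, existing_groups, integration="loose"):
        self.local = local
        self.external = external_servers          # several external servers may coexist
        self.groups = set(existing_groups)        # groups already present on the appliance
        self.integration = integration            # "loose" or "tight" (from the slide)

    def login(self, name, password):
        """Return (ok, group, flow) with flow 'local' or 'external'."""
        # Local flow: a local record with a matching password wins immediately.
        if self.local.verify(name, password):
            return True, self.local.users[name]["group"], "local"
        # External flow: forward the request to each configured server in turn
        # (trying local before external, and the server order, are assumptions).
        for server in self.external:
            ad_group = server.authenticate(name, password)
            if ad_group is None:
                continue
            if name not in self.local.users:
                # First successful login: create the user in the local database.
                if self.integration == "tight" and ad_group in self.groups:
                    group = ad_group              # tight: their respective group, if present
                else:
                    group = DEFAULT_OPEN_GROUP    # loose; also used when the group is
                                                  # missing on the appliance (assumption)
                self.local.users[name] = {"auth": "external", "group": group}
            return True, self.local.users[name]["group"], "external"
        return False, None, None


def demo(integration):
    """One local login, two external logins and one failure; return the results."""
    local = LocalStore()
    local.add_local_user("alice", "local-pass", "Sales")
    ad = StubDirectory({"bob": ("bob-pass", "Engineering"),
                        "carol": ("carol-pass", "Finance")})   # constructed accounts
    appliance = Appliance(local, [ad], existing_groups={"Sales", "Engineering"},
                          integration=integration)
    return {
        "alice": appliance.login("alice", "local-pass"),
        "bob": appliance.login("bob", "bob-pass"),
        "carol": appliance.login("carol", "carol-pass"),   # Finance does not exist locally
        "bad": appliance.login("bob", "wrong-pass"),
    }


if __name__ == "__main__":
    for mode in ("loose", "tight"):
        print(mode, demo(mode))
```

Running `demo("tight")` puts bob into Engineering because that group already exists on the appliance, while carol lands in the Default Open Group; under `demo("loose")` both external users land in the Default Open Group. Note that an externally authenticated user is stored locally without any password material, so a later login for that account always goes back to the external server.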



Active Directory Integration > Import Groups





Level of Authentication

Authentication is done at three levels in Cyberoam:
- Firewall
- VPN
- Admin



Level of Authentication > Authentication in Firewall



Level of Authentication > Authentication in VPN

Secure two-factor authentication is the most preferred method at this level.



Level of Authentication > Admin Authentication

Active Directory or secure two-factor authentication are the most preferred methods at this level.





Authentication Methods

Cyberoam can authenticate a user with four methods:
- Client based
- Clientless
- SSO (Single Sign-On)
- SMS (text based), for guest users



Client based

- Client-based authentication is applied when a user is using a stand-alone computer or a mobile device.
- Captive portal
  - Prompts with a web page to input user credentials
  - Customizable portal view
  - Can be secured using HTTPS



Captive Portal > Captive Portal Settings

Note: Cyberoam will try sending a Keep Alive packet to the live user 3 times, at an interval of 3 minutes.


Client based > Client Software

- Corporate Client is the only authentication method that will work when User/MAC binding is enabled (works for IPv4 only).
- Can be downloaded from www.cyberoam.com/cyberoamclients.html



Client based > Client Software

General Authentication Client for Android is used to authenticate mobile users. Available on the Play Store.



Client based > Client Software

iAccess Client for iOS devices is used to authenticate mobile users. Available on the App Store.



Client based > Client Software

On successful login, the username appears in the live users list: Identity -> Live Users.

[Screenshot: the Live Users page lists IPv4 users and IPv6 users separately.]



Clientless User

- Static mapping of a user with a fixed IP address.
- A clientless user does not require the user to authenticate with Cyberoam.
- Useful for:
  - Servers that need Internet access, like a Windows patch update server
  - Print servers (IP printers)
  - VoIP phones



Clientless User > Adding a clientless user

- To add a clientless user, navigate to Identity -> Users -> Clientless Users -> Add.
- To check that the user is listed, go to Identity -> Users -> Clientless Users and click on the username.



Single Sign-On

- Cyberoam can be integrated with Active Directory or Novell eDirectory to provide Single Sign-On (SSO) for transparent user authentication.
- With SSO, users only need to sign in once to access the network.
- Domain credentials can be used to authenticate the user for any traffic type without providing a username/password to Cyberoam.
- Benefits:
  - Ease of use
  - Transparency to users
  - Improved user experience



Single Sign-On (Continued)

Cyberoam provides SSO through:
- CTAS (Cyberoam Transparent Authentication Suite), for Active Directory and Novell eDirectory
- NTLM (NT LAN Manager), for Active Directory
- CATC (Cyberoam Authentication for Terminal Clients), for Microsoft and Citrix Terminal Services



CTAS

- Cyberoam Transparent Authentication Suite (CTAS) is a software component to be installed on the Active Directory server for SSO.
- It eliminates the installation of SSO clients on each workstation and delivers a high level of protection.
- As of now, CTAS works on IPv4.



CTAS > Login Flow

[Figure: a successful logon is recorded in the AD Security Audit Log as Event ID 672 (Windows 2003) or 4768 (Windows 2008/2012); the CTAS software reads the audit log and sends the audit log information to Cyberoam on port 6060.]



CTAS > Deployment Scenarios

[Figure: CTAS suite with an Agent on the Primary Domain Controller (AD) and an Agent on the Backup Domain Controller (AD). Each Agent reads the successful-login events from the Event Log and forwards them to the Collector on port 5566; the Collector sends the logins to Cyberoam on port 6060.]



CTAS > Login Flow for Non-Domain Computer

[Figure: CTAS suite with Agents on the primary and secondary AD forwarding Event IDs to the Collector on port 5566. For a non-domain computer the Collector checks the workstation with WMI, ping and Remote Registry (Result: Successful). The Collector sends to Cyberoam on port 6060; port 6677 is also shown in the figure.]



CTAS > Components

The CTAS suite consists of two components:
- Agent
  - Traps user authentication events using the Microsoft Event Logs and sends such events to the Collector
  - This component is needed in the case of the Event Logs login method
- Collector
  - Processes events received from the Agent(s) and stores them in its database for tracking
  - Authenticates the user in Cyberoam



CTAS > Configuration



CTAS > User Log off Detection

- EventLog and NETAPI are Microsoft utilities that help in accurately detecting a successful domain user login.
- However, there is no built-in utility that detects user log-off, and hence Cyberoam provides two different methods for log-off detection.
- When enabled, the Cyberoam Collector by default checks for user log-off at an interval of 10 minutes.
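Added example, not the CTAS software itself: a Python model of the Agent/Collector login flow (using the successful-logon Event IDs from the login-flow slide) and of polling-based log-off detection with the 605-second default interval shown on the following slides. The event records, the two-agent deployment and the reachability probe standing in for ping/WMI/Remote Registry are constructed; the account names and IPs are the ones used in the slide figures.

```python
# Added example (not Cyberoam's CTAS code): agent -> collector login flow and
# polling-based log-off detection. Events and the probe are constructed.
from dataclasses import dataclass

LOGON_EVENT_IDS = {672, 4768}   # successful logon: Windows 2003 / Windows 2008 and 2012 (slides)
DEFAULT_LOGOUT_INTERVAL = 605   # seconds, the default on the log-off detection slide


@dataclass
class AuditEvent:
    """One Security Audit Log record, reduced to the fields the agent needs (constructed)."""
    event_id: int
    account: str
    client_ip: str


@dataclass
class LiveUser:
    username: str
    ip: str
    source_dc: str      # which domain controller's agent reported the logon


class Agent:
    """Runs on a domain controller: traps logon events and forwards them to the collector."""

    def __init__(self, dc_name, collector):
        self.dc_name = dc_name
        self.collector = collector

    def on_event(self, event):
        if event.event_id in LOGON_EVENT_IDS:        # every other event is ignored
            self.collector.receive(self.dc_name, event)


class Collector:
    """Keeps the live-user table and tells the appliance about logins and log-offs."""

    def __init__(self, probe, logout_interval=DEFAULT_LOGOUT_INTERVAL):
        self.probe = probe                      # stand-in for ping / WMI / Remote Registry
        self.logout_interval = logout_interval  # how often logoff_poll() would be scheduled
        self.live = {}                          # ip -> LiveUser
        self.to_appliance = []                  # messages that would go to Cyberoam (port 6060)

    def receive(self, dc_name, event):
        # A new logon from the same IP replaces the previous user on that IP.
        self.live[event.client_ip] = LiveUser(event.account, event.client_ip, dc_name)
        self.to_appliance.append(("login", event.account, event.client_ip))

    def logoff_poll(self):
        """Run every logout_interval seconds: log out users whose workstation no longer answers."""
        logged_out = []
        for ip, user in list(self.live.items()):
            if self.probe(ip):
                continue                        # workstation still reachable: keep the user live
            del self.live[ip]
            logged_out.append(user.username)
            self.to_appliance.append(("logout", user.username, ip))
        return logged_out

    def live_usernames(self):
        return sorted(u.username for u in self.live.values())


def demo():
    """Replay the three logons from the slides, then run one logout poll."""
    reachable = {"10.120.16.36", "10.120.16.31"}         # Ricky's workstation has gone away
    collector = Collector(probe=lambda ip: ip in reachable)
    primary = Agent("primary-dc", collector)
    secondary = Agent("secondary-dc", collector)
    # Constructed events; the account/IP pairs are the ones drawn in the slide figures.
    primary.on_event(AuditEvent(4768, "Michael", "10.120.16.36"))
    primary.on_event(AuditEvent(4768, "Robert", "10.120.16.31"))
    secondary.on_event(AuditEvent(4768, "Ricky", "10.120.16.45"))
    secondary.on_event(AuditEvent(4625, "mallory", "10.120.16.99"))  # failed logon, not a success event
    before = collector.live_usernames()
    logged_out = collector.logoff_poll()
    return before, logged_out, collector.live_usernames(), collector.to_appliance


if __name__ == "__main__":
    print(demo())
```

The model makes the detection gap explicit: a user only disappears from the live table when the next poll finds the workstation unreachable, so the logout interval bounds how long a vacated IP keeps the previous user's identity.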



CTAS > User Log off Detection

[Figure: CTAS suite with Agents on the primary and secondary AD forwarding Event IDs to the Collector. Live users: Michael (10.120.16.36), Robert (10.120.16.31) and Ricky (10.120.16.45).]


CTAS > User Log off Detection

Logout Method: Ping / Workstation Polling (WMI / Remote Registry)
Logout Interval: 605 seconds (Default)

[Figure: same deployment; live users Michael (10.120.16.36), Robert (10.120.16.31) and Ricky (10.120.16.45).]



CTAS > User Log off Detection

AFTER 15 MINUTES

[Figure: same deployment; Michael (10.120.16.36) and Robert (10.120.16.31) are still live, while Ricky (10.120.16.45) is DISCONNECTED.]



CTAS > User Log off Detection

Logout Poll

[Figure: the Collector polls the live workstations; Michael (10.120.16.36) and Robert (10.120.16.31) respond, Ricky (10.120.16.45) is DISCONNECTED, so the Collector logs out Ricky.]



CTAS Fault Tolerance

- The Collector being an essential component of the transparent authentication mechanism, it is required that Collector failover be configured; this is also known as "CTAS Fault Tolerance".
- Cyberoam allows building a group of backup Collectors for fault tolerance.
- One of these Collectors acts as primary, while the remaining ones are backup Collectors.
- Cyberoam allows adding up to 5 Collectors in a single group.



CTAS Troubleshooting

From CTAS, you can:
- Check online users
- See the log file
- Increase the log file size
- Perform a WMI query test
- Troubleshoot



CTAS Troubleshooting

CTAS Live Users page:
- Logon Type value 1 stands for Workstation Polling
- Logon Type value 2 stands for Authentication from AD


NTLM

- Browser-initiated Single Sign-On authentication.
- It is a challenge-response authentication protocol that authenticates the user while accessing the Internet or an application.
- Pre-requisites:
  - Cyberoam must be integrated with Active Directory.
  - In order to run NTLM, the following requirements must be met:
    - Server: Windows 2003 or Windows 2008
    - Protocol: NTLMv1 or NTLMv2
    - Browser: Google Chrome, Firefox and Internet Explorer
- As of now, NTLM works on IPv4.



NTLM Authentication Methodologies

There are two methodologies for NTLM:
- Agent based
  - Software-dependent, agent-based solution
  - Software needs to be installed on the Domain Controller(s)
- Agentless
  - Hassle-free, software-independent solution
  - No software component is needed

Cyberoam's NTLM implementation is agentless.



NTLM Process Flow

The NTLM process flow consists of 6 steps, as below:
- Client -> Server: GET
- Server -> Client: 401 Unauthorized, WWW-Authenticate: NTLM
- Client -> Server: GET ... Authorization: NTLM <base64-encoded type-1 message>
- Server -> Client: 401 Unauthorized, WWW-Authenticate: NTLM <base64-encoded type-2 message>
- Client -> Server: GET ... Authorization: NTLM <base64-encoded type-3 message>
- Server -> Client: 200 OK
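The six-step exchange above, played out in Python as an added example (not Cyberoam's NTLM implementation). Both sides are modelled: a client that walks through the three requests, and a server that tracks handshake state per connection and refuses out-of-order messages. The message bodies are constructed: they carry the NTLMSSP signature and little-endian message type that every NTLM message begins with, but no negotiate flags, target information or computed response; the type-3 stand-in simply echoes the challenge, and the server's nonce is a fixed constructed value.

```python
# Added example (not Cyberoam's code): the NTLM-over-HTTP handshake as a state
# machine. Message payloads and the server nonce are constructed.
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"                       # signature that starts every NTLM message
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3   # type-1, type-2, type-3


def build_message(msg_type, payload=b""):
    """Signature + little-endian message type + a constructed payload."""
    return NTLMSSP + struct.pack("<I", msg_type) + payload


def parse_ntlm_header(value):
    """Parse 'NTLM <base64>' into (message type, payload); None when malformed."""
    scheme, _, token = value.partition(" ")
    if scheme != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    (msg_type,) = struct.unpack("<I", raw[8:12])
    return msg_type, raw[12:]


class NtlmServer:
    """Server side: tracks the handshake state so messages are only accepted in order."""

    def __init__(self, challenge=b"\x01\x23\x45\x67\x89\xab\xcd\xef"):
        self.challenge = challenge             # constructed server nonce
        self.state = "anonymous"               # -> "challenged" -> "authenticated"

    def handle(self, headers):
        auth = headers.get("Authorization")
        if auth is None:                                         # step 1 -> step 2
            self.state = "anonymous"
            return 401, {"WWW-Authenticate": "NTLM"}
        parsed = parse_ntlm_header(auth)
        if parsed is None:
            self.state = "anonymous"
            return 400, {}
        msg_type, payload = parsed
        if msg_type == NEGOTIATE and self.state == "anonymous":  # step 3 -> step 4
            self.state = "challenged"
            token = base64.b64encode(build_message(CHALLENGE, self.challenge)).decode()
            return 401, {"WWW-Authenticate": "NTLM " + token}
        if msg_type == AUTHENTICATE and self.state == "challenged":  # step 5 -> step 6
            # A real server verifies the NTLM response against the challenge it issued;
            # this model only checks that the type-3 answers this connection's challenge.
            if payload == self.challenge:
                self.state = "authenticated"
                return 200, {}
        self.state = "anonymous"              # anything out of order restarts the handshake
        return 401, {"WWW-Authenticate": "NTLM"}


def client_fetch(server):
    """Client side of the six steps; returns the status seen after each request."""
    statuses = []
    status, headers = server.handle({})                                   # 1: GET
    statuses.append(status)
    if status != 401 or headers.get("WWW-Authenticate") != "NTLM":
        return statuses
    type1 = base64.b64encode(build_message(NEGOTIATE)).decode()
    status, headers = server.handle({"Authorization": "NTLM " + type1})   # 3: GET + type-1
    statuses.append(status)
    parsed = parse_ntlm_header(headers.get("WWW-Authenticate", ""))
    if status != 401 or parsed is None or parsed[0] != CHALLENGE:
        return statuses
    # Stand-in for deriving the response from the challenge and the user's credentials.
    type3 = base64.b64encode(build_message(AUTHENTICATE, parsed[1])).decode()
    status, _ = server.handle({"Authorization": "NTLM " + type3})         # 5: GET + type-3
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(client_fetch(NtlmServer()))          # [401, 401, 200]
```

The point worth keeping from the model is the server's state: a type-3 message is only meaningful against the type-2 challenge the same connection was given, which is why the server resets to `anonymous` on any message that arrives out of sequence.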



Enable NTLM

- Cyberoam must be integrated with Active Directory to enable NTLM.
- Go to System -> Administration -> Appliance Access. Under Authentication Services, enable NTLM access for the required zones. Here, we have enabled NTLM for the LAN zone.



Authentication Failover Approach

Authentication precedence:
- Clientless Users
- Clientless Single Sign-On
- Corporate Client
- NTLM
- Captive Portal



CATC (Thin Client Authentication)

What is a Thin Client?
- A server that provides the ability to host multiple simultaneous client sessions is termed a Terminal Server. Such a server is capable of hosting multi-user desktops.
- The user uses remote access software, allowing the client computer to serve as a terminal emulator. Users connect to the Terminal Server and access resources or the Internet from a virtual user desktop.
- CATC works on IPv4.

Challenge:
- The firewall sees only the terminal server IP as the source whenever a thin-client user tries to access the Internet.
- It is difficult to differentiate the user traffic.



CATC (Thin Client Authentication)

[Figure: thin clients 10.1.1.2, 10.1.1.3 and 10.1.1.4 connect to a XenServer (192.168.1.1) in the DMZ. A request for google.com leaves the XenServer and reaches the firewall/router with source IP 192.168.1.1 and destination google.com, so the firewall cannot identify which user is surfing the Internet. All thin-client users share the XenServer's source IP address, so rules cannot be defined on the combination of source and destination IP address.]



Same IP address, Users differentiated by Session-Id



CATC (Thin Client Authentication)

- Cyberoam Authentication for Thin Client (CATC) is supported on Windows 2003, Windows 2008, Presentation Server and Citrix XenApp.
- In order to run CATC, the following requirements must be met:
  - UDP port 6060 must be open on the Terminal Server for outbound traffic, to send login information to Cyberoam.
  - A native firewall, anti-virus or User Account Control (UAC) might interfere with the CTAS process and may need to be disabled or removed in some cases.



CATC Pre-requisites



CATC > Process Flow

Login
- The user logs in on the Terminal Server using remote access software.
- The user opens a browser to access the Internet.
- CATC sends a UDP packet on port 6060 to Cyberoam, which consists of the Login Code, Session ID, Source Port, Destination Port, Destination IP and Username.
- Cyberoam checks the packet sent by the Agent and does a reverse lookup into its Live Users. If the user doesn't exist, a new user is added.
- Once the user is authenticated, the user's traffic is allowed or denied based on the access control defined for that user.



CATC > Process Flow

Logout
- The Terminal Server also maintains a database of the users currently connected to it. This database is dynamically updated when a user logs off.
- The Agent installed on the Terminal Server refers to this database continuously and notifies the Cyberoam device instantly on user log-off.
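Added example (not the CATC agent or the appliance code): a Python model of the login and logout flow above, in which users behind one terminal-server IP are told apart by Session ID and each announced connection is mapped to a user. The datagram layout (key=value pairs), the LOGIN/LOGOUT code values, the session numbers, the per-user access table, the `pkt` helper and the web host 203.0.113.10 are constructed; only the field names and UDP port 6060 come from the slides.

```python
# Added example (not Cyberoam's code): CATC-style session-to-user mapping.
# The wire layout, code values and addresses are constructed.
from dataclasses import dataclass, field

CATC_PORT = 6060                                                   # UDP port named on the slides
REQUIRED = ("code", "session", "sport", "dport", "dip", "user")    # field names from the slide
LOGIN, LOGOUT = "LOGIN", "LOGOUT"                                  # constructed login-code values


def parse_datagram(payload):
    """Parse the constructed 'key=value;key=value' layout; None when malformed."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep != "=" or not key or not value:
            return None
        fields[key] = value
    if any(name not in fields for name in REQUIRED):
        return None
    try:
        fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    except ValueError:
        return None
    if not all(0 <= fields[p] <= 65535 for p in ("sport", "dport")):
        return None
    return fields


@dataclass
class Appliance:
    access: dict                                    # username -> "allow"/"deny" (constructed)
    users: dict = field(default_factory=dict)       # (terminal server IP, session) -> username
    flows: dict = field(default_factory=dict)       # (ts IP, sport, dip, dport) -> username

    def on_datagram(self, src_ip, dst_port, payload):
        """src_ip is the terminal server the agent runs on."""
        if dst_port != CATC_PORT:
            return "ignored"
        f = parse_datagram(payload)
        if f is None:
            return "malformed"
        key = (src_ip, f["session"])
        if f["code"] == LOGOUT:
            user = self.users.pop(key, None)
            if user is None:
                return "unknown-session"
            for flow in [k for k, u in self.flows.items() if u == user and k[0] == src_ip]:
                del self.flows[flow]                # the session's connections lose their identity
            return "logout"
        if f["code"] != LOGIN:
            return "malformed"
        # Reverse lookup into the live users; add the user if the session is new.
        known = self.users.setdefault(key, f["user"])
        if known != f["user"]:
            return "session-mismatch"               # a live session cannot change its user
        self.flows[(src_ip, f["sport"], f["dip"], f["dport"])] = f["user"]
        return "login"

    def decide(self, src_ip, sport, dip, dport):
        """Apply the per-user access control to one connection from the terminal server."""
        user = self.flows.get((src_ip, sport, dip, dport))
        if user is None:
            return "unauthenticated"
        return self.access.get(user, "deny")


def pkt(code, session, sport, dport, user, dip="203.0.113.10"):
    """Build a constructed CATC-style datagram."""
    return f"code={code};session={session};sport={sport};dport={dport};dip={dip};user={user}".encode()


def demo():
    ts, web = "192.168.1.1", "203.0.113.10"         # terminal server IP from the figure; web host constructed
    ap = Appliance(access={"alice": "allow", "bob": "deny"})
    return [
        ap.on_datagram(ts, CATC_PORT, pkt(LOGIN, 2, 50001, 443, "alice")),
        ap.on_datagram(ts, CATC_PORT, pkt(LOGIN, 3, 50002, 443, "bob")),
        ap.decide(ts, 50001, web, 443),             # alice's connection
        ap.decide(ts, 50002, web, 443),             # bob's connection, same source IP
        ap.decide(ts, 50003, web, 443),             # nobody announced this connection
        ap.on_datagram(ts, CATC_PORT, pkt(LOGIN, 2, 50004, 80, "mallory")),   # reuses alice's session
        ap.on_datagram(ts, CATC_PORT, pkt(LOGOUT, 2, 0, 0, "alice", dip="0.0.0.0")),
        ap.decide(ts, 50001, web, 443),             # alice logged out: identity gone
        ap.on_datagram(ts, 6061, pkt(LOGIN, 9, 1, 1, "x")),                   # wrong port
    ]


if __name__ == "__main__":
    print(demo())
```

Two connections from the same source IP get different decisions because the agent announced each with its own source port and session, and a logout removes the identity from every connection of that session at once.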



SMS or Text based Authentication (Guest User)

- It is very tedious for an admin to create users and provide credentials to users in public places like hotspots/hotels for a few days/hours.
- This method provides a portal to guest users through which they can self-create Internet access tokens on Cyberoam appliances, using a password received on their SMS-enabled communication device.
- Cyberoam can be integrated with SMS gateways.



SMS > Step 1: Integrate with SMS Gateway



SMS > Step 2: Enable SMS Gateway





Identity based Policies > Access time policy

- It defines the time period during which users are allowed/denied network access, for example office-hours access only.
- It enables setting the days and time interval for network access with the help of a Schedule.
- Identity -> Policy -> Access Time



Identity based Policies > Surfing Quota Policy

- It defines the duration of network surfing time.
- It is the allowed time, in hours, for a group or an individual user to access the Internet.
- Identity -> Policy -> Surfing Quota



Identity based Policies > Data Transfer Policy

- This policy is used to restrict how much users can upload and download.
- The data transfer restriction can be based on:
  - Total data transfer (upload + download)
  - Individual upload and/or download
- To create a data transfer policy, go to Identity -> Policy -> Data Transfer.
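Added example (not Cyberoam's policy engine): evaluating the three identity-based policies described above, access time, surfing quota and data transfer, for one user in Python. The schedule, quota, limits and usage counters are constructed; the example goes slightly beyond the slides in letting an access-time window cross midnight, and it models both data-transfer bases the slide names (total, and individual upload/download).

```python
# Added example (not Cyberoam's code): evaluation of access time, surfing
# quota and data transfer policies. All policy values and usage are constructed.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class AccessTime:
    """Schedule: days of week (Monday = 0) and a daily window that may cross midnight."""
    days: frozenset
    start: time
    end: time

    def allows(self, when):
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end         # window such as 22:00 to 06:00


@dataclass
class SurfingQuota:
    hours_allowed: float                                # allowed surfing time in hours


@dataclass
class DataTransfer:
    mode: str                                           # "total" or "individual" (the slide's two bases)
    total_mb: Optional[int] = None
    upload_mb: Optional[int] = None
    download_mb: Optional[int] = None


@dataclass
class GroupPolicies:
    access_time: AccessTime
    surfing_quota: SurfingQuota
    data_transfer: DataTransfer


@dataclass
class Usage:
    surfed_hours: float
    uploaded_mb: int
    downloaded_mb: int


def evaluate(policies, usage, when):
    """Return (allowed, reason) for a user with the given usage at the given time."""
    if not policies.access_time.allows(when):
        return False, "outside access time"
    if usage.surfed_hours >= policies.surfing_quota.hours_allowed:
        return False, "surfing quota exhausted"
    dt = policies.data_transfer
    if dt.mode == "total":
        if dt.total_mb is not None and usage.uploaded_mb + usage.downloaded_mb >= dt.total_mb:
            return False, "total data transfer limit reached"
    elif dt.mode == "individual":
        if dt.upload_mb is not None and usage.uploaded_mb >= dt.upload_mb:
            return False, "upload limit reached"
        if dt.download_mb is not None and usage.downloaded_mb >= dt.download_mb:
            return False, "download limit reached"
    else:
        raise ValueError(f"unknown data transfer mode {dt.mode!r}")
    return True, "allowed"


OFFICE_HOURS = GroupPolicies(    # constructed "office hours only" group policy set
    access_time=AccessTime(days=frozenset(range(5)), start=time(9, 0), end=time(18, 0)),
    surfing_quota=SurfingQuota(hours_allowed=40),
    data_transfer=DataTransfer(mode="total", total_mb=1024),
)
UPLOAD_CAPPED = GroupPolicies(   # same group, but restricting upload and download individually
    access_time=OFFICE_HOURS.access_time,
    surfing_quota=OFFICE_HOURS.surfing_quota,
    data_transfer=DataTransfer(mode="individual", upload_mb=100, download_mb=2048),
)


if __name__ == "__main__":
    monday = datetime(2014, 6, 2, 10, 30)
    print(evaluate(OFFICE_HOURS, Usage(10, 50, 300), monday))
    print(evaluate(UPLOAD_CAPPED, Usage(1, 512, 512), monday))
```

The checks run in the order the slides present the policies: an out-of-schedule request is rejected before any quota is consulted, and the same usage figures can pass a total-transfer policy yet fail an individual upload cap.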



Identity based Policies > Creating a Data Transfer Policy





Group Management

- A Group is a collection of users having common policies.
- Instead of attaching individual policies to the user, create a group of policies and simply assign the appropriate group.
- A group can contain default as well as custom policies.
- The various policies that can be grouped are:
  - Surfing Quota
  - Access Time policy
  - Web Filter policy
  - Application Filter policy
  - Bandwidth policy
  - Data Transfer



Group Types

- Normal: a user of this group needs to log on to Cyberoam using the Captive Portal or the Authentication Client to access the network.
- Clientless: a user of this group does not need to log in to Cyberoam using any client to access the network.



Adding a new group

To add or edit user group details, go to Identity -> Groups -> Group.



Managing groups

To manage groups, go to Identity -> Groups.



Adding clientless groups

To add clientless groups, go to Identity -> Groups -> Add.





User Management

- Users can be identified by an IP/MAC address or a username and assigned to a user group.
- All the users in a group inherit the policies defined for that group.



User Types

Cyberoam supports three types of users:
- Normal
- Clientless
- Single Sign-On



Adding Normal User

To create the users, Identity -> Users -> User ->Add



Adding Clientless Users

To create clientless users, go to Identity -> User -> Clientless User.



Adding Single Sign-On Users

- Cyberoam automatically creates a Single Sign-On user on the first successful authentication.
- Such users cannot be created manually.



Manage Users

Navigate to Identity -> User



Manage Clientless Users

Select Identity -> User -> Clientless Users to view the list of users, and click the username to be modified.



User/MAC address binding

- This is not applicable to clientless users.
- Navigate to Identity -> Users -> User.



User's My Account

- User My Account gives details like quarantine, change password, email and Internet usage of a particular user.
- Users can change their password using this tab.
- Users can view their My Account details from the GUI.



Change Password & Account Status





Identity based firewall rule

- In its rule-matching criteria, a normal UTM does everything from matching source and destination addresses to ports. But a next-generation UTM like Cyberoam adds Identity to the firewalling solution.
- When Cyberoam receives a request, it checks the source address, destination address and the services and tries to match them with a firewall rule.
- If the Identity (user) is found in the Live User Connections and all other matching criteria are fulfilled, then the action specified in the rule is applied.
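Added example (not Cyberoam's rule engine): a Python rule matcher for the criteria just described, in which the identity criterion is resolved through a Live User Connections table keyed by source IP, so a rule that names a user or group can never match traffic from an address with no live user behind it. The rules, the live-user table, the addresses and the first-match-wins evaluation are constructed; the same matcher handles IPv4 and IPv6 packets.

```python
# Added example (not Cyberoam's code): identity-based firewall rule matching
# against a live-user table. Rules, users and addresses are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str                                   # CIDR, IPv4 or IPv6
    dst: str                                   # CIDR
    service: tuple                             # (protocol, port); ("any", None) matches everything
    action: str                                # accept / nat / drop / reject
    identity: frozenset = frozenset()          # user or group names; empty = no identity criterion
    days: frozenset = frozenset(range(7))      # schedule: weekdays (Monday = 0)
    hours: tuple = (0, 24)                     # schedule: [start, end) hour of day


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    when: datetime


def rule_matches(rule, pkt, live_users):
    """live_users: source IP -> (username, group), i.e. the Live User Connections table."""
    try:
        src_ok = ip_address(pkt.src) in ip_network(rule.src)
        dst_ok = ip_address(pkt.dst) in ip_network(rule.dst)
    except ValueError:                         # malformed address or prefix
        return False
    if not (src_ok and dst_ok):                # an IPv4 address is never inside an IPv6 prefix
        return False
    proto, port = rule.service
    if proto != "any" and (proto != pkt.proto or port != pkt.dport):
        return False
    if pkt.when.weekday() not in rule.days or not rule.hours[0] <= pkt.when.hour < rule.hours[1]:
        return False
    if rule.identity:
        entry = live_users.get(pkt.src)
        if entry is None:
            return False                       # no live user behind this source: identity rule cannot match
        user, group = entry
        if user not in rule.identity and group not in rule.identity:
            return False
    return True


def decide(rules, pkt, live_users, default_action="drop"):
    """First matching rule wins; return (rule name, action)."""
    for rule in rules:
        if rule_matches(rule, pkt, live_users):
            return rule.name, rule.action
    return "default", default_action


RULES = [   # constructed rule base; the last rule is the usual "everything else" drop for web traffic
    Rule("sales-web", "10.0.0.0/24", "0.0.0.0/0", ("tcp", 443), "accept",
         identity=frozenset({"Sales"}), days=frozenset(range(5)), hours=(9, 18)),
    Rule("v6-engineering", "2001:db8::/32", "::/0", ("tcp", 443), "accept",
         identity=frozenset({"Engineering"})),
    Rule("deny-web", "0.0.0.0/0", "0.0.0.0/0", ("tcp", 443), "drop"),
]
LIVE = {"10.0.0.5": ("alice", "Sales"),           # constructed Live User Connections
        "10.0.0.7": ("bob", "Engineering"),
        "2001:db8::10": ("carol", "Engineering")}


def demo():
    mon = datetime(2014, 6, 2, 10, 0)
    sun = datetime(2014, 6, 8, 10, 0)
    web = "203.0.113.10"
    return [
        decide(RULES, Packet("10.0.0.5", web, "tcp", 443, mon), LIVE),            # alice, Sales
        decide(RULES, Packet("10.0.0.7", web, "tcp", 443, mon), LIVE),            # bob, not Sales
        decide(RULES, Packet("10.0.0.9", web, "tcp", 443, mon), LIVE),            # nobody logged in
        decide(RULES, Packet("10.0.0.5", web, "tcp", 443, sun), LIVE),            # alice, off-schedule
        decide(RULES, Packet("2001:db8::10", "2001:db8:1::1", "tcp", 443, sun), LIVE),  # carol over IPv6
        decide(RULES, Packet("10.0.0.5", web, "udp", 53, mon), LIVE),             # no rule for DNS
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third case is the one the slide stresses: the packet from 10.0.0.9 would match `sales-web` on address, service and schedule alone, but with no entry in the live-user table the identity criterion fails and the drop rule applies instead.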



Create Identity based Firewall rule (Cyberoam V/S Normal Firewall)

Normal Firewall
- Rule matching criteria
  - Source address
  - Destination address
  - Service (port)
  - Schedule
- Action
  - Accept
  - NAT
  - Drop
  - Reject
- However, fails in DHCP, Wi-Fi environment

Cyberoam - Identity Based UTM
- Rule matching criteria
  - Source address
  - Destination address
  - Service (port)
  - Schedule
  - Identity (for IPv4/IPv6)
- Action
  - Accept
  - NAT
  - Drop
  - Reject
- Unified Threat Controls (per rule matching criteria)
  - IPS policy
  - Web Filter & Application Filter policy
  - QoS policy
  - Anti Virus & Anti Spam
  - Routing decisions
- On IPv6, Cyberoam supports QoS and routing decisions



Create Identity based IPv4 Firewall rule (Cont.)



Create Identity based IPv6 Firewall rule (Cont.)



Labs

- Lab #12 Enforce Authentication
  - Action change in default firewall rule
  - New firewall rule in case users are using ISP-provided DNS
- Lab #13 Authenticating a user through Captive Portal/Cyberoam Corporate Client
  - Authenticating with Corporate Client
- Lab #14 Change default Captive Portal Settings
- Lab #15 Integration with Active Directory (Optional)
  - Configuring AD authentication



Next -> Module 5 (Web Filter)
