Plan Your Authentication Deployment
Learn about the things to consider before you implement an authentication solution on your next-gen firewall.
The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end users who access services and applications through Authentication Portal.
For both end users and administrators, consider:
For end users only, consider:
Which services and applications are more sensitive than others? For example, you might want stronger authentication for key financial documents than for search engines. To protect your most sensitive services and applications, you can configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing those services and applications. To accommodate a variety of security needs, configure Authentication Policy rules that trigger MFA or single factor authentication (such as login credentials or certificates) based on specific services, applications, and end users. Other ways to reduce your attack surface include network segmentation and user groups for allowed applications.
For administrators only, consider:
Do you use an external server to centrally manage authorization for all administrative accounts? By defining Vendor-Specific Attributes (VSAs) on the external server, you can quickly change administrative role assignments through your directory service instead of reconfiguring settings on the firewall. VSAs also enable you to specify access domains for administrators of firewalls with multiple virtual systems. SAML, TACACS+, and RADIUS support external authorization.
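
To show what a role and access-domain VSA looks like when a RADIUS server returns it, the following added example (not code from this page or from the firewall) encodes and parses Vendor-Specific attributes in the RFC 2865 layout and rejects an administrator whose role is missing or not allowed. The vendor ID 25461 and sub-attribute numbers 1 and 2 are assumptions to check against the RADIUS dictionary you deploy; the role and access-domain names are constructed.

```python
import struct

VENDOR_SPECIFIC = 26       # RFC 2865 attribute type that carries VSAs
PAN_VENDOR_ID = 25461      # assumption: vendor enterprise number, check your dictionary
ADMIN_ROLE = 1             # assumption: sub-attribute carrying the admin role
ADMIN_ACCESS_DOMAIN = 2    # assumption: sub-attribute carrying the access domain

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single string sub-attribute."""
    data = value.encode("utf-8")
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def tlvs(buf):
    """Yield (type, value) pairs from type/length/value fields, validating lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def parse_vsas(attrs, vendor_id):
    """Return {sub_attribute: value} for one vendor, ignoring every other attribute."""
    found = {}
    for a_type, body in tlvs(attrs):
        if a_type != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue
        for v_type, value in tlvs(body[4:]):
            found[v_type] = value.decode("utf-8")
    return found

def authorize(attrs, allowed_roles):
    """Fail closed: no role VSA, or a role outside the allow list, yields None."""
    vsas = parse_vsas(attrs, PAN_VENDOR_ID)
    role = vsas.get(ADMIN_ROLE)
    if role not in allowed_roles:
        return None
    return role, vsas.get(ADMIN_ACCESS_DOMAIN)

# Constructed attribute section of an Access-Accept: Reply-Message plus two VSAs.
SAMPLE = (bytes([18, 4]) + b"ok"
          + encode_vsa(PAN_VENDOR_ID, ADMIN_ROLE, "netops-readonly")
          + encode_vsa(PAN_VENDOR_ID, ADMIN_ACCESS_DOMAIN, "vsys-finance"))
```

Running `authorize(SAMPLE, {"netops-readonly"})` returns the role together with the access domain, which is the pair an auditor would compare against the directory entry for that administrator.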