Posted by DaveMo on August 6, 2007, 10:46 am
> > I'm wondering if anybody out there can recommend a good
> > two-factor authentication solution that meets the following
> > criteria:
>
> > 1. Accommodates domain level logons
> > 2. Can be used to secure custom IIS applications
> > 3. Can be used to secure OWA
> > 4. Can be used for VPN authentication
> > 5. Scales so that one or more authentication servers can be
> > placed in multiple sites (both for redundancy and load
> > balancing).
> > 6. Excellent customer support (with some of the solutions
> > I've been testing with, customer support is severely lacking)
>
> Hi DLN, Steve:
>
> Since DLN asked specifically about the RSA story, I'll claim some
> bandwidth to sort that out. I've been a consultant to RSA for many
> years, and I'm obviously biased -- but your RSA salesperson or SSE
> should be able to offer more detail on all of these points. E-mail me
> directly if you need a higher-level RSA contact.
>
> Let me parse the RSA options, pegged to your criteria:
>
> 1. Accommodates domain level logons?
>
> RSA provides three kinds of solutions here. One is based on
> SecurID with RSA's Local Authentication Client. The second is PKI. The
> third is a hybrid.
>
> 1) SecurID solution with Local Authentication client
>
> With this RSA agent installed on the machine, any local or domain user
> account can be configured to be challenged with SecurID two-factor
> authentication (2FA). The RSA agent can also be configured to include
> the domain name in the login ID sent to the server if the AuthMgr data is
> organized for it. (The AuthMgr user data can be synchronized with AD
> to have the AM database users automatically created.)
>
> The point of enforcement is at the local machine, not at the domain
> controller. This means that if a user knows his password and there is a
> machine that does not have the agent installed, he would be able to log
> in.
>
> (RSA, for several years, sold a solution that implemented domain
> enforcement of the SecurID authentication; however, it turned out to
> not scale. Some competitors copied that architecture, and built the
> same offering. RSA's evaluation of these products is that they will
> inevitably experience the same scalability issues that bedeviled RSA's
> solution, since the OS integration points are the same.)
>
> If the end users are not required to know their Windows passwords for
> use with other applications, the user passwords can be "hardened."
> With RSA's latest agent hot-fix rollup -- to be released this month
> -- there will also be a capability to capture password changes on the
> domain controllers and replicate them to the RSA Authentication
> Manager.
>
> This is the sequence of operations that would protect the domain from
> a user who sought to access it with just a password.
>
> Initial state:
> User has a Windows password and no software is installed on the client
> machines
>
> A) User is provisioned with a SecurID token
> B) Client software is installed
> C) User (via groups) is configured to pass SecurID and a PIN (2FA)
> upon desktop logon
> D) User starts using his token and submits his 2FA passcode
> E) User is prompted for a Windows' password
> F) With the login password integration feature enabled on the RSA
> Authentication Manager, the Windows password will be captured and
> stored in the RSA Authentication Manager database for future use.
> Next time, the user will not be prompted for a password since the
> system already knows it and will use it behind the scenes.
> G) If the RSA agent is not installed on a system, the password can
> be used to log into such a system. (To prevent this, the Admin can
> either install the agent or centrally change the user password to
> something long and strong so that the user does not know it any more.)
> RSA's new password-filter component, available this month, will
> automatically replicate all the password changes made centrally. This
> means that next time the user logs into the system he will use his
> SecurID token... and his updated Windows password will be supplied by
> the server.
>
> This RSA SecurID solution provides a transparent user experience, both
> when a user is connected to the network, and when he is working off-
> line.
>
> 2) PKI solution
>
> RSA has a solution that allows using a certificate on the smart card
> for Windows logon. There are a couple of different options. One,
> with RSA Authentication Client, allows local management of the
> certificates on the smart card. Another, with the RSA Card Manager,
> allows centralized management of a large smart card deployment.
>
> 3) Hybrid
>
> The RSA SID800 token, a SecurID in a USB plug, can act as either a
> hand-held OTP token or as a USB-format "smart card." This allows
> RSA's customers to use a SID800 as a hand-held token for remote access via
> VPNs and Web, while still providing USB "smart card" functionality for
> boot encryption, signing e-mails, or desktop certificate logons.
>
> 2. Can be used to secure custom IIS applications?
>
> The RSA Authentication Agent for Web can protect any application
> running inside IIS with SecurID authentication. The RSA Access Manager
> Agent can also provide access control to different web resources.
>
> 3. Can be used to secure OWA?
>
> Yes. With the RSA Authentication Agent for Web. MSFT even provides a
> guide for this at:
> <http://www.microsoft.com/technet/isa/2004/owapubwithrsasecurid.mspx>.
>
> 4. Can be used for VPN authentication?
>
> RSA provides a plug-in for the Microsoft VPN. Most (all?) major VPN
> vendors support SecurID authentication. These vendor partnerships are
> among RSA's greatest strengths. For documentation from other prominent
> VPN vendors, see:
>
> Cisco:
> <http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/osxguide/connect.htm>
> Juniper:
> <http://www.juniper.net/solutions/literature/solutionbriefs/351051.pdf>
> F5:
> <http://www.f5.com/solutions/sb/securid_sb.html>
> Celestix:
> <http://www.celestix.com/press/pressrelease.asp?SRC=pr050304.htm>
> CheckPoint:
> <http://www.checkpoint.com/press/2006/rsa_021406.html>
>
> 5. Scales so that one or more authentication servers can be placed in
> multiple sites (both for redundancy and load balancing)?
>
> RSA supports one Primary Server and up to 10 Replicas. The RSA agent
> provides built-in support for load-balancing, server fail-over, and
> the discovery of new servers.
>
> 6. Excellent customer support?
>
> RSA Customer Support is 24x7. There are probably third-party
> evaluations available somewhere, but the RSA folks are very proud of
> their professionalism and the evaluations they get from their
> customers in surveys.
>
> Hope this is helpful.
>
> Suerte,
> _Vin
This is a nice summary of the RSA story, but I feel compelled to
comment on one part of the answer:

> (RSA, for several years, sold a solution that implemented domain
> enforcement of the SecurID authentication, however it turned out to
> not scale. Some competitors copied that architecture, and built the
> same offering. RSA's evaluation of these products is that they will
> inevitably experience same scalability issues that bedeviled RSA's
> solution, since the OS integration points are the same.)

With all due respect, this is because RSA (and apparently everyone
else) didn't use the correct solution. While working with a 2 factor
ISV, my team implemented a solution that enforces use of the 2 factor
authentication mechanism and it scales just fine. There is, of course,
a small bandwidth and CPU impact on the domain controller, but it is a
percentage of the resources consumed by any authentication attempt. In
other words, yes it is possible to implement such a feature in a
manner that will not scale, but it is not necessarily the case that
any such implementation will not scale.
As a security person, I find this to be an important aspect of the
overall solution. If the 2 factor solution can be circumvented simply
by removing or disabling the client-side component, then it isn't much
of a security solution IMO.
HTH,
Dave
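A toy model of the two enforcement points argued over in this thread: Vin's client-side agent with the password-hardening sequence (steps A-G) and Dave's enforcement at the domain controller. This is an added illustration, not code from either poster or from RSA; the Directory and AuthManager classes, the account name and the passcode are constructed stand-ins, not the products' APIs.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Stand-in for the domain controller's account database."""
    passwords: dict
    enforce_2fa_at_dc: bool = False   # Dave's model: the DC itself insists on 2FA

@dataclass
class AuthManager:
    """Stand-in for the RSA Authentication Manager (a model, not the product)."""
    tokens: dict                                  # user -> valid passcode (constructed)
    captured: dict = field(default_factory=dict)  # Windows passwords captured at step F

    def passcode_ok(self, user, passcode):
        return passcode is not None and self.tokens.get(user) == passcode

def logon(user, password, passcode, directory, am, agent_installed):
    """One logon attempt from a client; returns (success, reason)."""
    if directory.enforce_2fa_at_dc and not am.passcode_ok(user, passcode):
        return False, "DC rejected: 2FA enforced at the domain controller"
    if not agent_installed:
        # Vin's caveat (G): with no agent on the client, the password alone suffices.
        return directory.passwords[user] == password, "password only, no agent"
    if not am.passcode_ok(user, passcode):
        return False, "agent rejected passcode"
    pw = am.captured.get(user, password)   # step F: server supplies it after first success
    ok = directory.passwords[user] == pw
    if ok:
        am.captured[user] = pw
    return ok, "SecurID passcode + stored Windows password via agent"

def harden_password(user, directory, am):
    """Step G: admin rotates the password centrally; the password filter replicates it."""
    new_pw = secrets.token_urlsafe(32)
    directory.passwords[user] = new_pw
    am.captured[user] = new_pw   # modelled replication to the Authentication Manager

def scenario():
    """Walk the thread's argument; returns whether each attempt succeeded."""
    d = Directory({"alice": "Summer07!"})          # constructed account
    am = AuthManager({"alice": "1234-556677"})     # constructed PIN+tokencode
    r = {"first_2fa_logon": logon("alice", "Summer07!", "1234-556677", d, am, True)[0],
         "bypass_no_agent": logon("alice", "Summer07!", None, d, am, False)[0]}
    harden_password("alice", d, am)
    r["bypass_after_harden"] = logon("alice", "Summer07!", None, d, am, False)[0]
    r["2fa_after_harden"] = logon("alice", None, "1234-556677", d, am, True)[0]
    d.enforce_2fa_at_dc = True                      # Dave's architecture
    r["dc_enforced_no_agent"] = logon("alice", d.passwords["alice"], None, d, am, False)[0]
    return r
```

The result shows the gap both posters describe: the agent-less client accepts the password alone until the password is hardened, and only the domain-controller-side check rejects a password-only logon regardless of what is installed on the client.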