Solved

Laptop Security over VPN

Posted on 2003-12-02
381 Views
Last Modified: 2010-04-11
Hi..

Please tell me ways to implement "two factor security" for my remote mobile users who access my corporate network via Nortel Contivity VPN over the internet.

Please tell me what are the options available for security like ...

Digital certificates or
tokens
smart cards etc...
what is the best way of securing a laptop in case it gets stolen.... ?


Can anybody tell me the price of having a "digital certificate" per user from VeriSign etc...


Question by:magicianspell
7 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9867711
Two factor authentication:
Depends on what your VPN solution supports. Most support certificates. Some support tokens or smart cards. Contact the vendor(s).
Note that not all supposed two-factor solutions really are two-factor. For example, RSA SecurID tokens have a reversible algorithm based on the time of day and the PIN, so they're really no different than a password.

Securing a laptop in case it's stolen:
Your best bet is filesystem encryption. The encrypting filesystem support in Windows XP (assuming Windows) is reasonably decent. There are also commercial solutions from places like PGP and Norton, as well as solutions for non-Windows systems like Mac and Linux.

Price of a verisign cert:
Personal cert is something like $25/year/person. Server cert is more like a few hundred $/year/server.
 
LVL 1

Expert Comment

by:birksy
ID: 9870029
If you're using a Nortel Contivity box, then I'd beg to differ with Chris. RSA SecurID tokens offer far better security than simply using a username and password.

Thinking what would need to be compromised if you used this style of authentication on the Nortel, your hacker would need to know the following:

A valid username
A valid groupname
The password associated with the groupname above
The PIN number associated with your username's token
The current number on the securID token associated with username above
The minimum version of software he could connect to your Nortel server with (it can be locked down).

Even if you knew the seeded pseudo-number generation algorithm that is used on the token (the seed is individual to each token and the number displayed has nothing to do with the time of day; your token needs synchronising before first use) then you'd still have to get all the information above to get on. You have to admit it's a lot of trouble to go to, and potentially as a hacker you then have to authenticate yourself on the network to Windows Domains and so on.

Any vulnerabilities in the implementation of RSA SecurID are not going to be cracked by some kiddie with his scripting tools, that you can be certain.

Take a read of the following commentary if you're not convinced:

http://seclists.org/lists/bugtraq/1996/Sep/0014.html

And I'm sure you know where to go to find info on RSA SecuriD/ACE Servers :-)

Have fun,

R.
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9870088
You are wrong, o' obi-wan.

The SecurID algorithm has been cracked, cracked, cracked. See the @stake research report on the same, along with the dozens of script-kiddie scripts to exploit it. You merely need to observe/sniff a single instance of the number that's generated by the thing to be able to generate all future numbers.

This means it is not a "what you have" but a "what you know" authenticator, and therefore not two-factor.

Better than a regular password? Only if your system allows poorly chosen passwords that can be cracked by a dictionary attack.

Otherwise, about the same as a password with good password selection/update hygiene.
 
LVL 1

Accepted Solution

by: birksy (earned 50 total points)
ID: 9873627
Hi Chris,

That's quite an interesting comment about SecuriD. So what are you views on the conclusion of the @stake white paper?

I'll quote some of it here, seeing as it's been pulled from the @stake web site and isn't straightforward to find:

"The concerns mentioned in this brief hope to motivate further public assessment of the current SecurID algorithm. Do they negate the usefulness of an infrastructure utilizing this technology? No. However it does point to the possibility that companies might be assuming more risk than they need to..."

further:

"By encrypting the communications, limiting access to back-end communications, and ensuring the integrity and whereabouts of the token generator, the risks of promiscuous viewing of the user authentication and tokencodes and potential retrieval of the secret component are minimized greatly. SSH, DESTTelnet, SSL, and other encryption mechanisms can be deployed to help minimize these risks. IPSec, separate back-end management networks, and other means can be implemented to protect the back-end authentication that occurs between the application server and the ACE/Server...."

And are you serious about the scripting exploits? That's news to me; would you have to compromise the token's 64-bit seed first?

R.
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9874541
WRT the @stake conclusions: Agreed. SecurID is not useless, and encrypting the communications can greatly reduce the risk. On the other hand, the same is true of passwords. IMO, a password-based system with strong password controls is on the same order of security as SecurID. If you want strong two-factor, I'd go for X.509-cert unlocked by PIN (good), SmartCard/dongle holding X.509-cert unlocked by PIN (better), or SmartCard/dongle holding X.509-cert unlocked by biometric (best).

As for the scripting exploits, you do not have to compromise the 64-bit seed. You merely need a copy of the token output plus the timestamp when it was generated. You can derive the 64-bit seed from that (that's why the algorithm is broken). The @stake paper talks about doing this, and there was source code posted to Bugtraq a couple of years ago.
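The thread above argues about whether a time-based tokencode counts as "what you have" or only "what you know". As an added example that is not part of the original thread and not RSA's SecurID algorithm (which is proprietary and is the one the posters are debating), here is how a standards-based time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP with HMAC-SHA1) is generated by a token and checked by the server, including the PIN + tokencode passcode format the Nortel/ACE setup described above uses, a clock-drift window for tokens that have lost synchronisation, and rejection of a replayed tokencode. The seed is the published 20-byte RFC test-vector seed (constructed, not a real enrolment); the 4-digit PIN, the passcode layout and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the ASCII seed from the RFC 4226/6238 test vectors.
# A real token carries a per-device random seed provisioned at enrolment and
# never leaves the token or the authentication server.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per tokencode (RFC 6238 default)
DIGITS = 6       # tokencode length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: float, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the current time step."""
    return hotp(seed, int(unix_time) // step, digits)


def verify_passcode(seed: bytes, pin: str, passcode: str, unix_time: float,
                    drift_steps: int = 1, last_counter: int = -1):
    """Server-side check of a passcode of the form PIN + tokencode.

    Returns the time-step counter that matched, or None. The caller stores the
    returned counter and passes it back as last_counter next time so that a
    sniffed passcode cannot be replayed within the drift window.
    """
    if len(passcode) != len(pin) + DIGITS:
        return None
    # Constant-time comparison on both halves so the check leaks nothing about
    # how many leading characters were right.
    if not hmac.compare_digest(passcode[:len(pin)], pin):
        return None
    tokencode = passcode[len(pin):]
    base = int(unix_time) // TIME_STEP
    # Accept the current step and drift_steps either side to tolerate clock
    # skew, but never a counter at or before the last one accepted.
    for delta in range(-drift_steps, drift_steps + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter), tokencode):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SEED, now)
    print("tokencode now:", code)
    used = verify_passcode(DEMO_SEED, "1234", "1234" + code, now)
    print("first use accepted at counter:", used)
    # Same passcode presented again a few seconds later: rejected as a replay.
    print("replay accepted:", verify_passcode(DEMO_SEED, "1234", "1234" + code,
                                              now + 5, last_counter=used))
```

Two things worth noting against the discussion above. First, because the tokencode is a truncated HMAC keyed by the seed, an observer who captures tokencodes and timestamps is faced with inverting a keyed one-way function, not a reversible transform, so the scheme's "what you have" property rests on keeping the seed inside the token and the ACE-style server. Second, the replay check matters in practice: the Contivity setup birksy describes sends PIN and tokencode together, so anyone who can sniff the exchange has a passcode that is valid for the rest of the time step plus the drift window unless the server refuses to accept the same counter twice.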