Solved

Authentication

Posted on 2006-06-17
Last Modified: 2013-11-16
We are investigating using Microsoft Internet Authentication Server (IAS) to authenticate our remote access VPN users coming in to our Cisco Adaptive Security Appliance (ASA). Based on what we have seen so far, we find the shortcomings listed below in using MS IAS as the authentication server. However, we understand that the SafeWord RemoteAccess solution can integrate with MS IAS and address all or some of the shortcomings below.

1) One-time password with security token

We feel that a normal AD user account and password for remote access VPN users is not sufficient. Hence, we are considering enhancing the authentication of our remote access VPN users with a one-time password solution in the form of small hardware-based security tokens.

2) Duration based remote access permission

We need to grant our travelling users a predetermined but flexible duration of remote access. We would like to set the end (or expiry) date for some users at the point of granting remote VPN access permission. This can be either an MS IAS integrated solution or one that is part of the one-time password / hardware security token solution.

3) Reports / usage statistics

We would like to have reporting capabilities on usage statistics of our remote access VPN users, such as the number of remote access VPN users signed on over a period of time, the number of sign-ons by a particular user over a period of time, the max. number of concurrent users, the max. duration of connections, etc.

Would you please advise on a solution?

Question by:hanym
1 Comment

Accepted Solution

by: Rich Rumble (earned 250 total points)
ID: 16954538
The Cisco ASA device is in effect an intrusion prevention system for your VPN users. It uses Trend Micro's antivirus, which is signature-based, looking for all KNOWN viri (spyware detection may be in there too) and blocking them, as well as having a firewall built in to block "typical" virus-like activities. There is some URL filtering available as well, if you have the Anti-X edition I suppose.

With a VPN, all data that goes to/from the client to/from the network is encrypted once authenticated. The ASA adds the "behaviour" and AV/spyware signature detection, to keep those pesky PCs that can't be updated as often, or be as trusted as a LAN PC might be, from doing much damage.

I personally don't feel that the authentication to the VPN is a weak point on our 3000 series concentrator: we have a secure certificate that is distributed in our installer, a non-default listening port, and we have bound the client src port, and the ACS server ties in well with AD. The VPN also has a firewall in front of it; unless data is sent from a certain src port to a certain destination port, any other data is dropped. Pings and port sweeps don't work, unless someone knew the src port they needed to bind to. Even then, they have to have our cert in their VPN client software to even attempt to authenticate to the ACS server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_white_paper0900aecd80220a0b.shtml

The biggest threat I feel is machines that aren't "under our control", like a user's home PC they bought from Best Buy and have the VPN installed on... the ASA might be a useful tool to have around. Or work-issued laptops that spend weeks or more on the road, and scheduled updates are being made, such as AV and M$ updates.

As far as the logging, I'm sure Cisco has an overpriced log parser that someone could write for free if they haven't already. Our 3030 keeps very detailed logs and we could have them parsed automatically with Perl very easily; there may be tools for this already also.

The ASA would be a good defense against spyware/viri that are known, but a hacker who gains access to a PC wouldn't be stopped by that alone. Best practices, and an alternate browser, have cut down on our IT/Helpdesk calls 10-fold. http://www.xinn.org/win_bestpractices.html
I'm sorry I've not answered your question completely; at the bottom of this link is some great reading about "one-time pads" as they call them:
http://www.schneier.com/crypto-gram-0210.html
-rich
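The usage figures asked for in item 3 of the question (users signed on over a period, sign-ons per user, peak concurrent users, longest connection) can all be derived from login/logout events in the VPN log, which is the kind of automatic parsing the answer above mentions. The following is an added example and is not code from the question, the answer, Cisco or Microsoft: the log-line format and the sample lines are constructed for it, and the function names are this example's own. It pairs each logout with the user's most recent open login, keeps sessions that are still open when the log ends, and computes peak concurrency with a sweep that releases a slot before allocating one when a logout and a login share a timestamp.

```python
"""Usage statistics from VPN login/logout events (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample data; this is NOT the real ASA or IAS log format.
SAMPLE_LOG = """\
2006-06-12 08:00:00 user=alice action=login
2006-06-12 08:30:00 user=bob action=login
2006-06-12 09:00:00 user=alice action=logout
2006-06-12 09:15:00 user=carol action=login
2006-06-12 10:00:00 user=bob action=logout
2006-06-12 12:00:00 user=carol action=logout
2006-06-13 07:45:00 user=alice action=login
2006-06-13 08:00:00 user=bob action=login
2006-06-13 08:10:00 user=dave action=login
2006-06-13 08:20:00 user=alice action=logout
2006-06-13 16:00:00 user=bob action=logout
2006-06-13 16:30:00 user=dave action=logout
2006-06-13 17:00:00 user=erin action=login
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(\S+) action=(login|logout)$"
)


@dataclass
class Session:
    user: str
    start: datetime
    end: Optional[datetime]  # None: still connected when the log ends


def parse_sessions(text: str) -> List[Session]:
    """Pair each logout with that user's most recent open login."""
    open_logins: Dict[str, List[datetime]] = defaultdict(list)
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a session event; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        user, action = m.group(2), m.group(3)
        if action == "login":
            open_logins[user].append(ts)
        elif open_logins[user]:
            sessions.append(Session(user, open_logins[user].pop(), ts))
        # a logout with no open login (log began mid-session) is dropped
    for user, starts in open_logins.items():
        sessions.extend(Session(user, ts, None) for ts in starts)
    sessions.sort(key=lambda s: s.start)
    return sessions


def in_period(sessions: List[Session], start: str, end: str) -> List[Session]:
    """Sessions whose login fell in [start, end); bounds given as 'YYYY-MM-DD'."""
    lo = datetime.strptime(start, "%Y-%m-%d")
    hi = datetime.strptime(end, "%Y-%m-%d")
    return [s for s in sessions if lo <= s.start < hi]


def distinct_users(sessions: List[Session]) -> int:
    return len({s.user for s in sessions})


def signons_per_user(sessions: List[Session]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for s in sessions:
        counts[s.user] += 1
    return dict(counts)


def max_concurrent(sessions: List[Session]) -> int:
    """Peak number of simultaneous sessions (sweep over login/logout events)."""
    events = []
    for s in sessions:
        events.append((s.start, +1))
        if s.end is not None:
            events.append((s.end, -1))
    events.sort()  # at equal timestamps -1 sorts first: a logout frees a slot before a login
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def longest_session_minutes(sessions: List[Session]) -> Optional[Tuple[str, int]]:
    """(user, minutes) of the longest completed session; open sessions are excluded."""
    done = [s for s in sessions if s.end is not None]
    if not done:
        return None
    s = max(done, key=lambda s: s.end - s.start)
    return s.user, int((s.end - s.start).total_seconds() // 60)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for label, subset in (("2006-06-12", in_period(sessions, "2006-06-12", "2006-06-13")),
                          ("whole log", sessions)):
        print(f"[{label}] users={distinct_users(subset)} signons={signons_per_user(subset)} "
              f"peak={max_concurrent(subset)} longest={longest_session_minutes(subset)}")
```

Feeding real logs only requires replacing `LINE_RE` and the timestamp format with those of the device actually producing the events; the statistics functions work on the parsed sessions alone. Note that the still-open session for `erin` counts toward sign-ons and concurrency but is left out of the longest-session figure, since its duration is unknown.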