Solved

Authentication

Posted on 2006-06-17
915 Views
Last Modified: 2013-11-16
We are investigating using Microsoft Internet Authentication Server (IAS) to authenticate our remote access VPN users coming in to our Cisco Adaptive Security Appliance (ASA). Based on what we have seen so far, we find the shortcomings listed below in using MS IAS as the authentication server. However, we understand that the SafeWord RemoteAccess solution can integrate with MS IAS and address all/some of the shortcomings below.

1) One-time password with security token

We feel that a normal AD user account and password for remote access VPN users is not sufficient. Hence, we are considering enhancing the authentication of our remote access VPN users with a one-time password solution in the form of small hardware-based security tokens.

 

2) Duration based remote access permission

We have a need to grant our travelling users a predetermined but flexible duration of remote access. We would like to set the end (or expiry) date for some users at the point of granting remote VPN access permission. This can either be an MS IAS integrated solution or one that is part of the one-time password / hardware security token solution.

 

3) Reports / usage statistics

We would like to have reporting capabilities on usage statistics of our remote access VPN users, such as the number of remote access VPN users signed on over a period of time, the number of sign-ons by a particular user over a period of time, the max. number of concurrent users, the max. duration of connections, etc.

Would you please advise on a solution?

 

Question by:hanym
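Added worked example (not part of hanym's question, and not SafeWord's or IAS's own logic): a RADIUS-style authentication check that covers points 1 and 2 above together, validating a counter-based hardware-token one-time password (HOTP, RFC 4226) and enforcing a per-user remote access expiry date. The look-ahead window of 5, the user table, the token seeds (the first is the RFC 4226 test-vector secret) and the expiry dates are assumptions constructed for the example.

```python
"""Added example: one-time password (HOTP, RFC 4226) plus per-user access
expiry date, the two checks an IAS/SafeWord-style back end would perform
before returning Access-Accept to the ASA. Illustrative only; the seeds,
dates and look-ahead window below are constructed assumptions."""
import hmac
import hashlib
import struct
from datetime import date

LOOK_AHEAD = 5  # assumption: token presses the server tolerates beyond its counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit number, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def fresh_users():
    """Constructed user table: token seed, server-side counter, access expiry.
    (alice's seed is the RFC 4226 test-vector secret; bob's is made up.)"""
    return {
        "alice": {"seed": b"12345678901234567890", "counter": 0,
                  "expires": date(2006, 7, 31)},
        "bob":   {"seed": b"ABCDEFGHIJKLMNOPQRST", "counter": 0,
                  "expires": date(2006, 6, 1)},
    }


USERS = fresh_users()


def authenticate(username: str, otp: str, today: str, users=USERS):
    """Return (accepted, reason). `today` is an ISO date string.
    The expiry check runs before the OTP check, so an expired user is
    refused even with a valid token. The counter is advanced only on
    success and only forward, so a replayed code (counter already passed)
    and a code beyond the look-ahead window are both rejected."""
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    if date.fromisoformat(today) > user["expires"]:
        return False, "remote access expired on %s" % user["expires"].isoformat()
    # Constant-time compare against every counter in the look-ahead window.
    for c in range(user["counter"], user["counter"] + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(user["seed"], c), otp):
            user["counter"] = c + 1  # next valid press must be beyond this one
            return True, "ok"
    return False, "bad one-time password"


if __name__ == "__main__":
    table = fresh_users()
    print(authenticate("alice", hotp(table["alice"]["seed"], 0), "2006-06-17", table))
    print(authenticate("alice", hotp(table["alice"]["seed"], 0), "2006-06-17", table))  # replay
    print(authenticate("bob", hotp(table["bob"]["seed"], 0), "2006-06-17", table))      # expired
```

The expiry date lives in the same record as the token seed, so revoking a traveller's access is a one-field change regardless of whether the token itself still works; a real deployment would keep the counter in durable storage and rate-limit failed attempts, since a 6-digit code is brute-forceable without a lockout.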
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 16954538
The Cisco ASA device is in effect an intrusion prevention system for your VPN users. It uses Trend Micro's antivirus, which is signature-based, looking for all KNOWN viruses (spyware detection may be in there too) and blocking them, as well as having a firewall built in to block "typical" virus-like activities. There is some URL filtering available as well, if you have the Anti-X edition I suppose.

With a VPN, all data is encrypted that goes to/from the client to/from the network once authenticated. The ASA adds the "behaviour" and AV/spyware signature detection, to keep those pesky PCs that can't be updated as often, or aren't as trusted as a LAN PC might be, from doing much damage.

I personally don't feel that the authentication to the VPN is a weak point on our 3000 series concentrator: we have a secure certificate that is distributed in our installer, a non-default listening port, and we have bound the client src port, and the ACS server ties in well with AD. The VPN also has a firewall in front of it; unless data is sent from a certain src port to a certain destination port, any other data is dropped. Pings and port sweeps don't work, unless someone knew the src port they needed to bind to. Even then, they have to have our cert in their VPN client software to even attempt to authenticate to the ACS server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_white_paper0900aecd80220a0b.shtml

The biggest threat I feel is machines that aren't "under our control", like a user's home PC they bought from Best Buy and have the VPN installed on... the ASA might be a useful tool to have around. Or work-issued laptops that spend weeks or more on the road, and scheduled updates are being made, such as AV and M$ updates.

As far as the logging, I'm sure Cisco has an overpriced log parser that someone could write for free if they haven't already. Our 3030 keeps very detailed logs and we could have them parsed automatically with Perl very easily; there may be tools for this already also.

The ASA would be a good defense against spyware/viruses that are known, but a hacker who gains access to a PC wouldn't be stopped by that alone. Best practices, and an alternate browser, have cut down on our IT/Helpdesk calls 10 fold. http://www.xinn.org/win_bestpractices.html
I'm sorry I've not answered your question completely, at the bottom of this link is some great reading about "one-time pads" as they call them:
http://www.schneier.com/crypto-gram-0210.html
-rich
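Added worked example (not code from the question or from Rich's answer, and not any Cisco or Microsoft tool) illustrating point 3 of the question and the answer's remark that the concentrator's accounting logs can be parsed automatically: it builds the requested usage statistics (users signed on in a period, sign-ons per user, peak concurrent sessions, longest session) from RADIUS-style Start/Stop accounting records. The record layout and the sample lines are constructed for this example; the real IAS log file or ASA syslog format needs its own `parse_record()`.

```python
"""Added example: usage statistics from VPN accounting records.
The "timestamp Acct-Status-Type=... User-Name=... Acct-Session-Id=..."
line format and the sample lines are constructed for this example; they
are not the IAS or ASA log format."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: s1-s3 are complete Start/Stop pairs; s4 and s5
# (alice signed on twice) have no Stop yet, i.e. still connected.
SAMPLE_LOG = """\
2006-06-12 08:00:00 Acct-Status-Type=Start User-Name=alice Acct-Session-Id=s1
2006-06-12 08:30:00 Acct-Status-Type=Start User-Name=bob Acct-Session-Id=s2
2006-06-12 09:00:00 Acct-Status-Type=Start User-Name=carol Acct-Session-Id=s3
2006-06-12 09:15:00 Acct-Status-Type=Stop User-Name=bob Acct-Session-Id=s2
2006-06-12 12:00:00 Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=s1
2006-06-12 18:00:00 Acct-Status-Type=Stop User-Name=carol Acct-Session-Id=s3
2006-06-13 07:00:00 Acct-Status-Type=Start User-Name=alice Acct-Session-Id=s4
2006-06-13 07:30:00 Acct-Status-Type=Start User-Name=alice Acct-Session-Id=s5
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")


def parse_record(line: str):
    """Parse one constructed record into a dict of attributes plus 'timestamp';
    return None for lines that don't match (blank lines, unrelated syslog)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(2).split())
    attrs["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return attrs


def usage_stats(log_text: str, start: str, end: str) -> dict:
    """Statistics for sessions that STARTED within [start, end] (ISO strings).
    Sessions without a Stop record count toward concurrency (they are still
    up) but are excluded from the duration figure rather than guessed."""
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    sessions = {}  # Acct-Session-Id -> {user, start, stop}
    for rec in (parse_record(l) for l in log_text.splitlines()):
        if rec is None:
            continue
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = {"user": rec["User-Name"], "start": rec["timestamp"], "stop": None}
        elif rec["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["stop"] = rec["timestamp"]

    in_window = [s for s in sessions.values() if start_dt <= s["start"] <= end_dt]
    signons = Counter(s["user"] for s in in_window)

    # Peak concurrency: sweep +1/-1 events in time order. A Stop (-1) sorts
    # before a Start (+1) at the same instant, so back-to-back sessions are
    # not double counted.
    events = []
    for s in in_window:
        events.append((s["start"], 1))
        if s["stop"] is not None:
            events.append((s["stop"], -1))
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)

    durations = [(s["stop"] - s["start"]).total_seconds() for s in in_window if s["stop"]]
    return {
        "distinct_users": len(signons),
        "signons_per_user": dict(signons),
        "total_signons": sum(signons.values()),
        "peak_concurrent": peak,
        "max_duration_s": max(durations) if durations else 0,
        "still_open": sum(1 for s in in_window if s["stop"] is None),
    }


if __name__ == "__main__":
    for k, v in usage_stats(SAMPLE_LOG, "2006-06-12T00:00:00", "2006-06-13T23:59:59").items():
        print("%-18s %s" % (k, v))
```

Keying on the accounting session id rather than the user name is what makes the "same user signed on twice" case come out right, and it is also the field to correlate with the firewall's own connection logs when an incident needs a session traced back to a login.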