  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 922

Authentication

We are investigating using Microsoft Internet Authentication Server (IAS) to authenticate our remote access vpn users coming in to our Cisco Adaptive Security Appliance (ASA). Based on what we have seen so far, we find the shortcomings listed below in using MS IAS as an authentication server. However, we understand that the SafeWord RemoteAccess solution can integrate with MS IAS and address all/some of the shortcomings below.

1) One-time password with security token

We feel that a normal AD user account and password for remote access vpn users is not sufficient. Hence, we are considering enhancing the authentication of our remote access vpn users with a one-time password solution in the form of small hardware-based security tokens.


2) Duration based remote access permission

We have a need to grant our travelling users a predetermined but flexible duration of remote access. We would like to set the end (or expiry) date for some users at the point of granting remote vpn access permission. This can either be an MS IAS integrated solution or one that is part of the one-time password / hardware security token solution.


3) Reports / usage statistics

We would like to have reporting capabilities on usage statistics of our remote access vpn users, such as the number of remote access vpn users signed on over a period of time, the number of sign-ons by a particular user over a period of time, the max. number of concurrent users, the max. duration of connections, etc.

Would you please advise on a solution?


Asked by: hanym

1 Solution

Rich Rumble (Security Samurai) commented:
The Cisco ASA device is in effect an intrusion prevention system for your vpn users. It uses Trend Micro's antivirus, which is signature based, looking for all KNOWN viri (spyware detection may be in there too) and blocking them, as well as having a firewall built-in to block "typical" virus-like activities. There is some url filtering available as well, if you have the Anti-X edition I suppose.

With a VPN, all data that goes to/from the client to/from the network is encrypted once authenticated. The ASA adds the "behaviour" and AV/spyware signature detection, to keep those pesky PCs that can't be updated as often, or trusted as much as a LAN pc might be, from doing much damage.

I personally don't feel that the authentication to the VPN is a weak point on our 3000 series concentrator: we have a secure certificate that is distributed in our installer, a non-default listening port, we have bound the client src port, and the ACS server ties in well with AD. The VPN also has a firewall in front of it; unless data is sent from a certain src port to a certain destination port, any other data is dropped. Pings and port sweeps don't work, unless someone knew the src port they needed to bind to. Even then, they have to have our cert in their vpn client software to even attempt to authenticate to the ACS server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_white_paper0900aecd80220a0b.shtml

The biggest threat I feel is machines that aren't "under our control", like a user's home pc they bought from Best Buy and have the VPN installed on... the ASA might be a useful tool to have around. Or work-issued laptops that spend weeks or more on the road, and scheduled updates are being made, such as AV and M$ updates.

As far as the logging, I'm sure Cisco has an overpriced log parser that someone could write for free if they haven't already. Our 3030 keeps very detailed logs and we could have them parsed automatically with perl very easily; there may be tools for this already also.

The ASA would be a good defense against spyware/viri that are known, but a hacker who gains access to a pc wouldn't be stopped by that alone. Best practices, and an alternate browser, have cut down on our IT/Helpdesk calls 10 fold. http://www.xinn.org/win_bestpractices.html
I'm sorry I've not answered your question completely; at the bottom of this link is some great reading about "one-time pads" as they call them:
http://www.schneier.com/crypto-gram-0210.html
-rich
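The usage statistics the question asks for (sign-ons per user, peak concurrent users, longest session) can be derived from session start/end events in the VPN logs, as the answer suggests. The following is an added example, not code from the thread; the log format is constructed for illustration, not real ASA or IAS syslog output, and would be replaced by a parser for your own device's message format.

```python
# Added example: usage statistics from constructed VPN session log lines.
# The "ts EVENT user=<name>" format is invented here; adapt parse_events()
# to the real ASA/IAS message format before use.
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2008-03-01 08:00:00 SESSION_START user=alice
2008-03-01 08:05:00 SESSION_START user=bob
2008-03-01 08:30:00 SESSION_END user=alice
2008-03-01 09:00:00 SESSION_START user=carol
2008-03-01 09:10:00 SESSION_START user=alice
2008-03-01 11:00:00 SESSION_END user=bob
2008-03-01 12:00:00 SESSION_END user=carol
2008-03-01 12:30:00 SESSION_END user=alice
"""

def parse_events(text):
    """Return (timestamp, event, user) tuples sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("user="):
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2], parts[3][5:]))
    events.sort(key=lambda e: e[0])
    return events

def usage_stats(text):
    """Sign-ons per user, peak concurrency and longest completed session."""
    signons = Counter()
    active = defaultdict(list)       # user -> start times of sessions still open
    current = max_concurrent = max_duration = 0
    for ts, event, user in parse_events(text):
        if event == "SESSION_START":
            signons[user] += 1
            active[user].append(ts)
            current += 1
            max_concurrent = max(max_concurrent, current)
        elif event == "SESSION_END" and active[user]:
            start = active[user].pop(0)  # close the oldest open session for the user
            current -= 1
            max_duration = max(max_duration, int((ts - start).total_seconds()))
    return {
        "distinct_users": len(signons),
        "signons_per_user": dict(signons),
        "max_concurrent": max_concurrent,
        "max_duration_seconds": max_duration,
        "unterminated_sessions": sum(len(v) for v in active.values()),
    }
```

Sessions with a start but no end are counted separately rather than silently dropped, since a gap in the log is itself worth reporting.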