Authentication

Posted on 2006-06-17
Last Modified: 2013-11-16
We are investigating using Microsoft Internet Authentication Server (IAS) to authenticate our remote access VPN users coming in to our Cisco Adaptive Security Appliance (ASA). Based on what we have seen so far, we find the shortcomings listed below in using MS IAS as the authentication server. However, we understand that the SafeWord RemoteAccess solution can integrate with MS IAS and address all or some of the shortcomings below.

1) One-time password with security token

We feel that a normal AD user account and password for remote access VPN users is not sufficient. Hence, we are considering enhancing the authentication of our remote access VPN users with a one-time password solution in the form of small hardware-based security tokens.

2) Duration based remote access permission

We have a need to grant our travelling users a predetermined but flexible duration of remote access. We would like to set the end (or expiry) date for some users at the point of granting remote VPN access permission. This can either be an MS IAS integrated solution or one that is part of the one-time password / hardware security token solution.

3) Reports / usage statistics

We would like to have reporting capabilities on usage statistics of our remote access VPN users, such as the number of remote access VPN users signed on over a period of time, the number of sign-ons by a particular user over a period of time, the maximum number of concurrent users, the maximum duration of connections, etc.

Would you please advise on a solution?

Question by: hanym
1 Comment

Accepted Solution by: Rich Rumble (LVL 38, earned 750 total points)
ID: 16954538
The Cisco ASA device is in effect an intrusion prevention system for your VPN users. It uses Trend Micro's antivirus, which is signature based, looking for all KNOWN viruses (spyware detection may be in there too) and blocking them, as well as having a firewall built in to block "typical" virus-like activities. There is some URL filtering available as well, if you have the Anti-X edition I suppose.

With a VPN, all data that goes to/from the client to/from the network is encrypted once authenticated. The ASA adds the "behaviour" and AV/spyware signature detection, to keep those pesky PCs that can't be updated as often, or aren't as trusted as a LAN PC might be, from doing much damage.

I personally don't feel that the authentication to the VPN is a weak point on our 3000 series concentrator: we have a secure certificate that is distributed in our installer, a non-default listening port, and we have bound the client src port, and the ACS server ties in well with AD. The VPN also has a firewall in front of it; unless data is sent from a certain src port to a certain destination port, any other data is dropped. Pings and port sweeps don't work, unless someone knew the src port they needed to bind to. Even then, they have to have our cert in their VPN client software to even attempt to authenticate to the ACS server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_white_paper0900aecd80220a0b.shtml

The biggest threat I feel is machines that aren't "under our control", like a user's home PC they bought from Best Buy and have the VPN installed on... the ASA might be a useful tool to have around. Or work-issued laptops that spend weeks or more on the road, and scheduled updates are being made, such as AV and M$ updates.

As far as the logging, I'm sure Cisco has an overpriced log parser that someone could write for free if they haven't already. Our 3030 keeps very detailed logs and we could have them parsed automatically with Perl very easily; there may be tools for this already also.

The ASA would be a good defense against spyware/viruses that are known, but a hacker who gains access to a PC wouldn't be stopped by that alone. Best practices, and an alternate browser, have cut down on our IT/Helpdesk calls 10 fold. http://www.xinn.org/win_bestpractices.html
I'm sorry I've not answered your question completely; at the bottom of this link is some great reading about "one-time pads", as they call them:
http://www.schneier.com/crypto-gram-0210.html
-rich
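Item 3 of the question asks for usage statistics, and the answer suggests parsing the concentrator's own logs rather than buying a reporting product. As an added example that is not part of the original question or answer, the script below derives exactly those figures (distinct users, sign-ons per user, maximum concurrent sessions, longest session) from RADIUS accounting Start/Stop records. The record layout and the sample lines are constructed for illustration; a real IAS or ASA accounting log uses its own field layout, so `parse_record` is the only part that would need adapting. It also handles the edge case a reporting window creates: a Stop whose Start fell before the window still counts toward session length but never drives the concurrency counter negative.

```python
"""Usage statistics from RADIUS accounting records (added example).

The records below are CONSTRUCTED for this example in a simplified
"timestamp,Attr=value,..." layout using standard RADIUS accounting
attribute names.  Real IAS / ASA accounting logs differ in layout;
adapt parse_record() to the real format.
"""
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
2006-06-17 08:00:00,User-Name=alice,Acct-Status-Type=Start,Acct-Session-Id=s1
2006-06-17 08:05:00,User-Name=bob,Acct-Status-Type=Start,Acct-Session-Id=s2
2006-06-17 08:30:00,User-Name=alice,Acct-Status-Type=Stop,Acct-Session-Id=s1,Acct-Session-Time=1800
2006-06-17 09:00:00,User-Name=carol,Acct-Status-Type=Start,Acct-Session-Id=s3
2006-06-17 09:10:00,User-Name=alice,Acct-Status-Type=Start,Acct-Session-Id=s4
2006-06-17 10:00:00,User-Name=bob,Acct-Status-Type=Stop,Acct-Session-Id=s2,Acct-Session-Time=6900
2006-06-17 10:30:00,User-Name=carol,Acct-Status-Type=Stop,Acct-Session-Id=s3,Acct-Session-Time=5400
2006-06-17 11:00:00,User-Name=alice,Acct-Status-Type=Stop,Acct-Session-Id=s4,Acct-Session-Time=6600
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_record(line):
    """Split one constructed record into (timestamp, {attribute: value})."""
    ts_text, *attrs = line.split(",")
    fields = dict(a.split("=", 1) for a in attrs)
    return datetime.strptime(ts_text, TS_FMT), fields


def usage_stats(log_text, period_start=None, period_end=None):
    """Compute the statistics asked for in the question over a time window.

    period_start / period_end are optional "YYYY-MM-DD HH:MM:SS" strings.
    """
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    if period_start:
        start = datetime.strptime(period_start, TS_FMT)
        records = [r for r in records if r[0] >= start]
    if period_end:
        end = datetime.strptime(period_end, TS_FMT)
        records = [r for r in records if r[0] <= end]
    # Sort by time; at equal timestamps process Stop before Start so a
    # session ending and another beginning at the same instant don't overlap.
    records.sort(key=lambda r: (r[0], r[1].get("Acct-Status-Type") == "Start"))

    users_seen = set()
    signons = Counter()          # sign-ons per user (Start records)
    open_sessions = {}           # Acct-Session-Id -> user, for sessions we saw start
    active = 0
    max_active = 0
    max_duration = 0
    longest_user = None

    for ts, f in records:
        user = f.get("User-Name", "?")
        sid = f.get("Acct-Session-Id")
        kind = f.get("Acct-Status-Type")
        users_seen.add(user)
        if kind == "Start":
            signons[user] += 1
            open_sessions[sid] = user
            active += 1
            max_active = max(max_active, active)
        elif kind == "Stop":
            # A Stop whose Start predates the window is not an open session:
            # count its length, but do not let the concurrency count go negative.
            if sid in open_sessions:
                del open_sessions[sid]
                active -= 1
            duration = int(f.get("Acct-Session-Time", 0))
            if duration > max_duration:
                max_duration, longest_user = duration, user

    return {
        "distinct_users": len(users_seen),
        "total_signons": sum(signons.values()),
        "signons_per_user": dict(signons),
        "max_concurrent": max_active,
        "max_session_seconds": max_duration,
        "longest_session_user": longest_user,
        # Sessions with a Start but no Stop inside the window: still connected
        # (or the Stop record was lost, which is worth alerting on).
        "still_connected": sorted(open_sessions.values()),
    }


if __name__ == "__main__":
    for key, value in usage_stats(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("from 09:05 on:", usage_stats(SAMPLE_LOG, period_start="2006-06-17 09:05:00"))
```

On the sample data the full-day report shows three users, four sign-ons, a peak of three concurrent sessions (09:10 to 10:00) and a longest session of 6900 seconds; restricting the window to 09:05 onward still reports that longest session from bob's Stop record, but the peak concurrency drops to one, because only alice's second session both starts and ends inside the window. Feeding the same routine the Stop records from an ASA or the IAS accounting log is what turns the "overpriced log parser" into a few lines of your own.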
