Authentication

Posted on 2006-06-17
Last Modified: 2013-11-16
We are investigating using Microsoft Internet Authentication Server (IAS) to authenticate our remote access VPN users coming in to our Cisco Adaptive Security Appliance (ASA). Based on what we have seen so far, we find the shortcomings listed below in using MS IAS as the authentication server. However, we understand that the SafeWord RemoteAccess solution can integrate with MS IAS and address all or some of these shortcomings.

1) One-time password with security token

We feel that a normal AD user account and password for remote access VPN users is not sufficient. Hence, we are considering enhancing the authentication of our remote access VPN users with a one-time password solution in the form of small hardware-based security tokens.

2) Duration based remote access permission

We have a need to grant our travelling users a predetermined but flexible duration of remote access. We would like to set the end (or expiry) date for some users at the point of granting remote VPN access permission. This can either be an MS IAS integrated solution or one that is part of the one-time password / hardware security token solution.

3) Reports / usage statistics

We would like to have reporting capabilities on usage statistics of our remote access VPN users, such as the number of remote access VPN users signed on over a period of time, the number of sign-ons by a particular user over a period of time, the max. number of concurrent users, the max. duration of connections, etc.

Would you please advise on a solution?

Question by: hanym
Accepted Solution by: Rich Rumble
The Cisco ASA device is in effect an intrusion prevention system for your VPN users. It uses Trend Micro's antivirus, which is signature based, looking for all KNOWN viri (spyware detection may be in there too) and blocking them, as well as having a firewall built in to block "typical" virus-like activities. There is some URL filtering available as well, if you have the Anti-X edition I suppose.

With a VPN, all data that goes to/from the client to/from the network is encrypted once authenticated. The ASA adds the "behaviour" and AV/spyware signature detection, to keep those pesky PCs that can't be updated as often, or aren't as trusted as a LAN PC might be, from doing much damage.

I personally don't feel that the authentication to the VPN is a weak point on our 3000 series concentrator: we have a secure certificate that is distributed in our installer, a non-default listening port, we have bound the client src port, and the ACS server ties in well with AD. The VPN also has a firewall in front of it; unless data is sent from a certain src port to a certain destination port, any other data is dropped. Pings and port sweeps don't work unless someone knew the src port they needed to bind to. Even then, they have to have our cert in their VPN client software to even attempt to authenticate to the ACS server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_white_paper0900aecd80220a0b.shtml

The biggest threat I feel is machines that aren't "under our control", like a user's home PC they bought from Best Buy and have the VPN installed on... the ASA might be a useful tool to have around. Or work-issued laptops that spend weeks or more on the road, and scheduled updates are being made, such as AV and M$ updates.

As far as the logging, I'm sure Cisco has an overpriced log parser that someone could write for free if they haven't already. Our 3030 keeps very detailed logs and we could have them parsed automatically with Perl very easily; there may be tools for this already also.

The ASA would be a good defense against spyware/viri that are known, but a hacker who gains access to a PC wouldn't be stopped by that alone. Best practices and an alternate browser have cut down on our IT/Helpdesk calls 10 fold. http://www.xinn.org/win_bestpractices.html
I'm sorry I've not answered your question completely, at the bottom of this link is some great reading about "one-time pads" as they call them:
http://www.schneier.com/crypto-gram-0210.html
-rich
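The usage statistics asked for under item 3 (users signed on, sign-ons per user, max. concurrent users, max. connection duration) can be derived from RADIUS accounting Start/Stop records, which is the kind of automatic log parsing the answer mentions. This is an added example, not code from the question, the answer or any Cisco or Microsoft product; the comma-separated layout and every session value are constructed for the example and are not real IAS output.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of RADIUS accounting records. The field order
# (timestamp, User-Name, Acct-Status-Type, Acct-Session-Id) is an
# assumption for this example, not the real IAS log format.
SAMPLE_LOG = """\
2006-06-12 08:02:11,alice,Start,s1001
2006-06-12 08:05:40,bob,Start,s1002
2006-06-12 09:30:02,alice,Stop,s1001
2006-06-12 10:00:00,carol,Start,s1003
2006-06-12 11:15:30,bob,Stop,s1002
2006-06-12 11:20:00,alice,Start,s1004
2006-06-12 12:00:00,carol,Stop,s1003
2006-06-12 12:01:00,alice,Stop,s1004
2006-06-12 13:00:00,dave,Start,s1005
"""

def parse_records(text):
    """Turn the log text into (timestamp, user, status, session_id) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, status, sid = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, status, sid))
    return records

def usage_stats(records):
    """Walk the records in time order, pairing each Stop with its Start."""
    sign_ons = Counter()
    open_sessions = {}          # session id -> (user, start time)
    concurrent = max_concurrent = max_duration = 0
    for ts, user, status, sid in sorted(records):
        if status == "Start":
            sign_ons[user] += 1
            open_sessions[sid] = (user, ts)
            concurrent += 1
            max_concurrent = max(max_concurrent, concurrent)
        elif status == "Stop" and sid in open_sessions:
            _, started = open_sessions.pop(sid)
            concurrent -= 1
            max_duration = max(max_duration, int((ts - started).total_seconds()))
    return {
        "distinct_users": len(sign_ons),
        "sign_ons_per_user": dict(sign_ons),
        "max_concurrent": max_concurrent,
        "max_duration_seconds": max_duration,
        # Sessions with a Start but no Stop: still open, or a lost record
        "unterminated_sessions": sorted(open_sessions),
    }

if __name__ == "__main__":
    print(usage_stats(parse_records(SAMPLE_LOG)))
```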