
  • Status: Solved
  • Priority: Medium
  • Security: Public

How to authenticate people ... and make sure of identity. (500 Points)

Hi Gents,
I need your help... I have a portal and many people will log in to it. I allow some range of IPs. The problem now is if my customers try to log in from a public area outside the allowed IP ranges.
How do I allow them to log in and at the same time make sure that the users will not share the same account or give it to their friends?

1 Solution
The best option for VPN authentication is a 2-factor solution. Meaning that the end user must produce 2 items in order to get authenticated.

Usually this is "Something they have and Something they know".  

An example 2-factor setup could use an RSA SecurID solution. The SecurID is a device that creates a new 6-digit number every 60 seconds. The end user must provide the current 6-digit number (something they have) along with a password (something they know).

This eliminates using IP ranges as a method to authenticate which IMHO is not secure at all.    

You could also use a mix of passwords, certificates, Secure Desktop registry checks... just off the top of my head.

Here's some reading to get you started:
besmile4ever (Author) Commented:
You mean giving the person who will log in from outside the IP ranges... giving him a username/password with RSA access?
besmile4ever (Author) Commented:
For example, I would like to know how the international online encyclopedia libraries work for private access or people.
As far as I know, they allow access based on IP ranges and also allow personal access?
Can I know how they implement it?
Well, I have no idea what that company does for security.    But whatever the details might be, most companies follow the same theory and standards.    How you implement those standards is up to you, your company, and your budget.  

Having the source IP as the only method of authenticating a VPN is not a good idea IMHO.
besmile4ever (Author) Commented:
Any other comments pls?
Just remember that:

Financial entities have regulatory requirements to use at least 2 factor authentication and 2 sets of firewalls from 2 vendors on the perimeter.    

Most companies I've seen use an LDAP lookup for ID/PW authentication to VPN.  

There are other options (i.e. certificates) that would also provide more-than-adequate measures.

Using just the IP of a remote machine is extremely insecure IMHO, since you are not verifying the person at the other end.

Do your users need to be able to access the website via any system?

An option would be to configure username + password authentication, and log the IP address they log in from. Your website could be configured to restrict the maximum number of IPs a user can log in from to prevent users from sharing their accounts with other users.

Allowing the users to customise those IP ranges themselves in their user profiles would save you some administration effort.
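
The per-account IP limit suggested in the comment above, sketched as an added example (not code from the thread or from any product mentioned in it). The class name, the limit of 2 addresses, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict


class LoginSourceLimiter:
    """Limit the distinct source IPs per account inside a sliding window."""

    def __init__(self, max_ips=2, window_seconds=86400):
        self.max_ips = max_ips
        self.window = window_seconds
        self.seen = defaultdict(dict)     # user -> {ip: last_seen_epoch}
        self.trusted = defaultdict(list)  # user -> networks from the profile

    def add_trusted_range(self, user, cidr):
        # A range the user registered in their profile (hypothetical feature).
        self.trusted[user].append(ipaddress.ip_network(cidr, strict=False))

    def check_login(self, user, ip, now):
        """Call after the password check succeeds; returns (allowed, reason)."""
        addr = ipaddress.ip_address(ip)   # raises ValueError on a bad address
        if any(addr in net for net in self.trusted[user]):
            return True, "trusted-range"
        recent = self.seen[user]
        # Forget addresses that have not been used within the window.
        for old in [a for a, t in recent.items() if now - t > self.window]:
            del recent[old]
        if addr in recent or len(recent) < self.max_ips:
            recent[addr] = now
            return True, "within-limit"
        return False, "too-many-source-ips"


def demo():
    # Constructed sample events: (user, source IP, epoch seconds).
    events = [
        ("alice", "203.0.113.10", 0),
        ("alice", "203.0.113.10", 100),   # same address again
        ("alice", "198.51.100.7", 200),   # second distinct address
        ("alice", "192.0.2.55", 300),     # third distinct address -> denied
        ("alice", "10.1.2.3", 400),       # inside her registered range
        ("alice", "192.0.2.55", 90000),   # older entries have expired
    ]
    lim = LoginSourceLimiter(max_ips=2, window_seconds=86400)
    lim.add_trusted_range("alice", "10.0.0.0/8")
    return [lim.check_login(u, ip, t) for u, ip, t in events]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Users on mobile carriers or behind shared NAT change or share addresses, so a denial here is better treated as a trigger for review or a second factor than as proof of account sharing.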
Agreed, two factor authentication and not using the ip address.  

As far as guaranteeing users do not give it out to friends, well, that's pretty hard to do. But the best is with SecurID keys - the ones that change every 10 seconds. Another version of two-factor is a certificate plus a password. The certificate can be put on any machine so it doesn't limit you to an IP range. The problem is then that the certificate can be distributed anywhere to any machine.

besmile4ever (Author) Commented:
Many thanks..
