Solved

RSA SecurID appliance network placement

Posted on 2010-08-28
5
1,566 Views
Last Modified: 2012-05-10
A customer has purchased dual RSA SecurID Appliance 130's, which will be used to authenticate remote users via hard and soft tokens. I'm looking for design recommendations on where the RSA appliances should be positioned - specifically, should they be in the network DMZ w/ public IP addresses, hidden behind a static NAT firewall, or something else altogether?

Pretty basic/simple question (I trust), and supporting documentation is always helpful.

Thank you!
0
Comment
Question by:cfan73
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 10

Expert Comment

by:t_hungate
ID: 33551312
This really depends on how you are wanting to use the device.

Is it for authentication of web based access, internal, or remote via VPN? Maybe all the above.

I have messed around with a 130, and the setup and config was very simple and straight forward.  I think that RSA broke it down to 6 or 8 steps.

Good info on the device its self and some related documentation from a research project.
http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf

Nice little demo with some good links to other info.
http://www.rsa.com/experience/sidinaction/window.html

Hope this helps.

TLH
0
 

Author Comment

by:cfan73
ID: 33554978
Thanks for your input - let me just verify one thing (after reading into this a bit more).

I think the solution requires an authentication agent of some sort that is publicly accessible (hence, likely in the DMZ), but then this agent passes credentials (using a variety of different methods) to the authentication manager process, which is provided by the SecurID appliance.

I just want to verify that the appliance itself does NOT have to be in the DMZ alongside the authentication agent, as long as the agent has a route (and whatever firewall port(s) open) to get there.

It seems obvious that this would work, but I just wanted to confirm.  I'm pretty new to the RSA components.
0
 
LVL 10

Accepted Solution

by:
t_hungate earned 250 total points
ID: 33555279
You are correct, the SecureID can be assigned an IP address inside your internal network. From the reading that I did, the best practices actually put the device inside your network.  You then have your users, authenticate through the device. You are correct that an authentication agent is required and if you look at some of the documentation, it will refer, to your network configuration and layout when trying to determine where each piece of the authentication systems will reside.  I think this is mainly due to the varying levels of complexity that can be present in networks now a days.
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 250 total points
ID: 33559518
I would put it inside your network. This is not something the public accesses directly, and it's purpose is to provide information that is under tight control to the VPN device. It should be as securely located as possible.
0
 

Expert Comment

by:prodigy1485
ID: 34715442
I had an exactly similar requirement. I am setting up the RSA SecurID appliance, and it requires a FQDN and an IP that is publicly accessible and available. In this case, wouldn't it be appropriate to set it up under DMZ segment, get Users authenticated and then provide them access to a separate LAN subnet?>
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question