RSA SecurID appliance network placement

Posted on 2010-08-28
Medium Priority
Last Modified: 2012-05-10
A customer has purchased dual RSA SecurID Appliance 130's, which will be used to authenticate remote users via hard and soft tokens. I'm looking for design recommendations on where the RSA appliances should be positioned - specifically, should they be in the network DMZ w/ public IP addresses, hidden behind a static NAT firewall, or something else altogether?

Pretty basic/simple question (I trust), and supporting documentation is always helpful.

Thank you!
Question by:cfan73
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Expert Comment

ID: 33551312
This really depends on how you are wanting to use the device.

Is it for authentication of web based access, internal, or remote via VPN? Maybe all the above.

I have messed around with a 130, and the setup and config was very simple and straight forward.  I think that RSA broke it down to 6 or 8 steps.

Good info on the device its self and some related documentation from a research project.

Nice little demo with some good links to other info.

Hope this helps.


Author Comment

ID: 33554978
Thanks for your input - let me just verify one thing (after reading into this a bit more).

I think the solution requires an authentication agent of some sort that is publicly accessible (hence, likely in the DMZ), but then this agent passes credentials (using a variety of different methods) to the authentication manager process, which is provided by the SecurID appliance.

I just want to verify that the appliance itself does NOT have to be in the DMZ alongside the authentication agent, as long as the agent has a route (and whatever firewall port(s) open) to get there.

It seems obvious that this would work, but I just wanted to confirm.  I'm pretty new to the RSA components.
LVL 10

Accepted Solution

t_hungate earned 1000 total points
ID: 33555279
You are correct, the SecureID can be assigned an IP address inside your internal network. From the reading that I did, the best practices actually put the device inside your network.  You then have your users, authenticate through the device. You are correct that an authentication agent is required and if you look at some of the documentation, it will refer, to your network configuration and layout when trying to determine where each piece of the authentication systems will reside.  I think this is mainly due to the varying levels of complexity that can be present in networks now a days.
LVL 28

Assisted Solution

mikebernhardt earned 1000 total points
ID: 33559518
I would put it inside your network. This is not something the public accesses directly, and it's purpose is to provide information that is under tight control to the VPN device. It should be as securely located as possible.

Expert Comment

ID: 34715442
I had an exactly similar requirement. I am setting up the RSA SecurID appliance, and it requires a FQDN and an IP that is publicly accessible and available. In this case, wouldn't it be appropriate to set it up under DMZ segment, get Users authenticated and then provide them access to a separate LAN subnet?>

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question