Solved

RSA SecurID appliance network placement

Posted on 2010-08-28
5
1,532 Views
Last Modified: 2012-05-10
A customer has purchased dual RSA SecurID Appliance 130s, which will be used to authenticate remote users via hard and soft tokens. I'm looking for design recommendations on where the RSA appliances should be positioned - specifically, should they be in the network DMZ w/ public IP addresses, hidden behind a static NAT firewall, or something else altogether?

Pretty basic/simple question (I trust), and supporting documentation is always helpful.

Thank you!
0
Comment
Question by:cfan73
5 Comments
 
LVL 10

Expert Comment

by:t_hungate
ID: 33551312
This really depends on how you are wanting to use the device.

Is it for authentication of web based access, internal, or remote via VPN? Maybe all the above.

I have messed around with a 130, and the setup and config was very simple and straightforward. I think that RSA broke it down to 6 or 8 steps.

Good info on the device itself and some related documentation from a research project.
http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf

Nice little demo with some good links to other info.
http://www.rsa.com/experience/sidinaction/window.html

Hope this helps.

TLH
0
 

Author Comment

by:cfan73
ID: 33554978
Thanks for your input - let me just verify one thing (after reading into this a bit more).

I think the solution requires an authentication agent of some sort that is publicly accessible (hence, likely in the DMZ), but then this agent passes credentials (using a variety of different methods) to the authentication manager process, which is provided by the SecurID appliance.

I just want to verify that the appliance itself does NOT have to be in the DMZ alongside the authentication agent, as long as the agent has a route (and whatever firewall port(s) open) to get there.

It seems obvious that this would work, but I just wanted to confirm.  I'm pretty new to the RSA components.
0
 
LVL 10

Accepted Solution

by:
t_hungate earned 250 total points
ID: 33555279
You are correct, the SecurID can be assigned an IP address inside your internal network. From the reading that I did, the best practices actually put the device inside your network. You then have your users authenticate through the device. You are correct that an authentication agent is required, and if you look at some of the documentation, it will refer to your network configuration and layout when trying to determine where each piece of the authentication systems will reside. I think this is mainly due to the varying levels of complexity that can be present in networks nowadays.
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 250 total points
ID: 33559518
I would put it inside your network. This is not something the public accesses directly, and its purpose is to provide information that is under tight control to the VPN device. It should be as securely located as possible.
0
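The placement the answers above settle on (agent in the DMZ, appliance on the internal network, only the agent's authentication traffic allowed through the firewall), as an added example that is not from the thread or from RSA: a small audit of a first-match firewall rule list. All addresses and rule sets are constructed, and UDP 5500 is assumed as the agent authentication port; confirm the port for your deployment.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
AGENT = ipaddress.ip_address("192.0.2.10")     # authentication agent in the DMZ
APPLIANCE = ipaddress.ip_address("10.20.0.5")  # SecurID appliance on the internal LAN
AUTH = ("udp", 5500)  # assumed agent-authentication port; confirm for your deployment

# Rules are (src_net, dst_net, proto, port, action), evaluated first match wins.
INTENDED = [
    ("192.0.2.10/32", "10.20.0.5/32", "udp", 5500, "allow"),
    ("0.0.0.0/0", "10.20.0.0/16", "any", "any", "deny"),
]
EXPOSED = [("0.0.0.0/0", "10.20.0.5/32", "udp", 5500, "allow")]

def matches(rule, src, dst, proto, port):
    """True if the rule covers the given flow."""
    src_net, dst_net, r_proto, r_port, _ = rule
    return (src in ipaddress.ip_network(src_net)
            and dst in ipaddress.ip_network(dst_net)
            and r_proto in (proto, "any") and r_port in (port, "any"))

def decide(rules, src, dst, proto, port):
    """First-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule[4]
    return "deny"

def audit(rules):
    """Return findings where the rule set departs from the intended placement."""
    findings = []
    if decide(rules, AGENT, APPLIANCE, *AUTH) != "allow":
        findings.append("agent cannot reach appliance on the auth port")
    for src_net, dst_net, proto, port, action in rules:
        if action != "allow" or APPLIANCE not in ipaddress.ip_network(dst_net):
            continue
        if ipaddress.ip_network(src_net) != ipaddress.ip_network(f"{AGENT}/32"):
            findings.append(f"appliance reachable from {src_net}, not just the agent")
        elif (proto, port) != AUTH:
            findings.append(f"agent allowed on {proto}/{port}, wider than auth")
    return findings

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("exposed", EXPOSED)):
        print(name, audit(rules) or "ok")
```

The audit flags every allow rule that touches the appliance, including ones shadowed by an earlier deny, so it errs toward reporting.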
 

Expert Comment

by:prodigy1485
ID: 34715442
I had an exactly similar requirement. I am setting up the RSA SecurID appliance, and it requires a FQDN and an IP that is publicly accessible and available. In this case, wouldn't it be appropriate to set it up under DMZ segment, get Users authenticated and then provide them access to a separate LAN subnet?
0
