Solved

RSA SecurID appliance network placement

Posted on 2010-08-28
1,586 Views
Last Modified: 2012-05-10
A customer has purchased dual RSA SecurID Appliance 130's, which will be used to authenticate remote users via hard and soft tokens. I'm looking for design recommendations on where the RSA appliances should be positioned - specifically, should they be in the network DMZ w/ public IP addresses, hidden behind a static NAT firewall, or something else altogether?

Pretty basic/simple question (I trust), and supporting documentation is always helpful.

Thank you!
Question by:cfan73
5 Comments
 
LVL 10

Expert Comment

by:t_hungate
ID: 33551312
This really depends on how you are wanting to use the device.

Is it for authentication of web based access, internal, or remote via VPN? Maybe all the above.

I have messed around with a 130, and the setup and config was very simple and straightforward.  I think that RSA broke it down to 6 or 8 steps.

Good info on the device itself and some related documentation from a research project.
http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf

Nice little demo with some good links to other info.
http://www.rsa.com/experience/sidinaction/window.html

Hope this helps.

TLH

Author Comment

by:cfan73
ID: 33554978
Thanks for your input - let me just verify one thing (after reading into this a bit more).

I think the solution requires an authentication agent of some sort that is publicly accessible (hence, likely in the DMZ), but then this agent passes credentials (using a variety of different methods) to the authentication manager process, which is provided by the SecurID appliance.

I just want to verify that the appliance itself does NOT have to be in the DMZ alongside the authentication agent, as long as the agent has a route (and whatever firewall port(s) open) to get there.

It seems obvious that this would work, but I just wanted to confirm.  I'm pretty new to the RSA components.
LVL 10

Accepted Solution

by: t_hungate (earned 1000 total points)
ID: 33555279
You are correct, the SecurID can be assigned an IP address inside your internal network. From the reading that I did, the best practices actually put the device inside your network.  You then have your users authenticate through the device. You are correct that an authentication agent is required and if you look at some of the documentation, it will refer to your network configuration and layout when trying to determine where each piece of the authentication system will reside.  I think this is mainly due to the varying levels of complexity that can be present in networks nowadays.
LVL 28

Assisted Solution

by: mikebernhardt (earned 1000 total points)
ID: 33559518
I would put it inside your network. This is not something the public accesses directly, and its purpose is to provide information that is under tight control to the VPN device. It should be as securely located as possible.
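The two accepted answers above reduce to three checkable invariants: the Authentication Manager sits on the internal segment, the agent in the DMZ can reach it on the agent port, and no public source can reach it at all. The script below is an added example (not from the thread or from RSA) that models a first-match, zone-based firewall policy and checks those invariants against a weak layout (manager in the DMZ with a publicly reachable port) and a hardened one (manager internal, a single agent host allowed in). All addresses, host names and rules are constructed sample data, and UDP/5500 as the agent-to-manager port is an assumption to confirm against the product documentation for your release.

```python
"""Placement check for an authentication server fronted by an agent.

Added example: models a first-match, zone-based firewall policy and checks
the invariants the answers above arrive at. All addresses, hosts and rules
are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumption: the agent reaches the Authentication Manager on UDP/5500;
# confirm the port against your release's documentation.
AUTH_PORT = 5500
ANY_PORT_PROBE = 65000  # arbitrary port used to exercise "any port" rules

ANY = ip_network("0.0.0.0/0")
PUBLIC = ip_network("203.0.113.0/24")  # TEST-NET-3 stands in for the Internet
DMZ = ip_network("192.0.2.0/24")       # TEST-NET-1 stands in for the DMZ
INTERNAL = ip_network("10.10.0.0/16")  # internal server segment


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None matches any destination port
    action: str             # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return the action of the first rule matching the flow; default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in (proto, "any")
                and r.port in (port, None)):
            return r.action
    return "deny"


def check_placement(rules, agent_ip, manager_ip):
    """Return a list of findings; an empty list means the placement holds."""
    findings = []
    manager = ip_address(manager_ip)

    # 1. The manager belongs on the internal segment, not in the DMZ or public space.
    if manager not in INTERNAL:
        findings.append("manager address is outside the internal segment")

    # 2. The agent must be able to reach the manager on the auth port.
    if evaluate(rules, agent_ip, manager_ip, "udp", AUTH_PORT) != "allow":
        findings.append("agent cannot reach manager on the auth port")

    # 3. No public source may reach the manager on any protocol/port.
    #    Probe every port a rule names plus one arbitrary port for any-port rules.
    probe_ports = {r.port for r in rules if r.port is not None} | {AUTH_PORT, ANY_PORT_PROBE}
    for proto in ("tcp", "udp"):
        for port in sorted(probe_ports):
            if evaluate(rules, str(PUBLIC[10]), manager_ip, proto, port) == "allow":
                findings.append(f"public source can reach manager on {proto}/{port}")
    return findings


# Weak design: manager in the DMZ, with the DMZ-wide allow rules also exposing it.
WEAK_AGENT, WEAK_MANAGER = "192.0.2.10", "192.0.2.20"
WEAK_RULES = [
    Rule(ANY, DMZ, "tcp", 443, "allow"),        # remote users reach the agent
    Rule(ANY, DMZ, "udp", AUTH_PORT, "allow"),  # also reaches the manager
]

# Hardened design: manager internal; only the agent host may reach it.
HARD_AGENT, HARD_MANAGER = "192.0.2.10", "10.10.5.5"
HARD_RULES = [
    Rule(PUBLIC, ip_network("192.0.2.10/32"), "tcp", 443, "allow"),
    Rule(ip_network("192.0.2.10/32"), ip_network("10.10.5.5/32"), "udp", AUTH_PORT, "allow"),
    Rule(ANY, INTERNAL, "any", None, "deny"),   # explicit deny for everything else inbound
]

if __name__ == "__main__":
    print("weak:", check_placement(WEAK_RULES, WEAK_AGENT, WEAK_MANAGER))
    print("hardened:", check_placement(HARD_RULES, HARD_AGENT, HARD_MANAGER))
```

The weak layout produces three findings (manager outside the internal segment, and the manager reachable from a public source on tcp/443 and on the agent port), while the hardened layout produces none: the only path to the manager is the single /32-to-/32 rule from the agent host, with an explicit deny behind it. The same check can be re-run whenever a DMZ-wide allow rule is added, which is exactly the kind of rule that quietly re-exposes a server that was placed correctly.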

Expert Comment

by:prodigy1485
ID: 34715442
I had an exactly similar requirement. I am setting up the RSA SecurID appliance, and it requires a FQDN and an IP that is publicly accessible and available. In this case, wouldn't it be appropriate to set it up under DMZ segment, get Users authenticated and then provide them access to a separate LAN subnet?