RSA SecurID appliance network placement

A customer has purchased dual RSA SecurID Appliance 130's, which will be used to authenticate remote users via hard and soft tokens. I'm looking for design recommendations on where the RSA appliances should be positioned - specifically, should they be in the network DMZ w/ public IP addresses, hidden behind a static NAT firewall, or something else altogether?

Pretty basic/simple question (I trust), and supporting documentation is always helpful.

Thank you!
Who is Participating?
Tony HungateConnect With a Mentor Director of TrainingCommented:
You are correct, the SecureID can be assigned an IP address inside your internal network. From the reading that I did, the best practices actually put the device inside your network.  You then have your users, authenticate through the device. You are correct that an authentication agent is required and if you look at some of the documentation, it will refer, to your network configuration and layout when trying to determine where each piece of the authentication systems will reside.  I think this is mainly due to the varying levels of complexity that can be present in networks now a days.
Tony HungateDirector of TrainingCommented:
This really depends on how you are wanting to use the device.

Is it for authentication of web based access, internal, or remote via VPN? Maybe all the above.

I have messed around with a 130, and the setup and config was very simple and straight forward.  I think that RSA broke it down to 6 or 8 steps.

Good info on the device its self and some related documentation from a research project.

Nice little demo with some good links to other info.

Hope this helps.

cfan73Author Commented:
Thanks for your input - let me just verify one thing (after reading into this a bit more).

I think the solution requires an authentication agent of some sort that is publicly accessible (hence, likely in the DMZ), but then this agent passes credentials (using a variety of different methods) to the authentication manager process, which is provided by the SecurID appliance.

I just want to verify that the appliance itself does NOT have to be in the DMZ alongside the authentication agent, as long as the agent has a route (and whatever firewall port(s) open) to get there.

It seems obvious that this would work, but I just wanted to confirm.  I'm pretty new to the RSA components.
mikebernhardtConnect With a Mentor Commented:
I would put it inside your network. This is not something the public accesses directly, and it's purpose is to provide information that is under tight control to the VPN device. It should be as securely located as possible.
I had an exactly similar requirement. I am setting up the RSA SecurID appliance, and it requires a FQDN and an IP that is publicly accessible and available. In this case, wouldn't it be appropriate to set it up under DMZ segment, get Users authenticated and then provide them access to a separate LAN subnet?>
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.