Question about Authentication Domain

Asked by erobby

Looking at the following configuration for a VPN solution, I would like to hear the pros and cons.

I have 2 VPN zones; one is less secure than the other. Currently we use RSA SecurID for 2-factor authentication. They log on to the VPN client with 2 configurations: one logs on to the less secure area using AD. The second uses RSA and then AD to connect to a single terminal server where they can access the environment via RDP.

I'm considering adding a second domain just for authentication in the environment. The idea is to have an Authentication Domain that can access the less secure area and connect to the more secure area via RSA and a one-way trust. After which they will access the environment via RDP.

Thoughts?
SOLUTION by SIM50 (answer text not shown on this page)

ASKER CERTIFIED SOLUTION by Mahesh (answer text not shown on this page)

erobby (asker):

SIM50,

Yes, you are correct; most environments would not dare do something like this for several reasons. For the sake of argument, let's say the more secure zone is air gapped and the only communication between these zones is computer to computer. The people working in the less secure zone do not need to access the secure zone.

We are looking at ISE, but using application-level access.

Now the secure zone is only accessed by support, and since we have internal support and external support, I'm limiting as much access to external as possible. With all that said, I already have an AD structure in place to manage most of the security on the secure zone for Windows and Linux systems. And we will be redesigning our VLANs in the process.

When you say it won't make the environment more secure, can you provide some details?

Mahesh,

Thanks. That's almost exactly what I was talking about and definitely kind of what I have in mind. The environment was pretty much handed to me that way. However, I do like the idea of the second VPN zone for internal people to access the air-gapped zone and to provide a high-trust secure zone, where tools and other things reside that are not easily accessible to external people.

Technically we will have only one Authentication Domain, using RSA to pass the credentials to the secure domain via trust.

Mahesh:

RSA is a kind of multifactor authentication that works after primary authentication; I don't see how it will eliminate the need for authenticating to the resource domain.

If you are allowing resource forest accounts to authenticate directly over VPN, it will kill the purpose of having a separate account forest.
Users should be able to log in with account forest credentials only, and then they should be able to log on to the resource domain with selective authentication over the trust, followed by RSA etc.
You need to restrict logon to the VPN from resource forest IDs.
I don't know which VPN solution you are using, but I believe you do need to map groups from the domain in order to be able to authenticate; here you need to allow only account forest groups.
What this process essentially does is isolate VPN access and resource access, so that just logging on to the VPN won't grant resource access.
Mahesh.
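As an added example (not Mahesh's or the thread's own code), the following PowerShell check audits the two points above, the one-way trust with selective authentication and the VPN group mapping limited to account-forest groups. It assumes the ActiveDirectory module on a domain-joined host in the resource (secure) forest; the forest name and group list are constructed placeholders.

```powershell
# Added audit script; assumes it runs in the RESOURCE forest, so a trust that the
# resource domain extends to the account forest appears with Direction 'Outbound'.
Import-Module ActiveDirectory

function Test-VpnAuthDesign {
    param(
        [string]$AccountForest,      # DNS name of the authentication-only forest (assumed)
        [string[]]$VpnMappedGroups   # 'DOMAIN\Group' entries the VPN appliance maps (constructed)
    )
    $findings = @()
    $resource = Get-ADDomain         # the domain this host belongs to (resource forest)

    # 1. Trust check: resource forest should trust the account forest one way only,
    #    with selective authentication so account-forest users can reach only the
    #    hosts they are explicitly allowed to authenticate to (e.g. the terminal server).
    $trust = Get-ADTrust -Filter "Name -eq '$AccountForest'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        $findings += "No trust to account forest $AccountForest found"
    } else {
        if ($trust.Direction -ne 'Outbound') {
            $findings += "Trust to $AccountForest is $($trust.Direction); expected one-way Outbound"
        }
        if (-not $trust.SelectiveAuthentication) {
            $findings += "Trust to $AccountForest is forest-wide; enable selective authentication"
        }
    }

    # 2. Mapping check: any resource-forest group on the VPN lets a resource-forest
    #    ID log on to the VPN directly, which defeats the separate account forest.
    foreach ($g in $VpnMappedGroups) {
        $dom = ($g -split '\\')[0]
        if ($dom -ieq $resource.NetBIOSName) {
            $findings += "VPN maps resource-forest group '$g'; allow only account-forest groups"
        }
    }
    return $findings
}

# Constructed sample call; an environment built as described returns no findings.
Test-VpnAuthDesign -AccountForest 'auth.example.internal' `
                   -VpnMappedGroups @('AUTH\VPN-Users', 'CORP\Remote-Support')
```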
erobby (asker):

Thanks much for your input on this hypothetical.
erobby (asker):


Thanks guys