LDAP vs local login for remote access

Manoj Wadhwa · ‎02-27-2014

Hi Team,

I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and password or integration with Active Directory via LDAP. What are the pros and cons of these solutions.

I feel local logins are more secure comparitavely because the user first login using local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an admistrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

Manoj Wadhwa · ‎03-01-2014

Hi Team - can anyone share your views on this. Thank you.

Javier Portuguez · ‎03-02-2014

Hello Manoj,

IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.

Local DB is used in case you need to manage a number of 15 users for instance, so in this case it is managable, but when it comes to a higher number it is not an option.

Active Directory is a better solution since it is meant to handle hundred of users and allows password-management for instance. Also you can have many ASA devices, performing DB bindings and queries to check the users credentials to the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.

If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:

AnyConnect Certificate Based Authentication.

Why to use AD:

Pros

Scalable.

Easy to manage.

Allows password-management.

Cons:

Expensive (not open AD solution).

HTH.

Please rate helpful posts.

Manoj Wadhwa · ‎03-02-2014

Hello Javier,

Thank you for your response. From a security perspective, isn't AD integration more vulnerable to brute force than local authentication. If AD account gets compromised, the overall security gets compromised. But if the local authentication for remote access gets compromised, though the hacker can login, he will still need domain credentials to access the infrastructure. Keeping this in mind, is AD less secure than local authentication?

Javier Portuguez · ‎03-02-2014

Hi Manoj,

Attackers should not be able to attack AD directly, this is something you should avoid in the first place.

To make the VPN authentication stronger one may consider certificates or RSA tokens as an option for two-factor authentication.

In my experience, I have never seen an ASA with more than 10 accounts, it is not managable.

I understand your concerned, but the ASA has mechanisms to avoid automatic brute-force attacks, for example, it drops the connection if the authentication fails and forces the AnyConnect client to manually initiate a new connection.

With that said, username and password credentials are always compromised, if you are really concerned about it, you may check two factor authentication or remote endpoint assesment, for instance:

- Certificates.

- Tokens.

- Cisco Host Scan.