What do you consider "two factor" authentication? We currently use Cisco 3000 series VPN concentrators with RADIUS to the NT domain authentication. Our security group wants us to start using SecurID tokens, which I am all for. Unfortunately, Cisco does not support 2 methods at the same time.
The way the RSA token works is that you are prompted for a username to which you respond with your 4-6 character pin and the rotating number on your token.
What I want is to be prompted for a username/password using domain credentials via RADIUS, then a handoff for additional authentication using the RSA token. I consider that to be 2 factor authentication.
I see changing over to the SecurID tokens as the same or even perhaps a little lower security than a plain old username/password authentication. I say worse because I can see people writing their PINs (remember, it is just a 4-digit, numerical-only PIN) on the token. If it is found, the bad guy now has physical access to the network (until the token is invalidated). Our regular password policy is strong.
Does anyone know a VPN system that accepts 2 different authentication methods? Does Checkpoint support this?
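The two-stage flow asked for above (domain password via RADIUS, then PIN plus rotating token code), as an added illustration that is not part of the original thread and not RSA's or Cisco's code. The user records are constructed for the demo, and the rotating code is a hypothetical HMAC-based time code standing in for SecurID's proprietary algorithm.

```python
import hashlib
import hmac
import struct

STEP = 60          # the code on the token rotates once a minute (assumed)
DIGITS = 6         # length of the rotating code shown on the token (assumed)

# Constructed demo records, not real credentials. In a deployment the password
# lives in the domain and the PIN plus token seed live on the token server.
SALT = b"demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"Tr0ub4dor&3", SALT, 100_000)}
TOKENS = {"alice": {"pin": "4821", "secret": b"constructed-token-seed-for-alice"}}

def token_code(secret: bytes, now: int) -> str:
    """Hypothetical rotating code: HMAC-SHA1 over the time counter, truncated as
    in RFC 4226/6238. A stand-in for the proprietary SecurID algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def check_domain_password(user: str, password: str) -> bool:
    """Stage 1: domain credentials (what RADIUS would forward to the domain)."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

def check_passcode(user: str, passcode: str, now: int) -> bool:
    """Stage 2: passcode = PIN followed by the code on the token. Accept the
    current window and one window either side to absorb clock drift."""
    rec = TOKENS.get(user)
    if rec is None:
        return False
    for drift in (-1, 0, 1):
        expected = rec["pin"] + token_code(rec["secret"], now + drift * STEP)
        if hmac.compare_digest(expected.encode(), passcode.encode()):
            return True
    return False

def two_stage_login(user: str, password: str, passcode: str, now: int) -> str:
    """Run the two stages in order; a failure at either stage denies access."""
    if not check_domain_password(user, password):
        return "stage1-failed"
    if not check_passcode(user, passcode, now):
        return "stage2-failed"
    return "ok"
```

A PIN written on the token shows up here as the attacker knowing `rec["pin"]`, which collapses stage 2 to possession alone; the separate stage 1 password is what keeps a found token from being enough on its own.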
RSA is 2-factor authentication, the 2 being the PIN and the keycode. I don't think you can get the user to be authenticated twice on any system, not unless you put some other device inside the VPN device, so they each authenticate separately.
You cannot stop users writing down the PIN, but you can include in your Security Policy something about it being a disciplinary offence to do so, and all losses must be reported immediately to the IT Dept. Nor should users keep the RSA token in their laptop case. Any security setup can be weakened by users doing something daft, so you have to educate and, if that fails, remove their rights or discipline them. Of course this requires the support of the big cheeses.
A strong password can still be written down (maybe it's more likely to be) and I do believe 2-factor authentication adds something. Shame about the cost.
I understand that "technically" SecurID is 2 factor authentication. But do people really go to bed at night thinking that this is any more secure than username/password? I do not. At best it is just as secure, maybe a smidgen better. So is this just managerware? Also it appears that you need to dump your entire RADIUS infrastructure as you no longer need it (plus the RSA server is also a RADIUS server). I just really don't think that this system is worth the money for marginally better security and a LOT more management dealing with lost, stolen, forgotten or invalidated hardware keys. Plus are people aware that the RSA keys do not have replaceable batteries? When they die, they are discarded and you PURCHASE new ones from RSA.