I am evaluating the best means for single-factor authentication for remote access (client-to-site or SSL VPN). The options I see are creating local usernames and passwords or integration with Active Directory via LDAP. What are the pros and cons of these solutions?
I feel local logins are more secure comparatively, because the user first logs in using the local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an administrator overload and local management of usernames and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.
IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
Local DB is used in case you need to manage a small number of users, 15 for instance, so in this case it is manageable, but when it comes to a higher number it is not an option.
Active Directory is a better solution since it is meant to handle hundreds of users and allows password management, for instance. Also you can have many ASA devices performing DB bindings and queries to check the users' credentials against the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
Thank you for your response. From a security perspective, isn't AD integration more vulnerable to brute force than local authentication? If an AD account gets compromised, the overall security gets compromised. But if the local authentication for remote access gets compromised, though the hacker can log in, he will still need domain credentials to access the infrastructure. Keeping this in mind, is AD less secure than local authentication?
Attackers should not be able to attack AD directly, this is something you should avoid in the first place.
To make the VPN authentication stronger one may consider certificates or RSA tokens as an option for two-factor authentication.
In my experience, I have never seen an ASA with more than 10 accounts; it is not manageable.
I understand your concern, but the ASA has mechanisms to avoid automatic brute-force attacks; for example, it drops the connection if the authentication fails and forces the AnyConnect client to manually initiate a new connection.
With that said, username and password credentials are always compromised; if you are really concerned about it, you may check two-factor authentication or remote endpoint assessment, for instance:
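The two points raised in this thread (binding the ASA to Active Directory so user accounts are not kept on every appliance, and limiting brute-force attempts against whatever accounts remain local) can be illustrated with one ASA configuration fragment. This is an added example, not configuration posted by anyone in the thread; the server group name AD-LDAP, the host 10.0.0.5, the base DN dc=example,dc=com, the service account svc-asa-bind, the tunnel group REMOTE-VPN and the local account vpn-breakglass are all placeholders to be replaced with your own values.

```cisco
! Added example: AD (LDAP) authentication for the remote-access tunnel group,
! with a small LOCAL fallback and a lockout on the local accounts.

! --- AD server group, bound over LDAPS (TCP 636) rather than cleartext LDAP ---
aaa-server AD-LDAP protocol ldap
 ! how many consecutive failures before this server is marked down
 max-failed-attempts 3
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-over-ssl enable
 server-port 636
 timeout 5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! low-privilege, read-only service account used only for the bind/search;
 ! the VPN user's own password is never stored on the ASA
 ldap-login-dn cn=svc-asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <placeholder-bind-password>
 server-type microsoft

! --- Tunnel group: try AD first, fall back to LOCAL only if AD is unreachable ---
! (with "LOCAL" appended, the ASA uses the local DB when the server group is
!  down, not when a user simply fails AD authentication)
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group AD-LDAP LOCAL

! --- The few accounts that must stay local get a lockout after 5 failures ---
aaa local authentication attempts max-fail 5
username vpn-breakglass password <placeholder-strong-password>

! --- Operational checks ---
! test the bind and a user lookup before cutting over:
!   test aaa-server authentication AD-LDAP host 10.0.0.5 username <user> password <pw>
! list locked local accounts and clear a lockout after investigating:
!   show aaa local user locked
!   clear aaa local user lockout username vpn-breakglass
```

Brute-force attempts against AD accounts are then subject to the domain's own lockout policy rather than anything on the ASA, so the account lockout threshold and the event logs on the domain controllers are where repeated VPN failures should be watched; the local lockout above only covers the fallback accounts.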