Re: [fw-wiz] Username password VS hardware token plus PIN
From: Kevin (kkadow_at_gmail.com)
To: "MHawkins@tullib.com" <MHawkins@tullib.com>
Date: Tue, 22 Feb 2005 20:37:38 -0600
On Tue, 22 Feb 2005 17:20:38 -0500, MHawkins@tullib.com
> When users are at their desktop at the office they would do what they
> always do - provide username/password. But when they wish to get
> access to apps via the VPN they would provide their username/
> password and a hardware token.
I'm not sure I understand the question. What type of "VPN" are you
Why not make token authentication the primary (only?) requirement for
starting up a new VPN session to the private internal network, and then
let Windows and/or the applications the brokers run deal with the
domain credentials as needed?
Cisco, Nortel, and other VPN clients will support this, though I'm
not sure about the embedded Windows VPN libraries. Yes, you'll
need a separate ACE/Server machine sync'd to Active Directory.
> Asking a broker to carry around a token is ok. But asking them to run this
> and that and do this and do that is too much and it simply won't happen.
I've been there (literally, search for my name and "Comstock").
Supporting brokers is not fun, the guys who bring in big bucks are
all but untouchable, similar ego to "talent" in other industries.
I've been through several *failed* token deployments using various
vendors' products, as well as a couple of successful SecurID
deployments. The difference wasn't so much the brand name
(though that helped) as it was having a well-planned migration
combined with a token solution which was difficult for the end user
to mess up -- physically robust, technically simple to use, and no
buttons to press.
firewall-wizards mailing list