Re: [fw-wiz] Username password VS hardware token plus PIN

From: Kevin (
Date: 02/23/05

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Username password VS hardware token plus PIN"
    To: "" <>
    Date: Tue, 22 Feb 2005 20:37:38 -0600

    On Tue, 22 Feb 2005 17:20:38 -0500,
    <> wrote:
    > When users are at their desktop at the office they would do what they
    > always do - provide username/password. But when they wish to get
    > access to apps via the VPN they would provide their username/
    > password and a hardware token.

    I'm not sure I understand the question. What type of "VPN" are you

    Why not make token authentication the primary (only?) requirement for
    starting up a new VPN session to the private internal network, and then
    let Windows and/or the applications the brokers run deal with the
    domain credentials as needed?

    Cisco, Nortel, and other VPN clients will support this, though I'm
    not sure about the embedded Windows VPN libraries. Yes, you'll
    need a separate ACE/Server machine sync'd to Active Directory.

    > Asking a broker to carry around a token is ok. But asking them to run this
    > and that and do this and do that is too much and it simply won't happen.

    I've been there (literally, search for my name and "Comstock").
    Supporting brokers is not fun, the guys who bring in big bucks are
    all but untouchable, similar ego to "talent" in other industries.

    I've been through several *failed* token deployments using various
    vendors' products, as well as a couple of successful SecurID
    deployments. The difference wasn't so much the brand name
    (though that helped) as it was having a well-planned migration
    combined with a token solution which was difficult for the end user
    to mess up -- physically robust, technically simple to use, and no
    buttons to press.

    Kevin Kadow
    firewall-wizards mailing list
