RE: Double authentication (User & Machine) with VPN SSL

From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 10/19/05

  • Next message: FocusHacks: "Re: Creating a Test Network"
    Date: Wed, 19 Oct 2005 05:07:57 -0400
    To: "Peyman" <peyman.secu@gmail.com>
    
    

    Sorry for the late reply. I've been working a lot.

    If you've got Windows and IIS, it should be pretty easy. You can require
    IPSec certs (i.e. machine certs) to connect the computers to the web
    server machine using the typical IPSec policy and normal IPSec certs. If
    your web server is located behind a NAT device, the server would have to
    be W2K3 (to do NAT Transversal). Then on IIS, Directory Security, enable
    and require SSL (the normal way), and then ALSO enable Require Client
    mapping. That feature will require that all connecting users have a User
    cert, previously mapped (i.e. attached to their Active Directory
    account) to connect.

    If you need more details I can give them.

    Roger

    ************************************************************************
    ***
    *Roger A. Grimes, Banneret Computer Security, Consultant
    *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
    *email: roger@banneretcs.com
    *cell: 757-615-3355
    *Author of Honeypots for Windows (Apress)
    *http://www.apress.com/book/bookDisplay.html?bID=281
    ************************************************************************
    ****

     

    -----Original Message-----
    From: Peyman [mailto:peyman.secu@gmail.com]
    Sent: Friday, October 14, 2005 4:49 AM
    To: Roger A. Grimes
    Cc: security-basics@securityfocus.com
    Subject: Re: Double authentication (User & Machine) with VPN SSL

    Hi,

    Here are some details on our environment :
      - the devices are only on Windows (2k or xp)
      - our users will soon have a certificate in a USB token; the laptops
    have a machine certificate in the Windows certificates container (we
    consider that this certificate cannot be stolen).
      - there is no solution deployed for the moment; we'd like to provide a
    remote access, and are investigating to find the best solution. For some
    reasons, we don't want IPSec/L2TP, even if it allows us to make the user
    & machine authentication. That's why I'm asking my question about the
    VPN SSL solutions.

    Thanks a lot
    Peyman

    On 10/14/05, Roger A. Grimes <roger@banneretcs.com> wrote:
    > Need a little bit more about your environment:
    >
    > Using Windows or Linux, or both? Using what versions of OS?
    >
    > Using built-in software or is a third party solution solution
    > acceptable?
    >
    > Are smart cards or token devices an option, or do you want it to be a
    > software only implementation?
    >
    > Roger
    >
    > **********************************************************************
    > **
    > ***
    > *Roger A. Grimes, Banneret Computer Security, Consultant *CPA, CISSP,
    > MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
    > *email: roger@banneretcs.com
    > *cell: 757-615-3355
    > *Author of Honeypots for Windows (Apress)
    > *http://www.apress.com/book/bookDisplay.html?bID=281
    > **********************************************************************
    > **
    > ****
    >
    >
    >
    > -----Original Message-----
    > From: Peyman [mailto:peyman.secu@gmail.com]
    > Sent: Thursday, October 13, 2005 1:36 PM
    > To: security-basics@securityfocus.com
    > Subject: Double authentication (User & Machine) with VPN SSL
    >
    > Dear all,
    >
    > I was wondering if with a VPN SSL solution, it is possible to
    > authenticate the user and the machine both, with their certificates.
    > I know that this could be possible with IPSec Over L2TP (machine
    > authentication with L2TP, and user authentication with IPSec), and not

    > possible with pure IPSec (just a basic login/password with X-Auth
    > available in IKE for a user authentication).
    > Just to precise my needs :
    > - I'd like to authenticate my users with a certificate because this

    > is useful for a remote vpn connection, and also for others needs
    > (emails, access to some ressources, applications, etc.)
    > - I'd like to authenticate the corporate laptops with a unique
    > certificate stored securely on it : this is useful to only allow a
    > full network access to the corporate network to trusted machines, and
    > also to revocate certificates of laptops that might be stolen/lost.
    >
    > Thanks a lot for any help,
    > Peyman
    >


  • Next message: FocusHacks: "Re: Creating a Test Network"

    Relevant Pages

    • Re: Need help configuring Wireless Connection profile
      ... and I can only use the intel OR windows utility, not both at the same time. ... Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 ... SMALL BUSINESS SERVER: ... STEP #1 Install Certificate Services ...
      (microsoft.public.windowsxp.general)
    • Re: EAP-TLS with windows CE
      ... credentials at the login prompt for Windows Server 2003 on the server ... The certificate is a public thing, ... When the server asks the Windows CE device to identify itself, ... I could easily steal your authentication information. ...
      (microsoft.public.windowsce.platbuilder)
    • Re: Web Service, Authentication, Security & Domains
      ... Have you considered to use certificate authentication? ... IIS automatically maps the client certificate to a windows ... (the service only sees the authenticated windows account). ...
      (microsoft.public.dotnet.framework.webservices.enhancements)
    • Re: 802.1x
      ... > I am trying to enable 802.1x autentication for my network but when I ... I have set a computer certificate to ... > like Windows is not even looking at the computer certificates when it ... > decides what cert to send in for authentication. ...
      (microsoft.public.windows.server.networking)
    • RE: updates after format
      ... if the Microsoft Server is down. ... software you are installing has not passed Windows Logo testing verify its ... When you try to download an ActiveX control, install an update to Windows ... and you do not have the appropriate certificate in your Trusted Publishers ...
      (microsoft.public.windows.mediacenter)