Re: VPN Beginners help
From: Vin McLellan (vin_at_theworld.com)
Date: 01/21/04
- Next message: Colonel Flagg: "Re: Threat of running a web server?"
- Previous message: Mike: "Linux firewall questions"
- In reply to: Martin: "VPN Beginners help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Jan 2004 15:30:53 -0500
"Martin" <mvinfotech@NOSPAM.btinternet.com> queried the Listocracy:
<snip, snip>
> Is configuration of the PIX for VPN simple? Is anything required on
> the remote client to access our domain through the PIX VPN?
>
> It has also been suggested we setup a secure method of authenticating,
> using a SecureID keyfob. I would be interested in finding out about
> these and how they work. Again I would appreciate if someone could
> point me in the right direction.
Hi Martin,
The SecurID is a two-factor hand-held authentication token which continuously
produces a 6-8 digit pseudorandom number, a one-time password, on a LCD
display on a keyfob or card. Used in conjunction with a user-memorized
password, it provides the remote authentication server with two-factor
proof -- something known, and something held -- that the user is the same
person who was previously registered as a valid user on the authentication
server and assigned the token by a responsible party.
The newer SecurIDs use AES to hash Current Time and a token-specific secret
to produce the token-code displayed on the LCD. The user conflates the
memorized PIN and the SecurID token-code and uses it just like any longish
password.
The remote authentication server, which RSA calls an ACE/Server, is a
RDb-based server that manages Identity and Access Management services and
supports the distributed SecurIDs by calculating Current Time and the seed
of record for that token to match the calculated token-code and its record of
the user's PIN against the pair submitted by the user in any authentication
call.
RSA has been at this for awhile, and I think you will find that most
commercial firewalls (certainly the PIX) and VPNs -- like hundreds of other
apps -- already have an embedded ACE/Agent or Radius client that can proxy
an authentication call to the RSA ACE/Server.
Please feel free to ask for any further details or clarifications. Strong
authentication is important to all of us, and there is doubtless a lot of
experience dealing with RSA SecurID authentication on this List.
Mark Lobel of PWC has a useful paper on "The Case for Strong Authentication"
at: http://tinyurl.com/27fze
With regard to your specific situation, these links might help:
Introduction - Cisco Security and VPN Software
http://www.cisco.com/en/US/products/sw/secursw/index.html
RSA Implementation guide for the PIX firewall
http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_Remote_Access_Servers_and_Pix_FW.pdf
Cisco 500 Series Firewall Attributes
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/
"Cisco PIX security appliances support various remote access VPN clients
including Cisco software VPN clients (available on many platforms including
Microsoft Windows, Linux, Solaris, and Mac OS X), Cisco hardware VPN clients
(such as the Cisco PIX 501 and PIX 506E security appliances, VPN 3002
concentrators, and Cisco 800 or 1700 series routers), as well as
Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol clients in
Microsoft Windows operating systems. Cisco PIX security appliances encrypt
data using 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES),
or up to 256-bit Advanced Encryption Standard encryption."
SecurID Tokens
http://www.rsasecurity.com/products/securid/tokens.html
RSA ACE/Agent for Windows 2000
http://www.rsasecurity.com/products/securid/techspecs/windows55.html
A list of 101 RSA Partners (with embedded ACE/Agents) selling VPNs,
Firewalls, IDS http://tinyurl.com/2cfbg
Overview, RSA Security Products
http://www.rsasecurity.com/products/
RSA's VPN Security Portfolio
http://www.rsasecurity.com/solutions/vpn/framework.html
Hope this is helpful. Don't hesitate to ask for help here, this forum has
historically offered generous support for newbies. I've been a consultant
to RSA, off and on, for 15 years.
Suerete,
_Vin
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild + <vin@theworld.com> *
22 Beacon St., Chelsea, MA 02150-2672 USA
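The token/server mechanism Vin describes above (a time-based token-code combined with a memorized PIN, recomputed on the server from the seed of record) as an added illustration, not code from the post, from RSA, or from any real SecurID implementation. It is a simplified model: the seed, PIN and timestamp are constructed values, the 60-second interval, the one-step clock tolerance and the replay check are assumptions, and HMAC-SHA256 stands in for the AES computation the post mentions because the Python standard library ships no AES.

```python
import hmac
import hashlib
import struct

# Constructed example values: not a real token seed or PIN.
TOKEN_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
TIME_STEP_SECONDS = 60   # assumed interval; the display changes once per step
CODE_DIGITS = 6          # the post says 6-8 digits; 6 is chosen here


def token_code(seed, unix_time, step=TIME_STEP_SECONDS, digits=CODE_DIGITS):
    """Derive the displayed token-code from the token-specific secret and the
    current time interval. HMAC-SHA256 is a stand-in for the AES-based
    derivation described in the post; the structure (secret + time -> short
    decimal code) is what matters for the illustration."""
    interval = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", interval), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return str(value).zfill(digits)


class AuthServer:
    """Minimal stand-in for the ACE/Server role: holds the seed of record and
    PIN for each registered user, recomputes the expected token-code for the
    current time, and compares the PIN+code pair the user submits."""

    def __init__(self, skew_steps=1):
        self.users = {}          # username -> (seed, pin)
        self.last_interval = {}  # username -> last interval accepted (replay guard)
        self.skew_steps = skew_steps

    def register(self, user, seed, pin):
        # A production server would store a hash of the PIN, not the PIN itself.
        self.users[user] = (seed, pin)

    def verify(self, user, passcode, now, step=TIME_STEP_SECONDS):
        """Return True only for a fresh, correct PIN+token-code pair.
        A small clock skew between token and server is tolerated by checking
        neighbouring intervals; an interval that was already used to log in
        is never accepted again."""
        record = self.users.get(user)
        if record is None:
            return False
        seed, pin = record
        interval = now // step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate_interval = interval + delta
            expected = pin + token_code(seed, candidate_interval * step, step)
            # Constant-time comparison so timing does not leak the PIN or code.
            if hmac.compare_digest(expected, passcode):
                if self.last_interval.get(user, -1) >= candidate_interval:
                    return False  # replayed or older code
                self.last_interval[user] = candidate_interval
                return True
        return False


if __name__ == "__main__":
    server = AuthServer()
    server.register("martin", TOKEN_SEED, "4321")
    now = 1074716400  # constructed timestamp
    code = token_code(TOKEN_SEED, now)
    print("token displays:", code)
    print("first login:", server.verify("martin", "4321" + code, now))
    print("replayed code:", server.verify("martin", "4321" + code, now))
```

The replay guard and the constant-time comparison are the two details worth keeping in mind when evaluating any OTP back end: a correct code is only as good as the server's refusal to accept it twice.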