More Than a Token Overhaul of the VPN

A move to two-factor authentication gives our security manager a chance to secure his VPN infrastructure.

By Mathias Thurman
May 30, 2005 12:00 PM ET

Computerworld - Our executive team finally approved the use of two-factor authentication for all virtual private network access into our corporate network. This means we'll get to overhaul the way we deploy our Cisco VPN infrastructure.
Currently, when a user requests virtual private network access, we provide the VPN software and a VPN profile that the user has to import into the VPN client.
The user then launches the VPN software, authenticates and is placed in a group that's defined within the Cisco Secure Access Control Server (ACS). As things now stand, all groups are configured to allow access to just about everything in the company.
This isn't very secure, of course, because a user within the sales organization, for example, can reach production Unix servers. Granted, if the server were configured properly, access would be denied if the user didn't have a valid account on the Unix server.
But if the server wasn't configured properly, a malicious user could gain unauthorized access. What's more, a malicious user who isn't barred from any part of the network could attempt any number of other activities, including denial-of-service and man-in-the-middle attacks. So, as we now move to strong two-factor authentication, we have an opportunity to tie down our systems much more securely.
In implementing two-factor authentication, we're using RSA Security Inc.'s SecurID tokens, with corresponding access control provided by Cisco Systems Inc. The RSA SecurID token servers and associated tokens provide only for authentication; the tokens don't dictate which areas of the network an employee will have permission to access. This authorization piece is handled by the Cisco ACS.
With the ACS, groups of users are defined and then assigned specific networks or hosts that they can access.
For example, a contractor assigned as an auditor in the finance department doesn't need access to human resources systems. We can configure a group within the ACS and place in that group only the finance servers that the contractor will need to perform his job, plus some common areas of the network, such as the company Web site and the Exchange e-mail servers.
Once we've configured all of the groups we're going to need, it's just a matter of placing each user in the correct group. So, how do we do that? Manually entering thousands of users is too cumbersome and time-consuming to be an option. For this task, we'll turn to a directory server. We use the Lightweight Directory Access Protocol (LDAP) for many functions within the company and have had great success with it.
Our LDAP environment is becoming more
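The split the column describes (the token server answers only "is this the right person?", while group membership pulled from the directory decides which networks that person may reach) can be modelled as a small authorization check. The following is an added example written for this page, not Computerworld's, Cisco's or RSA's code; the group names, subnets, user entries and the "contractor auditor" case are constructed sample data that mirror the article's scenario.

```python
"""Group-scoped VPN authorization, as a model of the ACS-style setup.

Authentication (the SecurID check) is a separate yes/no input; authorization
is a lookup from the user's directory groups to permitted networks.
All data here is constructed for illustration.
"""
import ipaddress

# Constructed: destinations every group shares (company web site, Exchange).
COMMON_DESTINATIONS = ["203.0.113.10/32", "10.1.5.0/24"]

# Constructed: what each group may reach beyond the common areas.
GROUP_DESTINATIONS = {
    "finance-audit": ["10.2.20.0/24"],   # finance servers only
    "sales":         ["10.3.0.0/16"],    # sales application segment
    "unix-admins":   ["10.9.0.0/16"],    # production Unix
}

# Constructed: LDAP-style directory entries carrying group membership.
DIRECTORY = {
    "jdoe":   {"memberOf": ["finance-audit"], "contractor": True},
    "asmith": {"memberOf": ["sales"]},
    "ops01":  {"memberOf": ["unix-admins", "sales"]},
}


def allowed_networks(user):
    """Resolve a user's directory groups to the networks they may reach.
    Unknown users and unknown group names contribute nothing (default deny)."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return []
    nets = [ipaddress.ip_network(n) for n in COMMON_DESTINATIONS]
    for group in entry.get("memberOf", []):
        nets += [ipaddress.ip_network(n) for n in GROUP_DESTINATIONS.get(group, [])]
    return nets


def authorize(user, token_ok, dst):
    """Permit a VPN session to reach dst only if the token check passed AND
    the user's group policy lists a network containing dst."""
    if not token_ok:
        return False
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in net for net in allowed_networks(user))
```

With this model the column's sales-user example is closed off: an authenticated sales user can still reach the web site and Exchange, but a request toward the production Unix segment is denied because no group he belongs to lists it.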