More Than a Token Overhaul of the VPN
A move to two-factor authentication gives our security manager a chance to secure his VPN infrastructure.
Computerworld - Our executive team finally approved the use of two-factor authentication for all virtual private network access into our corporate network. This means we'll get to overhaul the way we deploy our Cisco VPN infrastructure.
Currently, when a user requests virtual private network access, we provide the VPN software and a VPN profile that the user has to import into the VPN client.
The user then launches the VPN software, authenticates and is placed in a group that's defined within the Cisco Secure Access Control Server (ACS). As things now stand, all groups are configured to allow access to just about everything in the company.
This isn't very secure, of course, because a user within the sales organization, for example, has the ability to reach production Unix servers. Granted, if the server were configured properly, access would be denied if the user didn't have a valid account on the Unix server.
But if the server wasn't configured properly, a malicious user could gain unauthorized access. What's more, a malicious user who isn't barred from any part of the network could attempt any number of other activities, including denial-of-service and man-in-the-middle attacks. So, as we now move to strong two-factor authentication, we have an opportunity to tie down our systems much more securely.
In implementing two-factor authentication, we're using RSA Security Inc.'s SecurID tokens, with corresponding access control provided by Cisco Systems Inc. The RSA SecurID token servers and associated tokens provide only for authentication; the tokens don't dictate which areas of the network an employee will have permission to access. This authorization piece is handled by the Cisco ACS.
With the ACS, groups of users are defined and then assigned specific networks or hosts that they can access.
For example, a contractor assigned as an auditor in the finance department doesn't need access to human resources systems. We can configure a group within the ACS and place in that group only the finance servers that the contractor will need to perform his job, plus some common areas of the network, such as the company Web site and the Exchange e-mail servers.
Once we've configured all of the groups we're going to need, it's just a matter of placing each user in the correct group. So, how do we do that? Manually entering thousands of users is too cumbersome and time-consuming to be an option. For this task, we'll turn to a directory server. We use Lightweight Directory Access Protocol for many functions within the company and have had great success with it.
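The authorization model described above (authentication by SecurID, group-based network access decided by the ACS, group membership pulled from LDAP) as a small worked example. This is added illustration, not code from the article or from Cisco or RSA; the group names, addresses and directory entries are constructed, and group-to-network mapping is modelled in Python rather than in ACS configuration.

```python
import ipaddress

# Constructed per-group allow lists, modelled on the ACS groups in the article.
GROUP_NETWORKS = {
    "vpn-finance-auditors": ["10.10.20.0/24"],   # finance servers only
    "vpn-sales": ["10.10.50.0/24"],              # sales application hosts
}
# Common areas every VPN group may reach: company Web site and Exchange servers.
COMMON_NETWORKS = ["10.0.1.10/32", "10.0.2.0/28"]
PRODUCTION_UNIX = "10.10.40.7"   # hypothetical host used only in the checks below


def vpn_groups(ldap_entry):
    """Return the ACS-defined groups named in an entry's memberOf DNs.
    Groups with no ACS definition grant nothing."""
    groups = set()
    for dn in ldap_entry.get("memberOf", []):
        rdn = dn.split(",", 1)[0]
        if rdn.lower().startswith("cn=") and rdn[3:] in GROUP_NETWORKS:
            groups.add(rdn[3:])
    return groups


def allowed_networks(ldap_entry):
    """A user in no VPN group is placed in no ACS group and gets nothing,
    not even the common areas (default deny)."""
    groups = vpn_groups(ldap_entry)
    if not groups:
        return []
    nets = [ipaddress.ip_network(n) for n in COMMON_NETWORKS]
    for g in groups:
        nets += [ipaddress.ip_network(n) for n in GROUP_NETWORKS[g]]
    return nets


def may_reach(ldap_entry, destination):
    """True only if the destination lies inside one of the user's allowed networks."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in allowed_networks(ldap_entry))


# Constructed sample directory entries.
CONTRACTOR = {"uid": "jdoe", "memberOf": ["cn=vpn-finance-auditors,ou=groups,dc=example,dc=com"]}
SALES_REP = {"uid": "asmith", "memberOf": ["cn=vpn-sales,ou=groups,dc=example,dc=com"]}
NO_GROUP = {"uid": "guest", "memberOf": []}

if __name__ == "__main__":
    for who, entry in [("contractor", CONTRACTOR), ("sales", SALES_REP), ("no group", NO_GROUP)]:
        print(who, "finance:", may_reach(entry, "10.10.20.5"),
              "exchange:", may_reach(entry, "10.0.2.3"),
              "prod unix:", may_reach(entry, PRODUCTION_UNIX))
```

The sales user and the finance contractor both fail to reach the production Unix host, which is the gap the current allow-everything groups leave open.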
Our LDAP environment is becoming more