More Than a Token Overhaul of the VPN
A move to two-factor authentication gives our security manager a chance to secure his VPN infrastructure.
Computerworld - Our executive team finally approved the use of two-factor authentication for all virtual private network access into our corporate network. This means we'll get to overhaul the way we deploy our Cisco VPN infrastructure.
Currently, when a user requests virtual private network access, we provide the VPN software and a VPN profile that the user has to import into the VPN client.
The user then launches the VPN software, authenticates and is placed in a group that's defined within the Cisco Secure Access Control Server (ACS). As things now stand, all groups are configured to allow access to just about everything in the company.
This isn't very secure, of course, because a user in the sales organization, for example, can reach production Unix servers. Granted, if a server were configured properly, access would be denied if the user didn't have a valid account on it.
But if the server weren't configured properly, a malicious user could gain unauthorized access. What's more, a malicious user who isn't barred from any part of the network could attempt any number of other activities, including denial-of-service and man-in-the-middle attacks. So, as we now move to strong two-factor authentication, we have an opportunity to lock down our systems much more tightly.
In implementing two-factor authentication, we're using RSA Security Inc.'s SecurID tokens, with corresponding access control provided by Cisco Systems Inc. The RSA SecurID token servers and associated tokens provide only for authentication; the tokens don't dictate which areas of the network an employee will have permission to access. This authorization piece is handled by the Cisco ACS.
With the ACS, groups of users are defined and then assigned specific networks or hosts that they can access.
For example, a contractor assigned as an auditor in the finance department doesn't need access to human resources systems. We can configure a group within the ACS and place in that group only the finance servers that the contractor will need to perform his job, plus some common areas of the network, such as the company Web site and the Exchange e-mail servers.
Once we've configured all of the groups we're going to need, it's just a matter of placing each user in the correct group. So, how do we do that? Manually entering thousands of users is too cumbersome and time-consuming to be an option. For this task, we'll turn to a directory server. We use the Lightweight Directory Access Protocol (LDAP) for many functions within the company and have had great success with it.
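The authorization model described above (SecurID answers "who are you," the ACS group answers "what may you reach," and the directory decides which group a user lands in) can be written out as a small default-deny policy check. The following is an added example, not the column author's configuration or any Cisco or RSA product code; the group names, LDAP distinguished names and network ranges are constructed assumptions for illustration.

```python
"""Group-based VPN authorization check, modeled on the article's design.

Constructed example data: the networks, group names and LDAP DNs below are
assumptions for illustration and do not come from the article or any vendor.
"""
import ipaddress
from typing import Dict, List, Optional

# Networks every authenticated VPN user may reach ("common areas").
COMMON_AREAS = ["10.1.1.0/24", "10.1.2.0/24"]  # assumed: company Web site, Exchange

# ACS-style groups: each maps to the networks/hosts its members may reach.
ACS_GROUPS: Dict[str, List[str]] = {
    "vpn-finance-contractors": COMMON_AREAS + ["10.20.5.0/24"],  # assumed finance servers
    "vpn-sales":               COMMON_AREAS + ["10.30.0.0/16"],  # assumed sales applications
    "vpn-unix-admins":         COMMON_AREAS + ["10.50.0.0/16"],  # assumed production Unix
}

# LDAP group DN -> ACS group. The DNs are assumptions.
LDAP_TO_ACS: Dict[str, str] = {
    "cn=finance-audit,ou=groups,dc=example,dc=com": "vpn-finance-contractors",
    "cn=sales,ou=groups,dc=example,dc=com":         "vpn-sales",
    "cn=unix-admins,ou=groups,dc=example,dc=com":   "vpn-unix-admins",
}


def resolve_acs_group(member_of: List[str]) -> Optional[str]:
    """Map a user's LDAP memberOf values to exactly one ACS group.

    Unknown LDAP groups are ignored. A user who maps to no ACS group gets
    None (no network access); a user who maps to more than one is also
    returned as None rather than silently granted the union of both groups.
    """
    matches = sorted({LDAP_TO_ACS[g] for g in member_of if g in LDAP_TO_ACS})
    if len(matches) == 1:
        return matches[0]
    return None


def is_destination_allowed(acs_group: Optional[str], dst_ip: str) -> bool:
    """Default deny: only destinations inside the group's networks are permitted."""
    if acs_group is None or acs_group not in ACS_GROUPS:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in ACS_GROUPS[acs_group])


def authorize(member_of: List[str], dst_ip: str) -> bool:
    """Full check for an authenticated user: directory groups -> ACS group -> networks."""
    return is_destination_allowed(resolve_acs_group(member_of), dst_ip)


if __name__ == "__main__":
    finance_contractor = ["cn=finance-audit,ou=groups,dc=example,dc=com"]
    sales_user = ["cn=sales,ou=groups,dc=example,dc=com"]
    print(authorize(finance_contractor, "10.20.5.17"))  # finance server: allowed
    print(authorize(finance_contractor, "10.1.2.10"))   # Exchange (common area): allowed
    print(authorize(sales_user, "10.50.3.4"))           # production Unix: denied
    print(authorize([], "10.1.1.5"))                    # no mapped group: denied
```

The two choices worth noting are the default-deny fallthrough (a user in no mapped group reaches nothing, which is the opposite of the "every group can reach everything" state the article starts from) and the refusal to resolve a user who belongs to two mapped directory groups; in a real ACS deployment that case should be caught by a precedence rule or a directory cleanup rather than resolved by granting the union.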
Our LDAP environment is becoming more