Implementing more secure VPN access

Soldato
Joined
28 Dec 2003
Posts
16,502
We're a relatively small company and several employees use basic PPTP VPN access via an ISA 2006 server to remotely access office systems when necessary.

I'm getting increasingly concerned about the security risks involved as, frankly, I don't trust some of these people to keep passwords sufficiently complex or secure and am thus wondering what I can do to improve things.

Ideally I'd like a system which uses the RSA-type fobs with a rotating code the user has to type in but I know nothing about how such a system is implemented nor the costs involved, as these may be prohibitive for a small outfit such as ours.

Does anyone have any info or advice or can point me in the right direction to do some more reading up on this?
 
Have you considered using client certificate based authentication? It's a lot more secure and basically free if you've got a server to install a certificate authority on for your domain.
 
No I haven't - don't really know what it involves or what benefits it would convey in terms of security - willing to consider if it'd help.

Regards the RSA SecurID stuff, I've done some research and it appears my ISA 2006 box will support this as standard - do I just need to buy the fobs and configure it or do I need an account/subscription with RSA too?
 
You'll either need your own RSA server on site, or buy it as a service from people like Signify (http://www.signify.net/).

That's probably going to be your best bet as it means no new software or hardware for you, it's a managed service.
 
Haven't worked with the RSA stuff myself, so I'm not sure what the costs are like or what's required on the backend.

In regards to certificate based authentication it removes the Username/Password authentication method and relies upon a unique certificate that is generated/installed on each client.

http://www.isaserver.org/tutorials/configuring_the_vpn_client_and_server_to_support_certificatebased_pptp_eaptls_authentication__part_2.html#

The link above is for ISA Server 2000 but should give you the general idea. We use a dedicated VPN appliance not ISA server but the theory is pretty much the same.
 
Thanks, I'll look into it.

Basically I'm looking for a way to implement two-part authentication along the lines of the "something you know, something you have" paradigm.

Passwords alone simply aren't secure enough so a certificate or RSA fob would give me the "something you have" too. I'd obviously need to be able to instantly disable or remove access from certain certificates or fobs in the case they were lost or stolen etc.
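The "something you have" a rotating-code fob provides is a secret seed that never leaves the device; the server holds a copy and both sides derive the same short-lived code from it. The following is an added example written for this thread, not code from any poster or vendor: it implements the open RFC 4226/6238 HOTP/TOTP scheme (assumed here as a stand-in, since RSA SecurID uses its own proprietary algorithm) together with the server-side pieces the post above asks for, a per-user seed, a window for clock drift, replay rejection of an already-used code, and instant revocation of a lost fob. The user names and seed values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long one code is valid (RFC 6238 default)
DIGITS = 6          # code length shown on the fob


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at_time // step)


def seed_from_b32(seed_b32: str) -> bytes:
    """Seeds are usually distributed base32-encoded; decode to raw bytes."""
    return base64.b32decode(seed_b32, casefold=True)


class TokenServer:
    """Server-side verifier: one seed per user, a revocation list and replay protection."""

    def __init__(self):
        self.seeds = {}          # user -> raw seed bytes (hypothetical in-memory store)
        self.revoked = set()     # users whose fob was reported lost or stolen
        self.last_counter = {}   # user -> last time-step whose code was accepted

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def revoke(self, user: str) -> None:
        """Disable a fob immediately; no code from it will verify again."""
        self.revoked.add(user)

    def verify(self, user: str, code: str, at_time=None, window: int = 1) -> bool:
        at_time = int(time.time()) if at_time is None else at_time
        if user in self.revoked or user not in self.seeds:
            return False
        counter = at_time // STEP_SECONDS
        # Accept the current step plus `window` steps either side to tolerate clock drift.
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(user, -1):
                continue  # this step (or an earlier one) was already used: refuse replays
            if hmac.compare_digest(hotp(self.seeds[user], candidate), code):
                self.last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed; a real deployment generates a random seed per fob.
    seed = seed_from_b32("JBSWY3DPEHPK3PXP")
    server = TokenServer()
    server.enroll("alice", seed)
    now = int(time.time())
    code = totp(seed, now)                       # what the fob would display right now
    print("code:", code, "accepted:", server.verify("alice", code, at_time=now))
    print("replay accepted:", server.verify("alice", code, at_time=now))
    server.revoke("alice")
    print("after revocation:", server.verify("alice", totp(seed, now + 60), at_time=now + 60))
```

The replay check is what makes the code genuinely one-time: even if an attacker captured a code in transit, it cannot be presented a second time. Revocation is a single server-side operation, which is the "instantly disable a lost fob" requirement; the same holds for certificates via the CA's revocation list, but only if every VPN endpoint actually checks that list.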
 
Certificates are the cheaper way of doing it; something you have is the laptop with a certificate installed on it, and you can have a password as well.

It's not strictly 2 factor auth but it is more secure than passwords alone.

I know with certificates you can revoke them on the CA server. I assume you can do the same with RSA tokens.
 
You could look at yubikey instead of RSA, RSAs recent security issues would put me off their product right now. It's a slightly different product but it's robust and reliable and isn't too much hassle to integrate.

I'd also say a certificate is a really poor second factor, for a number of reasons:

- If a user's machine gets compromised, the attacker just needs a copy of the certificate and a keylogger installed. Then your protection is void.

- Certificates, being digital, are easily copied; you have no means of knowing if somebody else has a copy of it. If you have a physical token then you can be sure nobody else does.

- Certificates will eventually get used on personal and public machines and not get properly removed. Therefore the risk of copying is pretty high.

Basically, they're not particularly secure and managing them effectively is a real pain; hardware tokens are far more effective.
 
As a middle ground it might be worth looking into something like Portwise to provide two-factor authentication using SMS. I'd agree with bigredshark about certificates not being that secure.
 
RSA is stupidly expensive. We had a quick play around with 'phone factor', which calls your phone and you have to press a button when it plays the message to authenticate you. Works pretty well and wasn't that expensive when we were looking. They were pretty helpful too, setting up a trial with credit and what not. One-time SMS or phone calls are pretty handy as most people have a phone on them these days. We're pretty much stuck with RSA at the moment, but I dread to think about the masses of tokens that expire over the next year :(
 
Have used Signify as an RSA provider at a previous employer and the costs weren't too bad.

Current employer uses a different brand of token, SafeNet or SafeWord or something; no idea if it's built on RSA though.

Yeah, the recent security issues they have had have dented their reputation quite a bit, but it's still not a bad solution.

I'm by no means loyal to the brand though, anything else that does the same job is a good bet, and even better if it's more cost effective :)
 
pfSense 2 offers a great OpenVPN implementation that is 100% free; you just have to pay for the server for pfSense to sit on. It works with LDAP and offers client packages that can be downloaded, ready to be installed onto the client PCs, preconfigured to work with that user account.

Found a video on YouTube; this has been further updated now that it is final.
