2-Factor Authentication with SSL-VPN and Yubikey Token - AIKCU.org
› Discuss the challenges with our old VPN system
› Show what we replaced it with
› Demo

› IT administrators and engineers
› Faculty accessing research material
› Staff from Registrar, Admissions Counselors, and Business Divisions

› How many here have a VPN system?
› Who has a 2-factor authentication system integrated with VPN?
Two-factor authentication is a way of confirming someone’s identity by challenging them with two separate methods:
  › Something you know (username/password)
  › Something you have (token)
› Windows Point-to-Point (PPTP) VPN
› Strikeforce ProtectID out-of-band authentication
› Connection process:
  › User initiates a VPN connection
  › ProtectID verifies credentials and initiates a call-back
  › User answers their phone and confirms the connection

Benefits:
  › Wide compatibility with devices
  › No need to purchase hardware tokens
  › No having to set up/use software tokens
  › Integration possible for IPSec and SSL VPN systems
Limitations:
  › Call-back process can be cumbersome
  › Difficult/impossible to use overseas

› Simplified VPN connection solution
› Can be used without the need of a phone call
› Can work with PC and smart devices
› More secure and managed connection

New Firewall with VPN

› Built-in SSL-VPN & IPSec support for end users
› Supports Windows, OS X, Linux, iOS 4.0+, Android 4.0.3+
› No license limit for # of users*
› Authentication integrates easily with Active Directory, LDAP, or RADIUS servers
› Can use HIP Profiles to control access
  › *Subscription license required
Limitations:
  › No 2-factor authentication

New 2nd-Factor Authentication system
› Founded in 2007
› Seeking FIPS certification
› Open source server components
› Uses 128 bit AES encryption
› Tamper proof casing
› Provides 2-factor authentication
› Generates OTP and types it in for you
› Supported by Windows, OS X, Linux…
› Supports Yubico OTP, OATH-HOTP, Challenge Response, & Static Passwords

› OTP generator available for iOS and Android
  › If you need to VPN from a phone or tablet
› No support for other platforms at this time (e.g. Windows Phone, Blackberry, …)
› Only works with YubiRADIUS. No official YubiCloud support
YubiCloud
  › Free and easy web API integration
  › Removes complexity of managing a validation service
  › Claimed 100% availability since 2010
YubiRADIUS
  › Free virtual appliance for remote access
  › Integrates with Active Directory or LDAP
  › Uses local key storage module or hardware security module
  › Or can use YubiCloud as back-end 2nd-factor authentication
› Free virtual appliance in OVF or VMware formats
  › Small resource footprint
› Automatic provisioning of YubiKeys to users
› Redundancy by utilizing two servers and enabling synchronization

Easy as 1-2-3

› Import OVF template
› Configure network settings
› Secure root and yubikey account passwords
› Configure authentication backend (local or YubiCloud)
› Configure global key provisioning options

› Add Domain
› Import desired users from Active Directory or LDAP
› Configure domain-level key provisioning options
› Add RADIUS clients

› Reprogram YubiKeys with new identities
› Upload YubiKey information to server
› Assign YubiKeys to users

› Point Firewall/VPN server to YubiRADIUS server
› Use client secret from earlier

› Download/Install VPN Client
› Initiate login
› Credentials required
  › Username:
  › Password:
› Connected
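The slides describe the YubiCloud web API integration and the user-side login flow but not what the RADIUS server actually does with the credentials. The following is an added example (not the presenter's, Yubico's, or the appliance's code) of that server-side flow in Python: it assumes the common deployment where the user types the static password immediately followed by the 44-character Yubico OTP in the password field, checks that the OTP's 12-character public id is the key assigned to that user, and then runs a YubiCloud-style signed verify exchange. The API key, the user-to-key table and the validation server's reply are constructed stand-ins; the signing rule (HMAC-SHA1 over alphabetically sorted `k=v` pairs, base64-encoded, with `h` excluded) is the one the public validation protocol uses.

```python
import base64
import hashlib
import hmac
import secrets

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # the 16 ModHex characters a YubiKey types
OTP_LEN = 44                           # 12-char public id + 32-char AES-128 encrypted token
PUBLIC_ID_LEN = 12

# Constructed values for this example only: a fake API key and a fake
# user-to-key assignment table standing in for the RADIUS server's database.
API_KEY_B64 = base64.b64encode(b"constructed-key!").decode()
ASSIGNED_PUBLIC_IDS = {"jdoe": "cccccccccccc"}   # username -> YubiKey public id


def split_credentials(password_field):
    """Split 'static password immediately followed by OTP' into its two parts.

    Returns (static_password, otp), or None when no well-formed OTP is present.
    """
    if len(password_field) < OTP_LEN:
        return None
    static, otp = password_field[:-OTP_LEN], password_field[-OTP_LEN:]
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        return None
    return static, otp


def public_id(otp):
    """The first 12 ModHex characters identify the key; the rest is the encrypted token."""
    return otp[:PUBLIC_ID_LEN]


def key_belongs_to(username, otp):
    """Reject an OTP that came from a key not assigned to this user."""
    return ASSIGNED_PUBLIC_IDS.get(username) == public_id(otp)


def sign(params, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', base64-encoded.

    Both the verify request and the server's reply are signed this way; 'h' is excluded.
    """
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_request(client_id, otp, api_key_b64, nonce=None):
    """Parameters the RADIUS server sends to the validation service."""
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    return params


def constructed_reply(request, status, api_key_b64):
    """Stand-in for the validation server's 'key=value' reply (constructed here)."""
    fields = {"t": "2014-01-01T00:00:00Z0000", "otp": request["otp"],
              "nonce": request["nonce"], "sl": "100", "status": status}
    fields["h"] = sign(fields, api_key_b64)
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def check_reply(body, request, api_key_b64):
    """True only if the reply is correctly signed, echoes our otp and nonce, and says OK."""
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    if "h" not in fields:
        return False
    if not hmac.compare_digest(sign(fields, api_key_b64), fields["h"]):
        return False                      # forged or altered reply
    if fields.get("otp") != request["otp"] or fields.get("nonce") != request["nonce"]:
        return False                      # reply belongs to some other request
    return fields.get("status") == "OK"   # REPLAYED_OTP, BAD_OTP, ... are rejections


def authenticate(username, password_field, static_password_ok, send_request):
    """RADIUS-side flow: split, bind key to user, verify static password, validate OTP."""
    parts = split_credentials(password_field)
    if parts is None:
        return "REJECT: no OTP"
    static, otp = parts
    if not key_belongs_to(username, otp):
        return "REJECT: key not assigned to user"
    if not static_password_ok(username, static):
        return "REJECT: bad password"
    request = build_verify_request("1", otp, API_KEY_B64)   # "1" is a placeholder client id
    if not check_reply(send_request(request), request, API_KEY_B64):
        return "REJECT: OTP not validated"
    return "ACCEPT"
```

The two callbacks keep the example offline: `static_password_ok` stands in for the Active Directory or LDAP bind and `send_request` for the HTTPS call to the validation service. The order of checks matters: the key-to-user binding is tested before anything is sent, so a valid OTP from someone else's key is rejected locally, and the reply's signature, nonce and echoed OTP are all checked before its status is trusted.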
“Love this new system…”
“…I wholeheartedly think this solution should completely replace the callback solution.”

Tony Morrow
amorrow@bellarmine.edu
Bellarmine University