2-Factor Authentication with SSL-VPN and Yubikey Token - AIKCU.org

Discuss the challenges with our old VPNsystem Show what we replaced it with Demo

IT administrators and engineers Faculty accessing research material Staff from Registrar, AdmissionsCounselors, and Business Divisions

How many here have a VPN system? Who has a 2-factor authenticationsystem integrated with VPN?

Is a way of confirming someone’sidentity by challenging them with twoseparate methods› Something you know (username/password)› Something you have (token)

Windows Point-to-Point (PPTP) VPN Strikeforce ProtectID Out-of-Bandauthentication Connection Process› User initiates a VPN connection› ProtectID verifies credentials and initiates acall-back› User answers their phone and confirmsconnection

Wide compatibility with devices No need to purchase hardware tokensBenefits No having to setup/use software tokens Integration possible for IPSec and SSL VPNsystems Call back process can be cumbersome Difficult/Impossible to use overseasLimitations

Simplified VPN connection solution Can be used without the need of aphone call Can work with PC and smart devices More secure and managed connection

New Firewall with VPN

Built-in SSL-VPN & IPSecSupport of end users Supports Windows, OS X,Linux, iOS 4.0+, Android4.0.3+ No license limit for # of users* Authentication integrateseasily with Active Directory,LDAP, or RADIUS servers

Can use HIP Profiles tocontrol access› *Subscription licenserequired Limitations:› No 2-factorAuthentication

New 2 nd -FactorAuthentication system

Founded in 2007 Seeking FIPScertification Open source servercompnents Uses 128 bit AESencryption Tamper proof casing

Provides 2-Factorauthentication Generates OTP andtypes it in for you Supported byWindows, OS X,Linux… Supports Yubico OTP,OATH-HOTP,Challenge Response,& Static Passwords

OTP generatoravailable for iOS andAndroid› If you need to VPNfrom a phone ortablet No support for otherplatforms at this time(i.e. Windows Phone,Blackberry, …) Only works withYubiRADIUS. No officialYubiCloud support

YubiCloud Free and easy web API integration Removes complexity of managing avalidation service Claimed 100% availability since 2010YubiRAIDUS Free virtual appliance for remote access Integrates with Active Directory or LDAP Uses local key storage module orhardware security module Or can use YubiCloud as back-end 2ndfactorauthentication

Free virtual appliance in OVF or VMWareformats› Small resource footprint Automatic provisioning of YubiKeys tousers Redundancy by utilizing two servers andenabling synchronization

Easy as 1-2-3

Import OVF template Configure networksettings Secure root andyubikey accountpasswords ConfigureAuthentication backend(local orYubicloud) Configure global keyprovisioning options

Add Domain Import desired usersfrom Active Directoryor LDAP Configure domainlevel key provisioningoptions Add RADIUS clients

Reprogram YubiKeyswith new identities Upload YubiKeyinformation to server Assign Yubikeys tousers

Point Firewall/VPNserver to YubiRADIUSserver Use client secretfrom earlier

Download/Install VPN Client Initiate login Credentials required› Username: › Password: Connected

“Love this new system…” “…I wholeheartedly think this solutionshould completely replace the callbacksolution. “

Tony Morrowamorrow@bellarmine.eduBellarmine University