Archive for the '2 Factor Authentication' Category

27 Aug 09

Two-Factor Authentication

Secure remote access on an enterprise scale often means supporting two-factor authentication (2F), which identifies both the device and the person. With NCP engineering’s VPN client, enterprises can use any combination of 2F factors they want – OTPs (one-time passwords), biometrics, PKI certificates, etc. Specifically, the NCP Secure Enterprise Client integrates fully with:

  • Any hardware OTP token, such as RSA SecurID, Vasco Digipass, Aladdin Safeword, and OTP Mobile by T-Systems and T-Mobile
  • Most software OTPs on the market
  • All major biometric devices that use the PKCS #11 standard
  • Every PKI-based certificate, including multiple certificate / trust center support with a single client

We’ll keep this list updated as more are added. Let us know if you would like to see other devices / software integration (you never know, NCP just might do it!).

22 Jul 09

Where do you keep your VPN Gateway?

We’re following a great discussion on LinkedIn about where to keep a VPN gateway – in the DMZ or directly on the LAN. Pros and cons are argued for both sides (mostly pro-DMZ), and we’d like to hear your views on this debate. The views split over admin setup effort versus effective security.

Placing the gateway within the DMZ provides an extra security cushion, at the cost of significant admin work on the firewall settings. Of interest to us was Joerg Gerschuetz’s comment:

So to allow the full LAN access to legitimate VPN users you simply have to implement an ‘allow IP-Pools LAN-IPs any’ rule in the inner firewall. And make sure that these VPN-IP-pools are blocked at the outer firewall. So security relies on your VPN authentication method and robustness, but with a multi-factor authentication this is a valid approach from my perspective.

The DMZ also gives network admins the comfort of knowing that even if an attacker gets hold of the gateway’s static IP, they can’t get out of the DMZ and into the LAN. There’s also the issue of PCI compliance: to be compliant, the gateway has to be in the DMZ.

All agree that placing the gateway directly on the LAN bypasses the safety of the DMZ (IPS/IDS, two firewalls, etc.), although with two-factor authentication this might be acceptable.

Bottom line: placing the gateway in the DMZ is the most secure option, but it comes with the headache of managing the rules on both firewalls. Read it for yourself and comment on VPN Haus.
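To make the two-firewall design discussed above concrete, here is an added example (not code from the original post or from NCP) that models the outer and inner firewall as ordered, default-deny rule lists and evaluates a few constructed packets against them. The addresses (a VPN client pool of 10.200.0.0/16, a LAN of 10.10.0.0/16, a DMZ of 192.0.2.0/24 with the gateway at 192.0.2.10) and the interface names "wan" and "dmz" are assumptions chosen for the illustration. It shows the two rules from the quoted comment working together: the inner firewall admits decapsulated traffic from the VPN pool into the LAN, the outer firewall refuses anything from the Internet that claims a pool address, and a host in the DMZ using its own address (the "compromised gateway" case) still cannot reach the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses (RFC 1918 / RFC 5737 ranges), not from the post.
VPN_POOL = ip_network("10.200.0.0/16")    # addresses handed out to VPN clients
LAN = ip_network("10.10.0.0/16")          # internal network behind the inner firewall
GATEWAY = ip_network("192.0.2.10/32")     # the VPN gateway's static DMZ address


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on at that firewall
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "esp"
    dport: int = 0  # only meaningful for udp/tcp


def matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    if "iface" in rule and pkt.iface != rule["iface"]:
        return False
    if "src" in rule and ip_address(pkt.src) not in rule["src"]:
        return False
    if "dst" in rule and ip_address(pkt.dst) not in rule["dst"]:
        return False
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    if "dport" in rule and pkt.dport not in rule["dport"]:
        return False
    return True


def evaluate(ruleset: list, pkt: Packet) -> str:
    """First-match evaluation with an implicit default-deny at the end."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule["action"]
    return "drop"


# Outer firewall (Internet <-> DMZ): block the VPN pool as a source on the
# Internet side, and let only the tunnel protocols reach the gateway.
OUTER = [
    {"iface": "wan", "src": VPN_POOL, "action": "drop"},                    # anti-spoofing
    {"iface": "wan", "dst": GATEWAY, "proto": "udp", "dport": {500, 4500}, "action": "accept"},  # IKE / NAT-T
    {"iface": "wan", "dst": GATEWAY, "proto": "esp", "action": "accept"},   # IPsec ESP
]

# Inner firewall (DMZ <-> LAN): the 'allow IP-Pools LAN-IPs any' rule from the
# quoted comment, and nothing else from the DMZ.
INNER = [
    {"iface": "dmz", "src": VPN_POOL, "dst": LAN, "action": "accept"},
]


def outer_decision(pkt: Packet) -> str:
    return evaluate(OUTER, pkt)


def inner_decision(pkt: Packet) -> str:
    return evaluate(INNER, pkt)


# Constructed test packets for the scenarios discussed in the post.
SPOOFED_POOL_FROM_INTERNET = Packet("wan", "10.200.0.5", "10.10.0.20", "tcp", 445)
IKE_TO_GATEWAY = Packet("wan", "203.0.113.7", "192.0.2.10", "udp", 500)
SSH_TO_GATEWAY_FROM_INTERNET = Packet("wan", "203.0.113.7", "192.0.2.10", "tcp", 22)
DECAPSULATED_VPN_TO_LAN = Packet("dmz", "10.200.0.5", "10.10.0.20", "tcp", 445)
COMPROMISED_GATEWAY_TO_LAN = Packet("dmz", "192.0.2.10", "10.10.0.20", "tcp", 22)


def scenarios() -> dict:
    """Decision for each scenario at the firewall that sees the packet."""
    return {
        "spoofed pool address from Internet (outer)": outer_decision(SPOOFED_POOL_FROM_INTERNET),
        "IKE to gateway from Internet (outer)": outer_decision(IKE_TO_GATEWAY),
        "SSH to gateway from Internet (outer)": outer_decision(SSH_TO_GATEWAY_FROM_INTERNET),
        "decapsulated VPN client to LAN (inner)": inner_decision(DECAPSULATED_VPN_TO_LAN),
        "gateway's own address to LAN (inner)": inner_decision(COMPROMISED_GATEWAY_TO_LAN),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

The anti-spoofing rule at the outer firewall is what makes the inner rule safe: without it, an Internet host could stamp a pool address on a packet and have the inner firewall wave it through. The last scenario is the point made about a compromised gateway: traffic sourced from the gateway's own DMZ address matches no inner rule and is dropped, so the LAN is only reachable by traffic that was authenticated into the tunnel.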