Discuss the challenges with our old VPN system Show what we - - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

ž Discuss the challenges with our old VPN

system

ž Show what we replaced it with ž Demo

slide-3
SLIDE 3

ž IT administrators and engineers ž Faculty accessing research material ž Staff from Registrar, Admissions

Counselors, and Business Divisions

SLIDE 4

- How many here have a VPN system?
- Who has a 2-factor authentication system integrated with VPN?

SLIDE 5

- Two-factor authentication is a way of confirming someone's identity by challenging them with two separate methods
  - Something you know (username/password)
  - Something you have (token)

SLIDE 6

- Windows Point-to-Point Tunneling Protocol (PPTP) VPN
- StrikeForce ProtectID out-of-band authentication
- Connection process
  - User initiates a VPN connection
  - ProtectID verifies credentials and initiates a call-back
  - User answers their phone and confirms the connection

SLIDE 7

Benefits:
- Wide compatibility with devices
- No need to purchase hardware tokens
- No having to set up/use software tokens
- Integration possible for IPSec and SSL VPN systems

Limitations:
- Call-back process can be cumbersome
- Difficult/impossible to use overseas

SLIDE 8

SLIDE 9

- Simplified VPN connection solution
- Can be used without the need of a phone call
- Can work with PC and smart devices
- More secure and managed connection

SLIDE 10

New Firewall with VPN

SLIDE 11

- Built-in SSL-VPN & IPSec support for end users
- Supports Windows, OS X, Linux, iOS 4.0+, Android 4.0.3+
- No license limit for # of users*
- Authentication integrates easily with Active Directory, LDAP, or RADIUS servers

SLIDE 12

- Can use HIP Profiles to control access
  - *Subscription license required
- Limitations:
  - No 2-factor authentication

SLIDE 13

New 2nd-Factor Authentication system

SLIDE 14

- Founded in 2007
- Seeking FIPS certification
- Open source server components
- Uses 128-bit AES encryption
- Tamper-proof casing

SLIDE 15

- Provides 2-factor authentication
- Generates OTP and types it in for you
- Supported by Windows, OS X, Linux…
- Supports Yubico OTP, OATH-HOTP, Challenge-Response, & Static Passwords

SLIDE 16

- OTP generator available for iOS and Android
  - If you need to VPN from a phone or tablet
- No support for other platforms at this time (i.e. Windows Phone, Blackberry, …)
- Only works with YubiRADIUS. No official YubiCloud support

SLIDE 17

YubiCloud:
- Free and easy web API integration
- Removes complexity of managing a validation service
- Claimed 100% availability since 2010

YubiRADIUS:
- Free virtual appliance for remote access
- Integrates with Active Directory or LDAP
- Uses local key storage module or hardware security module
- Or can use YubiCloud as back-end 2nd-factor authentication

SLIDE 18

- Free virtual appliance in OVF or VMware formats
  - Small resource footprint
- Automatic provisioning of YubiKeys to users
- Redundancy by utilizing two servers and enabling synchronization

SLIDE 19

SLIDE 20

Easy as 1-2-3

SLIDE 21

- Import OVF template
- Configure network settings
- Secure root and yubikey account passwords
- Configure authentication back-end (local or YubiCloud)
- Configure global key provisioning options

SLIDE 22

- Add domain
- Import desired users from Active Directory or LDAP
- Configure domain-level key provisioning options
- Add RADIUS clients

SLIDE 23

- Reprogram YubiKeys with new identities
- Upload YubiKey information to server
- Assign YubiKeys to users

SLIDE 24

- Point firewall/VPN server to YubiRADIUS server
- Use client secret from earlier

SLIDE 25

- Download/install VPN client
- Initiate login
- Credentials required:
    Username: <Bellarmine username>
    Password: <Bellarmine password><YubiKey OTP>
- Connected

SLIDE 26

- "Love this new system…"
- "…I wholeheartedly think this solution should completely replace the callback solution."

SLIDE 27

Tony Morrow, amorrow@bellarmine.edu, Bellarmine University