Discuss the challenges with our old VPN system Show what we - PowerPoint PPT Presentation

ž Discuss the challenges with our old VPN system ž Show what we replaced it with ž Demo

ž IT administrators and engineers ž Faculty accessing research material ž Staff from Registrar, Admissions Counselors, and Business Divisions

ž How many here have a VPN system? ž Who has a 2-factor authentication system integrated with VPN?

ž Is a way of confirming someone’s identity by challenging them with two separate methods › Something you know (username/password) › Something you have (token)

ž Windows Point-to-Point (PPTP) VPN ž Strikeforce ProtectID Out-of-Band authentication ž Connection Process › User initiates a VPN connection › ProtectID verifies credentials and initiates a call-back › User answers their phone and confirms connection

ž Wide compatibility with devices ž No need to purchase hardware tokens ž No having to setup/use software tokens Benefits ž Integration possible for IPSec and SSL VPN systems ž Call back process can be cumbersome ž Difficult/Impossible to use overseas Limitations

ž Simplified VPN connection solution ž Can be used without the need of a phone call ž Can work with PC and smart devices ž More secure and managed connection

New Firewall with VPN

ž Built-in SSL-VPN & IPSec Support of end users ž Supports Windows, OS X, Linux, iOS 4.0+, Android 4.0.3+ ž No license limit for # of users* ž Authentication integrates easily with Active Directory, LDAP, or RADIUS servers

ž Can use HIP Profiles to control access › *Subscription license required ž Limitations: › No 2-factor Authentication

New 2 nd -Factor Authentication system

ž Founded in 2007 ž Seeking FIPS certification ž Open source server compnents ž Uses 128 bit AES encryption ž Tamper proof casing

ž Provides 2-Factor authentication ž Generates OTP and types it in for you ž Supported by Windows, OS X, Linux… ž Supports Yubico OTP, OATH-HOTP, Challenge Response, & Static Passwords

ž OTP generator available for iOS and Android › If you need to VPN from a phone or tablet ž No support for other platforms at this time (i.e. Windows Phone, Blackberry, …) ž Only works with YubiRADIUS. No official YubiCloud support

ž Free and easy web API integration ž Removes complexity of managing a validation service YubiCloud ž Claimed 100% availability since 2010 ž Free virtual appliance for remote access ž Integrates with Active Directory or LDAP YubiRAIDUS ž Uses local key storage module or hardware security module ž Or can use YubiCloud as back-end 2nd- factor authentication

ž Free virtual appliance in OVF or VMWare formats › Small resource footprint ž Automatic provisioning of YubiKeys to users ž Redundancy by utilizing two servers and enabling synchronization

Easy as 1-2-3

ž Import OVF template ž Configure network settings ž Secure root and yubikey account passwords ž Configure Authentication back- end (local or Yubicloud) ž Configure global key provisioning options

ž Add Domain ž Import desired users from Active Directory or LDAP ž Configure domain level key provisioning options ž Add RADIUS clients

ž Reprogram YubiKeys with new identities ž Upload YubiKey information to server ž Assign Yubikeys to users

ž Point Firewall/VPN server to YubiRADIUS server ž Use client secret from earlier

ž Download/Install VPN Client ž Initiate login ž Credentials required Username: <Bellarmine username> › Password: <Bellarmine password><Yubikey OTP> › ž Connected

ž “Love this new system…” ž “…I wholeheartedly think this solution should completely replace the callback solution. “

Tony Morrow amorrow@bellarmine.edu Bellarmine University