Better security with dual password control to UAG portal pages (RSA, SAFEWORD style security)

  • Question

  • I just thought I would post my observations and thoughts on the topic of 2-factor authentication when applied to UAG (and in my case, Citrix Access Gateway). About 2 years ago, we implemented UAG 2010 and to harden the internet access to this portal, we implemented RSA 2-factor security using a couple of RSA security appliances and we issued staff with RSA tokens.

    Our users hate the tokens since they are fiddly, and somehow dissuade ad hoc access to our remote working systems. Then of course RSA had a bit of a security 'blip' last year (http://en.wikipedia.org/wiki/SecurID), which did not exactly endear me to the company and finally, the tokens we purchased begin to expire very soon, incurring a significant cost to replace.

    So, the point of my posting is to say that it took me just a couple of weeks to build a RADIUS 'PIN' server (using the industry-standard FreeRADIUS open source software) and a bit of PHP to implement a self-service portal to allow users to select simple 4-digit PINs.

    This RADIUS server is now working *perfectly* with UAG 2010 SP1 Update 1, and Citrix Access Gateway, ensuring that users must know their AD username/pwd plus a PIN in order to access the company remote working systems. I'm about to cut over our live systems from RSA to PIN, and throw away our RSA appliances. Really... 

    Now, I'm sure that some folk will say "That's not 2-factor authentication" - that's true, since you don't need to have physical possession of an RSA token device, instead just a PIN must be remembered, but if your security needs are not military or banking, then you probably don't need 2FA, but instead just need to stop breaches caused by staff who insist on using easily guessable passwords such as "Password1"! (this example is allowed by our AD password complexity filter)

    I'd *strongly* encourage anyone who is considering putting UAG 2010 or Citrix Access Gateway onto the internet with only Active Directory security to consider that there are legions of hackers from you-know-where who are continually attempting to guess their way into Western companies' internet portals, so if you cannot justify RSA, SafeWord et al., put together a cost-free PIN server instead!

    Happy to advise anyone wishing to do this.

    Tuesday, March 13, 2012 2:15 PM
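The post above describes the PIN server only at the level of "FreeRADIUS plus a bit of PHP". The following is an added example, written for this page and not the poster's code or FreeRADIUS's, that shows what such a server actually does on the wire: it decodes a PAP Access-Request (the User-Password attribute is obfuscated with the RFC 2865 section 5.2 MD5 chaining, not sent in clear), compares the PIN, and builds an Access-Accept or Access-Reject with a correct Response Authenticator, which is what the gateway uses to verify that the reply came from a server holding the shared secret. It also includes the one control a 4-digit PIN cannot do without: with only 10,000 possible values, the server has to stop evaluating guesses for a user after a small number of failures. The shared secret, the user "alice", her PIN, the `MAX_FAILURES` value and the assumption that the gateway sends the PIN as the RADIUS User-Password are all constructed for this example.

```python
"""Core of a RADIUS 'PIN server' (RFC 2865, PAP): added example, not the page's own code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows

SHARED_SECRET = b"constructed-example-secret"   # constructed; one secret per RADIUS client in practice
MAX_FAILURES = 5                                  # a 4-digit PIN has 10,000 values: stop evaluating after this many misses


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for off in range(0, len(padded), 16):
        block = _xor(padded[off:off + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_password(secret, request_auth, cipher):
    """Inverse of encrypt_password; the chain key for block n is ciphertext block n-1."""
    out, prev = b"", request_auth
    for off in range(0, len(cipher), 16):
        block = cipher[off:off + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(body):
    """Type/Length/Value list; every length is checked before it is trusted."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, username, pin):
    """What the gateway (RADIUS client) sends: assumed here to carry the PIN as User-Password."""
    request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + \
        encode_attr(ATTR_USER_PASSWORD, encrypt_password(secret, request_auth, pin.encode()))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def verify_response(secret, request, reply):
    """Client-side check that the reply was produced by a server holding the shared secret."""
    code, ident, length = HEADER.unpack_from(reply)
    expected = response_authenticator(secret, code, ident, request[4:20], reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])


class PinServer:
    def __init__(self, secret, pins):
        self.secret = secret
        self.pins = {u: p.encode() for u, p in pins.items()}   # in-memory store; a database in a real deployment
        self.failures = {}

    def check_pin(self, username, pin):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False                                        # locked: the guess is not even compared
        stored = self.pins.get(username)
        ok = stored is not None and hmac.compare_digest(stored, pin)
        if ok:
            self.failures.pop(username, None)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
        return ok

    def handle(self, packet):
        """Returns (reply code, reply bytes) for one Access-Request; raises on malformed input."""
        code, ident, length = HEADER.unpack_from(packet)
        if code != ACCESS_REQUEST or length < 20 or length > len(packet):
            raise ValueError("not a well-formed Access-Request")
        request_auth = packet[4:20]
        attrs = parse_attributes(packet[20:length])
        username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        pin = decrypt_password(self.secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
        reply_code = ACCESS_ACCEPT if self.check_pin(username, pin) else ACCESS_REJECT
        reply_attrs = b""
        auth = response_authenticator(self.secret, reply_code, ident, request_auth, reply_attrs)
        return reply_code, build_packet(reply_code, ident, auth, reply_attrs)
```

Two things worth noting about the design. A request sent with the wrong shared secret decodes to a garbage PIN and is rejected, but it still counts as a failure for that user, so a hard lockout of this kind can be turned into a denial of service against a known username; a production server would typically rate-limit or add delay per source and per user rather than lock permanently, and the PIN check is only the second gate behind the AD password that the gateway has already verified. The protocol side is unchanged from what FreeRADIUS does: the PAP obfuscation and Response Authenticator shown here are exactly the RFC 2865 constructions, which is why the shared secret must be long and per-client.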

All replies

  • For completeness, I will add the obligatory "that's not 2FA" comment :D

    Agreed that people need to assess the risk and perhaps look at 1.5-factor solutions that use images or other more friendly approaches for "a bit better security than a simple user name and password, but not full 2FA" solution.

    Often companies don't have choice though and have to adhere to regulations or compliance rules that dictate certain specific 2FA needs...

    SMS-based solutions from cloud providers are also becoming more popular where people can use their phone to replace the expensive hardware token element. Even PayPal and Google offer that now.



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, May 1, 2012 4:45 PM