[CALUG] seeking RSA advice -- RSA "SecurID" perhaps?

Bryan J Smith b.j.smith at ieee.org
Wed Jul 1 00:01:38 EDT 2009

On Tue, 2009-06-30 at 22:41 -0400, benalgo at speakeasy.net wrote:
> Wow, Thanks Bryan !

Don't thank me yet, I haven't done anything, made assumptions, and may
be totally off-the-mark.  ;)

> Sorry for the ambiguity.

Dude, it happens.  Right now I'm deep into SAS solutions, trying to find
out the exact modules in use, how the scheduling is done, data sets,
etc... and all people say to me is, "oh, we're just doing SAS."  ;)

[ SAS is a company name as well ;]

> Based on my limited knowledge in this area (mostly being an app developer), 
> per the direction of our boss we were told to explore RSA two-factor remote 
> access solutions.
> Hence, the "RSA" solutions we were exploring were those offered by the RSA EMC 
> subsidiary.
> We are considering the (SecurID) token fobs (non-USB) and either the 
> server or the appliance back-end solution.

What justification did the "app developer" give for exclusively looking
at an RSA solution?  You need a multi-factor RAS solution with, I
assume, hardware at the client and, ideally, server.

There are SmartCard and other solutions out there that are
vendor-agnostic.  E.g., the US military doesn't like single vendor
lock-in solutions, hence why they've tapped Red Hat regularly.  ;)

> Currently we use tokenless Sonicwall VPN.

Many organizations use similar Internet security products, typically a
single appliance without much defense-in-depth.

> We're mostly a MS development shop so we would integrate into AD.

But RSA doesn't natively.  AD utilizes one of:
- Legacy NTLM (simplistic hashes)
- MIT Kerberos (DES and, in newer AD, AES)
- X.509 Certificates (various asymmetric, symmetric and hash options)

AD is a rip of Michigan LDAP, as is Netscape iPlanet (who hired the
original Michigan developers -- iPlanet code is now GPL/MPL c/o Red
Hat), paired with the above, native options.  RSA offers either software
plug-ins or an external solution (RADIUS and other things) for AD,
iPlanet/Red Hat DS, etc...

Novell (own DAP + RSA) and Sun One (iPlanet, but with RSA added) support
RSA natively.

> We'd like to do this ourselves, if possible. My colleague was exploring the 
> actual pricing/procurement and it seemed like you are directed to the VAR 
> channel, where you buy the HW, setup services and maintenance agreement.

Given the complexity, that is typical.  Most shops don't have the
knowledge.  In all honesty, since you're an AD shop, I'd look at just
leveraging its enterprise certificate services (CS) and smart cards.
The CS/smart card options also exist for non-AD as well.

RSA is often liked because you just add the 6-digit token to the end of
your password, and that's something that can be parsed out in a stream.
There are positives and negatives to doing it.  Most of the time, RSA
gets the nod out of "familiarity."

But it's a single vendor lock-in detail.

Bryan J  Smith     Professional, Technical Annoyance 
Linked Profile:   http://www.linkedin.com/in/bjsmith 
      Fission Power:  An Inconvenient Solution       
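The "append the 6-digit token to your password and parse it back out" pattern that Bryan describes above is what a RADIUS or VPN front-end actually does with a passcode. The following is an added example, not code from the post or from RSA: it uses HOTP (RFC 4226) as a stand-in for the fob's proprietary algorithm, since the page says nothing about how SecurID computes its codes. Everything else is the integration pattern from the mail: one submitted string, split into static password and token, each factor checked separately with constant-time comparisons, and the token counter advanced so a captured passcode cannot be replayed. The seed is the RFC 4226 test-vector secret, the salt, password and look-ahead window are constructed for the example.

```python
"""Password + one-time-token ("passcode") splitting and verification.

Added example, not from the original post. The token algorithm is HOTP
(RFC 4226), standing in for whatever the RSA SecurID fob does; the point
demonstrated is the integration pattern from the mail: the client appends
a 6-digit token to its static password, and the authentication front-end
parses the token back out of that single string before checking each
factor separately.
"""
import hashlib
import hmac
import struct

TOKEN_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_passcode(submitted: str, digits: int = TOKEN_DIGITS):
    """Parse 'password + token' into its two parts.

    The token is fixed-length and always at the end, so the split is
    unambiguous even when the static password itself ends in digits.
    Returns (password, token), or None if no well-formed token is present.
    """
    if len(submitted) <= digits:
        return None
    password, token = submitted[:-digits], submitted[-digits:]
    if not token.isdigit():
        return None
    return password, token


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash (PBKDF2-HMAC-SHA256) for the static factor.
    Iteration count is illustrative, not tuned for production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenUser:
    """Per-user state: password hash, token seed, next expected counter."""

    def __init__(self, password: str, seed: bytes, counter: int = 0):
        self.salt = b"constructed-salt"  # constructed for the example
        self.password_hash = hash_password(password, self.salt)
        self.seed = seed
        self.counter = counter


def verify_passcode(user: TokenUser, submitted: str, look_ahead: int = 3) -> bool:
    """Check both factors; advance the counter on success so a replayed
    passcode is rejected. Both comparisons are constant-time."""
    parts = split_passcode(submitted)
    if parts is None:
        return False
    password, token = parts
    password_ok = hmac.compare_digest(
        hash_password(password, user.salt), user.password_hash)
    # Search a small window for a fob that has drifted ahead, but never
    # accept a counter value already consumed (replay protection).
    matched = None
    for c in range(user.counter, user.counter + look_ahead):
        if hmac.compare_digest(hotp(user.seed, c), token):
            matched = c
            break
    if not password_ok or matched is None:
        return False
    user.counter = matched + 1
    return True


if __name__ == "__main__":
    user = TokenUser("hunter2", b"12345678901234567890")
    print(verify_passcode(user, "hunter2" + hotp(user.seed, 0)))  # True
    print(verify_passcode(user, "hunter2" + hotp(user.seed, 0)))  # False: replay
```

The split is done from the end of the string precisely because the token length is fixed; parsing from the front would break for any password that happens to end in digits. Note also that a failed attempt never moves the counter, so an attacker cannot desynchronise a user by guessing.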
