Wednesday, 16 September 2009

HA deployment of IAG, using CLB

I spent the last couple of days in Wakefield, helping out a reseller with a highly available deployment of Celestix WSA appliances using Celestix Load Balancers. Thanks for the company David!! :)

We started by configuring the Celestix Load Balancer (also known as CLB). After configuring the solution, we were informed that the internet lines would be a number of weeks away, and we would not know whether the IPs that would be provided would be external internet-facing IP addresses or NAT'd internal addresses. Why would this be an issue?

Well, the customer wanted four IAG portals to be created, and each portal would have to be created on both appliances. With the CLB in front of the IAG appliances, the way the IP addresses are presented will impact how the solution is deployed.

If the addresses are external facing, we would need 12 external IP addresses, three for each portal (one on each appliance, and one for the virtual IP). If the addresses are NAT'd, then there would only be a need for one external address as the virtual IP on each portal.

We only configured one IAG appliance, and then backed up and restored the configuration on the second IAG appliance. Obviously the IP addressing needs to be changed, and the certificate information to be modified, but that was pretty much it.

We were deploying OWA, Sharepoint, Citrix, Mapped Drives, File Access, RDP and an IIS based intranet site.

From an authentication perspective, we looked at AD, AD & HOTPin, AD & Vasco Middleware (RADIUS) and just HOTPin. As expected, the authentication methods were straightforward and I got a chance to use HOTPin a bit more. We configured HOTPin on the primary box, and had the secondary box referencing the primary box. You only have to allow port 10000 access between the appliances, and using local administration credentials is fine. The only pain was HOTPin not scanning AD correctly in subtrees, which means each OU would need to be defined when importing users, but I'll let Celestix know about that.

We also encountered the Java issue, so that was resolved using the fix from one of my previous blog posts.

We can only complete the deployment, once we know how the IPs will be presented.... which will also impact the way we can balance the load (do we use DSR or not, VRRP, Loopback adapter configuration, etc, etc).... Let's see!


Tuesday, 8 September 2009

IAG & VASCO?

Another search phrase that I thought I could answer!

Yes, IAG will work with VASCO!

VASCO Middleware and Identikey use the RADIUS protocol, and RADIUS can be configured as one of the authentication methods on IAG.

You will need to define the VASCO server, along with the correct ports and shared secret.

I would configure Windows AD authentication and VASCO, so the user would need to login with AD username, AD password and VASCO one time password.

In the past, I have installed VASCO Middleware on the IAG appliance, but this would be subject to the number of users/tokens required. Unless you are looking at single figures of VASCO tokens, I would recommend that the VASCO server be installed somewhere else.
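To show what the "correct ports and shared secret" actually do on the wire, here is an added example (not from this post, IAG or VASCO) that builds a RADIUS Access-Request as defined in RFC 2865: the AD username goes in User-Name, the one-time password goes in User-Password, and the shared secret is what hides that password in transit. The username, OTP, NAS identifier and secret are constructed values.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute type numbers.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IDENTIFIER = 32


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator.
    Without the shared secret a listener cannot recover the OTP from the packet."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # the chain continues from the ciphertext block
    return hidden


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (e.g. VASCO) performs it.
    Trailing NUL padding is stripped, so passwords may not end in NUL bytes."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, username: bytes,
                         otp: bytes, nas_id: bytes, authenticator: bytes = None) -> bytes:
    """Assemble the datagram a RADIUS client such as IAG would send to UDP 1812."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, otp))
             + attribute(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs
```

The hiding is MD5-based and keyed only by the shared secret, so the secret should be long and random, and the IAG-to-VASCO RADIUS traffic should stay on a trusted internal segment.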


Monday, 17 August 2009

Authentication...

I was giving a web demonstration today and the conversation turned to authentication.

They currently run VASCO, but found it a bit of a hassle having to issue and manage tokens, and it would not allow for a pandemic situation, where there would be a need for more people than usual to have access to a remote solution.

There was mention of some solutions that relied on grids, picture, icons, keys on screens or security questions.

I had to take a step back and talk about two factor authentication, which should be:
  • Something you know - Username, password, passphrase, answers to static questions
  • Something you are given - One time password, digital certificates
  • Something you are - Biometrics, such as fingerprint, iris scan

Two factor authentication is made up of two of the above.

If you are using a solution that still relies on something you know, such as your username and password, along with a picture/icon you know, it surely is still just one factor of authentication, albeit a strong one. This may stop brute force attacks or keyloggers, but all the security is based on information you know. As we all know, security is normally compromised by the human element!

Although it can be an administrative overhead running a Vasco solution, you don't have to pre-issue the tokens. Send an unassigned token to the user, and get them to log into a self assignment website. This will obviously remove the need for the administrator to go through the time consuming process of assigning a token and then posting it out to a user. There is also a security concern as the token is already assigned, and the user details are probably on the envelope!!

VASCO can work with an existing RADIUS server, which is normally considered "AAA" or triple A. The "AAA" stands for Authentication, Authorisation and Accounting. The VASCO server will carry out the Authentication component, but a RADIUS server can then deal with the authorisation and the accounting. This way we can be sure of who the user is, what services they can access and account for what they have used.

There was also a comment about not liking hard tokens, so why not use VASCO tokens that run on mobile phones, soft tokens to run on a computer, or an SMS solution to text the one time password out to mobiles.


Friday, 7 August 2009

More VASCO qualifications!

Today's training course went very well and I feel confident that it gives enough information to the attendees to get installing and using the product immediately!

The exam covers all aspects learnt in the last two days and is an open book exam which I know some people love and some people hate. I have to say that in the "real world" you'd be able to look at the product, speak to people, refer to manuals, use Google, etc, so I agree with open book exams.

Fortunately, I passed the exam to gain more VASCO qualifications. That now means I'm a VASCO Certified Engineer (VCE) for Middleware 3.0, aXsGUARD 7.0 and now Identikey 3.1. As I passed with over 80%, it also qualifies me to carry out training in this product as well.

e92plus are now an Authorised Training Centre for VASCO Identikey, as well as an ATC for Websense and Cyberoam.

We'll start to run the certified training course for VASCO Identikey 3.1 from September 2009, so I may see you soon! :)


Thursday, 6 August 2009

VASCO Training

Who is the world's largest two factor token provider?

RSA?? Nope, although that's probably the answer, if you spoke to someone in the UK or US.

Speak to someone in Europe or from the banking industry, then the answer would be.... VASCO!

VASCO provide tokens to commercial banking worldwide, and in fact to all verticals, and as such have more functioning tokens in the real world than any other token provider.

I spent today in technical training, learning more about VASCO Identikey 3.1. Vasco is one of the vendors that we distribute for at e92plus.

Initial reaction is that it's much better structured than the old VASCO Middleware 3.0 course. I'd highly recommend this course for someone new to two factor authentication, as well as someone who has experience of other solutions.

Advantages over Middleware, include a web interface, reporting, much improved AD integration and a SOAP interface. More to come tomorrow, along with an exam!!
