Re: Securing VPN connections with tokens



I'll try to answer some of this for you.

We use the USB tokens. I also have a keychain token for myself. Both work
great. We want to limit the computers people log in from. The USB tokens
require a little client-side app to do the authentication, which prevents
users from logging in from airport kiosks or libraries. I use the keychain
token when traveling, so that if I have to log in from a computer without
the client software for troubleshooting purposes, I'm not prevented from
doing so. With that token, all I need is access to be able to create a VPN
connection from XP. (There would be nothing to prevent a user from
installing the auth software him/herself, but we trust them not to do that.)

I have not yet set Cryptocard up for OWA or RWW. I'm preparing for a swing
migration to new hardware. The old box is running ISA 2000, which will
definitely not work this way. I'm thinking that once I get to ISA 2004,
I'll be able to use Cryptocard to authenticate OWA and RWW as well as VPN.
I'm not 100% sure of that, but I'm pretty confident that Cryptocard support
will work with me to figure it out. If we can get this working, it'll be
the first 2-factor auth solution for RWW, which I would think would be a
good selling feature for them.

I looked at other companies. RSA is very small-business unfriendly - too
costly, has a 25-license minimum, the tokens expire and need to be replaced,
and it requires dedicated server hardware to run on. The cost of the server
and OS alone would easily exceed what I paid for 15 Cryptocard licenses,
without even starting to pay for RSA. Not to quote anyone's prices, but
last I knew the RSA appliance that's offered as an alternative to a
standalone server was $4500. Cryptocard's web site charges $500 for 5
users, and your reseller may even discount from that.

I looked at Aladdin smartcard tokens using Certificate Services and IAS.
This has the advantage of being all Windows, configured the way you want it.
Aladdin makes generic smartcard tokens, so there would be no 3rd party
proprietary software or hardware involved in this solution. I wanted to do
this for that reason, but time pressures intervened - there's a learning
curve for setup, and I already had a trial of Cryptocard installed and
working. FWIW, the smartcard tokens alone are not much less expensive than
the Cryptocard tokens, software, and licenses.

Another one I would have looked at is Safeword, made by Secure Computing. I
would have given this a better look if it had come to my attention sooner,
but by the time it came up I was 99% of the way there with Cryptocard.

I used Authenex for a couple of years. They're great people but I had some
reliability issues with them. E-mail me directly if you're considering
Authenex and I'll give you the details.

What made me choose Cryptocard? SBS MVP Susan Bradley referred me to Dana
Epp's blog. Although I've never met Dana, he has great credibility with me
because of Susan, so his recommendation in the blog carried a lot of weight.
His situation is very similar to mine, and he was using Cryptocard
successfully in his production environment. When I started investigating
Cryptocard, I found them to be very responsive to my inquiries. When I got
serious about it, they put me in touch with a support engineer who spent a
significant amount of time getting me up to speed. They did all of this
knowing that I could easily have chosen a different solution, but by the
time I was ready to make a decision, there were just no negatives to be
found.

Cryptocard will give you a full trial version that you can install to try it
for yourself. You'll get a software token (maybe more than one) that you
can use to log in remotely just as you would in production - it just
installs on the actual client PC rather than on the USB token or whatever.
If you decide to buy it, you just go through a little procedure to convert
the trial license to full, and you're in business. Especially if OWA and
RWW integration is important to you, that would be worth doing to see how
easy or hard that all is to configure. And when you find out, let me know.




"Dave Taylor" <noemail@xxxxxxxxx> wrote in message
news:uBS8vomIGHA.1876@xxxxxxxxxxxxxxxxxxxxxxx
> Dave,
>
> Thanks for the post this looks very interesting. I've just a few
> questions that I hope you don't mind answering for me:-
>
> What devices are you using?
> Have you been able to use the pin request on the Remote Web Workspace as
> well as the OWA page?
> Did you look at other companies (ie RSA Security devices)?
> What made you decide to use the Cryptocard?
>
> Thanks
> Dave
>
> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:%23lvTcldIGHA.1132@xxxxxxxxxxxxxxxxxxxxxxx
>>I use Cryptocard for this. They offer different types of tokens depending
>>on what you're looking for. I've only been running it for a few weeks,
>>but so far I've found it very reliable, simple, and trouble-free. I had a
>>great experience with their support department in assisting with the
>>initial installation and configuration questions, which leads me to
>>suspect that if I ever have a problem, I'll be very satisfied. You can
>>get any quantity of tokens/licenses in groups of 5, which IMO makes the
>>pricing small business friendly.
>>
>> Cryptocard: http://www.cryptocard.com/
>>
>> How I found it: http://silverstr.ufies.org/blog/archives/000833.html
>>
>>
>>
>>
>> "Dave Taylor" <noemail@xxxxxxxxx> wrote in message
>> news:us8fGYZIGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
>>> All,
>>>
>>> Does anyone use a 3rd party token to help secure vpn connections into
>>> SBS Prem with ISA? We are looking at securing a network with this type
>>> of device and just wondered if anyone has done this with SBS and got any
>>> pointers.
>>>
>>> Thanks
>>> Dave
>>>
>>
>>
>
>

