IPsec and User Authentication

David Gillett dgillett at NIKU.COM
Wed Feb 14 15:06:48 EST 2001


> Mainly, I've used Cisco based VPN technologies (router/PIX and 3000
> concentrator).  The best choice for authentication is the 3000
> concentrator.
> You can have it authenticate directly to an NT database or tacacs server.
> Perfect. However, it can be very expensive.

  Authenticating against NT was one of the things that attracted us to the
3000.  The bulk of our users find two account/password combinations taxing,
and 3 or 4 would simply be impractical to support.  [Yes, I know that
different passwords on different systems should limit the scope of an
account compromise, but real-world users see our network as one
"system"....]
  Although the up-front hardware cost of the 3000 was on the high side for
the scale of device we needed, we were attracted by the scope for growth and
by the client licensing; we concluded that on a TCO basis, it was actually
quite competitive.

> As for authenticating the clients that terminate at a router or VPN, most
> implementations that I have seen/done have been simply pre-shared keys
> with either a local username and password at the PIX or router or a Tacacs
> server.  People choose this over certs and other authentication methods
> because it is easy to deploy on a large scale.  Simply export/import the
> client policy to a new machine, etc.

  Ease of deployment counts for a whole lot, especially when the person on
the other end is of unknown/limited background -- and, in the case of an
extranet, may not even be an employee of the same company.  Again, we know
how to make things more secure, but only by depressing usability beyond the
current critical threshold.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of BHaney
Sent: Tuesday, February 13, 2001 9:06 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: IPsec and User Authentication


As a consultant, I've set it up with a variety of different authentication
policies.  But usually people want something that is low administration and
transparent.  Most travelling sales people or the CEO who wants to VPN in
from home don't want to deal with the problems associated with extensive
authentication.

Mainly, I've used Cisco based VPN technologies (router/PIX and 3000
concentrator).  The best choice for authentication is the 3000 concentrator.
You can have it authenticate directly to an NT database or tacacs server.
Perfect. However, it can be very expensive.

As for authenticating the clients that terminate at a router or VPN, most
implementations that I have seen/done have been simply pre-shared keys with
either a local username and password at the PIX or router or a Tacacs
server.  People choose this over certs and other authentication methods
because it is easy to deploy on a large scale.  Simply export/import the
client policy to a new machine, etc.

I've worked with quite a few reputable companies and you would be surprised
at how lax the security is simply because they don't want the hassle of
synchronizing databases, etc.

That's my experience.


-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Tina Bird
Sent: Tuesday, February 13, 2001 8:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: IPsec and User Authentication


Hi all --

I am in the middle of revising my VPN tutorial (the
USENIX/SANS class), and in looking at the IPsec
section a question has arisen.

How many of you are using IPsec for remote access
VPN -- that is, for replacing dial-ups for individual
users, rather than site-to-site?  If you are, what
are you doing for user authentication?

The book answers seem to be user-based digital
certificates (if you've got some way to associate
them with a user rather than a machine), one of the
"hybrid" authentication mechanisms (XAUTH and its
relatives), or some layering of IPsec with protocols
like PPTP or L2TP (which include "traditional" user
authentication support).  But I'm curious to see
what people who are really >doing< it are doing.

Thanks for any info.  For those who are curious,
I will post results to the list -- and if you really
want to get the gory details, I'll be teaching the
class at SANS in Baltimore in May.

cheers -- tbird

VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com
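The two approaches the thread contrasts, one group pre-shared key for every client plus a username/password check (the PIX/router/3000 setups above) and per-user certificates (the first of the "book answers"), look like this when written as two road-warrior profiles in a modern strongSwan ipsec.conf. This is an added example, not configuration from any of the posters: the gateway name vpn.example.com, the subnets, the certificate file names, the CA DN and the RADIUS backend are assumptions, and strongSwan itself postdates the thread (a 2001 deployment would have used FreeS/WAN or the vendor's client).

```ini
# Added example (not from the thread): strongSwan ipsec.conf on a gateway
# called vpn.example.com (hypothetical). Two remote-access profiles side by side.

config setup

# Profile 1: IKEv1 with one group pre-shared key shared by every client, plus
# XAUTH for the per-user username/password. This is the "pre-shared key with a
# local username and password or a TACACS server" setup the thread describes:
# easy to roll out, because the same key sits in every exported client policy,
# but the PSK only proves membership of the group. The user is identified by
# the XAUTH credential alone, here checked against a RADIUS server (assumed).
conn rw-psk-xauth
    keyexchange=ikev1
    aggressive=yes              # aggressive mode: client sends its group ID first
    left=%defaultroute
    leftid=@vpn.example.com
    leftsubnet=10.0.0.0/8       # assumed corporate network
    leftauth=psk
    right=%any
    rightauth=psk
    rightauth2=xauth-radius     # second round: XAUTH username/password to RADIUS
    rightsourceip=10.99.1.0/24  # virtual IP pool handed to clients (assumed)
    auto=add

# ipsec.secrets for profile 1 (one line for everybody; with xauth-radius the
# per-user passwords live on the RADIUS server instead of in this file):
#   @vpn.example.com %any : PSK "group-secret-goes-here"

# Profile 2: IKEv2 with a certificate on the gateway and a certificate per
# user on the client. The certificate is only a *user* credential if the
# identity it carries (an e-mail address or user name in the certificate,
# not the machine's hostname) is what the gateway binds the session to;
# rightid=%any tells strongSwan to take that identity from the client's cert,
# and rightca restricts which issuing CA is trusted for it.
conn rw-ikev2-usercert
    keyexchange=ikev2
    left=%defaultroute
    leftcert=vpnGwCert.pem      # assumed file name
    leftid=@vpn.example.com
    leftsubnet=10.0.0.0/8
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightid=%any                # identity comes from the client certificate
    rightauth=pubkey
    rightca="C=US, O=Example Corp, CN=Example User CA"   # assumed DN
    rightsourceip=10.99.2.0/24
    auto=add
```

Both profiles can coexist on one gateway; the daemon picks the conn by IKE version and the peer's authentication method. The operational difference is the one the posters are weighing: in profile 1, changing the group PSK means re-exporting the policy to every client, which is exactly the export/import step described above, while in profile 2 a single user is cut off by revoking one certificate, without touching anyone else's client.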

VPN is sponsored by SecurityFocus.COM
