DIGIPASS Authentication for AEP Netilla With VASCO VACMAN Controller integrated
DIGIPASS Authentication for F5 FirePass - Integration Guideline V1.0
2007 VASCO Data Security. All rights reserved.
Page 1 of 36
Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS, VACMAN, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright 2010 VASCO Data Security. All rights reserved.
Table of Contents
1 Overview ..... 5
2 Solution ..... 5
  2.1 Web Access ..... 5
  2.2 Thin Access ..... 6
  2.3 SSL/VPN tunnel ..... 6
3 NSP configuration ..... 7
  3.1 VASCO Authentication Store ..... 8
    3.1.1 Import DPX ..... 8
    3.1.2 DIGIPASS assignment ..... 12
  3.2 Create V-Realm ..... 16
  3.3 Access configuration ..... 20
    3.3.1 V-Realm access ..... 20
    3.3.2 SSL Tunnel access ..... 21
    3.3.3 Web access ..... 23
    3.3.4 Thin access / Application access ..... 23
4 NSP Test ..... 24
  4.1 Authentication ..... 24
    4.1.1 Response Only ..... 24
    4.1.2 Challenge / Response ..... 25
  4.2 SSL Tunnel ..... 26
  4.3 Applications ..... 29
    4.3.1 Notepad ..... 29
    4.3.2 Desktop ..... 30
  4.4 Web ..... 32
5 NSP Features ..... 33
  5.1 DIGIPASS Features ..... 33
    5.1.1 Reset Application ..... 33
    5.1.2 Reset PIN ..... 33
    5.1.3 Set PIN ..... 33
    5.1.4 Unlock ..... 33
    5.1.5 Get Info ..... 33
    5.1.6 Test ..... 33
  5.2 NSP Features ..... 34
6 About AEP ..... 35
7 About VASCO Data Security ..... 36
1 Overview
The purpose of this document is to demonstrate how to use an AEP Netilla Security Platform (NSP) in combination with a DIGIPASS. We will show you how to import a DPX file, how to assign a DIGIPASS to a user, and some administrative options.
2 Solution
The NSP offers three access modes to a user: Web Access (Figure 1), Thin Access (Figure 1) and an SSL Tunnel (Figure 2). These modes can be compared to firewall policies: the first two deny all traffic by default and you specify which connections are allowed, whereas the SSL/VPN tunnel allows all traffic by default, so you have to specify which connections you want to deny.
Figure 1: Web portal
Figure 2: SSL Tunnel
2.1 Web Access
Allows users to gain access to their web applications from any location, based on their local DNS addresses. The web servers remain safely hidden behind the firewall and are not publicly reachable. Administrators can deploy granular access control on a user or group basis. For this solution the user only needs a browser on their local client.
2.2 Thin Access
Thin access allows users to use applications that have to run on the office or remote network. Here too, only a browser is necessary; no client application software is needed.
2.3 SSL/VPN tunnel
Users have the ability to run their corporate client/server applications from any location. Access can be filtered on port, IP or IP range, giving administrators the ability to control application access on a user or group basis.
3 NSP configuration
Browse to the configuration page of the NSP: https://. Authenticate with an administrative account. (The default administrative user is “admin”, located in the “local” V-Realm.) In our test case this is https://aep.labs.vasco.com.
Figure 3: NSP configuration (1)
Through the Netilla Admin interface we are able to perform all required configuration changes.
Figure 4: NSP configuration (2)
3.1 VASCO Authentication Store
3.1.1 Import DPX
If you want to use the internal validation method for the DIGIPASS, you have to upload your DPX file and enter its transport key. This eliminates the need to install an external DIGIPASS validation tool (VACMAN Controller, Identikey Server, …). To import a DPX file on the NSP, go to the Authentication Settings menu, select Datastores and click Vasco Auth. Store. In the right pane of the screen, select Create New Store.
Figure 5: Import DPX (1)
Type in a meaningful Store Name for this Authentication Store and click Create. In our case we entered “VASCO”.
Figure 6: Import DPX (2)
Once the new authentication store is created, click the “» Back to store selection” link.
Figure 7: Import DPX (3)
Select the new authentication store in the Stores list and click the “» Digipass Mgmt.” link.
Figure 8: Import DPX (4)
Click the Browse button to select the correct DPX file. Afterwards, fill in the correct transport key in the Key field. Click Import to add all the DIGIPASS from the DPX file.
Figure 9: Import DPX (5)
Next, you will see a list of unassigned DIGIPASS, including the ones you just imported as well as any DIGIPASS imported earlier that are still unassigned. Click the “» Back to store selection” link.
Figure 10: Import DPX (6)
3.1.2 DIGIPASS assignment
The next job is to create a user to whom we can assign a DIGIPASS. Click on the “» User List” link.
Figure 11: DIGIPASS assignment (1)
Select the “» Add New User” link.
Figure 12: DIGIPASS assignment (2)
Type in the User Name and click the “Add User” button.
Figure 13: DIGIPASS assignment (3)
Click the “» Back to user selection” link.
Figure 14: DIGIPASS assignment (4)
Select the user you recently created and click the “» Edit Properties” link.
Figure 15: DIGIPASS assignment (5)
To assign a DIGIPASS to this user, click the Assign button. If a DIGIPASS is already assigned but you want to assign another DIGIPASS to this user, click the Unassign button first.
Figure 16: DIGIPASS assignment (6)
Select the correct DIGIPASS to assign to this user and click the “Assign Selected” button. Note that one DIGIPASS serial number can carry several applications, shown in the Type field (RO = response only, SG = signature and CR = challenge/response).
Figure 17: DIGIPASS assignment (7)
The next screen shows more detailed options for this DIGIPASS. We explain this page in more detail in Chapter 5.1 DIGIPASS Features.
Figure 18: DIGIPASS assignment (8)
3.2 Create V-Realm
A V-Realm is the link between your authentication and the different Datastores you can create. The V-Realm to use for authentication is chosen on the login page, as shown at the beginning of this chapter (Figure 3: NSP configuration (1)). More than one authentication stage can be assigned to a V-Realm, which means you have to authenticate two or more times before you can access the requested page or application. We will use only one authentication stage, because DIGIPASS authentication is already a sufficiently strong authentication stage. Click the “» Add Realm” link.
Figure 19: Create V-Realm (1)
Fill in the V-Realm Name and click the Submit button.
Figure 20: Create V-Realm (2)
Select Vasco as the Stage type and click Submit.
Figure 21: Create V-Realm (3)
The following fields are explained below:
• Authentication Scope: (required) » The name of this Scope.
• Domain: (not required) » The domain you want to use if you are using a domain setup.
• Username Template: (leave default) » Passes the username to the next stage, if you are using more than one stage.
• Reauthentication Interval: » Number of minutes after which you have to authenticate again.
• Reauthentication Retries: » Number of failed attempts after which the account is blocked for 30 minutes.
• Authentication Store: » The store you selected in the previous step.
Click the Submit button when done.
Figure 22: Create V-Realm (4)
Once you have clicked the Submit button, three links appear below it. Click the “» Ready to commit changes” link.
Figure 23: Create V-Realm (5)
Now click the “Apply Changes” button to save the V-Realm settings and to enable this V-Realm on the login page.
Figure 24: Create V-Realm (6)
You can use the “» Toggle V-Realm Pull-Down Menu” link to change the order of appearance on the login page. Currently “local” is the default value.
3.3 Access configuration
There are several levels of access to configure before you can reach any resource. First you have to grant the V-Realm access to specific applications or web pages. Next you have to make sure the V-Realm users have access to the underlying services behind those applications or web pages.
3.3.1 V-Realm access
Go to the “Manage Access” menu. Select the correct V-Realm and click the “» Edit Realm Properties” link.
Figure 25: Create V-Realm (8)
Under “Application Associated with ‘’”, you will see your current application list. Add the required applications to the Members window. These applications will be available to the users in this V-Realm.
Figure 26: V-Realm access (1)
This is how it should look when the applications are in the Members window.
Figure 27: V-Realm access (2)
3.3.2 SSL Tunnel access
Now select the Services menu and click Tunnel.
Move your V-Realm from the NonMembers side to the Members side. This way the users of this V-Realm will be able to start an SSL Tunnel.
Figure 28: SSL Tunnel access (1)
This is how it should look after you have made those changes.
Figure 29: SSL Tunnel access (2)
3.3.3 Web access
Under the Services menu, click Web. Repeat the steps above to enable Web access for the users in your V-Realm.
3.3.4 Thin access / Application access
Under the Services menu, click Thin. Repeat the steps above to enable Application access for the users in your V-Realm.
4 NSP Test
Go to the NSP webpage, located at https://. In our example this is https://aep.labs.vasco.com.
4.1 Authentication
4.1.1 Response Only
To authenticate with a response-only DIGIPASS, enter the username and an OTP (One Time Password) in the password field. If your V-Realm is not selected by default, do not forget to pick the correct V-Realm.
Figure 30: Response Only
4.1.2 Challenge / Response
When you are using a challenge/response DIGIPASS, you only have to enter a username and select the correct V-Realm. No password needs to be specified.
Figure 31: Challenge / Response (1)
Afterwards, you are shown a Challenge code, which you have to enter on your DIGIPASS (with numeric keypad) to calculate the Response code.
Figure 32: Challenge / Response (2)
4.2 SSL Tunnel
Once you are authenticated you will see the portal page. As a first test, we set up an SSL tunnel. Click the Netilla Tunnel icon.
Figure 33: SSL Tunnel (1)
We receive an overview page of the SSL Tunnel Access. At the bottom of the screen you can see what kind of access you have once a tunnel is created. Click Connect. For this test, we have unrestricted LAN access.
Figure 34: SSL Tunnel (2)
You will see a progress bar, indicating what actions are taken to start the SSL Tunnel.
Figure 35: SSL Tunnel (3)
The initial page will also show you the progress while the tunnel is being built.
Figure 36: SSL Tunnel (4)
Once the tunnel is created, you will see the connection details on the initial tunnel page.
Figure 37: SSL Tunnel (5)
In the Windows status bar, you will also see the SSL tunnel icon change (the two icon images are not reproduced here).
If you right-click this icon, you can request the Status… of the tunnel you created.
Figure 38: SSL Tunnel (6)
4.3 Applications
4.3.1 Notepad
Now try to open an application. Click on the Notepad icon.
Figure 39: Notepad (1)
You will see the Thin Component start to load.
Figure 40: Notepad (2)
Figure 41: Notepad (3)
Once the component is loaded, the application opens in a new window. You can now use an internal application over the internet.
Figure 42: Notepad (4)
4.3.2 Desktop
The Windows Desktop works the same way as any other application. The Thin Component loads and afterwards your application opens, in this case your desktop.
Figure 43: Desktop (1)
You will see that the connection is built on Microsoft Terminal Services. The NSP knows your username but not your password, so you need to specify your credentials a second time.
Figure 44: Desktop (2)
Once you are authenticated, you can access the secured desktop. This method works from any location.
Figure 45: Desktop (3)
4.4 Web
To see a protected web page in action, click the VASCO Labs icon.
Figure 46: Web (1)
Notice that the URL in the address bar looks like this: https://aep.labs.vasco.com/,host=dc1,port=80,proto=http/. The security policy permits us to browse this site completely, but denies access to any host other than this one.
Allowed: https://aep.labs.vasco.com/,host=dc1,port=80,proto=http/files/dc1.crt
Denied: https://aep.labs.vasco.com/,host=dc2,port=80,proto=http/
Figure 47: Web (2)
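As an added illustration (not code from this guide or from AEP), the following Python parser reads the web access URL form shown above and applies a fail-closed allow-list check that reproduces the Allowed/Denied outcome for dc1 and dc2. The ",host=…,port=…,proto=…" segment format is inferred from the two URLs quoted above, and REALM_POLICY is a constructed stand-in for the V-Realm's application membership, not the NSP's own policy store.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed policy for one V-Realm: the backend hosts the reverse proxy may be
# asked for, and the (proto, port) pairs permitted on each. Hypothetical; the
# guide only shows that dc1 is allowed and dc2 is denied.
REALM_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "dc1": {("http", 80)},
}


@dataclass
class ProxyTarget:
    host: str
    port: int
    proto: str
    backend_path: str


def parse_proxy_url(url: str) -> Optional[ProxyTarget]:
    """Split a Netilla-style web access URL into the backend target it names.

    The first path segment is ',key=value,...' (format inferred from the two
    URLs quoted in the guide); everything after it is the path forwarded to
    the backend. Returns None for anything malformed so the caller can fail
    closed instead of guessing.
    """
    path = urlsplit(url).path
    if not path.startswith("/,"):
        return None
    segment, _, rest = path[1:].partition("/")
    fields: Dict[str, str] = {}
    for item in segment.lstrip(",").split(","):
        key, eq, value = item.partition("=")
        # Reject empty keys/values and duplicate keys (e.g. a second host=)
        if not eq or not key or not value or key in fields:
            return None
        fields[key] = value
    try:
        return ProxyTarget(
            host=fields["host"],
            port=int(fields["port"]),
            proto=fields["proto"].lower(),
            backend_path="/" + rest,
        )
    except (KeyError, ValueError):
        return None


def is_allowed(url: str, policy: Dict[str, Set[Tuple[str, int]]] = REALM_POLICY) -> bool:
    """Only a well-formed target on the realm's allow-list passes."""
    target = parse_proxy_url(url)
    if target is None:
        return False
    return (target.proto, target.port) in policy.get(target.host, set())
```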
5 NSP Features
5.1 DIGIPASS Features
As already mentioned in Chapter 3.1.2 DIGIPASS assignment, there are some extra DIGIPASS related features integrated in the NSP.
Figure 48: DIGIPASS Features
5.1.1 Reset Application
This button resets this DIGIPASS application: use counter, time shift, error counter, last time used, … The reset is used when troubleshooting a DIGIPASS login.
5.1.2 Reset PIN
Allows you to reset the PIN when a DIGIPASS with a static server PIN is used.
5.1.3 Set PIN
Allows you to specify a static server PIN when supported by that DIGIPASS.
5.1.4 Unlock
Allows you to unlock a DIGIPASS with a numeric keypad that has a locked user PIN.
5.1.5 Get Info
This overview shows you all the options of the currently selected DIGIPASS.
5.1.6 Test
Allows you to test an OTP for the currently selected DIGIPASS.
5.2 NSP Features
• Policy-defined, web-based access to Citrix, Windows Terminal Services, X11, UNIX, Linux, and Mainframe (3270/5250)
• Identity-enforced deployment of individual applications through an icon-driven webtop
• Policy-based Web application access via secure web reverse proxy and unique Java rewrite technology
• Sophisticated V-Realms™ authentication and authorization architecture integrates seamlessly with existing authentication infrastructures (LDAP/AD/Radius/PKI/2-Factor/NT Domain)
• Fine-grained Network Extension capabilities for VOIP and other TCP or UDP based applications
• Client Integrity tools eliminate data theft (cache cleaning, secure desktop, host integrity, adaptive policies, machine identification)
• Web application security protects against cookie snooping, Denial of Service and Network Access Attacks, Authentication Hijacking, DMZ Protocol attacks, Man in the middle attacks, and more!
• Powerful, VPNC and ICSA Labs-approved security at the network edge
• Surprisingly quick installation and little ongoing management
• High productivity: Print, move files, leverage high-color applications (like CAD/CAM, X-Ray and imaging) and work seamlessly from anywhere
• Lower costs - As much as 20% less than alternative SSL VPN solutions
• Supports geographical clustering and high availability across multiple data centers for disaster planning (via the AEP NSP Load Balancer).
6 About AEP
Company Overview
AEP Networks offers a comprehensive Policy Networking solution that provides complete security starting at the endpoints and working throughout a network – from the edge to the core. AEP’s integrated portfolio of security products includes network admission control enforcement points, identity-based application security gateways, SSL VPNs, high assurance IPSec-based VPN encryptors, and hardware security modules for key management. Our products address the most demanding security requirements of public-sector organizations and commercial enterprises internationally. The company is headquartered in Somerset, New Jersey, with offices worldwide.
Technology Overview
Our award-winning products include identity-based network access and resource control, securing Windows Terminal Services and Outlook Web Access, remote computer access, and data encryption. AEP’s product range utilizes advanced SSL and IPsec virtual private networking (VPN) and secure application access technologies as well as high-performance cryptographic data encryption and ASIC (Application-Specific Integrated Circuit) technologies. AEP also offers Policy Networking products for your network core, as well as the edge of your network. AEP’s identity-based network admission control (NAC) product controls access to your network based on user identity and the health status of devices accessing the network. Our application-layer security gateway products are designed for large-scale, distributed information sharing environments that require strong data encryption, access control, federated identity and audit logging. Our secure application access (SSL VPN) products, which provide access to Windows, Citrix, Outlook Web Access, and more, enable Web-based secure remote computer access to corporate resources.
Our highly secure IPSec-based VPNs are designed for site-to-site secure communications optimized for public sector and financial markets, while our Key Management solutions offer the most comprehensive hardware cryptographic module of its class for secure key management.
More information: www.aepnetworks.com
7 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce. VASCO’s User Authentication software is carried by the end user on its DIGIPASS products, which are small “calculator” hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO’s target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO’s time-based system generates a “one-time” password that changes with every use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO’s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.