It is widely accepted that one of the best things you can do to secure your sslvpn infrastructure is implementing a two-factor authentication scheme. Typically, this has been accomplished using a one-time password token technology. But what about using digital certificates that are tied to usernames instead of an OTP token approach? The idea being that the certificate is the something you have and the username/pwd is the something you know. This is a newly supported feature on the Cisco ASA, but not new to the industry, so I thought it might be interesting to examine it.
The common reasons given for choosing a certificate approach are cost savings, ease of use, standards based, and lower total cost of ownership. I’m not completely sold on the idea yet but think it is worth discussing and analyzing. This approach is relatively new but gaining in popularity.
So here is the user experience and behind the scenes flow of the solution:
Let’s dig into the details of how this certificate approach works. As is typical, to use validated digital certificates you must have a Public Key Infrastructure (PKI) that is available to your SSLVPN users. As with any PKI, you can either build your own PKI or outsource it to someone like VeriSign. As a rule of thumb, it is easiest to outsource it to a trusted Certificate Authority (CA). This eliminates the need to install trusted root certificates in every sslvpn user’s browser. The well known trusted root CA companies are already in there. The downside of outsourcing PKI is cost, it can get expensive. But even this expense should be considerably cheaper than implementing a hardware token solution for two factor authentication.
Ok, so you have your PKI in place. Now you need to issue certificates to all sslvpn users. This process varies, but can be as simple as sending users an email that contains their username, a one-time password, and a digital certificate enrollment url. The user must then go through the certificate enrollment process which will install a unique, per user, digital certificate onto their PC. Other methods of installing a certificate on each user’s PC exist so do your homework.
Now, you need to establish a typical username/password authentication mechanism for the sslvpn headend device to use to authenticate users. Popular choices are RADIUS and Active Directory LDAP.
Tying the user’s digital certificate together with their username/password is the next step to creating our two-factor authentication solution. The two must be paired together for this to work properly. This is accomplished by using the value of an attribute, found in the certificate, as the enforced username of the sslvpn user. Typically, it is a value in the subject field of the digital cert. For example, OU=jamey. The cert field chosen is determined by the headend sslvpn device administrator and can vary from tunnel group to tunnel group. The headend sslvpn device will query the certificate for this value. It will also take the value and pre-fill the username field of the typical authentication window the user sees at the client side. The user must then input the correct password for that username into the login box.
Trying to hack, change, or modify the pre-filled username field on the client side is largely irrelevant because the ASA sslvpn device effectively ignores it anyway. It only trusted the value that it received directly from its query of the certificate itself. So the hacker would have to be able to modify the certificate while maintaining its validity. A non-trivial task to say the least.
So there you have it, a two factor solution using digital certificates and username/passwords. The Cisco ASA devices support this feature starting in 8.0.3.1 code. I think this approach is very interesting but I am still biased towards the traditional OTP token solutions. Would you consider this solution truly two-factor? What pros and cons do you see? Could this approach kill the costly OTP hardware tokens, I think not, but what say you?
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
|
|
Hi jheary, Good article. I
Hi jheary,
Good article. I do not see it as a "real" two-factor authentication. Please correct me if I am wrong.
In OTP, you have "really" two things, the OTP password generator or token and the password. But with PKI, the cert is already in your PC/laptop and you only have your password. What if the PC/laptop is stolen (or if the bad-guy gets access to your PC/laptop). You loose the cert along with it. Right? So, the bad-guy only need to guess the password to get into the SSLVPN. So, I see it as only one factor authentication using the password, although technically it is a two-factor authentication.
Your thoughts!
Regards,
Mohan Muthu
two-factor
If we go with the text book definition of two-factor then I believe this solution is a real two-factor solution. But I agree with you that it might not be the best solution, or the most secure. Its one big advantage is that from a cost perspective it is hard to beat. You are correct that if the laptop is stolen your down to a compromised two-factor auth state.
Thats right, but with this
Thats right, but with this if we use some endpoint security like pointsec. then i think it will be difficult to get cert even someone has stolen th elaptop
Good point. But the
Good point. But the possibility of your OTP token getting stolen cannot be ruled out.
Great overview. I have been
Great overview.
I have been wondering if certificates could replace OTP hardware token for some time now. The solution you provide would, I beleive, be very attractive to some organisations who rely on 2 factor authentication to help protect their assets. The only drawbacks I can see is that the end-user would always need to use the same PC (the one containing their certificate), but in some cases this may not be a problem. It could also be argued that having the certifcate on the PC is the same as leaving your OTP hardware token with your PC (not very secure). But I guess it's the same old arguement: cost versus security. Incidentally, would it be correct to say that in the scenario you give, the digital certificate is a 'software token'? or is that something completley different.
same PC
It is possible to allow the user to export their certificate to another PC or to request to enroll a new PC with a new certificate. However, if we allow the user to export their certs then you open a potential security hole. A rogue user could simply post their certificate and key password on the internet for all to enjoy, Doh!
In this scenario the certificate fills the two-factor requirement of the something you have. I wouldn't call it a software token necessarily.
And his is two factor exactly how?
How is this any different from a user laptop with a book mark for the sslvpn and LDAP only security? If a thief has the laptop, the certificate becomes moot since presumably the username is available and the cert is already installed. In fact, I'd say that by autofilling the username field, this actually reduces the amount of work/knowledge required for a successful hack. (and of course, the likely password is the user's Active directory password which is likely cached on the laptop and recoverable with any number of tools).
At least with OTP you need to know the user name and PIN code (which is not cached on the machine anywhere), and have the token, AND know the URL of the sslvpn. A much higher burden, imo.
jk
agreed
JK,
I agree with you. As I said in the article I'm not sold on this idea, but do find it worth talking about. Once a thief takes your laptop it is now one-factor auth, for practical purposes. I tend to disregard the username as any form of security however. Just because they are so easy to find out, easy to guess, and typically follow normal naming conventions (like ..
Also, it appears that the PCI regs will accept this as two factor. I'm not an auditor so don't take this to the bank but here is what they say.
"8.3 Implement 2-factor authentication for remote access to the network by employees, administrators,and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with
individual certificates."
Any PCI auditors out there that can verify this?
-Jamey
Every authentication solution is Two-factor!
This, and pretty much every authentication solution I can think of is at least two factor IF we agree to use a rather simplistic definition: something you know, and something you have (or are).
For example, when I access my online bank account with just a password then most would consider this to be single factor BUT I also need a PC! Take away the PC and I cannot be authenticated. Now this solution would be fine if there were only one PC in the whole wide world but there ain't. So, we try and make the PC unique using a digital certificate, software token or even some sort of plug in hardware. The problem is the PC gets left on a desk and so all the intruder needs is the password. However, I could argue that my smartcard or OTP keyfob could be left on a desk and again all the intruder needs is a password (and a PC, but we have already established that there are plenty of those around).
So, I would argue that certificates DO enable a two factor solution, but that they have a serious weakness: people can't keep a laptop in their pocket like they can a OTP keyfob.
Steve
Thanks
Thanks for the great discussion. These are exactly some of the issues I have been examining about two factor/digital certificates/PCI requirements. I am asking a PCI auditor about the the subject and will let you know when he responds.
Post new comment