Security Basics mailing list archives

Re: Worldwide authentication


From: "Chris Berry" <compjma () hotmail com>
Date: Fri, 18 Oct 2002 15:14:00 -0700

>>> marti () videotron ca 10/17/02 06:34PM >>>
Hi everybody,
One of our clients needs to authenticate users that are roaming from city
to city.
They don't necessarily own portable PCs.
We need to authenticate the users to let them access data from the
mainframe.
Note that the data is very sensitive.
What is the (easiest/not too expensive) solution?
We are already using Cryptocard/Cisco for our VPN.
We've looked at USB key token, certificates...
Our idea is to use an SSL session with authentication, need to decide
which authentication solution is best.

The way I see it you have two problems:
1) Make sure the user logging in is the correct user

Since you can't ensure that they have any client software, I recommend a dual authentication system, such as that marketed by RSA which involves a password, and a code. The code is displayed on a small device about the size of a fat key and changes every 30 seconds or so. (No, I don't work for RSA, nor am I saying they are the best or only provider for this.) In my opinion this system is very secure when combined with some sort of encrypted communications channel.

2) Ensure that no one piggybacks or sniffs your signal.

For this, encryption is the way to go, either VPN, SSL, SSH, whatever is appropriate for your desired level of access.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem? "
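
Added example, not part of the original message: a server-side check of the "password plus a code that changes every 30 seconds" scheme described in the reply. It uses the open RFC 6238 TOTP algorithm as a stand-in for the proprietary token the post mentions; `TwoFactorVerifier`, `hash_password` and the sample secret, salt and password are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid, as on the token described in the post

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorVerifier:
    """Server-side record for one user: password hash plus token secret."""

    def __init__(self, salt: bytes, pw_hash: bytes, secret: bytes, drift: int = 1):
        self.salt, self.pw_hash, self.secret = salt, pw_hash, secret
        self.drift = drift      # steps of clock skew tolerated either way
        self.last_step = -1     # newest step already used, blocks replay

    def verify(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        current = int(now) // STEP
        matched = None
        for step in range(max(0, current - self.drift), current + self.drift + 1):
            expected = totp(self.secret, step * STEP).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                matched = step
        if pw_ok and matched is not None:
            self.last_step = matched  # a sniffed code cannot be reused
            return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed: RFC 6238 test secret
    salt = b"constructed-salt"         # constructed sample salt
    user = TwoFactorVerifier(salt, hash_password("correct horse", salt), secret)
    code = totp(secret, 59)
    print(user.verify("correct horse", code, 59))   # first use of the code
    print(user.verify("correct horse", code, 59))   # same code replayed
```

The replay check covers only the code itself; the encrypted channel from point 2 is still what keeps the password from being captured in transit.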

