Re: Double authentication (User & Machine) with VPN SSL

[Peyman <peyman.secu () gmail com>]

Hi,

Here are some details on our environment :
  - the devices are only on Windows (2k or xp)
  - our users will soon have a certificate in a USB token; the laptops
have a machine certificate in the Windows certificates container (we
consider that this certificate cannot be stolen).
  - there is no solution deployed for the moment; we'd like to provide
a remote access, and are investigating to find the best solution. For
some reasons, we don't want IPSec/L2TP, even if it allows us to make
the user & machine authentication. That's why I'm asking my question
about the VPN SSL solutions.

Thanks a lot
Peyman

On 10/14/05, Roger A. Grimes <roger () banneretcs com> wrote:
> Need a little bit more about your environment:
>
> Using Windows or Linux, or both? Using what versions of OS?
>
> Using built-in software or is a third party solution solution
> acceptable?
>
> Are smart cards or token devices an option, or do you want it to be a
> software only implementation?
>
> Roger
>
> ************************************************************************
> ***
> *Roger A. Grimes, Banneret Computer Security, Consultant
> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> ************************************************************************
> ****
>
>
>
> -----Original Message-----
> From: Peyman [mailto:peyman.secu () gmail com]
> Sent: Thursday, October 13, 2005 1:36 PM
> To: security-basics () securityfocus com
> Subject: Double authentication (User & Machine) with VPN SSL
>
> Dear all,
>
>  I was wondering if with a VPN SSL solution, it is possible to
> authenticate the user and the machine both, with their certificates.
>  I know that this could be possible with IPSec Over L2TP (machine
> authentication with L2TP, and user authentication with IPSec), and not
> possible with pure IPSec (just a basic login/password with X-Auth
> available in IKE for a user authentication).
>  Just to precise my needs :
>    - I'd like to authenticate my users with a certificate because this
> is useful for a remote vpn connection, and also for others needs
> (emails, access to some ressources, applications, etc.)
>    - I'd like to authenticate the corporate laptops with a unique
> certificate stored securely on it : this is useful to only allow a full
> network access to the corporate network to trusted machines, and also to
> revocate certificates of laptops that might be stolen/lost.
>
> Thanks a lot for any help,
> Peyman