Firewall Wizards mailing list archives

Re: SecurID Agent-Server through proxy firewall


From: Vin McLellan <vin () shore net>
Date: Wed, 17 Feb 1999 18:14:29 -0500

        Martin Bishop <martybishop () yahoo com> queried the List:

A customer of mine is planning to launch a public web server for
online electronic commerce. The system is already built and already in
use internally for three months now so it has been adequately tested
before external users start using it. Users are all authenticated with
SecurID tokens, which is implemented with a SecurID Agent running on
the web server. The web server and ACE servers are at the moment in
the same (internal) subnet without even a router between them and all
works fine.

Now, as we go public, we will move the web server from internal
network to a DMZ (if you will -:). We have already decided to use an
application gateway firewall and that the web server will reside on
its third network interface. <snip...>

While testing, we successfully managed to move the web server to the
desired location (3rd interface), but we are having serious problems
with SecurID authentication that we can't seem to solve.

        Bruce Leary <bleary () securitydynamics com>, director of Customer
Technology Solutions at SDTI, passed along a comment on my initial response
to Mr. Bishop from a gentleman who is, among other things, the
administrator for a large ACE/SecurID site.

        According to Bruce, this site uses an architecture similar to that
sketched out by Martin, with SecurID-supported WebID Access Controls on a
public web server attached to the third interface of a Raptor firewall.

        The note from the Admin on the Line offered some terse advice:

"The first part of the problem -- yes you do need to tunnel the traffic
(ie: no IP translation).

"For the second part, check the permissions on the directory where the
SecurID file is kept.  What we do here at [Heaven on Earth*] is open the
directory to let the first authentication work, it writes the secret file,
then we lock down the directory to read only execute only."

        Hope this is helpful if this is still an issue.

        Surete,
                _Vin

* Names changed to protect the innocent and to conform to corporate policy

-----
      Vin McLellan + The Privacy Guild + <vin () shore net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --
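The admin's second point describes a two-stage procedure: leave the agent's data directory open so the first successful authentication can write the node secret, then lock the directory down to read and execute only. The sequence below is an added example, not code from the original post or from Security Dynamics; it takes the directory and secret file name as parameters rather than assuming the ACE/Agent defaults, and it refuses to lock the directory before the secret exists, which is the failure mode that leaves a DMZ agent unable to authenticate.

```shell
#!/bin/sh
# Added example: "open, let the first authentication write the secret,
# then lock down" as a checked procedure.  The agent data directory
# ($1) and the secret file name ($2) are caller-supplied assumptions;
# no product-specific paths are hardcoded.

# Octal permission bits of a path.  GNU stat takes -c, BSD stat takes -f.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stage 1: make the directory writable by its owner (the account the
# agent runs as) so the node secret can be created on first auth.
open_agent_dir() {
    mkdir -p "$1" && chmod 0750 "$1"
}

# Stage 2: lock down, but only once the secret has actually been written.
# Locking first would block the agent from ever storing the secret.
lock_agent_dir() {
    dir="$1"; secret="$2"
    if [ ! -s "$dir/$secret" ]; then
        echo "refusing to lock $dir: $secret not written yet" >&2
        echo "(the first authentication must succeed before lock-down)" >&2
        return 1
    fi
    chmod 0400 "$dir/$secret" && chmod 0550 "$dir"
}

# Check: directory is read/execute only, secret is owner-read only.
agent_dir_locked() {
    dir="$1"; secret="$2"
    [ "$(perm_of "$dir")" = "550" ] && [ "$(perm_of "$dir/$secret")" = "400" ]
}
```

Run `open_agent_dir` before the agent's first authentication, then `lock_agent_dir` afterwards; `agent_dir_locked` is the post-change check. The lock step exits non-zero if the secret is missing or empty, so a wrapper script cannot silently lock an agent that has not yet completed its first exchange with the ACE server.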