Firewall Wizards mailing list archives
Re: SecurID Agent-Server through proxy firewall
From: Vin McLellan <vin () shore net>
Date: Wed, 17 Feb 1999 18:14:29 -0500
Martin Bishop <martybishop () yahoo com> queried the List:
A customer of mine is planning to launch a public web server for online electronic commerce. The system is already built and has been in use internally for three months now, so it has been adequately tested before external users start using it. Users are all authenticated with SecurID tokens, which is implemented with a SecurID Agent running on the web server. The web server and ACE servers are at the moment in the same (internal) subnet without even a router between them, and all works fine. Now, as we go public, we will move the web server from the internal network to a DMZ (if you will -:). We have already decided to use an application gateway firewall and that the web server will reside on its third network interface. <snip...>
While testing, we successfully managed to move the web server to the desired location (3rd interface), but we are having serious problems with SecurID authentication that we can't seem to solve.
Bruce Leary <bleary () securitydynamics com>, director of Customer Technology Solutions at SDTI, passed along a comment on my initial response to Mr. Bishop from a gentleman who is, among other things, the administrator for a large ACE/SecurID site. According to Bruce, this site uses an architecture similar to that sketched out by Martin, with SecurID-supported WebID Access Controls on a public web server attached to the third interface of a Raptor firewall.

The note from the Admin on the Line offered some terse advice:

"The first part of the problem -- yes, you do need to tunnel the traffic (i.e., no IP translation).

"For the second part, check the permissions on the directory where the SecurID file is kept. What we do here at [Heaven on Earth*] is open the directory to let the first authentication work; it writes the secret file, then we lock down the directory to read-only, execute-only."

Hope this is helpful if this is still an issue.

Surete,
_Vin

* Names changed to protect the innocent and to conform to corporate policy

-----
Vin McLellan + The Privacy Guild + <vin () shore net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --
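The two-phase directory handling the administrator describes (open the directory for the first authentication, which writes the node secret, then lock it down) as a worked example. This is an added illustration, not code from the original post or from Security Dynamics: the directory /var/ace, the secret file name "securid", and the function names are assumptions for illustration, and the script runs its walk-through in a scratch directory rather than touching a real agent installation. The first half of the advice (no address translation between agent and ACE/Server) is a firewall-configuration matter and is not shown here.

```sh
#!/bin/sh
# Added example, not code from the original post or from Security Dynamics.
# Assumption: the ACE agent keeps its node secret in a directory such as
# /var/ace and writes the file there on the first successful authentication.
# Both the directory (ACE_DIR) and the file name (NODE_SECRET_FILE) are
# illustrative defaults; adjust them to the agent's actual configuration.
ACE_DIR="${ACE_DIR:-/var/ace}"
NODE_SECRET_FILE="${NODE_SECRET_FILE:-securid}"

# Permission string of a path, e.g. "drwxr-xr-x" (a trailing ACL/SELinux marker is dropped).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Phase 1: before the first authentication the agent must be able to create
# the node secret, so the directory is created (if needed) and opened for
# writing by its owner.
open_for_first_auth() {
    mkdir -p "$1" && chmod 0755 "$1"
}

# Phase 2: once the secret exists, drop every write bit on the directory so the
# secret cannot be replaced or deleted, and make the secret owner-read-only.
# Refuses to lock down before the secret is present, because that is exactly
# the state in which the first authentication fails.
lock_down() {
    dir="$1"
    if [ ! -f "$dir/$NODE_SECRET_FILE" ]; then
        echo "lock_down: no $NODE_SECRET_FILE in $dir; run the first authentication before locking down" >&2
        return 1
    fi
    chmod 0400 "$dir/$NODE_SECRET_FILE" && chmod 0555 "$dir"
}

# Returns 0 when the secret exists and no write bit remains on the directory.
is_locked_down() {
    dir="$1"
    [ -f "$dir/$NODE_SECRET_FILE" ] || return 1
    case "$(mode_of "$dir")" in
        *w*) return 1 ;;
    esac
    return 0
}

# Walk-through in a scratch directory; in real use the agent, not ": >", writes the secret.
demo() {
    d=$(mktemp -d) || return 1
    open_for_first_auth "$d"
    lock_down "$d" || echo "demo: refused, as expected, before the first authentication"
    : > "$d/$NODE_SECRET_FILE"            # stand-in for the agent writing the node secret
    lock_down "$d" && echo "demo: $d is now $(mode_of "$d")"
    is_locked_down "$d" && echo "demo: lock-down verified"
    chmod u+w "$d" && rm -rf "$d"         # scratch cleanup only; never do this to the real directory
}
demo
```

The check in lock_down is the practical point: locking the directory before the agent has written its secret reproduces the failure mode in the thread, so the script refuses to do it. Run it with ACE_DIR and NODE_SECRET_FILE set to the real values only after confirming them in the agent's own configuration, and keep the 0555/0400 modes or tighter.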
Current thread:
- SecurID Agent-Server through proxy firewall Martin Bishop (Feb 10)
- Re: SecurID Agent-Server through proxy firewall Joseph S D Yao (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Mark Plesser (Feb 11)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 18)
- Re: SecurID Agent-Server through proxy firewall carson (Feb 19)
- Re: SecurID Agent-Server through proxy firewall Vin McLellan (Feb 19)
- Re: SecurID Agent-Server through proxy firewall carson (Feb 19)
- <Possible follow-ups>
- Re: SecurID Agent-Server through proxy firewall Stefan Jon Silverman (Feb 12)
- Re: SecurID Agent-Server through proxy firewall Randy Garbrick (Feb 17)