Great Circle Associates Firewalls
(August 1994)

Subject: Cisco & SDI
From: Michael Platoff <michael.platoff@scr.siemens.com>
Date: Tue, 16 Aug 1994 09:14:15 -0400
To: BAUMANNM +61 68 73 52 0 <michael.baumann@roche.com>
Cc: firewalls@greatcircle.com
In-reply-to: <9255310916081994/A57690/RBIZ07/1188825F3300*@MHS>

BAUMANNM +61 68 73 52 0 writes:
 > 
 > I found this information in comp.security.unix! Is there someone who uses or has
 > tested the software?
 > 

We've been using the ACE Server with our cisco products for quite
a while.  We modified the public domain TACACS server to
communicate with the ACE Server to authenticate users. I haven't
actually looked at Security Dynamics' modified TACACS server.

It works quite nicely.  We selected the SecurID product over
challenge/response systems because, in most cases, it only
requires entry of one passcode.  This made it easy to treat the
passcode as a password that could be handed off to a TACACS
server for authentication.  There are some special cases that are
not easy to handle. For example, the ACE server must sync itself
with each card. When the card's time and the server's idea of the
card's time drift too far, the user must enter two consecutive
pseudo-random numbers generated by the card. This can't be done
easily with the "closed" authentication code on the cisco
product.

If you plan on using their library, you should know it is not
easy to work with and requires lots of patience. The library
documentation is poor.  You don't get source (obscurity ==
security?), which makes things frustrating.  I don't get the idea
that a lot of people have used the library.

Their server also has bugs. For instance, it leaves zombie
processes around on occasion on our authentication server. Every
once in a while we kill the ACE server and init cleans up the
zombies.

In all, the product is useful. The company is eager to help and
seems responsive, but a bit slow to correct some of the problems.

The cards only last for about three years, and then you have to
buy new ones.  Challenge response systems have a calculator.  You
simply replace the battery when it expires.  The cards can break.
I don't know whether it's my users mishandling them, or poor
quality control.  In these cases, you have to wait for Security
Dynamics to make new cards for you.  Of course you can buy some
cards in advance, but they just tick away if they are not used.

Michael Platoff        			email: map@scr.siemens.com
Siemens Corporate Research		phone: (609) 734-3354
755 College Road East			fax:   (609) 734-6565
Princeton, NJ 08540-6668
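The drift handling the message describes (a single passcode accepted within a small window, two consecutive codes demanded once the card's clock has wandered further) can be sketched on the server side as follows. This is an added example, not code from the post, from Security Dynamics or from the TACACS server it mentions; the HMAC-based code generator stands in for the real card algorithm, and the window sizes, per-card offset, and replay check are assumptions.

```python
import hashlib
import hmac

# Toy time-synchronous token, assumed for illustration (not Security
# Dynamics' real SecurID algorithm): the card shows a 6-digit truncation
# of HMAC-SHA256(card_secret, time_step), one step per 60 seconds.
STEP_SECONDS = 60
ACCEPT_DRIFT = 1    # steps of drift the server tolerates on a single code
RESYNC_DRIFT = 20   # search width; beyond this even two codes are refused

def card_code(secret: bytes, step: int) -> str:
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def _candidates(expected_step: int, width: int):
    # Try the expected step first, then widen outwards (delta -1, +1, ...).
    for delta in sorted(range(-width, width + 1), key=abs):
        yield expected_step + delta, delta

class AceLikeServer:
    def __init__(self):
        self.cards = {}  # card id -> {"secret", "offset", "last_step"}

    def enroll(self, card_id: str, secret: bytes) -> None:
        self.cards[card_id] = {"secret": secret, "offset": 0, "last_step": -1}

    def verify(self, card_id: str, code: str, now: int) -> str:
        # Returns 'ACCEPT', 'NEED_RESYNC' or 'REJECT' for a single passcode.
        card = self.cards[card_id]
        expected = now // STEP_SECONDS + card["offset"]
        for step, delta in _candidates(expected, RESYNC_DRIFT):
            if hmac.compare_digest(card_code(card["secret"], step), code):
                if step <= card["last_step"]:
                    return "REJECT"        # replay of an already-used code
                if abs(delta) > ACCEPT_DRIFT:
                    return "NEED_RESYNC"   # valid code, but clock too far off
                card["offset"] += delta    # learn small drift silently
                card["last_step"] = step
                return "ACCEPT"
        return "REJECT"

    def resync(self, card_id: str, code1: str, code2: str, now: int) -> bool:
        # Re-learn the card's clock from two consecutive displayed codes.
        card = self.cards[card_id]
        expected = now // STEP_SECONDS + card["offset"]
        for step, delta in _candidates(expected, RESYNC_DRIFT):
            if (card_code(card["secret"], step) == code1
                    and card_code(card["secret"], step + 1) == code2):
                card["offset"] += delta + 1  # card now sits at step + 1
                card["last_step"] = step + 1
                return True
        return False
```

A card within one step of the server's expectation is accepted and its drift recorded; one five steps out is answered with NEED_RESYNC and must supply two consecutive codes, which the TACACS front end on the router cannot prompt for, as the message notes.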


