Frank Willoughby said:
>Hopefully, the SecurID connection is being used to authenticate internal
>users before they go to the Internet and not for incoming connections.
>
>Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are
>planning on using it to authenticate users from the Internet who wish
>to access a system on your internal network which is protected by the
>firewall. The reason is that the user may have his/her session hijacked
>by an attacker.
>Please note that this is *NOT* a security problem with Gauntlet or any
>other firewall. The problem is relying on authentication-only mechanisms
>for protection. Implementing User->Firewall encryption will help to solve
>this problem.
>
>Again, I strongly advise against using SecurID (or any other authentication-only
>solution) for incoming Internet connections to an internal system.
Since there is a significant reason in many cases to have remote users
communicating through a firewall, what do you currently consider the best
method with today's technology? My preference is a combination of two-factor
authentication (like SecurID or one of the challenge/response cards) used
together with an encryption tunnel (like Raptor Eagle's).
Jon Tegethoff