Forum Discussion

Don_Ryles_52501's avatar
Don_Ryles_52501
Icon for Nimbostratus rankNimbostratus
Feb 19, 2010

FirePass user authentication security

Hi,

 

 

I'm looking for ideas on ways to increase the security of the logon to the FirePass. The biggest concern is key-loggers on remote clients which could capture the URL, username and password. What I need is something simple but secure. We've locked down the FirePass as far as we can, no network tunnels and limited app tunnels but obviously still concerns about improving security.

 

 

I've looked at the standard options and all of them are unsatisfactory for different reasons:

 

Use two-factor device like RSA tokens - too expensive & management overheads.

 

Security software needs to be installed on client - too restrictive.

 

On-screen keyboard - works but very fiddly and liable to shoulder surfing.

 

Check for a file being present - works but not suitable for locked down clients.

 

Client certificates - complexity, support issues and not in locked down situation.

 

Check for a process running (e.g. notepad.exe) - no process check on FirePass for Macs.

 

Check a registry key or value - no solution for Macs and lockdown issues for PCs.

 

Collect a value in an extra field at logon - still typed from keyboard.

 

 

So has anyone done anything creative which might offer a solution?

 

 

Thanks,

 

Kevin
BIG-IP Access Policy Manager (APM)
remote access
security
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 19, 2010
    Hi Kevin,

     

     

    If you're concerned about key loggers on the client and want a simple solution that doesn't require additional software/hardware, is platform independent and has low management requirements, I think the on screen keyboard would be ideal.

     

     

    Radius auth is another common solution. I believe the costs are fairly reasonable these days. And it can be used in combination with many other applications for two factor auth.

     

     

    What else did you have in mind outside of what you've listed?

     

     

    Aaron
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Feb 19, 2010
    So... Is the question for MAC or PC? You have to treat them differently right now. I would suggest coming up with a security process for the PC and one seperate for the MAC.

     

     

    F5 is developing the Opswat Binaries for the MAC OS. No ETA as of yet.
  • Don_Ryles_52501's avatar
    Don_Ryles_52501
    Icon for Nimbostratus rankNimbostratus
    Feb 19, 2010
    Aaron - thanks really no definite ideas, jusr fishing to see if anyone has done anything creative. RADIUS itself is fine but how to engineer a separate one time password for the session, something which is no repeatable at a reasonable cost.

     

     

    Mike - This is for both Mac and PC although I guess the bigger concern is for the PC at this time. I wasn't aware of MacOS developments for the FirePass, it does seem to be the poor relation at the moment. Is there somewhere to see roadmap info for the FirePass?

     

     

    The other thing that I stumbled across today which can be used is an endpoint security check based on something which F5 call "Far-end security integration". This allows a check to be done with Symantec's "Confidence Online for Web Applications". There is an F5 document on this but the FirePass interface and documents refer to it under its previous owner, WholeSecurity. It certainly doesn't seem to be a product that Symantec market very actively and I haven't managed to find licence terms and costs yet. It does seem to rely on an ActiveX componenet to be available on (or downloaded to) the remote client to do the malware scan. I guess it could also be slow but I'm still trying to find out more.

     

     

    Does anyone have any experience of using that product?

     

     

    Thanks,

     

    Kevin