Are there VMware View, Two-Factor Authentication solution, alternatives to using RSA SecurID?
In these times of budget tightening, organizations are experiencing concerns about the growing costs of RSA al-a-carte pricing for each component and license count. As a result, this article will explore the question of RSA alternatives.
Currently, the organization is using RSA SecureID Tokens for two factor authentication. In addition to Active Directory usernames and passwords, users are required to enter a SecureID Passcode when accessing certain resources. Additionally, the user is required to prefix the generated token with a PIN. In this case, the PIN is required to be an alpha-numeric value of a minimum length and character combination type. Passwords and TokenPINs are required to be changed after a specified number of days.
As the organization seeks to protect additional resources and make more services available to a mobile workforce, they are finding the RSA costs can grow very quickly. In some cases, adding another RSA feature can effectively double the organizations license costs.
As a result, I’ve been asked two investigate several alternative solutions for compatibility with VMware’s View products.
With View 4.x, VMware provided significant ease of integration for incorporating RSA Secure ID. Here we’ll be looking at what additional capabilities (and compatibilities) are available in View 5.x.
The organization is particularly interested in potential compatibility with Entrust or Symantec. I’ll note any other two-factor solutions I find for View 5.x, but I’ll focus on the details of the two customer preferred solutions.
VMware View 5.x supports a variety of client types making inbound connections via the View Manager Server or the View Connection Server. The View Connection Server functions as a security gateway and also enables some protocol optimizations which help simplify and improve the service for external user connections.
VMware architecture documentation for View 5.0 states VMware View uses your existing Active Directory infrastructure for user authentication and management. For added security, you can integrate VMware View with RSA SecurID and smart card authentication solutions.
- Active Directory Authentication – Each view connection server is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.
- RSA SecurID Authentication – RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of the user’s PIN and token code. The token code is only available on the physical SecurID token.
- Smart Card Authentication – A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and large enterprises use smart cards to authenticate users who access their computer networks. A smart card is also referred to as a Common Access Card (CAC).
Using Smart Cards with View
Smart card authentication is only supported by the Windows based View Client and View Client with Local Mode. It is not supported by View Administrator.
View Connection Server instances can be enabled for smart card authentication. This requires adding your root certificate to a truststore file and modifying the View Connection Server settings. Client connections must be SSL enabled.
To use smart cards, client machines must have smart card middleware and a smart card reader.
The requirement to pre-install middleware and hardware card readers means that Smart Cards solutions are not compatible with usage of untrusted end-point computers such as internet cafe machines and other public internet kiosks.
Additionally, there are few available Smart Card reader solutions for mobile devices. This web page lists some Bluetooth CAC readers military users have found for connecting to DOD services. Costs range from $200 to $500.
Although DOD approved Bluetooth CAC readers are available, VMware’s mobile client apps do not support this authentication method.
Other security solutions vs compatibility with View 5.x
RADIUS – Customers have been asking VMware for RADIUS support for quite some time now. As of Dec 6th, 2011, View still does not support RADIUS. While VMware personnel have long stated they are working on it, there remains no indication of when it might ever become available.
Some customer have speculated that this could have something to do with EMC ownership. VMware still trades under it’s own NYSE stock ticker (VMW), but it was acquired by EMC in 2004 and operates as a separate software subsidiary. RSA was acquired by EMC in 2006 and operates as a security division. EMC does not provide separate financial information for the RSA division. I won’t speculate on this theory, but I do believe due diligence require that customers understand the material relationships of their key vendors.
There are numerous VPN solutions available for a multiple of user scenarios. Two many to list here. Instead I’ll just briefly describe VPN two scenarios which might satisfy most use cases.
Browser Based VPN
The concept is two provide a mobile user with a client-less VPN service. The user accesses a browser based service which can then authenticate and launch a VPN tunnel to the end user’s device. Some of these offerings create tunnels which can be used by non browser applications.
Juniper is one vendor providing a commercial offering via their line of SSL VPN products. Juniper does offer support for two factor authentication; but verifying the extent of that support is beyond the scope of this VMware View document.
Mobile Device VPN
Most mobile devices now include native operating system support for multiple VPN technologies by including client software APIs from commercial vendors such as Cisco and Juniper. Many of these Mobile VPN clients support multi-factor authentication. Additional certificates, keys, passcodes, or secrets can be included in the provisioning and authentication process to enable identification of the device and the user.
Custom integration of alternate Two Factor solutions
In many technology projects, we would at least consider customer integration of an alternate solution. Usually I will present a case against in-house customization; but I do prefer to provide the option so the customer can decide for themselves. Unfortunately, VMware does not offer or support any mechanisms for integrating custom authentication services into the View Client, the View Administrator, or the View Connection Server.
There is no supportable means to have View utilize the two-factor solutions from Entrust, Symantec, or others.
Given the current realities of the VMware View product, there appear to be only two solutions for using two-factor authentication with this service.
VMware provides tight integration between View Clients, View Servers, and the RSA products. Given their relationship with EMC and RSA, it is highly probable that RSA integration and support will continue to be a strong feature of the View products.
Mobile Device VPN
For users accessing these services from a mobile device, a Device VPN offer many choices for two-factor authentication solutions. Additionally, the Device VPN greatly simplifies the user experience as they only have one connection to manage from which they can access all of their authorized organizational resources. However, a Device VPN solution may not satisfy the organization’s security requirements for non-managed personally procured equipment (ie., private cell phones). Requiring users to “opt-in” to organizational device management solutions in exchange for gaining access can mitigate security issues inherent in personal devices.
If a Mobile Device VPN solution is implemented for a community of View Client users, then a security and policy review may determine that Active Directory authentication would be sufficient for the final View Client connection (which would occur within a two-factor authenticated VPN tunnel).
In my opinion a Mobile Device VPN solution wins out for the following reasons:
- better leverage of network infrastructure. I believe in controlling network access and admission prior to reaching the application service.
- less vendor lock-in.
- easier to respond to evolving authentication challenges.
- easier to maintain separation of application security from network security.
- better overall user experience when consuming multiple services from the hosting organization.
Some additional thoughts on remote access
VPN on a stick
For remote users who require a largest desktop experience during their Vmware View Windows session, there is another option I was not asked to include in the analysis but will mention here. PC on a stick.
The user is provided an USB Thumb Drive containing a bootable Linux image. The Department of Defence (DoD) provides a free Linux image which government agencies or (private organizations) can freely customize to their own needs. Or you can roll your own from a wide variety of Linux distributions. The DoD image is referred to as Lightweight Portable Security (LPS) and distributed in ISO form.
Organization can pre-configure this bootable image with authentication agents, VPN clients, application clients (such as View or Citrix), and whatever else appropriate.
Several USB Thumb drives are available which incorporate keypads to require a PIN entry before booting. Other even provide a built-in finger print reader on the surface of the drive.
Client-less VPN or Browser Based SSL VPNs
Some organizations are resistant to provisioning their users these additional security devices, and even go so far as to insist they need a way to remotely authenticate a user who has lost their laptop, cell phone, identification badge, secure token, and pc on stick usb drive.
If that user was just mugged, they’ll probably be more concerned with contacting 911 and their bank then logging in to update another spreadsheet for the office. On the other hand, if that user just mysteriously lost all of these items with no apparent cause… perhaps they shouldn’t have access to secure environments in the first place.