All five products were able to use all three of these servers, although it took some doing to get everything working.
We also examined each product to see how granular its access levels could be--such as restricting users to logging in only at a particular time of day, or only from specific source IP addresses. All the products except Check Point can restrict access by time of day or by source IP address.
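The time-of-day and source-IP restrictions described above are easy to get subtly wrong, in particular for login windows that cross midnight and for source addresses that do not parse. The following added example (not code from any of the reviewed products, and not a vendor's policy format) shows how such a per-group login policy can be evaluated. The group names, the RFC 5737 documentation networks and the time windows are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AccessRule:
    """Login restrictions for one user group (constructed example format)."""
    group: str
    # CIDR blocks a user of this group may log in from; empty means any source.
    allowed_networks: List[str] = field(default_factory=list)
    # Permitted login window; both None means any time of day.
    window_start: Optional[time] = None
    window_end: Optional[time] = None

    def source_allowed(self, source_ip: str) -> bool:
        if not self.allowed_networks:
            return True
        try:
            addr = ip_address(source_ip)
        except ValueError:
            # An unparseable address never matches an allow-list: fail closed.
            return False
        return any(addr in ip_network(net) for net in self.allowed_networks)

    def time_allowed(self, when: datetime) -> bool:
        if self.window_start is None or self.window_end is None:
            return True
        t = when.time()
        if self.window_start <= self.window_end:
            # Ordinary same-day window, e.g. 08:00-18:00 (end exclusive).
            return self.window_start <= t < self.window_end
        # Window wraps past midnight, e.g. 22:00-06:00 for night-shift staff.
        return t >= self.window_start or t < self.window_end


def evaluate_login(rule: AccessRule, source_ip: str, when: datetime) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one login attempt against one rule."""
    if not rule.source_allowed(source_ip):
        return "deny", f"source {source_ip} is not in the allowed networks for {rule.group}"
    if not rule.time_allowed(when):
        return "deny", f"login at {when:%H:%M} is outside the window for {rule.group}"
    return "allow", f"{rule.group} policy satisfied"


# Constructed sample policy: office staff may log in from the office block during
# business hours; contractors only from their own block, overnight.
RULES = {
    "staff": AccessRule("staff", ["203.0.113.0/24"], time(8, 0), time(18, 0)),
    "contractors": AccessRule("contractors", ["198.51.100.0/24"], time(22, 0), time(6, 0)),
}


if __name__ == "__main__":
    attempts = [
        ("staff", "203.0.113.7", datetime(2006, 9, 1, 9, 30)),
        ("staff", "203.0.113.7", datetime(2006, 9, 1, 19, 0)),
        ("staff", "198.51.100.9", datetime(2006, 9, 1, 9, 30)),
        ("contractors", "198.51.100.9", datetime(2006, 9, 1, 23, 0)),
        ("contractors", "198.51.100.9", datetime(2006, 9, 1, 6, 0)),
        ("contractors", "not-an-ip", datetime(2006, 9, 1, 23, 0)),
    ]
    for group, ip, when in attempts:
        decision, reason = evaluate_login(RULES[group], ip, when)
        print(f"{group:12} {ip:15} {when:%H:%M}  {decision:5} ({reason})")
```

The window end is treated as exclusive so that a 22:00-06:00 window admits 05:59 but not 06:00, and a malformed source address is denied rather than raising, which is the behaviour you want from a policy gate that sits in front of the login page.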
Check Point clearly lagged behind the others in terms of setup and features, and Cisco was superior in this category.
The most vexing part of our setup was in connecting each box to the Stanford LDAP server. This was a combination of our own mistakes in getting the various parameters right--such as entering the correct IP address of each server--and each product's poor debugging tools in telling us when we made mistakes.
Check Point had the worst set of debugging tools, while Aventail and Juniper had the best. Juniper provides syntax examples you can use to type in the correct strings, and Aventail has the clearest screens that prompt you for the required information.
Getting the RSA SecurID ACE server set up was simple for those vendors--all but Aventail--that explicitly support it. For Aventail, we had to connect to the ACE server via RADIUS protocols.
Cisco, Aventail and Juniper segregate their authentication realms for each user group on their Web-based login pages, making it easier to test whether each realm is working properly.
Each product comes with two network interfaces and can be run in what is called dual-homed configuration--one interface is connected to the public network, and one lives on a private network with access to protected resources.
However, we weren't able to connect Juniper and Aventail's products in this fashion because of how both products work with external network resources--they assume that all authentication servers are attached on the internal network. In our situation, these RADIUS and LDAP servers were outside the protected network and operated on the general campus network.
Having dual NICs is a better security practice, because you physically separate your two networks. Having the AAA servers on the internal network is also a better security practice, but what's the point if you can't get there via the VPN?
So, we had to operate both of these products on a single interface, which may not be acceptable in certain corporate situations. A typical example is an organization that uses three layers of firewalls to separate its most important apps and critical servers from the outside. One plus for Cisco is that you can assign authentication servers on either its internal or external interfaces.
This was first published in September 2006