An Elegant Approach

 
 
By Frank Ohlhorst  |  Posted 2011-12-07 Email Print this article Print
 
 
 
 
 
 
 


 

It is an elegant approach, which eliminates much of the integration challenges found in other multifactor security solutions. VIP avoids most of those integration challenges by using a Web API to integrate with the network security (LDAP, VPN, etc.) methodology.

Setup is straightforward. All I had to do was visit the VIP Manager Website and set up credentials for each user who was going to access the network using a token-based log-in. Tokens are available in several different fashions, but software tokens that work with a smartphone or other device may be the most desirable for the majority of businesses. With a "soft token," an application is installed on the smartphone or portable device, which generates a synchronized code that is used in conjunction with a user name/password challenge.

Think of it this way: A user wants to access an application on the corporate network using the VIP methodology. The user will log on to an access portal, which will ask for the user name and password, as well as a third piece of information, which is a security token, referred to as a security code (or even a one-time password). That code is randomly generated and is sent to the user's smartphone (or other device) and is valid only for a few minutes. The user enters that code with his or her traditional authentication elements (user name and password), and the information is validated by the hosted service, which is integrated into the corporate Remote Authentication Dial In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP) or VPN server. If everything checks out, the user is granted access.

Although it sounds like there are a lot of moving parts involved in the system, it is surprisingly easy to implement. Symantec has provided straightforward configuration wizards, which makes setup a snap, and detailed online documentation and context-sensitive help further make things easy. Symantec also provides automated tools that help users install the token generator application on their smartphones, including support for Apple's iPhone and iPad via Apple's App Store.

In other words, Symantec makes things very easy for both administrators and end users, without compromising security. I tested VIP with several devices, including a BlackBerry from Research In Motion, an iPhone, an iPad and a notebook computer, and I experienced no difficulties. I found the client software intuitive and the system easy to manage as a whole.

I encountered some challenges when I integrated the service into my Microsoft Windows 2008R2 Server (64-bit), which was using Active Directory as a primary security mechanism. Here, there was some confusion on how to configure the various security components. However, referring to the deployment guide smoothed out the path to a successful integration.

When deploying VIP, it is important to understand the network infrastructure that you already have in place and how incorporating VIP's technology will impact the configuration. In most cases, you will need to deploy a RADIUS server or modify your VPN settings, or make changes to your directory (LDAP) services. However, the included deployment guide offers multiple scenarios, tips and detailed instructions that make the installation straightforward for a networking pro.

Perhaps, the biggest challenge associated with VIP is the plethora of choices available. VIP integrates with a multitude of servers, directories and VPNs, while supporting a vast array of endpoint devices, including Android devices, iPhones, tablets, dedicated key fobs, secureID cards and traditional PCs.

From the end-user perspective, using VIP is quite simple. The only additional chore the end user may have to perform is the installation of the credential software, which is a simple application that generates the temporary security code needed for authentication. That application can be pushed down to the device, delivered via email or, in the case of an Apple product, installed from the App Store. Optionally, the service can be configured to deliver a security code via SMS to a cell phone.

Regardless of the authentication service selected, end users will find VIP easy to use, which promises to provide additional benefits, such as fewer calls to the help desk for password help and a more secure posture for accessing critical information while working remotely.

Conclusions

Symantec's VIP offers several advantages to organizations looking to improve their security and meet compliance needs. First, no major capital investment is needed to deploy VIP, simply because it is a service that works with most of the technologies already in hand, such as Windows Servers, smartphones, etc.

That goes hand in hand with how easy the service is to deploy, at least compared with traditional hardware-based multifactor authentication systems. For a simple network, deployment can usually be accomplished in a few hours, further helping to reduce costs. What's more, the system is easy to manage, administer and use, which further reduces operational costs.

All things considered, Symantec VIP proves to be the easiest way to bring multifactor authentication to most any network or cloud service. The integration options are extensive as is the support for existing hardware, while logging and reporting round out the offering, making it a good fit for those driven by compliance needs and enhanced security.

What's more, the service enhances mobility and brings security to sites that were once difficult to secure, making it a good fit for those looking to use tablets or other devices from satellite offices, without having to invest in on-premises-based security hardware. 




 
 
 
 
Frank Ohlhorst Frank J. Ohlhorst is the Executive Technology Editor for eWeek Channel Insider and brings with him over 20 years of experience in the Information Technology field.He began his career as a network administrator and applications program in the private sector for two years before joining a computer consulting firm as a programmer analyst. In 1988 Frank founded a computer consulting company, which specialized in network design, implementation, and support, along with custom accounting applications developed in a variety of programming languages.In 1991, Frank took a position with the United States Department of Energy as a Network Manager for multiple DOE Area Offices with locations at Brookhaven National Laboratory (BNL), Princeton Plasma Physics Laboratory (PPL), Argonne National Laboratory (ANL), FermiLAB and the Ames Area Office (AMESAO). FrankÔÇÖs duties included managing the site networks, associated staff and the inter-network links between the area offices. He also served at the Computer Security Officer (CSO) for multiple DOE sites. Frank joined CMP TechnologyÔÇÖs Channel group in 1999 as a Technical Editor assigned to the CRN Test Center, within a year, Frank became the Senior Technical Editor, and was responsible for designing product testing methodologies, assigning product reviews, roundups and bakeoffs to the CRN Test Center staff.In 2003, Frank was named Technology Editor of CRN. In that capacity, he ensured that CRN maintained a clearer focus on technology and increased the integration of the Test CenterÔÇÖs review content into both CRNÔÇÖs print and web properties. He also contributed to NetseminarÔÇÖs, hosted sessions at CMPÔÇÖs Xchange Channel trade shows and helped to develop new methods of content delivery, Such as CRN-TV.In September of 2004, Frank became the Director of the CRN Test Center and was charged with increasing the Test CenterÔÇÖs contributions to CMPÔÇÖs Channel Web online presence and CMPÔÇÖs latest monthly publication, Digital Connect, a magazine geared towards the home integrator. He also continued to contribute to CMPÔÇÖs Netseminar series, Xchange events, industry conferences and CRN-TV.In January of 2007, CMP Launched CRNtech, a monthly publication focused on technology for the channel, with a mailed audience of 70,000 qualified readers. Frank was instrumental in the development and design of CRNTech and was the editorial director of the publication as well as its primary contributor. He also maintained the edit calendar, and hosted quarterly CRNTech Live events.In June 2007, Frank was named Senior Technology Analyst and became responsible for the technical focus and edit calendars of all the Channel GroupÔÇÖs publications, including CRN, CRNTech, and VARBusiness, along with the Channel GroupÔÇÖs specialized publications Solutions Inc., Government VAR, TechBuilder and various custom publications. Frank joined Ziff Davis Enterprise in September of 2007 and focuses on creating editorial content geared towards the purveyors of Information Technology products and services. Frank writes comparative reviews, channel analysis pieces and participates in many of Ziff Davis EnterpriseÔÇÖs tradeshows and webinars. He has received several awards for his writing and editing, including back to back best review of the year awards, and a presidentÔÇÖs award for CRN-TV. Frank speaks at many industry conferences, is a contributor to several IT Books, holds several records for online hits and has several industry certifications, including NovellÔÇÖs CNE, MicrosoftÔÇÖs MCP.Frank can be reached at frank.ohlhorst@ziffdavisenterprise.com
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel