Authentication of VPN Enterprise Mobile Device Users - dummies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Before you allow access to the corporate network from any mobile device, you should first identify the user. One type of user identity validation is authentication. User authentication is the validation that a user truly is who she says she is. In other words, user authentication proves that the person attempting to log in to the VPN as SueB really is Sue Berks, and not Joe Hacker.

As with many security technologies, authentication solutions offer a range of security strengths. Organizations that are very security conscious typically use a strong authentication solution such as a one-time password system or X.509 digital certificates. The use of strong authentication has become very popular in recent years; it is a best practice for all organizations. Less security-conscious organizations stick with static username and password systems for remote user authentication.

Local authentication

Local authentication uses a user database that is onboard the VPN appliance. All user account management and record storage are done on the appliance itself.

Most VPN vendors offer this type of authentication, though it’s used primarily for administrator authentication or for smaller organizations.

Lightweight Directory Access Protocol (LDAP)

LDAP (Lightweight Directory Access Protocol) is a standard protocol for querying a directory database and updating database records. As one of the more commonly used interfaces in VPN deployments, LDAP acts as the protocol of choice for querying many types of databases, including Active Directory.

Active Directory (AD)

Active Directory is one of the leading directory servers, and most organizations deploy it to some extent. Many VPN servers offer a native Active Directory authentication server interface, but AD deployments can also leverage LDAP/LDAPS (LDAP over SSL) for queries and updates.

RADIUS authentication and one-time password systems

Most VPN systems provide a standard way to interface with one-time password (OTP) systems through the RADIUS protocol. Remote Authentication Dial-In User Service (RADIUS) provides authentication, authorization, and accounting services, and most OTP systems available on the market today support RADIUS.
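The following added example (not from the original text) shows what the VPN-to-OTP-server exchange looks like on the wire under RFC 2865: the one-time code travels in a User-Password attribute hidden with MD5 and the shared secret, and the VPN accepts a reply only if its Response Authenticator is keyed with that same secret. Function names, the username, the OTP value, and the shared secret are constructed for illustration.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)); c(0) is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """RADIUS/OTP server side: recover the code the user typed."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, otp, secret):  # VPN side; returns (packet, req_auth)
    req_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hide_password(otp, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code+id+length+req_auth+attrs+secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, ident, req_auth, secret):
    """VPN side: drop replies that are malformed, mismatched, or not keyed with the secret."""
    if len(resp) < 20 or resp[1] != ident or int.from_bytes(resp[2:4], "big") != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values, not real credentials
    pkt, ra = build_access_request(7, b"SueB", b"492817", secret)
    print(pkt.hex(), response_is_authentic(build_response(ACCESS_ACCEPT, 7, ra, secret), 7, ra, secret))
```

Because the hiding and the reply check both rest on MD5 and the shared secret alone, the secret should be long and random, and the RADIUS traffic is best kept on a protected management network or tunnel.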

X.509 certificate authentication

In recent years, X.509 digital certificates have become more popular as an authentication method. They’re issued by several trusted certificate authorities (CAs) to organizations and end users. The deployments within the U.S. Government have been a huge driver for adoption of X.509 certificates. As a result, support has improved significantly in recent years, making deployment and ongoing administration much simpler.

When a VPN appliance supports X.509 digital certificates, that appliance must perform validation of a certificate to ensure that the certificate hasn’t been revoked. The VPN validates the certificate with either of the following:

  • CRLs (certificate revocation lists): CRLs are essentially lists of revoked certificates that are distributed by the certificate issuer.

  • OCSP (Online Certificate Status Protocol): OCSP is a way to bypass some of the limitations of CRL checking (such as the size of the lists), and it specifies a way to verify certificate status in real time.

In addition to certificate status validation, the VPN might also retrieve user attributes from the certificate so that the VPN access control system can compare them to attributes in a directory.

Security Assertion Markup Language

Security Assertion Markup Language (SAML) is a standard for authenticating and authorizing users across different systems. Essentially, it’s a Single Sign-On (SSO) technology. Some SSL VPN appliances provide support for SAML, allowing users who are already logged in to other systems to log in to the SSL VPN system seamlessly as needed. SAML authentication solutions aren’t usually associated with IPsec VPNs.