RSA SecurID Appliance 2.0
RSA Security
Price: From $4,000 for 10-user to $34,000 for 250-user bundle

Two-factor authentication has long been an attractive
alternative to simple reliance on passwords. But it has been
difficult to implement and manage, and dogged by incompatibility
with key networking components such as VPN gateways, Web portals,
wireless access points and routers. After two decades of research
and development, we are finally seeing products that come close to
meeting enterprise expectations.

RSA Security's RSA SecurID Appliance, released last year,
addressed most of these issues, but was geared towards small- and
medium-sized organizations. Now, the highly scalable 2.0 version
extends this functionality to large enterprises, with capacity
for up to 50,000 users. The unit is shipped with support for up to
10 replicas, which can be used for load-balancing as well as high
availability in situations when the primary is down for maintenance
or other reasons.

The initial configuration was fairly smooth because of the
product's well-designed Web interface. With good preparation and
use of the planning worksheet included with the appliance, it is
hard not to meet the 15-minute deployment (basic setup and
configuration) claim made by RSA.

At the heart of SecurID is RSA's time-tested 4GL-based
Authentication Manager (the latest version includes wireless
support and SecurID for Windows 2.0); we were able to carry out the
majority of administrative tasks through the appliance's Web
interface. However, you'll need to use the terminal service
interface for advanced administrative tasks, such as importing
users from an existing LDAP database instead of adding them
manually and setting up synchronization jobs with LDAP
databases.

In our lab, we used the SecurID Appliance to protect an
IIS-based Web application, as well as for local Windows
authentication. Both required installing an agent to relay
authentication requests and a configuration file on the servers.
The configuration file is created by the appliance after adding the
servers. Similar agent software is required for Sun Microsystems'
Java Web servers, Apache servers, UNIX/Linux hosts and the Novell
eDirectory; in fact, more than 340 products, including remote
access servers, IPSec- or SSL-based VPN gateways, Web portals,
wireless APs and routers from various vendors are shipped with
built-in support for RSA SecurID.

Like any other (Windows-based) device, the RSA SecurID Appliance
did require extra reboots every time it experienced an unexpected
power loss. Considering the criticality of the appliance and its
not-so-small price tag, provisioning an extra power supply doesn't
seem unreasonable. We weren't impressed with the amount of time it
took from opening a trouble ticket to receiving a call back from
customer service.

The 1U rack-mountable appliance is built on a hardened Microsoft
Windows 2003 Server. Patches and updates are provided through RSA's
SecurCare Online portal. The unit comes with two 1 Gbps and two
10/100 Mbps network interfaces, and multiple USB and serial
ports.

The 40x2-character LCD shows the basic status of the
appliance, and a jog dial is provided for scrolling through the LCD
options. Unfortunately, the LCD displays a "System Ready" message
until the OS is completely up. (Be careful not to rotate the dial
during boot-up--it can throw you into restore mode, which may
result in losing configuration.) After that, it displays the name,
IP address, connection status and whether the device is the primary
unit or a replica.

Overall, we were pleased with the protection, ease of use and
administration of the RSA SecurID Appliance, which gives both large
and small organizations the robustness of RSA software in an
easy-to-configure and -deploy box.

This article originally appeared in the July 2006 edition of
Information Security magazine.