Strong authentication for businesses large and small

RSA SecurID Appliance 2.0
RSA Security
Price: From $4,000 for 10-user to $34,000 for 250-user bundle

Two-factor authentication has long been an attractive alternative to simple reliance on passwords. But it has been difficult to implement and manage, and dogged by incompatibility with key networking components such as VPN gateways, Web portals, wireless access points and routers. After two decades of research and development, we are finally seeing products that come close to meeting enterprise expectations.

RSA Security's RSA SecurID Appliance, released last year, addressed most of these issues, but was geared towards small- and medium-sized organizations. Now, the highly scalable 2.0 version extends this functionality to large enterprises with capabilities of up to 50,000 users. The unit is shipped with support for up to 10 replicas, which can be used for load-balancing as well as high availability in situations when the primary is down for maintenance or other reasons.

The initial configuration was fairly smooth because of the product's well-designed Web interface. With good preparation and use of the planning worksheet included with the appliance, it is hard not to meet the 15-minute deployment (basic setup and configuration) claim made by RSA.

At the heart of SecurID is RSA's time-tested 4 GL-based Authentication Manager (the latest version includes wireless support and SecurID for Windows 2.0); we were able to carry out the majority of administrative tasks through the appliance's Web interface. However, you'll need to use the terminal service interface for advanced administrative tasks, such as importing users from an existing LDAP database instead of adding them manually and setting up synchronization jobs with LDAP databases.

In our lab, we used the SecurID Appliance to protect an IIS-based Web application, as well as for local Windows authentication. Both required installing an agent to relay authentication requests and a configuration file on the servers. The configuration file is created by the appliance after adding the servers. Similar agent software is required for Sun Microsystems' Java Web servers, Apache servers, UNIX/Linux hosts and the Novell eDirectory; in fact, more than 340 products, including remote access servers, IPSec- or SSL-based VPN gateways, Web portals, wireless APs and routers from various vendors are shipped with built-in support for RSA SecurID.

Like any other (Windows-based) device, the RSA SecurID Appliance did require extra reboots every time it experienced an unexpected power loss. Considering the criticality of the appliance and not-so-small price tag, provisioning an extra power supply doesn't seem unreasonable. We weren't impressed with the amount of time it took from opening a trouble ticket to receiving a call back from customer service.

The 1U rack-mountable appliance is built on a hardened Microsoft Windows 2003 Server. Patches and updates are provided through RSA's SecurCare Online portal. The unit comes with two 1 Gbps and two 10/100 Mbps network interfaces, and multiple USB and serial ports.

The 40x2 character-long LCD shows the basic status of the appliance, and a jog dial is provided for scrolling through the LCD options. Unfortunately, the LCD displays a "System Ready" message until the OS is completely up. (Be careful not to rotate the dial during boot-up--it can throw you into restore mode, which may result in losing configuration.) After that, it displays the name, IP address, connection status and whether the device is the primary unit or a replica.

Overall, we were pleased with the protection, ease of use and administration of the RSA SecurID Appliance, which gives both large and small organizations the robustness of RSA software in an easy-to-configure and -deploy box.

This article originally appeared in the July 2006 edition of Information Security magazine.