
ADDING STRONGER AUTHENTICATION

for VPN Access Control

LoginTC Solution Guide | November 2012


A virtual private network (VPN) allows remote users to connect to their corporate or organization’s networks that would otherwise be inaccessible. Traffic established through the VPN stays isolated by building a secure “tunnel” protected by encryption or using a dedicated connection.

VPN ACCESS AUTHENTICATION

Implementing a VPN solution with centralized management of client access is the best way to deliver secure remote access to your corporate network and applications. RADIUS is one method to centralize client administration for one or more VPN switches. RADIUS coordinates authentication and authorization information between a network access server (the VPN switch) and a central authentication and authorization server. There are many ways to accomplish this, but ideal deployments use MS Active Directory or LDAP servers to leverage the existing data stores of your end-users.

Enterprises wishing to upgrade their VPN remote access to stronger authentication face challenges with existing hardware or software based two-factor solutions. Hardware-based technologies like PKI certificates, one-time password (OTP) tokens, smartcards, and USB tokens do not scale above several thousand users. Beyond that, the burden of administration and deployment is too high and cost-prohibitive.

Additionally, the use of software, SMS or mobile app based OTPs exposes users to the risk of man-in-the-middle and phishing attacks. LoginTC addresses all of these shortcomings head-on.

[Figure: LoginTC platform overview. Components: User, VPN Device, LoginTC RADIUS VA, RADIUS Server, MS AD or LDAP, LoginTC Cloud, LoginTC Connect, LoginTC app]

THE LOGINTC PLATFORM

The LoginTC platform is a versatile solution which can quickly add an additional layer of security to any authentication process. The platform combines several products into an integrated, cloud-based identity and access management solution:

LoginTC Cloud, which provides core functionality for administrators to manage users, domains and devices

LoginTC Connector, a set of modules that integrate directly with various service provider end points (this guide focuses on the LoginTC RADIUS connector)

LoginTC Apps, a token credential storage your users download and install on their mobile devices

LoginTC Cloud

LoginTC Cloud is a fully featured web based control panel used by administrators to manage and monitor their users, domains and devices.

Administrator access is protected with LoginTC two-factor authentication.

An administrator can delegate privileges to other administrators, such as managing users and entitlements, managing domains and devices, and accessing audit information and reports.

LoginTC Cloud hosts its infrastructure in a level one PCI DSS compliant data center with audit reporting in accordance with SAS 70 Type II and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards.

LoginTC Connector

The LoginTC RADIUS Virtual Appliance is a purpose-built virtual appliance which integrates directly into an existing corporate network. The appliance is downloaded and installed in your on-premise environment. If required, you can deploy the appliance in a load balanced and high availability manner.

The appliance is the gateway between your VPN, Wi-Fi or any RADIUS-based device and the LoginTC Cloud. It leverages your existing username/password first factor and adds a second factor layer with the LoginTC app. Active Directory and LDAP integration tools are provided to administrators to leverage existing user repositories.

LoginTC Apps

The LoginTC app is a token credential store and authentication tool installed on your user’s mobile device. Users create a second factor credential by loading administrator issued VPN tokens in the app. Each remote access attempt pushes a second factor request to the user’s mobile device. The rich app interface allows users to easily decide whether to approve or deny an access request. The app is available for iOS, Android and BlackBerry platforms.

LOGINTC TWO-FACTOR

Since the LoginTC app can be found in the most popular mobile marketplaces, it is easier and less expensive to deploy to your users, even to suppliers, partners, and contractors. That gives you complete flexibility for delivering the VPN enrolment tokens via user self-service provisioning, user bulk upload, or using the LoginTC Manager with automated email delivery.

To reach LoginTC apps in the mobile network, LoginTC Cloud leverages push technology from the platforms' advanced notification services.

Cutting-edge security and monitoring technologies allow LoginTC to deliver out-of-band notifications to registered LoginTC users via the cellular network or Wi-Fi access points. This interface allows users to interact only with LoginTC-enabled devices or websites.

VPN Integration

The LoginTC RADIUS Connector is packaged as a virtual appliance to run within your corporate network. You download the appliance from the LoginTC website. The download consists of a .ZIP file containing an Open Virtualization Format (OVF) virtual machine. This virtual machine is installed on your virtual machine host, such as ESXi or VirtualBox. The LoginTC RADIUS Virtual Appliance is configured as the gateway between the LoginTC Cloud and your existing VPN and user data stores.

Using the step-by-step instructions found in the LoginTC RADIUS Virtual Appliance installation guide, you will enable, configure and test your VPN with LoginTC two-factor authentication.

[Figure: LoginTC authentication flow, steps 1 to 9, between the Corporate Network (VPN, Existing 1st Factor: AD / LDAP / RADIUS Server, LoginTC RADIUS VA) and LoginTC Cloud Services (https://vpn.corp.com shown as the example VPN endpoint). Token enrolment steps: Download the app, Receive CC, Add Token with CC, Lock Token with PIN]

Step  LoginTC Authentication Flow

1  User attempts to access the Corporate VPN via a web-based form or VPN client application

2  The VPN has been configured to use the LoginTC RADIUS VA for authentication

3  If configured with a first factor credential, the LoginTC RADIUS VA presents the user’s credential to the existing first factor RADIUS Server

4  The LoginTC RADIUS VA initiates a session with LoginTC Cloud for the second factor

5  The LoginTC Cloud sends an out-of-band authentication request to the user’s smartphone or tablet

6  The user acknowledges the notification and enters a PIN or passcode to unlock the VPN token credential

7  The LoginTC Cloud confirms validity of the user’s token and 2FA success

8  The LoginTC RADIUS VA confirms to the VPN that the user is valid

9  The VPN accepts the user’s session and redirects the user to the internal network and applications

Users can access the corporate VPN using a VPN client application, a web-based VPN access form, or through the wireless network as shown below.

You can configure your existing first factor to be used in conjunction with the LoginTC; for example, Active Directory / LDAP or an existing RADIUS server. You may also opt to not use a first factor, in which case LoginTC will be the only authentication factor.

Access to VPN from a mobile device

Users can access your corporate VPN with LoginTC in tandem with any VPN Mobile Client or a default VPN profile in their smartphone or tablet device. LoginTC allows you to deliver strong authentication for people on the move.

BENEFITS OF USING LOGINTC

Whether your users have a company smartphone or tablet, or your organization is fostering BYOD (bring your own device) access to corporate resources, LoginTC delivers the freedom to innovate how they work. The LoginTC Apps have been designed to provide the most advanced user experience, with intuitive displays and messages that your users can recognize and adopt.

Users attempting to access a VPN switch protected with LoginTC RADIUS VA are notified out-of-band to enter a PIN or passcode. Point-to-point communication between LoginTC Cloud and the LoginTC app prevents phishing, password cracking, and Man-in-the-Middle attacks. A correct PIN challenge response grants your users access to VPN-protected applications and data. Multiple incorrect PIN attempts render the credential inoperable, preventing fraudsters from accessing protected information with lost or stolen devices.
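The nine-step authentication flow in the table above and the PIN lockout described in the preceding paragraph, modelled as an added Python example (this is not LoginTC or Cyphercor code). The first-factor store, the LoginTC Cloud push and the app's on-device PIN unlock are replaced by in-memory stubs checked in one place, and the three-attempt limit is an assumption, since the guide only says "multiple".

```python
"""Model of the LoginTC RADIUS VA decision flow from the solution guide.
Added illustration only: the existing first-factor server (AD/LDAP/RADIUS),
the LoginTC Cloud push and the mobile app are in-memory stubs."""
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 3  # assumed limit; the guide only says "multiple" attempts

# Constructed sample credential standing in for the existing first-factor store
FIRST_FACTOR = {"alice": "correct-horse"}


@dataclass
class VpnToken:
    """Second-factor credential held in the user's app, unlocked with a PIN."""
    pin: str
    failed_attempts: int = 0
    disabled: bool = False  # set once too many wrong PINs are entered


# Constructed token store standing in for LoginTC Cloud's view of enrolled devices
TOKENS = {"alice": VpnToken(pin="4321")}


def first_factor_ok(username, password):
    """Step 3: the VA forwards the credential to the existing first-factor server."""
    return FIRST_FACTOR.get(username) == password


def second_factor_ok(username, approved, pin):
    """Steps 4-7: out-of-band push; the user approves and unlocks the token with a PIN.
    Repeated wrong PINs render the token inoperable (lost or stolen device case)."""
    token = TOKENS.get(username)
    if token is None or token.disabled:
        return False
    if not approved:  # the user denied the push or never acknowledged it
        return False
    if pin != token.pin:
        token.failed_attempts += 1
        if token.failed_attempts >= MAX_PIN_ATTEMPTS:
            token.disabled = True
        return False
    token.failed_attempts = 0  # a correct PIN clears the failure counter
    return True


def radius_va_authenticate(username, password, approved, pin, use_first_factor=True):
    """Steps 1-9 as seen by the VPN: returns the RADIUS reply the VA would send.
    With use_first_factor=False, LoginTC is the only factor, as the guide allows."""
    if use_first_factor and not first_factor_ok(username, password):
        return "Access-Reject"  # wrong password: no push is ever sent
    if not second_factor_ok(username, approved, pin):
        return "Access-Reject"
    return "Access-Accept"
```

A wrong first factor is rejected before any push is sent, so the user is never prompted for a request they did not start.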

There are multiple benefits of adding LoginTC to your VPN deployment:

Out-of-the-box integration: Enhancing VPN authentication management capabilities is made easy for VPN administrators while eliminating upfront capital investment and the typical time to acquire, deploy and implement new infrastructure

User Experience: It’s simple and smart; the LoginTC app efficiency, convenience and ease of use make it a practical and secure tool to your VPN remote users

Improved security: Protects against new Internet threats like Man-in-the-Middle that defeat One-Time Password (OTP) tokens

Reduced risk: Multi-factor authentication reduces risk of identity theft and network access threats by enabling safe, secure remote access to data and applications from anywhere

Improved compliance: Comply with regulatory policies or industry best practices for two-factor authentication for employees, suppliers and partners

Works worldwide: even without cell service, the LoginTC app can receive secure notifications via Wi-Fi access points

Lower cost: With LoginTC, there are no tokens or cards to lose, no extra passwords to remember, and fewer calls to the help desk. It provides the lowest cost of ownership of any multi-factor authentication technology on the market today

Mobility — working away from a traditional office setting or fixed location — has become a common requirement for today’s knowledge worker. With millions of smartphones and tablets in use in Canada and the US, LoginTC provides the most affordable and secure 2FA that your organization can adopt. LoginTC delivers instant secure access to network and applications to your mobile workers, either through a PC or on the mobile device itself.

DEPLOYING LOGINTC

By default the LoginTC platform is delivered as a cloud-based service. However, LoginTC can be deployed in two other ways:

Private Cloud-based 2FA services on demand

On-premise

In a Private Cloud deployment, LoginTC is delivered as Security-as-a-Service with components sandboxed exclusively for your organization.

The On-Premise solution includes a Virtual Appliance license that can be easily integrated into corporate IT infrastructures, and can be architected in load balance and high availability mode.

LoginTC is developed by Cyphercor Inc., which develops and delivers mobile security solutions which enable two-factor authentication credentials. Cyphercor's mobile-based approach offers unprecedented capabilities to smartphone and tablet users and security conscious organizations.

Cyphercor helps users and organizations meet or exceed their security and business goals by providing mobile solutions that:

protect digital identities with encryption and safe transactions

deliver free and easy to use apps to access cloud and business applications

deploy and enable in minutes

For more information, visit www.logintc.com or email [email protected]

Copyright © 2012 Cyphercor Inc. All rights reserved. LoginTC and its families of related marks, images, and symbols are the exclusive properties of Cyphercor Inc.
