AstaroOS: Support for Two-Factor Authentication (SMS, Token, OTP, Mobile App etc.)
Dual-factor authentication is much stronger than the password-based authentication which Astaro is now using. Astaro has implemented the certificate authority and the OpenVPN project has implemented support for PKCS#11 in version 2.1. What is left? Only to implement dual-factor authentication in Astaro.
RADIUS challenge-response over PAP and MSCHAPv2, e.g. for IPsec clients, for use with SMS PASSCODE two-factor authentication.
real 2-way SMS-OTP-VPN Authentication:
SSL Client VPN (and SSL Clientless VPN):
1. Enter username and password.
2. The ASG sends an SMS OTP token and waits for user input.
3. Enter the SMS token.
4. Authentication complete.
To realize this, we need the RADIUS Challenge/Response feature,
or the ASG sends an email with a token to an SMS gateway and waits for the user input.
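The four-step flow above is a RADIUS Access-Challenge exchange: the first Access-Request carries the static password, the server answers with code 11 (Access-Challenge) plus a State attribute, and a second Access-Request carries the OTP together with that State. The following is an added example, not Astaro/Sophos code, that simulates both sides in Python on the wire format of RFC 2865. The shared secret, the user database, the request identifiers and the list that stands in for the SMS gateway are all constructed for the example; the User-Password hiding and the Response Authenticator are the real RFC 2865 constructions. The same two-leg exchange is what a hotspot portal that first collects a mobile number and then asks for the code would need.

```python
"""Two-leg RADIUS (RFC 2865) exchange for SMS OTP: Access-Request -> Access-Challenge
-> Access-Request(State, OTP) -> Access-Accept. Added example, not Astaro/Sophos code.
Shared secret, user database and the list standing in for the SMS gateway are constructed."""
import hashlib
import hmac
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24       # attribute types
SECRET = b"constructed-shared-secret"

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length including the 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def build(code, ident, authenticator, pairs):
    body = _attrs(pairs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def encrypt_password(password, req_auth, secret=SECRET):
    """RFC 2865 s5.2: pad to a multiple of 16 and XOR each block with MD5(secret + previous
    block); the first block is keyed by the Request Authenticator instead."""
    raw = password.encode()
    raw = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(raw), 16):
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(ciphertext, req_auth, secret=SECRET):
    out, prev = b"", req_auth
    for i in range(0, len(ciphertext), 16):
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\0").decode()

def _respond(code, ident, req_auth, pairs):
    """Server reply: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(pairs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SECRET).digest() + body

def response_is_authentic(resp, req_auth):
    """Client-side check that the reply came from the holder of the shared secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest()
    return hmac.compare_digest(expected, resp[4:20])

class OtpRadiusServer:
    """Backend that checks the static password, then issues a 6-digit OTP bound to a State."""
    def __init__(self, users, sms_outbox):
        self.users, self.sms_outbox, self.pending = users, sms_outbox, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        user = a[USER_NAME].decode()
        typed = decrypt_password(a[USER_PASSWORD], req_auth).encode()
        if STATE in a:                                 # second leg: User-Password carries the OTP
            entry = self.pending.pop(a[STATE], None)   # one-shot: a replayed State finds nothing
            ok = entry is not None and entry[0] == user and hmac.compare_digest(entry[1], typed)
            return _respond(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        stored = self.users.get(user, "").encode()
        if not stored or not hmac.compare_digest(stored, typed):
            return _respond(ACCESS_REJECT, ident, req_auth, [])
        otp, state = f"{secrets.randbelow(10**6):06d}".encode(), os.urandom(16)
        self.pending[state] = (user, otp)
        self.sms_outbox.append((user, otp.decode()))   # hand-off to the SMS gateway
        return _respond(ACCESS_CHALLENGE, ident, req_auth,
                        [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")])

def client_login(server, username, password, read_otp, supports_challenge=True):
    """Gateway/VPN side. Returns the final RADIUS code. With supports_challenge=False the
    client stops at code 11, which is the gap the thread describes: the user sees a failed login."""
    req_auth = os.urandom(16)
    resp = server.handle(build(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, username.encode()), (USER_PASSWORD, encrypt_password(password, req_auth))]))
    if not response_is_authentic(resp, req_auth):
        raise ValueError("Response Authenticator mismatch")
    code, _, _, attrs = parse(resp)
    if code != ACCESS_CHALLENGE or not supports_challenge:
        return code
    req_auth, state = os.urandom(16), dict(attrs)[STATE]
    resp = server.handle(build(ACCESS_REQUEST, 8, req_auth, [(USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_password(read_otp(), req_auth)), (STATE, state)]))
    if not response_is_authentic(resp, req_auth):
        raise ValueError("Response Authenticator mismatch")
    return parse(resp)[0]
```

Two points the exchange makes visible: the State attribute is what ties the OTP answer to the session that requested it (the server pops it, so a captured second request cannot be replayed), and a client that only understands Accept/Reject never gets past code 11, which is exactly why an OTP-over-RADIUS backend behind a gateway without challenge support can only work with passcodes the user already holds before logging in.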
Add support for Google Authenticator for VPN authentication (in addition to the password, to make it two-factor). Web admin and user portal would also be a plus, but less important.
After entering their regular user name and password, the Astaro would dynamically generate a one-time password. Users will receive an email and/or a text message containing the temporary one-time password. No additional hardware token or card is required.
I would like to see the ability to have a true two-factor authentication option when logging into the Web Administration console. While it is possible to supplement the password field currently with a backend RADIUS server and OTP, this isn't two-factor authentication, even though there are many articles suggesting so: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-the-astaro-security-gateway
For true two-factor authentication the authentication inputs need to be:
Gateway appliances from Juniper, Cisco and alike provide this functionality, I’m hopeful Astaro can do the same.
The option to send one-time passwords from the ASG, to have another security level in addition to the AD authentication.
This would add a one-time-use password to regular authentication. http://www.yubico.com/home/index/
It would be nice to have a one-time password system "out of the box" for (SSL) VPN, without the need for a RADIUS server within your LAN/DMZ.
The End-User Portal can be configured to be accessible from the WAN. The problem is then that if the End-User Portal is hacked, it could be possible to download the SSL VPN client or to do other things on this site.
It would be great if an additional token authentication could be enabled on the End-User Portal. In this case we could improve the security of that access.
SSL VPN - Better integration with the extended Radius information that the RSA SecurID radius server provides such as Next Token Code mode and initial passcode setup.
Right now, when a user gets themselves locked out via failed attempts, the token is moved to Next Token Code mode, which can only be resolved by an administrator.
It would be nice to have two-factor authentication with an SMS one-time password for the End-User Portal and SSL VPN. This means when I log in to such a feature, I get an SMS on my phone which I must use in addition to my name and password to be granted access.
Similar to Google's implementation: http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/
This feature will be released as part of UTM 9.2 later in 2013. We are on it!
I do hope for RADIUS Challenge-Response to be added, as real-time, session-based secure 2FA is a market demand today.
We have customers that used to use Astaro but have changed to something else that supports challenge-response.
Markus Kreissl commented
Finally, there's a solution: you can use the 2FA product of SecurEnvoy (www.securenvoy.com). I downloaded, installed and configured it to work together with the ASG and tested it: it really works! Why? No challenge-response process, but passcodes via SMS in advance or via seed-based calculation as a soft-token app on your smartphone. It's up to you what you want to secure; everything is possible, from WebAdmin over the End-User Portal to VPN connections. Instead of merely user name and password (which is e.g. even the Microsoft AD password of the user) you now use the username in one line and, in the password line, the original password followed by the 6-digit dynamic passcode. Any further questions? Contact me: email@example.com (English or German).
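The "original password followed by the 6-digit dynamic passcode" scheme described in the comment above is what lets a seed-based soft token work through a plain RADIUS backend that has no challenge-response: both factors travel in the one User-Password field and the backend splits them. The following is an added example, not SecurEnvoy's or Astaro's code, of the verifying side. It assumes the seed-based calculation is TOTP (RFC 6238, HMAC-SHA1, 30-second step); the seed, the static password and the timestamps are constructed. It also adds the two checks a practitioner would want here and that the comment does not mention: a small clock-drift window, and a refusal to accept the same time step twice, so a passcode picked up by a keylogger is dead after its first use.

```python
"""Verify one User-Password field carrying <static password><6-digit passcode>.
Added example, not SecurEnvoy's or Astaro's code. The seed-based soft token is assumed to be
TOTP (RFC 6238, HMAC-SHA1, 30 s step); seed, static password and timestamps are constructed."""
import hashlib
import hmac
import struct

STEP = 30

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(seed, unix_time // STEP, digits)

class CombinedPasswordVerifier:
    """Splits the typed value positionally (last 6 characters are the passcode), checks both
    factors, tolerates +/- drift_steps of clock skew and never accepts a time step twice."""
    def __init__(self, static_password: str, seed: bytes, drift_steps: int = 1):
        self.static_password = static_password.encode()
        self.seed, self.drift, self.last_accepted_step = seed, drift_steps, -1

    def verify(self, typed: str, unix_time: int) -> bool:
        if len(typed) < 7 or not (typed[-6:].isascii() and typed[-6:].isdigit()):
            return False
        static, code = typed[:-6].encode(), typed[-6:]
        # Evaluate both factors unconditionally; do not return early on the static factor,
        # so a caller cannot tell from timing which half was wrong.
        static_ok = hmac.compare_digest(static, self.static_password)
        matched = -1
        now_step = unix_time // STEP
        for step in range(now_step - self.drift, now_step + self.drift + 1):
            if step > self.last_accepted_step and hmac.compare_digest(code, hotp(self.seed, step)):
                matched = step
        if static_ok and matched >= 0:
            self.last_accepted_step = matched      # burn this step against replay
            return True
        return False
```

The split is positional, so a static password that itself ends in digits stays unambiguous; the RFC 6238 test seed "12345678901234567890" gives 287082 at t=59 and 005924 at t=1234567890, which is what the check below relies on. Note what this scheme does not give you: the passcode is still typed into the same field, so an HTML5 portal or VPN client that accepts it has no way to prompt for it separately, which is precisely the part of the thread's request that only challenge-response solves.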
Markus Kreissl commented
In my opinion, YubiKeys would not be that good. As far as I can see, there's no possibility to integrate devices which do not accept a USB keyboard, like smartphones and tablets etc.
YubiKeys could be great for this!
Please provide built-in dual-factor authentication as soon as possible. Especially if the HTML5 VPN feature is used, a more secure way to authenticate is needed!!
There are very separate features merged and mixed in this thread:
Implementation of challenge-response support for the SSL VPN client and for RADIUS on Sophos UTM to support highly authenticated VPN access.
Setting up the wireless hotspot to capture a mobile number for delivery of an OTP (one-time password), requiring challenge-response support as well. Wireless hotspot access authentication needs beefing up.
It would be fantastic to have built in support for dual factor authentication out of the box - but this is completely separate feature. It does not require support for challenge response - but it would be so much better - especially for the hotspot feature above - if it did.
The full implementation of challenge response user dialogue handlers for each of WebAdmin, User Portal and Hotspot Portal (as well as for the SSL VPN client of course).
Please consider integrating Duo Security two factor authentication support.
I would like to see this done for Hot Spot authentication. You provide a username and password to the user in the normal way printed on a bit of paper. They then enter these details into the hotspot portal, which then asks them for a mobile number to send a One Time Password to. They get an SMS with a OTP which they then enter to gain access.
1. Astaro gets to register a Mobile number against an otherwise anonymous internet user.
2. Access is limited to the owner of the mobile phone, people who pick up a discarded paper with U/P cannot do anything with it.
It now costs 20 euros per month for unlimited texts. Challenge response is the perfect way to interface this form of two factor authentication to the back end AD system. You could even use this to get Users to register themselves onto an AD system.
What's not to like.
Also see http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/184787-astaroos-support-for-two-factor-authentication-s for a similar feature request.
Wow - this feature request has been open since 2009, and 2FA has been around since what, the 90s???
I would like to be able to have a Sophos UTM provide a dual factor authentication mechanism - out of the box - for locking down
2. User Portal
3. Roadwarrior VPN access
At the moment WebAdmin out of the box is vulnerable to
c) password harvesting duplicate passwords (i.e. Webadmin pw = Twitter pw)
d) TCP session replay
e) Brute force attacks
f) Man in the middle attacks
I know I am supposed to be unbearably upbeat about this security product here, but seriously guys - a security device whose primary means of authentication is still only passwords. You must be kidding, right?
I am pretty sure that most security experts think that passwords are not a good enough form of authentication for a security device that is protecting the IP (which does not stand for Internet Protocol in this context) of the companies it is sold to. Any hacker's response to the statement - that passwords were enough - would be to ROFLOL pause for a second and then ROFLOL some more.
Please don't say - "but you can buy a bolt on RADIUS server from RSA/Vasco/etc. to fix this - and BTW sorry about the lack of challenge response". The whole point of Astaro is that 99/100 I should not need to spend extra money buying enhanced and more expensive versions of smart features like WAF, Wireless or RED from third parties. I want a smart feature like 2FA and preferably with the following features:
- One Time Passwords
- Password is tied to the SSL Session ID
- Uses SMS messaging which now costs 20 euros per month for unlimited texts
Would like to say something about the comment:
"Elmar Haag commented · December 15, 2009 9:38 a.m"
The workaround you describe here, maybe that could be the User Portal?
You could argue whether it's beneficial to just use certificates in combination with a username/password. But I think there is a differentiation between SMS/OTP and/or hardware two-factor authentication. The other users seem to think so as well, as there are at the time of my comment 134 votes for this request.
Solutions like PhoneFactor and Duo Security work for OTP and SMS, but for actually getting a phone call and pressing a number to authenticate, the SSL VPN client disconnects before it can finish. Extending the time before soft-failing the authentication would be great.
Daniel Ruf commented
It's nice to know that there is exactly one product supporting two-factor authentication with the Sophos UTM. But nearly every other competitor supports challenge and response, so we probably need to change our UTM product to one from another vendor if you are not willing to support this soon.
It looks as if some solutions such as PhoneFactor will work through an AD/RADIUS implementation. This is also one of the most expensive solutions. SonicWall, Cisco and Fortinet offer many more options. Our clients are requesting options beyond certificates for VPN access. I think this is a critical feature moving forward.
My point is that Sophos/Astaro support for two factor authentication is not good enough for serious customers to actually use it in anger. Our experience is that our customers try it, find the limitations, and then go back to using Checkpoint, Cisco or someone else. The overhead of support calls due to the lack of advanced feature support is too high to justify using 2FA with Astaro.
Then my other crucial point was that it is impossible to secure these lovely new features on Sophos UTM like HTML5 without dual factor authentication. It is just too risky, and without 2FA makes the Astaro the ideal launch pad for an intrusion - which is just wrong.
Password policy enforcement that you mention, was developed when IBM mainframes were the norm and men had long hair down to their shoulders and wore flared trousers and flowery shirts. A new approach to user authentication is desperately needed. I have 115 unique user names and passwords at the moment. IBM would have me change all of those once per month. If I spent a whole 8 hour day doing it, that would be 4 minutes and 10 seconds per password. One day a month doing password changes is just insane.
This is about trying to find a way to address one of the top security issues affecting the industry - passwords.
Sophos/Astaro could do a lot worse than pre-integrating a couple of full 2 factor cloud solutions like Blackshield/Safenet or SMSPasscode. They would then fix the poor support for Radius in the process, to make the solution workable and deal with this feature request.
My 2 cents also.
I don't fully get your point here:
a) Astaro is able to enforce password policies for locally defined accounts and passwords. Authentication Services - Advanced - Require complex passwords.
b) From all I know you are able to enforce 2 factor authentication in all different areas that need authentication. This includes also the admin access to the device. Simply make sure that you pick distinct user names that are not available in other backend authentication systems and thus you could make sure that you'd only be able to log in to the ASG with the 2 factor credentials.
c) Just to make this clear again (as the topic here might be a bit misleading): Astaro does support the RSA token via RADIUS; the only operational situation in which it fails is if the token is out of sync, as Challenge-Response RADIUS is currently (at least to my knowledge, might have changed with v9) not supported, and this is needed to ask for the 2nd token number to get the token back in sync with the RSA server clock.
d) Plenty of other 2-factor tokens and solutions are also supported out of the box; whatever uses RADIUS and does not do Challenge-Response can be used. This rules out most of the SMS-based token systems, with the exception of those using tokens of the day, but includes most time-based tokens.
Just my 2 cents,
The real issue is that the user authentication security in Astaro has not evolved since (at least) Version 4. Local passwords, plus limited support for RADIUS dual-factor features and AD. Basic, basic, basic. So what, I hear people say? So Astaro/Sophos need to pull their head out of the sand, before the weak support for dual-factor authentication in particular and user authentication in general causes customers to suffer from serious security breaches.
Dual factor is important because it shrinks the attack surface from anyone in the world with an Internet connection, to just one person who has grabbed my token.
I would like to see full support established for existing dual factor authentication solutions from RSA, etc. I would like to see password policy enforcement available and applicable to locally defined usernames and passwords. Then it is about time that Astaro integrated one of the many innovative dual factor solutions available out there in the marketplace.
Because HTML5 now makes it possible to set up the UTM as the administrative hub of your entire infrastructure. Awesome, and really convenient, not to mention time-saving access using just a browser on my iPad from Brighton beach without interrupting my holiday. I can do anything from my iPad. I can SSH access my linux server to flush the dns cache, then RDP access AD2 to tweak some setting, and VNC onto my desktop (because I use linux) and check my work email. All from my iPad while my ice cream is melting and the children are building sandcastles. The problem is, if I can do anything from the browser on my iPad, then so can a hacker from their browser.
First problem for the hacker, get my user portal username and password. That is doable with shoulder surfing, or key logging if they are in a cybercafé or business PC in a hotel, or have a Trojan installed on their iPad. Then the infrastructure is **** out in the user portal under the HTML5 tab. Then they can have fun (having totally bypassed the firewall) trying to password ***** my internal infrastructure.
Dual factor authentication shrinks the Sophos UTM attack surface from anyone in the world with an Internet browser, to just one person who has grabbed my token. This is why this issue is becoming more and more important, and especially for accessing the user portal.
That is why the big long comment here. A security hole you can throw a whole company or at least a UTM product line through.
Please add your own thoughts, for or against.
P.S. I have over 120 different accounts each with unique passwords. This is normal for any IT admin. If you think you have maybe 10-20 accounts accessed via a handful of standard passwords with modifiers, then you are deluding yourself. Get a password manager and you will go through 50 accounts in less than a month, and I bet you will go through 100 within 3-6 months.
P.P.S. This is the other reason user authentication is so important.
Pieter van Stokkom commented
In over 3 years nothing is done about this?
Quite a shame; it makes administrators look outside the box. The box being Astaro/Sophos in this case, meaning they'll be moving on (back?) to other vendors...
I have 107 different passwords. The average is 5. Yahoo have just had half a million clear text passwords hacked. The lack of password security is one factor driving dual factor authentication adoption. The "cloudification" of the service commoditizing is another.
Dual-factor authentication is increasingly being used by the SMB sector, and the basic RADIUS implementation is too basic for supporting dual-factor authentication on Astaro/Sophos UTM.
It's a shame this is not under Authentication, as this applies not only to VPN, but to user portal access, etc.
Alun James commented
Since dual-factor authentication is inbuilt, it'd be nice if they implemented it properly! This doesn't just apply to RSA but any RADIUS. Oh, well back to Cisco...