AstaroOS: Support for Two-Factor Authentication (SMS,Token, OTP, Moble App etc..)
Dual-factor authentication is much stronger than password-based authentication which Astaro now using. Astaro has implemented the certificate authority and OpenVPN project has implemented support for PKCS#11 in version 2.1. What there is left ? Only to implement dual-factor authentication in Astaro.
Radius challenge response over PAP and MSChapv2 for e.g. IPsec clients for use with SMS PASSCODE Two Factor Authentication
real 2-way SMS-OTP-VPN Authentication:
SSL Client VPN (and SSL Clientless VPN):
1. enter username and password.
2. the ASG will send a sms otp token and waits for user input
3. enter sms token
4. authentication completely.
to realize this, we need the Radius Challenge / Response feature
or the ASG sends an email with a token to a smsgateway and wait for the user input..
Add support for Google Authenticator for VPN authentication (in addition to the password to make it two factor). Web admin and user portal would also be a plus, but less important.
After entering in their regular user name and password, the Astaro would dynamically generate a one-time password. Users will receive an email and/or a text message, which will contain the temporary one-time password. No additional hardware token or card is required.
It would like to see the ability to have a true two form factor authentication option when logging into the Web Administration console. While it is possible to supplement the password field currently with a backend RADIUS server and OTP, this isn’t two form factor authentication, even though there are many articles suggesting so: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-the-astaro-security-gateway
For true two form factor the authentication inputs need to be:
Gateway appliances from Juniper, Cisco and alike provide this functionality, I’m hopeful Astaro can do the same.
the option to send one time passwords from the ASG to have another security level additional to the AD Authentication.
this would add a one time use password to regular authentication. http://www.yubico.com/home/index/
It would be nice to have an one time password system "out of the box" for (SSL-)VPN. Without the need of an Radius-Server within your LAN/DMZ.
Enduser Portal can be configured that it can be accessible from WAN. The problem is then, that when then enduser portal is hacked, It could be possible to download SSLVPN Client or to do other works on this site.
It would be great, when the possibility of an additionals Token authentication could be enabled on enduser portal. In this case we could inprove the security on that access.
SSL VPN - Better integration with the extended Radius information that the RSA SecurID radius server provides such as Next Token Code mode and initial passcode setup.
Right now a user gets themselves locked out via failed attempts the token is moved to next code mode which can only be resolved by an administrator.
It would be nice to have two-factor authentication with sms one time password for the end user portal and SSL vpn. This means when I login to such a feature I get an SMS to my phone which I must use in addition to my name and password to be granted access.
Similar to googles implementation: "http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/"
This feature will be released as part of UTM 9.2 later in 2013. We are on it!
Please allow authentication against SMSPasscode and RSAId for the second factor. Perhaps it could be implemented as a Radius Client for the second factor? Seen it done as a second factor via Radius to say, RSAId or SMSPasscode which can be a Radius server.
Google Authenticator and yubico are my votes on this. (also just as a fyi yubico has a nfc option that doesn't work with iphone as of iphone 5 but should work with most new android and the iphone 5s if that has nfc)
Leon Krown commented
Adding compliance with Google Authenticator would wonderful. Codes via SMS would be a nice fallback option. Don't try to home bake your own system, use a system already proven, accepted and very well tested and free like GA.
i want that, too!
I do hope for Radius Challenge Response to be added, as real time session secure based 2FA is a market demand today.
We have customers that used to use Astaro, but have changed this with something else, that supports Challenge response.
Markus Kreissl commented
Finally, there's a solution: you can use the 2FA product of SecurEnvoy (www.securenvoy.com). I downloaded, installed, configured to work together with the ASG and tested it: it really works! Why? No challenge-response process but Passcodes via SMS in advance or via seed-based calculation as a Softtoken App on your smartphone. It's up to you what you want to secure, all is possible from Webadmin, over Enduser portal to VPN connections. Instead of merely user name and password (which is e.g. even the Microsoft AD password of the user) you now use username in one line and in the password line the original password followed by the 6-digit dynamic passcode. Any further questions? Contact me: email@example.com (English Oder German language).
Markus Kreissl commented
To my opinion, YubiKey's would not be that good. As far as I can see, there's no possibility to integrate devices which has no acceptance of a usb keyboard, like smartphones and tablets etc...
YubiKey's could be great for this!
Please provide a build in dual Factor authentication as soon as possible. Especially if the HTML5-VPN Feauter is used, a more secure way to Auithenticate ist needed!!
There are very separate features merged and mixed in this thread:
Implementation of challenge-response support for the SSL VPN client and for RADIUS on Sophos UTM to support highly authenticated VPN access.
Setting up the wireless hotspot to capture mobile number for deliver of OTP (one time password) requiring challenge response support also. Wireless hotspot access authentication needs beefing up.
It would be fantastic to have built in support for dual factor authentication out of the box - but this is completely separate feature. It does not require support for challenge response - but it would be so much better - especially for the hotspot feature above - if it did.
The full implementation of challenge response user dialogue handlers for each of WebAdmin, User Portal and Hotspot Portal (as well as for the SSL VPN client of course).
Please consider integrating Duo Security two factor authentication support.
I would like to see this done for Hot Spot authentication. You provide a username and password to the user in the normal way printed on a bit of paper. They then enter these details into the hotspot portal, which then asks them for a mobile number to send a One Time Password to. They get an SMS with a OTP which they then enter to gain access.
1. Astaro gets to register a Mobile number against an otherwise anonymous internet user.
2. Access is limited to the owner of the mobile phone, people who pick up a discarded paper with U/P cannot do anything with it.
It now costs 20 euros per month for unlimited texts. Challenge response is the perfect way to interface this form of two factor authentication to the back end AD system. You could even use this to get Users to register themselves onto an AD system.
What's not to like.
Also see http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/184787-astaroos-support-for-two-factor-authentication-s
for similar feature request.
Wow - this feature request has been open since 2009, and 2FA has been around since what, the 90s???
I would like to be able to have a Sophos UTM provide a dual factor authentication mechanism - out of the box - for locking down
2. User Portal
3. Roadwarrior VPN access
At the moment WebAdmin out of the box is vulnerable to
c) password harvesting duplicate passwords (i.e. Webadmin pw = Twitter pw)
d) TCP session replay
e) Brute force attacks
f) Man in the middle attacks
I know I am supposed to be unbearably upbeat about this security product here, but seriously guys - a security device who's primary means of authentication is still only passwords. You must be kidding, right?
I am pretty sure that most security experts think that passwords are not a good enough form of authentication for a security device that is protecting the IP (which does not stand for Internet Protocol in this context) of the companies it is sold to. Any hacker's response to the statement - that passwords were enough - would be to ROFLOL pause for a second and then ROFLOL some more.
Please don't say - "but you can buy a bolt on RADIUS server from RSA/Vasco/etc. to fix this - and BTW sorry about the lack of challenge response". The whole point of Astaro is that 99/100 I should not need to spend extra money buying enhanced and more expensive versions of smart features like WAF, Wireless or RED from third parties. I want a smart feature like 2FA and preferably with the following features:
- One Time Passwords
- Password is tied to the SSL Session ID
- Uses SMS messaging which now costs 20 euros per month for unlimited texts
Would like to say something to the comment :
"Elmar Haag commented · December 15, 2009 9:38 a.m"
The workaround you discribe here maybe could be the Userportal?
you could argue if it's benificial to just the certificates in combination with a username/password. But i think there is differentiation between SMS/OTP and/or hardware 2 factor authentication. The other users seem to think so aswell as there are at the time of my comment 134 votes to this request.
Solutions like PhoneFactor and Duosecurity works for OTP and SMS but for actually getting a phone call and pressing a number to authenticate, the ssl vpn client disconnects before it can finish. Extending the time before soft failing the authentication would be great.
Daniel Ruf commented
It's nice to know, that there is exactly one product supporting two factor authentication with the sophos UTM. But nearly every other competitor supports challenge and response, so we probably need to change our UTM product to one from another vendor, if you are not willing to support this soon.
It looks as if some solutions such as PhoneFactor will work through AD/RADIUS implmentation. This is also one of the most expensive solutions. Sonicwall, Cisco, Fortinet offer many more options. Our clients are requesting options beyond certificates for VPN access. I think this is a critical feature moving forward.
My point is that Sophos/Astaro support for two factor authentication is not good enough for serious customers to actually use it in anger. Our experience is that our customers try it, find the limitations, and then go back to using Checkpoint, Cisco or someone else. The overhead of support calls due to the lack of advanced feature support is too high to justify using 2FA with Astaro.
Then my other crucial point was that it is impossible to secure these lovely new features on Sophos UTM like HTML5 without dual factor authentication. It is just too risky, and without 2FA makes the Astaro the ideal launch pad for an intrusion - which is just wrong.
Password policy enforcement that you mention, was developed when IBM mainframes were the norm and men had long hair down to their shoulders and wore flared trousers and flowery shirts. A new approach to user authentication is desperately needed. I have 115 unique user names and passwords at the moment. IBM would have me change all of those once per month. If I spent a whole 8 hour day doing it, that would be 4 minutes and 10 seconds per password. One day a month doing password changes is just insane.
This is about trying to find a way to address one of the top security issues affecting the industry - passwords.
Sophos/Astaro could do a lot worse than pre-integrating a couple of full 2 factor cloud solutions like Blackshield/Safenet or SMSPasscode. They would then fix the poor support for Radius in the process, to make the solution workable and deal with this feature request.
My 2 cents also.
I don't fully get your point here:
a) Astaro is able to enforce password policies for locally defined accounts and passwords. Authentication Services - Advanced - Require complex passwords.
b) From all I know you are able to enforce 2 factor authentication in all different areas that need authentication. This includes also the admin access to the device. Simply make sure that you pick distinct user names that are not available in other backend authentication systems and thus you could make sure that you'd only be able to log in to the ASG with the 2 factor credentials.
c) Just to make this clear again (as the topic here might be a bit misleading): Astaro does support the RSA token via RADIUS, the only operation situation in which it fails is if the token is out of sync, as Challenge-Response RADIUS is currently (at least to my knowledge, might have changed with v9) not supported and this is needed to ask for the 2nd token number to get the token back in sync with the RSA server clock.
d) Plenty of other 2 Factor tokens and solutions are also supported out of the box, whatever uses RADIUS and does not to Challenge Response can be used. This rules out most of the SMS based token systems with the exception of those using tokens of the day, but includes most time based tokens.
Just my 2 cents,