[Dshield] remote access with token

Stephane Grobety security at admin.fulgan.com
Fri Dec 16 14:56:20 GMT 2005


Hello Isaac,

I've had good results with Aladdin eToken pro. Their security model is
sound (key is generated inside the device and doesn't leave it) and you
can integrate more than one certificate in the same token, for instance
using one for VPN authentication and one for logging in to the remote
machine.

eToken drivers work fine in Windows 2000, XP and 2003 and you can
easily use the Windows certificate services server to generate
"smartcard logon" certificates directly in the token allowing the
users to access their desktop through this. After that, it's a matter
of setting up the user rights properly on the machine to limit logon
to the smartcard (you can do that via GPO).

Since the token is a USB device, you don't need special hardware to
use it, only to install the drivers. IIRC, that installation doesn't
require a reboot (although I wouldn't swear to it).

For the VPN, it depends a bit on how you are doing your user
authentication but you should be able to make the token work with any
device that supports X509 authentication (I've had little trouble
configuring Astaro Linux to use it).

Good luck,
Stephane

Friday, December 16, 2005, 2:07:34 PM, you wrote:

IP> I want to connect a remote computer with XP to a network, for terminal
IP> server, with a VPN, because I prefer to make the VPN and after connect
IP> to the server and not open the server directly to the internet.
IP> I have a NetScreen 5GT with VPN capabilities.
IP> Also I want authentication by token.
IP> What client software do you recommend?
IP> Thanks





-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com


