Product Review: Celestix HOTPin
Product: Celestix’s HOTPin
Product Homepage: Click here
Remote access is where it is at these days. There are a number of reasons for this:
- Economic constraints make it attractive to allow employees to work from home
- Fears of world wide epidemics make contingency planning for working from home a key factor in business continuity
- Many workers are more productive when they are able to work from home
- Employees need access to information on the corporate network when visiting clients and partners
- Remote access to information makes it possible for people to work from anywhere, anytime from virtually any device, increasing overall productivity
Productivity is key. Business in the last decade or so was built on a model of debt – grow the business by leveraging debt. As we have seen, debt based business models turned out to not be quite as robust as many thought. In the future, we are going to have to focus our efforts in other areas in order to grow business. The most likely area of focus will be in productivity. The IT industry in general and remote access in particular, is going to be a key player in driving business growth in the next decade.
That is where the Microsoft Intelligent Application Gateway 2007 (IAG 2007) comes in. IAG 2007 is an integrated Microsoft remote access solution that allows users to connect to information on your corporate network from any location, at any time, from virtually any device. While often seen as an SSL VPN gateway, IAG 2007 allows secure remote access using a number of different technologies:
- Reverse Web Proxy
- Port forwarding over an SSL tunnel
- Socket forwarding over an SSL tunnel
- SSL-based network-level VPN
- Traditional IPsec-based network-level VPN
There are two things that set IAG 2007 apart from almost all other SSL VPN gateways on the market today:
- Sophisticated application layer inspection that uses both positive and negative logic filters, preventing both known and zero-day attacks
- A comprehensive and robust platform that supports an extensive array of authentication protocols
In fact, advanced authentication protocol support is one of the reasons why people deploy IAG 2007 SSL VPN gateways. One of the reasons for this is that two-factor authentication is quickly becoming the de facto standard for secure remote access authentication and authorization. The customary user name and password approach is quickly falling out of favor because of well-known weaknesses in that approach. Some of these include:
- Easily guessed passwords
- Brute force and offline dictionary attacks
- Social engineering
- Network sniffing
- OS bugs that allow for password dumping
While weaknesses in the standard username and password approach make it clear that you need a stronger solution, even more important for most companies is the issue of regulatory compliance. Some firms are reluctant to spend on improving security, but realize that they must do whatever it takes to come into compliance either before or after an audit.
Given compliance issues and established weaknesses in the simple username and password approach to authentication, the demand for strong two-factor authentication has grown. The trick is to determine what two-factor authentication method to use while keeping in mind that the solution needs to integrate tightly with your existing authentication infrastructure and be cost effective.
Two-Factor Authentication using One Time Passwords
Two-factor authentication means that at least two methods must be used to successfully authenticate a user. In some cases, there are more than two factors, making those solutions multi-factor authentication products. What they all have in common is that there is something that must be provided in addition to a user name and password. There are various data-points that can be used, such as:
- What I know
- What I have
- What I am (biometric)
And the combinations can include multiple instances of one of these data points. For example, the “what I know” might be a user name and password, and then a “pin” of some kind, such as a one-time password.
A one-time password is just that – it is good for a single authentication attempt. This is useful since the password, if intercepted by an attacker, can not be used to access the system in the future. One-time passwords are generated in a number of ways, including:
- Using an algorithm that generates a new password based on a key or shared secret that has been provided by the system
- Using a time-sync method between the authentication server and the software that generates the password
- Using an algorithm that creates a new password based on a challenge of some kind; such as a random number chosen by the authentication server or a counter of some sort
One popular method used to generate a one-time password is described in RFC 4226 HOTP: An HMAC-based One-Time Password Algorithm. In the introduction of this RFC, the authors state the case for an open source method in order to generate “one-time” passwords:
“In the last two years, the rapid rise of network threats has exposed the inadequacies of static passwords as the primary mean of authentication on the Internet. At the same time, the current approach that requires an end user to carry an expensive, single-function device that is only used to authenticate to the network is clearly not the right answer. For two-factor authentication to propagate on the Internet, it will have to be embedded in more flexible devices that can work across a wide range of applications”
The key point made by the author’s of RFC 4226 is that current approaches that require users to possess key fobs and similar pieces of hardware are not sustainable. They add to the cost of the solution, they add to the complexity of the solution, they make end-user compliance more difficult, and present environmental and deprovisioning issues.
Celestix HOTPin for IAG 2007
Earlier on in this article I pointed out that a two-factor authentication system needs to meet two core requirements: it needs to be tightly integrated into the authentication infrastructure that you are currently using and it needs to be cost effective. If you are using a Celestix WSA IAG 2007 appliance, then your solution is going to be Celestix HOTPin.
Celestix HOTPin is based on the HMAC One-Time Password method described in RFC 4226 and provides all the advantages this method of one-time password generation has to offer. Celestix HOTPin tightly integrates with your WSA IAG 2007 appliance and enables strong two-factor authentication with one-time passwords.
In addition to the obvious advantage of tight integration, there is the fact that there is a single vendor who supports the SSL VPN platform, the hardware, and the two-factor authentication solution. With all other two-factor authentication vendors, there will be the inevitable conflicts between the hardware, the security platform and the two-factor authentication solutions. Finger pointing between vendors slows down time to resolve problems and adds to the frustration and reduced productivity by both IT admins and End Users who need remote access to information right there and then.
HOTPin does not require any kind of hardware tokens, keyfobs, or smart cards to deliver the one-time password to the users. Instead, users receive their one-time passwords on a mobile phone, or through a simple Win32 based application that can be installed on a PC.
For mobile phones, one-time passwords can be provided in a client or clientless mode:
- In clientless mode, the HOTPin server application generates the one-time passwords and sends them to the user over either SMS (text messages) or SMTP (e-mail messages).
- If users have a smart phone, or have access to a computer, then they can take advantage of client mode. Users install the client software on the smart phone or computer. The client applications generate the one-time passwords. The advantage here is that users do not need to worry about not having a mobile phone signal at the time, in addition to the fact that you do not need to have to trust the communications network between the phone and the server.
For client mode, Celestix currently supports RIM BlackBerry, Windows Mobile 5 and 6, and the iPhone.
Keep in mind that as an owner of a WSA IAG 2007 appliance, the HOTPin server application is free. That’s right – it costs you nothing. Since you already have the WSA server and deploy one-time passwords on users’ mobile phones you need no added hardware. The only cost is for economical user licenses beyond the five free user licenses you receive with the HOTPin system. Consider the two-factor authentication solution you might be using with your WSA SSL VPN appliance at the moment, with a few simple calculations I think you will see that HOTPin is the hands-down winner in the TCO department.
So how much does this solution cost? Most two-factor authentication vendors charge over $100US per year per user – a pretty steep toll for more small and midsized businesses. Celestix breaks the model of high priced two-factor authentication solutions by: first, allowing you to use a five-user evaluation version for free and second, charging only $10US per user per year for over five users. When I first heard this all I had to say was “Wow!”
Now you might be thinking “there’s got to be a catch right?” You are probably thinking that you have in fact come across other free software offerings in the past that sounded too good to be true and you ended up spending your “free” by having to learn some byzantine command line control language, making the solution more expensive than it would have cost had they just completed the software and charged you for it.
Not so for HOTPin. Installing it on your WSA VPN gateway is as simple as double clicking on a .msi file. Subsequently, server configuration is done through the WSA management console. Create a user, configure the method for the password delivery to the user, and that’s about it. There are other options that you can dig into too, but the basic setup is a no-brainer.
The same goes for client configuration. The preferred method is client mode, mostly because this is the most secure option. To set up client mode, you configure the secret key on the server and send that to the user. The user installs the key into his HOTPin client and then configures his pin by connecting to the WSA server. The entire client setup process takes less than 60 seconds, which includes both administrator and user time.
The old user name and password routine for logging on is quickly becoming a thing of the past. If you want to be compliant, or at least reasonably secure, you are going to need a two-factor authentication. While most admins understanding this, there has been pushback because most two-factor authentication solutions are either too expensive or so complex to set up that it’s just not worth the time. Celestix HOTPin two factor authentication for Celestix WSA SSL VPN gateways solves both of the problems – the software is free to all owners of WSA SSL VPN appliances and the server and client side configuration is drop-dead easy to setup and configure.
The addition of HOTPin to the WSA appliance (and coming soon to MSA ISA Server appliances) offering makes the WSA the most attractive IAG 2007 based SSL VPN gateway product on the market today. I have always recommended WSA SSL VPN appliances, and the addition of HOTPin makes that recommendation even stronger. For a v1 product, HOTPin has a lot to offer and promises even more in the future. HOTPin gets 4/5 stars based on price, security model, and ease of configuration.
For more information on Celestix HOTPin, please visit the Celestix Web site at http://www.celestix.com/
ISAserver.org Rating: 4/5
Get more information about Celestix HOTPin