RSA polishes its smart token system
Web-based management tools improve SecurID's small office/branch office potential
Branch offices aren’t always just nests for employees further down the food chain. Sometimes they comprise critical pieces of business infrastructure that are just geographically removed from HQ. Unfortunately, managing high-end authentication becomes troublesome when target nodes are distant from knowledgeable IT staff.
One solution is RSA’s SecurID Appliance 2.0, which allows admins to configure, assign, and manage industrial-grade, token-based authentication across any number of branch offices from a central site.
RSA has improved on the previous version of the offering, which required a lot of heavy-duty editing of config files and the like to get it up and running. The current system boasts a Web-based management app and a surprisingly straightforward installation routine, yet it still offers the granular control admins need for token management and server setup.
The SecurID architecture is pretty straightforward. The SecurID Appliance resides in the central office, maintaining an encrypted link to the remote servers running SecurID agents.
When a user attempts to access a protected resource, such as a file or folder, on one of the servers, he or she is taken to the SecurID login interface. There, the user, armed with a token, must type in his or her personal PIN, followed by a string of numbers appearing on the token’s LCD screen -- a highly effective authentication method.
Setting up the SecurID Appliance is a step-by-step process. The only real obstacle is keeping the installation CDs straight; one of them is your license, and the other has the seeds for your SecurID tokens.
You must immediately label the Admin token, which you need to control the appliance. Take great pains not to lose it: It represents the beating heart of the SecurID Appliance. Without it, you’re dead in the water.
Installation is fairly easy, but pay attention to system prerequisites. For one, the appliance and the servers running the SecurID agent must be resolvable through DNS. If the servers never get accessed by anyone outside of the company, you can use your internal DNS. Otherwise, make sure your public DNS servers know about the appliance and the servers running agents.
You’ll also need a Web server; we used Windows 2003 Enterprise Server with IIS enabled. Enabling IIS requires simply installing an agent, easily downloadable from the RSA Web site.
Notably, SecurID supports numerous platforms -- more so than rival token-based systems -- including AIX, e-Directory, Solaris, Windows, and more. Unfortunately, if you run Linux, you need an older version; Mac OS isn’t supported at all on the client side.
After the appliance is configured, admins can begin defining active tokens. The appliance merely picks the first token listed on your token-seeding CD, displays its characteristics on the management console, and allows you to match it to a user. A general PIN code can be selected at this time. The token will recognize when a user uses it for the first time and will prompt him or her to create an individual PIN.
Subsequently, admins can begin designating which resources will require SecurID authentication. You simply use the Web management utility to locate target files or folders, then right-click. Underneath the resulting tab, you select ‘Protect this Resource with RSA SecurID’ and decide whether to apply the change recursively.
One downside to the system: You’ll eat up at least two IP addresses and DNS entries with just a base installation. That kind of appetite can cut things a mite close for many small offices.
Also, although you can manage the token authentication from a central site after setup, initial configuration will require visiting the site and spending a little quality time at the console.
Overall, we like the SecurID Appliance from a security standpoint, but it’s still a bit unwieldy when it comes to management across multiple small office/branch office (SOBO) sites. Remote access needs to be better addressed in the Web client, and the strict reliance on the Admin token could become a real problem should it fall out of IT hands. Lastly, although it’s certainly low-cost from a smart-token platform perspective, the price is still enough to give bean counters pause.