Strengthening VPN Access & Data Leak Prevention

Strengthening VPN Access & Data Leak Prevention without changing the employees' experience

The SSL VPN Business Challenges

  • An SGX-listed company in Singapore with over 3,000 employees and assets of over 2 billion dollars
  • Allows thousands of employees to connect remotely to the company network using SSL VPN

The Security Challenges

  • Keep the existing UserID-Password login, verified against the in-house Windows AD
  • Defend against keylogging malware that could be deployed to steal the UserID-Password credentials
  • Block potential leakage of information assets through employees using unauthorized machines

The Provided Solution

Data Security Systems Solutions (DS3) was selected as their Two-Factor Authentication (2FA) provider. The employee's notebook is used as the second-factor device during the VPN login, using:

  • DS3 Browser One-Time Password (OTP) token using the OATH TOTP algorithm, based on the characteristics of the notebook
  • DS3 Authentication Security Module (ASM) used for notebook pre-registration and authentication

DS3 was chosen because its offering:

  • Comprehensively addresses all the requirements in a single implementation (something which even hardware OTP tokens cannot)
  • Does not change the way employees log in to the VPN: UserID-Password remains.

The Authentication Method

DS3 Enhanced VPN multi-factor authentication solution

Each company-authorized notebook is pre-registered with the DS3 ASM, and tagged specifically to the assigned employee.

The solution works by relying on the employee’s notebook as the 2nd-factor device during the VPN login. During each VPN login, the DS3 Browser OTP token is dynamically downloaded as part of the SSL VPN login page, and generates an OTP (one-time password) using the OATH TOTP algorithm based on the machine characteristics of the notebook.

Together the generated OTP and the UserID-Password credential are submitted transparently to the DS3 ASM. Authentication is achieved by:

  • Internally verifying the OTP against the notebook(s) registered for that employee
  • Forwarding the UserID-Password credential to the Windows AD for verification

If both credentials match, effectively authenticating the employee and the machine, then VPN access is allowed.

From the employee's point of view, there is no change in how VPN access is carried out.
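The verification flow described above, as an added example that is not DS3's code: an RFC 6238 TOTP check against every notebook registered for the employee, followed by the password check the ASM forwards to AD. The per-device secrets, the `REGISTERED` table and the `ad_check` callback are assumptions; the page does not say how the browser token derives its secret from the notebook's characteristics, so a provisioned secret per notebook is assumed instead.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
WINDOW = 1      # tolerate one step of clock drift either side

# Assumption: at pre-registration the ASM stores one secret per notebook,
# tagged to the employee. Constructed sample data, not real keys.
REGISTERED = {
    "alice": {
        "NB-001": b"alice-notebook-1-secret",
        "NB-002": b"alice-notebook-2-secret",
    },
}


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // TIME_STEP)


def verify_otp(user: str, otp: str, now: int):
    """Return the id of the registered notebook whose TOTP matches, else None.
    Every notebook tagged to the employee is tried, as the ASM does."""
    step = now // TIME_STEP
    for device_id, secret in REGISTERED.get(user, {}).items():
        for drift in range(-WINDOW, WINDOW + 1):
            if hmac.compare_digest(hotp(secret, step + drift), otp):
                return device_id
    return None


def vpn_login(user: str, password: str, otp: str, now: int, ad_check) -> bool:
    """Grant access only when the OTP proves a registered notebook AND
    AD (modelled by the ad_check callback) accepts the UserID-Password."""
    if verify_otp(user, otp, now) is None:
        return False
    return bool(ad_check(user, password))
```

An OTP from an unregistered machine fails the first check regardless of the password, which is the property that blocks unauthorized notebooks.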

DS3 Authentication Security Module (ASM)

DS3 ASM is the complete 2-factor authentication solution for the enterprise. It supports the standard RADIUS authentication protocol to seamlessly enable 2-factor logins for common enterprise applications such as VPNs, UNIX, SSH, etc. The flexible token management system offers enterprises a choice of 2-factor authentication alternatives, including OTP sent over SMS, Java Browser OTP tokens, mobile phone OATH tokens, and hardware OTP tokens from RSA, VASCO, SafeNet and Gemalto.

DS3 is a member of the IBM Information Governance Council.