Yeah,

I remember them in my mainframe days, we used them for our remote access.
Like 'em, I thought they sold out.

Cheers

Paul

Standards are like toothbrushes,
everyone wants one but not yours


-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: 19 September 2003 22:55
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security


I couldn't tell you. Our dialup consists of dialing to what essentially
is a world-wide ISP, then firing up a Nortel VPN client. The Nortel
client is apparently pretty tightly integrated with SecurID - I'm
assuming it uses the "native" SecurID API for authentication.

I remember in the old days, when we used Shivas[1] for remote access we
had the same problem. The Shivas were limited to using Tacacs to talk to
SecurID. Tacacs didn't have provisions for querying the user for more
information (next token, new PIN, etc), so these features didn't work.
Then Shiva added Tacacs+, which DID allow for querying the user, and
life was good.

You will need to look at what protocol your authentication mechanism is
using to talk to SecurID and see if you can come up with something that
supports querying the user.


[1] Anyone remember Shiva? I'm constantly amazed at how a company could
literally own the remote access market, then manage to lose everything
in such a short period of time.


-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 19, 2003 2:23 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security


Ken / Roger, 

I know it's OT, but I have a quick question for you two.

We don't have a VPN option here, but we have ~50 users using the tokens
for dial-in.  Occasionally, their tokens will get out of sync and of
course, lock them out after three successive tries.  As Ken indicated,
if the user is two codes ahead or behind, it will put your token in
"Next-Token" mode and is supposed to prompt you onscreen.  However, our
users never see the Next-Token notification on their end.

Why?  Is it because they are using Win9x/ME on their end or is it
because of something on the server end?

Server is NT 4 SP6a in an NT4 domain.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 19, 2003 11:54 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security


It really is a cool system.

We're currently using it for VPN access and front ending OWA, and we're
playing with it and some Cisco Aironet wireless devices - requiring
SecurID authentication before you get onto the wireless network.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:21 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> I've not examined the system for several years (I'm just a happy user
> now, not an admin), but at least at one time SecurID would accept the
> current code (of course), one code behind or one ahead for a total
> window of 3 minutes as Roger notes.
> 
> If the gadget's clock had drifted to more than one minute off, and you
> were TWO codes ahead or behind, the system would additionally prompt 
> for the NEXT code displayed to make sure you were you, and it would 
> update the stored time offset for your gadget. Pretty slick system.
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 10:01 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> Actually, you've got the system down correctly.
> 
> However, the slack time is +/- 1 minute, so you really get 3 minutes 
> per code.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 10:29 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> > 
> > 
> > Forgive me for arguing, but I believe the time allotted for guessing
> > that third factor is even less than indicated below.  Of course, by
> > token, I am referring to what RSA calls a "keyfob."  Is that what you
> > are referring to as well?
> > 
> > Here is what I understand to be the process, from reading the manuals
> > we have:
> > 1.  Upon issuance to the user, you synch the token/keyfob with the RSA
> > server DB.
> > 2.  A 6-digit code displays for 1 minute on the token.
> > 3.  If used for authentication within that 1 minute period, it is
> > "time-stamped" as to when you entered the Passcode (PIN + code) and has
> > an additional 1 minute latency period.  Meaning that if you dial up and
> > enter your passcode 30 seconds into the code, you have 1:30 to connect
> > to the dial-up server and be authenticated.
> > 4.  If you enter the same code after the display has rolled over,
> > however, that code is no longer valid, as the timestamp when you
> > entered it will no longer match with the timestamp on the server for
> > when that code was valid.
> > 
> > So the short version is that if you enter the code while it's
> > displaying on the token, it's good for 1 minute with a 1 minute latency
> > period.  If you don't enter the number while it's viewable, then you've
> > missed your window of opportunity, because it was only good for one
> > minute.  Oh and BTW...if you are trying to guess the code and miss it
> > three times, regardless of length of time between guesses, it will lock
> > your token until an admin can reset it.
> > 
> > That's how I understand the process.
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 5:44 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> > 
> > 
> > It doesn't stop key logging per se, but it renders it ineffective.
> > 
> > The SecurID tokens use a three factor[1] authentication system, in
> > which the third piece is a 6 digit, one time use code. That code is
> > good for exactly 3 minutes, and once used cannot be used again.
> > 
> > Therefore, logging the authentication process is useless, as you'll
> > only get 2 of the 3 factors, and for the third factor, you have a 1 in
> > 1,000,000 chance, reset every three minutes, to guess that last part.
> > 
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > [1] They call it 2 factor, but you need a username, a PIN, and the
> > SecurID token number to log in - that's either 3 or 11, depending on
> > how much of a geek you are.
> > 
> > :::: snip ::::
> > 
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:
> > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
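The acceptance window the thread describes (the current code plus one behind or ahead, a next-token prompt when the token is two codes off, one-time use of each code, and a three-strike lockout), as an added server-side model written for this post; it is not RSA's or any vendor's code. The 6-digit display is a constructed HMAC stand-in, and every name here (token_code, TokenRecord, verify) is hypothetical.

```python
import hmac
import hashlib

WINDOW = 1        # accept the current code, one behind or one ahead: 3 minutes in all
NEXT_TOKEN = 2    # two codes off: ask for the NEXT code, then re-sync the stored drift
MAX_FAILURES = 3  # three failed tries lock the token until an admin resets it


def token_code(secret: bytes, minute: int) -> str:
    """Constructed stand-in for the 6-digit display (HMAC of the minute counter), not RSA's algorithm."""
    digest = hmac.new(secret, minute.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TokenRecord:
    """Server-side state for one token: seed, clock drift, failure count, last code used."""
    def __init__(self, secret: bytes):
        self.secret, self.offset, self.failures = secret, 0, 0
        self.locked, self.last_used, self.pending = False, None, None


def _accept(rec, minute):
    rec.last_used, rec.failures = minute, 0  # a used code can never be replayed
    return "ok"


def _fail(rec):
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.locked = True
        return "locked"
    return "fail"


def verify(rec: TokenRecord, code: str, server_minute: int) -> str:
    """Returns 'ok', 'next-token', 'fail' or 'locked' for one authentication attempt."""
    if rec.locked:
        return "locked"
    if rec.pending is not None:                       # second step of next-token mode
        expected, rec.pending = rec.pending + 1, None
        if hmac.compare_digest(token_code(rec.secret, expected), code):
            rec.offset = expected - server_minute     # the token's drift is now known: store it
            return _accept(rec, expected)
        return _fail(rec)
    for drift in range(-NEXT_TOKEN, NEXT_TOKEN + 1):
        minute = server_minute + rec.offset + drift
        if rec.last_used is not None and minute <= rec.last_used:
            continue                                  # already consumed, or older than one that was
        if hmac.compare_digest(token_code(rec.secret, minute), code):
            if abs(drift) <= WINDOW:
                return _accept(rec, minute)
            rec.pending = minute                      # plausible but 2 off: prove it with the next code
            return "next-token"
    return _fail(rec)
```

A user who never sees the next-token prompt, as Jim describes, is stuck at the "next-token" result: the server wants a second code, but a dial-in protocol that cannot relay the prompt (Ken's TACACS case) just reports a failure.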



