Adversaries are innovative in crafting their attacks and the holy grail is harvesting credentials. Compromised credentials and insecure authentication schemes bypass many if not all security controls.
Once credentials are shared or stolen, identity-based controls in which organizations invest are severely undermined. Gateways, proxies and monitoring—which form the basis for Authentication, Authorization, and Auditing (AAA)—depend on identity and access to be locked down. The threat is so prevalent that Verizon’s latest DBIR dedicated a section in the report specifically to compromised credentials.
Phishing, keylogging and insecure passwords affect millions of people whose passwords are subsequently bartered online.
In the past, simple controls against simple attacks have been implemented, such as the account lockout against authentication brute forcing. Interestingly, this is an effective denial-of-service vector as well. More creative attacks include a reverse-style brute force – using a static password while iterating across a user list. Advanced attacks include phishing, cross-site scripting and hacks on websites with unencrypted or insecure password databases.
The criticality of mitigating unauthorized access cannot be overstated. The security industry has responded with multifactor authentication (MFA) – adding a dynamic passcode alongside the static password.
There are a lot of great MFA solutions on the market, and Citrix NetScaler integrates with many of them, whether they are based on a PIN, SMS, Bluetooth or anything else.
Citrix has been a trusted solution to securely deliver apps and data, and defenders have implemented MFA in creative ways to mitigate common attacks, e.g. requiring that end users enter the passcode (the PIN) first to mitigate against scripted attacks. NetScaler has been providing multifactor authentication (MFA) to all applications – Windows, web, mobile, and desktops. These include applications, such as administrative consoles, that do not natively support it. Admin consoles are especially sensitive since there is so much more privilege associated with admin credentials. The next evolution in authentication is nFactor, which allows tighter, policy-based integration.
In his blog post, Alexander Maslo (Sr. Sales Engineer) introduced nFactor authentication with AAA-TM virtual servers and client certificates. The latest version of NetScaler has deeper integration with nFactor, which can now be used with NetScaler Gateway and Unified Gateway. With nFactor you can configure an unlimited number of authentication factors. You are no longer limited to just two factors, and you can get creative in how to chain them. Configuration will depend on the security policy, and many times user adoption and training are considerations to look at as well.
Let’s explore some ways of chaining authentication and several use cases.
- Endpoint Analysis: Perform Endpoint Analysis (EPA) and use the scan results to select additional authentication. If the endpoint is untrusted, then consider two factor plus a certificate. If it’s trusted and passes the compliance check – perhaps two factor is sufficient.
- Certificate: Publicly or privately signed client certificates. Use the user certificate as the first factor: the user name and user group information are extracted from it without performing authentication, and then the Active Directory password is prompted for.
- Chaining: Chain multiple factors together using the results of the prior factor. If a certificate is provided, then prompt for user name, password and PIN. If there is no certificate, prompt for username, PIN and password.
- Order: As in the above example, change the order of password and passcode entry, letting you check RADIUS before LDAP.
- Client IP: Check the client IP and configure a window for how long the same user must connect from the same IP.
- Authentication fallback: Proceed to an authentication factor that must be executed when authentication fails.
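As an added illustration (not the page's or Citrix's code, and not NetScaler policy or login-schema syntax), the following Python models how a chain like the ones above is chosen from the results of the prior factor (EPA result, certificate present or not) and how a fallback factor is executed when a factor fails; the factor names, credential stores and users are constructed assumptions.

```python
"""Toy model of nFactor-style factor chaining. Added illustration only: the
factor names and verifiers below are assumptions, not NetScaler syntax."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Ctx:
    has_cert: bool                   # client presented a client certificate
    epa_passed: bool                 # endpoint analysis reported compliant
    cert_user: Optional[str] = None  # user name extracted from the certificate

# A verifier is one factor: it sees the context and the submitted credentials.
Verifier = Callable[[Ctx, Dict[str, str]], bool]

def plan_chain(ctx: Ctx) -> List[str]:
    """Pick the factor order from what earlier factors (EPA, cert) reported."""
    if not ctx.epa_passed and not ctx.has_cert:
        return []                    # untrusted endpoint must also bring a cert
    if ctx.has_cert:
        # certificate first: user name comes from it, then password, then PIN
        return ["cert", "ldap_password", "radius_pin"]
    # no certificate: check the RADIUS PIN before the LDAP password
    return ["username", "radius_pin", "ldap_password"]

def run_chain(ctx, creds, verifiers, fallbacks=None) -> Tuple[bool, List[str]]:
    """Run factors in order; a failed factor may fall back to another factor."""
    fallbacks, executed = fallbacks or {}, []
    for factor in plan_chain(ctx):
        executed.append(factor)
        if verifiers[factor](ctx, creds):
            continue
        alt = fallbacks.get(factor)  # authentication fallback on failure
        if alt is None:
            return False, executed
        executed.append(alt)
        if not verifiers[alt](ctx, creds):
            return False, executed
    return bool(executed), executed

# Constructed sample stores standing in for LDAP, RADIUS and a local user store.
LDAP = {"alice": "Winter2016!"}
RADIUS_PIN = {"alice": "482913"}
LOCAL = {"alice": "break-glass"}
def _user(ctx, c): return ctx.cert_user or c.get("username", "")
VERIFIERS: Dict[str, Verifier] = {
    "cert": lambda ctx, c: ctx.cert_user is not None,
    "username": lambda ctx, c: bool(c.get("username")),
    "ldap_password": lambda ctx, c: LDAP.get(_user(ctx, c)) == c.get("password"),
    "radius_pin": lambda ctx, c: RADIUS_PIN.get(_user(ctx, c)) == c.get("pin"),
    "local_password": lambda ctx, c: LOCAL.get(_user(ctx, c)) == c.get("password"),
}
FALLBACKS = {"ldap_password": "local_password"}  # e.g. LDAP outage -> local store
```

The returned list records which factors were actually executed, which is the trail an auditor would want logged alongside the final decision.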
For a comprehensive look at setting up nFactor policies, schemas and additional use cases, please take a look at the following blog posts and articles.
- How to set up Captcha: http://support.citrix.com/article/CTX216091
- How to set up client certificate: http://support.citrix.com/article/CTX201742
- Carl Stalhood’s (CTP and Principal Converged Infrastructure Architect) excellent and comprehensive blog post: http://www.carlstalhood.com/nFactor-authentication-for-netscaler-gateway-11-1/