Re: SecurID Agent-Server through proxy firewall

[Mark Plesser <plesser () ms com>]

See below

Martin Bishop wrote:
> Hi everyone!
>
> A customer of mine is planning to launch a public web server for
> online electronic commerce. The system is already built and already in
> use internally for three months now so it has been adequately tested
> before external users start using it. Users are all authenticated with
> SecurID tokens, which is implemented with a SecurID Agent running on
> the web server. The web server and ACE servers are at the moment in
> the same (internal) subnet without even a router between them and all
> works fine.
>
> Now, as we go public, we will move the web server from internal
> network to a DMZ (if you will -:). We have already decided to use an
> application gateway firewall and that the web server will reside on
> its third network interface. If you are using a fixed-width font, you
> might see the following (fairly simplified) picture:
>
>                       +-------------+
>                       ! Application !
> Internet  ------------+ Gateway     +----- Internal network
> (e-commerce users)    ! Firewall    !      (with ACE servers)
>                       +------+------+
>                              !
>                              !
>                              !
>                       +------+------+
>                       !             !
>                       ! Web server  !
>                       ! (ACE agent) !
>                       +-------------+
>
> While testing, we successfully managed to move the web server to the
> desired location (3rd interface), but we are having serious problems
> with SecurID authentication that we can't seem to solve.
> The problem is that, the _first_ SecurID authentication works fine but
> all subsequent authentication attempts fail. If we want it to work
> again, we have to remove the "securid" file from the web server
> (actually from the ACE agent) and uncheck "Secret Already Sent" (or
> something similar) on the ACE server. When we do this, the next
> authentication attempt will succeed, but again the subsequent ones
> will fail.

You probably configured the client in the ACE server DB to have the
Name/IP of the internal firewall interface. In your case, upon the first
successfull authentication, the ACE recognizes the valid PASSCODE and
decides to send the secret to the client ("securid" file). The client
happily writes it down. The problem is, the hash that is used to create
the secret has the real IP address of the ACE server in it. 

So, on all subsequent authentication attempts, the ACE server actually
accepts the valid passcode, and returns ACM_OK code, but the client
(Agent) doesn't trust (refuses to decode) responses from an IP address
other than the one used to build the secret (ACE server's real IP). In
your case, the packets are coming in with the source IP of the firewall,
which is , of course, not an IP address built into the hash.

Whew... (can you tell that I went through this before?)

You euther need to build a IP tunnel just for UDP 5500 (or whatever port
you use) to your ACE server or use a transparent proxy.





> Another interesting thing is that all these subsequent authentication
> attempts that the ACE Agent sees as unsuccessful (and tells that to
> our web application) are described as SUCCESSFUL in ACE server logs.
> So it would be logical to conclude that somehow the response from ACE
> server is either changed (probably by the firewall generic proxy) or
> misinterpreted by the ACE Agent for some reason.
> Furthermore, due to the fact that ACE Agent and Server exchange the
> "secret" value along with the first authentication attempt it could be
> that this value (that is used for encrypting subsequent auth.
> requestst) is somehow corrupted.
>
> Unfortunately, we don't have enough insight into the SecurID
> Agent-Server communication protocol to figure out how to solve this
> problem but I'm sure that we're not the first ones who would want to
> set up a system like that. So if any of you know any answers, your
> suggestions will be highly appreciated. If you reply to the list,
> _please_ reply to me personally also.
>
> Thanks for your time and best regards,
>
> Marty Bishop
>
> _________________________________________________________
> DO YOU YAHOO!?
> Get your free @yahoo.com address at http://mail.yahoo.com

-- 
Mark Plesser
IT Security Engineering
Morgan Stanley Dean Witter & Co. 
750 7th Avenue, 9th Floor, New York, NY  10019
plesser () ms com                  (212) 762-1990