> Nortel Switched Firewall (NSF) SecurID Configuration Guide

Transcription

1 Nortel Security Solutions Feature Design Document > Nortel Switched Firewall (NSF) SecurID Configuration Guide Document Date: 30 April, 2007 Document Version: 1.0

2 Trademarks *Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. ACE/Agent, ACE/Server, RSA, RSA Security and SecurID are trademarks of RSA Security Inc. in the U.S. and/or other countries. All other trademarks mentioned herein are the property of Nortel networks. The asterisk before a name denotes a trademarked item. 2 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

3 Table of contents 1 Introduction What is SecurID Authentication? SecurID authentication for SSH login to NSF Design & implementation Code modifications Changes to SSH config files User interface changes/additions ACE tools from RSA Configuration Procedure Feature Limitations Troubleshooting Error messages on the ACE server Error messages from acetest REFERENCES Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

4 Change log Version What When Who 1.0 Initial version 04/30/07 Ranganath P S 4 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

5 1 Introduction This document describes a new feature added for supporting SecurID authentication for SSH login to the NSF firewalls. This document explains the SecurID support for all types of Nortel Switched Firewalls. But where ever necessary, separate description for 5100 series firewalls and 6000 series firewalls is given. 2 What is SecurID Authentication? RSA SecurID provides a two-level authentication system used for providing secure access to the network resources such as the NSF firewalls, virtual private networks (VPNs) etc. SecurID solution consists of 2 components, (1) ACE Server who authenticates and (2) RSA Authenticator or hardware token used by the client for authentication. The Authenticator has a unique symmetric key that is combined with a powerful algorithm to generate a new pass code every 60 seconds. Since the pass code is dynamic and unpredictable, it s very difficult to hack and provides a very high-level of security. Whenever the user tries to login to the system, its login details would first be sent to an ACE server which then verifies the information with its local database. If the user enters the correct data, he would be allowed to login. 3 SecurID authentication for SSH login to NSF From and release onwards, logging to the NSF CLI via SSH can be authenticated via the SecurID mechanism. In other words, whenever the user tries to login to the NSF CLI via the SSH, first the username would be prompted. After this, instead of a regular password, a pass code needs to be entered. An ACE Agent, which is running on the NSF, would then send the login credentials to an ACE Server. After the successful authentication from the ACE server, the user would be logged in. 4 Design & implementation ACE/Agent 5.0 for PAM (Pluggable Authentication module) is a Red Hat 7.3 Linux based ACE/Agent implementation from RSA. NSF uses this ACE/Agent which enables RSA SecurID authentication for SSH login. The Agent software is a collection of customized shared libraries and tools provided by RSA. It has a collection of API s which are similar to PAM API s, hence any application like the SSH using the PAM for authentication needs minimal or no code modifications. NSF merely uses the Agent software from RSA with no modifications and the scope of code changes are only limited to the user interface modifications. 5 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

6 Scopes of code modifications are only limited to Adding the ACE/Agent binaries to the NSF image Providing a new user interface for enable/disable SecurID authentication Modifications to SSH configuration file to support SecurID authentication 4.1 Code modifications Changes to SSH config files As per the current implementation, SSH uses the Linux PAM (Pluggable Authentication Module) library for authentication handling. For the new SecurID authentication scheme, the SSH s PAM configuration file has been modified to use the SecurID library instead. Pseudo code: /etc/pam.d/sshd auth required /lib/security/pam_securid.so reserve The above line indicates that /lib/security/pam_securid.so file needs to be used for authentication. reserve keyword is used for fall back mechanism which would be explained in the next section. To change the prompt type to accept pass code instead of a regular password, the SSH configuration file has been changed as below. Pseudo code: /etc/ssh/sshd_config ChallengeResponseAuthentication no #setting this parameter to no would disable key passwords User interface changes/additions This section covers the CLI support for configuring SecurID authentication for SSH feature. a) CLI for NSF 5100 series firewalls A new set of CLI commands are added for enabling/disabling SecurID authentication on NSF 5100 series firewalls. >> Main# /cfg/sys/adm/securid/ [SecurID Authentication Menu] ena - Enable SecurID Authentication dis - Disable SecurID Authentication interface - Set SecurID Interface Index download - Download SecurID config file [floppy/usb/tftp/ftp/scp/sftp] 6 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

7 /cfg/sys/adm/securid/ena This command is used to enable SecurID authentication. Enabling the SecurID and apply would perform all the necessary changes to the SSH configuration files. /cfg/sys/adm/securid/dis This command is used to disable SecurID authentication. Disabling and apply would revert all the changes to SSH configuration files. /cfg/sys/adm/securid/interface This command is used to add the Interface index number used for connecting the ACE Server. /cfg/sys/adm/securid/download This command is used for downloading the sdconf.rec file. Once we enable the SecurID authentication, the ACE/Agent would look for a configuration file sdconf.rec located at /config/ace path. This config file contains the server information like IP address, version, protocol & port number used for communication etc. This CLI command allows the user to download the sdconf.rec file via ftp/tftp/scp/sftp/usb/floppy and store in /config/ace path. b) CLI for NSF 6000 series firewalls A new set of CLI commands are added for enabling/disabling SecurID authentication on NSF 6000 series firewalls. >> Main# /cfg/sys/adm/securid/ [SecurID Authentication Menu] ena - Enable SecurID Authentication dis - Disable SecurID Authentication server - Set SecurID server configuration download - Download SecurID config file [floppy/usb/tftp/ftp/scp/sftp] /cfg/sys/adm/securid/ena This command is used to enable SecurID authentication. Enabling the SecurID and apply would perform all the necessary changes to the SSH configuration files. /cfg/sys/adm/securid/dis This command is used to disable SecurID authentication. Disabling and apply would revert all the changes to SSH configuration files. /cfg/sys/adm/securid/server This command is used to add the IP address of the ACE server. /cfg/sys/adm/securid/download This command is used for downloading the sdconf.rec file. Once we enable the SecurID authentication, the ACE/Agent would look for a configuration file sdconf.rec located at /config/ace path. This config file contains the server information like IP address, version, protocol & port number used for communication etc. 7 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

8 This CLI command allows the user to download the sdconf.rec file via ftp/tftp/scp/sftp/usb/floppy and store it in /config/ace directory of all the ISDs in the cluster ACE tools from RSA ACE/Agent 5.0 for PAM also contains two binary utilities used for troubleshooting and key generation. However, these commands are available only through root prompt. acestatus - This utility checks the status of each RSA ACE/Server on which the PAM Agent is registered as an Agent Host. Definitions for some of the parameters shown by acestatus are given below. For a full description, refer to ACE/Agent 5.0 for PAM documentation [1]. Configuration Version: The version of the sdconf.rec file that is in use. For RSA ACE/Server 5.0 or later, this number is 12. DES Enabled: If your configuration environment supports legacy protocols, YES is displayed. Client Retries: The number of times the PAM Agent sends authentication data to the RSA ACE/Server before a time-out occurs. Server Release: The version number of the RSA ACE/Server. Communication: The protocol version used by the RSA ACE/Server and the PAM Agent. Server Active Address: The IP address that the PAM Agent uses to communicate with the Server. This address could be the actual IP address of the Server you have selected, or it could also be an alias IP address assigned to the Server. acetest This utility is used to test the authentication using a token with a PIN that s already registered with the ACE server or to generate a new PIN. Use this utility to generate a new PIN before enabling SecurID authentication. Since the SSH version that s currently available with NSF doesn t support new PIN generation, use the acetest utility to generate the new PIN. However, please note that acestest can only be run from root prompt Configuration Procedure This section would only cover the configuration on the ACE/Agent side. For configuration on the ACE server, refer to RSA ACE server documentation. Before doing any SecurID specific configuration, make sure that you ve a proper NSF setup with all necessary interfaces configured and the NSF is able to reach the ACE server. 8 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

9 Step # 1 Configure a username and assign a group on the NSF CLI /cfg/sys/user/add. Password is not required. Note: This is required only if the user wants a new username other than the default admin/oper users. Note that, the same user name has to be created on the ACE server too. Step # 2 a) for 5100 series firewalls Configure the Interface index number used for connecting the ACE Server using /cfg/sys/adm/securid/interface command. Note: Make sure that ACE server is reachable via the particular interface index configured. Make sure that this particular network is added to the access list. b) for 6000 series firewalls Configure the IP address of the ACE server using /cfg/sys/adm/securid/server command. Note: Make sure that ACE server network is added to the access list and it is reachable. Step # 3 Enable SecurID authentication using /cfg/sys/adm/securid/ena command. Step # 4 Download the sdconf.rec file from the ACE server using /cfg/sys/adm/securid/download command. Step # 5 Enable SSH using /cfg/sys/adm/ssh/ena command. Run apply to save configuration. Step # 6 There are two methods to authenticate with the ACE server. User can use any one of this method to authenticate with the ACE server. a) Using token code Open an SSH connection to the Firewall. At the username prompt, the username created in step # 1 At the passcode prompt, enter the 8-digit code that s displayed on the PINPAD b) Using passcode The pass code is a combination of a code that's displayed on your hardware and a randomly generated PIN. Login as root, and run acetest (/sbin/isd/acetest on 5100 and /opt/pam/bin/acetest on 6000 firewall). This binary would help in communicating with the ACE server to generate a PIN When asked for a username, enter the username created in step # 1 9 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

10 At the passcode prompt, enter the 8-digit code that s displayed on your hardware token. It ll then ask whether you want to generate a 4-8 digit PIN or let the ACETEST generate a key automatically. Based on your input, either the ACETEST would generate a new PIN or user can create one. After generating the new PIN, enter the PIN on the PINPAD and press the small diamond button. It ll generate a new token code based on the PIN Enter the token code and if the ACE server accepts the new token code, acetest would return successfully Once the acetest is successful, users can login to the NSF via SSH. Create a new passcode At the password prompt, enter a new token code generated with the above new PIN. As the token code keeps changing every 60 seconds, always wait for 60 seconds before creating a new token code. Note: If the user tries to use the same token code, the ACE server would reject and after 3 successive login attempts, the token would be disabled and the users have to create a new PIN using acetest. 4.2 Feature Limitations 1. RSA ACE/Agent 5.0 for PAM library from RSA only supports SSH authentication in RedHat 7.3 platform. Hence the SecurID authentication scheme cannot be extended to Telnet and other system logins. 2. acetest has to be run only from root mode. There s no CLI for the same. 3. No fall back mechanism is provided for the SecurID authentication. Hence, if SecurID is enabled and for some reason the SSH login cannot be authenticated with the ACE server, the users cannot login to the box. 4.3 Troubleshooting Error messages on the ACE server Since all the authentication is handled by the ACE/Agent and ACE server, most of the troubleshooting involves changing the configuration on the ACE server. Running the log console on the ACE server would help in identifying the errors that would ve blocked the access. Token set to new PIN - Would mean that the user has to run acetest to generate a new PIN again. Token disabled - After 5 unsuccessful logins, the token would be disabled. Users have to then enable the token on the ACE server by editing token properties, resynchronize the token and run acetest to generate a new PIN. Node verification failed - Make sure that ACE Server has two agent hosts configured with the real IP s of the specific interface in the NSF, which is used to connect ACE Agent to the ACE Server. 10 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.

11 Passcode reuse attack When using token code method to authenticate ACE Server, if the user tries to use the same token code, the ACE server would reject. User has to wait for the change in the token code and use it Error messages from acetest AceInitialize failed Make sure that you ve the latest copy of sdconf.rec from the ACE server Cannot communicate with RSA ACE/Server Make sure that the network connectivity between the ACE/Server and NSF is proper and that the RSA ACE/Server service is running on the server system. Also check the DNS settings for hostname resolution. 5 REFERENCES 1. README on RSA ACE/Agent 5.0 for PAM 2. RSA ACE/Server documentation 11 Copyright 2007 Nortel Networks Inc. All rights reserved. Information in this document is subject to change without notice.