Defender 5.11 - Administration Guide

Getting started

• Features and benefits
• What you can do with Defender
• Deploying Defender
• Communication ports
• Upgrading Defender
• Licensing

Features and benefits

Defender is a cost-effective solution that enhances security in your organization by authenticating users who access valuable network resources. Only those users who successfully authenticate via Defender are granted access to the secured resource.

Defender uses your current identity store within Microsoft Active Directory to enable two-factor authentication, taking advantage of its inherent scalability and security, and eliminating the costs and time involved to set up and maintain proprietary databases. Defender’s Web-based administration and user self-service ease the implementation of two-factor authentication for both administrators and users. Defender also provides a comprehensive audit trail that enables compliance and forensics.

Key features of Defender are as follows:

• Centralized administration and tight integration with Active Directory  Defender is designed to base all administration and identity management on an organization's existing investment in Active Directory. This saves your time and resources, because to deploy and use Defender you can take advantage of the corporate directory already in place. Defender provides an administration and configuration interface called the Defender Administration Console. This console is implemented as an extension to Microsoft’s Active Directory Users and Computers tool known to any Active Directory administrator.
• Authentication by means of the RADIUS protocol  Defender allows authentication by means of the RADIUS protocol for environments that include RADIUS users or RADIUS-protected access devices. Defender includes the facility for Vendor Specific Attributes (VSAs) to be specified in the RADIUS payload. For more information on VSAs, refer to the RADIUS RFCs posted on www.ietf.org. At the time of writing, the RFCs were available at datatracker.ietf.org/doc/search/?name=radius&rfcs=on&sort=.
• Secure access to VPN  You can use Defender to authenticate users who connect to your organization’s resources by using a virtual private network (VPN). Only those users who successfully authenticate via Defender are allowed to connect through VPN. For more information about this feature, see “Securing VPN access” in the Defender Administration Guide.
• Secure access to Web sites  With Defender, you can authenticate users who access Web sites hosted on Microsoft Internet Information Services (IIS) in your organization. For more information, see “Securing Web sites” in the Defender Administration Guide.
• Secure Windows-based computers  You can use Defender to authenticate the users of computers running the Windows operating system. To sign in to a secured computer, the user needs to authenticate via Defender by supplying the correct passcode on the Windows sign-in screen. For more information, see “Securing Windows-based computers” in the Defender Administration Guide.
• Secure access to PAM-enabled services in UNIX  You can use Defender to authenticate the users of popular UNIX services that support Pluggable Authentication Modules (PAMs), such as login, telnet, ftp, and ssh. For more information, see “Securing PAM-enabled services” in the Defender Administration Guide.
• Data encryption  Defender supports AES, DES, and Triple DES encryption standards.
• A wide range of supported security tokens  One of the authentication methods supported by Defender is security token. Defender provides native software and hardware security tokens and supports a variety of tokens produced by third-party vendors, such as Google Authenticator, Authy, GrIDsure, DIGIPASS, VIP credentials, and YubiKey. You can also deploy and use with Defender any hardware tokens that comply with the Initiative for Open Authentication (OATH) standard. For more information, see “Configuring security tokens” in the Defender Administration Guide.
• Role-based management portal  This feature allows you to administer Defender from a Web browser. On the Defender Management Portal, you can manage software and hardware tokens and Defender users in your organization, view authentication reports and Defender logs, troubleshoot Defender authentication issues, and assign specific Defender roles to Active Directory groups of your choice. A portal role defines the Defender Management Portal functionality that is available to the user and the tasks the user can perform through the Defender Management Portal. For more information, see “Defender Management Portal (Web interface)” in the Defender Administration Guide.
• User self-service  You can simplify the administration of your Defender environment by deploying and configuring a self-service Web site called the Defender Self-Service Portal. On this portal, users can request and receive new software tokens, download and activate token software, and register existing hardware tokens without the need to contact a system administrator. The actions and tokens available to the users through the self-service portal are controlled by a number of settings you can configure to suit your needs. For more information, see “Defender Management Portal (Web interface)” in the Defender Administration Guide.
• Delegation  Defender provides a scalable approach to the administration of access rights, enabling you to delegate specific Defender roles, tasks, or functions to the users or groups you want. The Defender administration interface provides a wizard you can use to search for and select one or multiple user accounts, and then choose which Defender roles or tasks you want to delegate to those accounts.

  Besides delegating roles or tasks, you can also delegate specific Defender functions. For example, you can appoint selected user accounts as service accounts for the Defender Security Servers or Defender Self-Service Portal or grant full control over particular Defender objects, such as Access Nodes, Defender Security Servers, licenses, RADIUS payloads, or security tokens. For more information, see “Delegating Defender roles, tasks, and functions” in the Defender Administration Guide.

• Automation of administrative tasks  Defender Management Shell, built on Microsoft Windows PowerShell technology, provides a command-line interface that enables the automation of Defender administrative tasks. With the Defender Management Shell, you can perform token-related tasks, for example, assign tokens to users, assign PINs, or check for expired tokens. For more information, see “Automating administrative tasks” in the Defender Administration Guide.
• Integration with Active Roles  Defender Integration Pack for Active Roles supplied in the Defender distribution package allows you to extend the functionality of the Active Roles Web Interface and Active Roles console. For example, with this Integration Pack installed, you can use the Active Roles user interface to perform Defender-related tasks: assign, remove, test, recover, and program security tokens and set Defender IDs and Defender passwords. Also you can enable the automatic deletion of tokens for deprovisioned users and use the Active Roles console to administer Defender objects and delegate Defender roles or tasks to the users you want. For more information, see “Integration with Active Roles” in the Defender Administration Guide.

What you can do with Defender

This section provides an overview of the most common Defender usage scenarios and the Defender components required for each scenario. For instructions on how to configure Defender for a particular scenario, see the Defender Administration Guide.

In this section:

• Authenticating VPN users
• Authenticating Web site users
• Authenticating users of Windows-based computers

Authenticating VPN users

The following diagram illustrates a scenario where Defender authenticates the users who access an organization’s network via a virtual private network (VPN):

In this scenario, the VPN server is configured to redirect the user to the Defender Security Server, which prompts the user to submit a passcode. The user needs to generate a passcode by using a security token provided by Defender administrator. The Defender Security Server validates the passcode entered by the user, and if the passcode is correct allows the user to establish a VPN connection.

The next diagram illustrates a scenario where Defender is configured to authenticate the users who establish a VPN connection via the Routing and Remote Access service (RRAS).

In this scenario, a component called the Defender EAP Agent must be installed both on the VPN client computer and VPN server. Extensible Authentication Protocol (EAP) is a general protocol for authentication that also supports multiple authentication methods, such as Kerberos, token cards, one-time passwords, certificates, public key authentication, and smart cards.

Defender uses the EAP protocol to integrate its two-factor authentication into the existing user authentication process. The Defender EAP Agent supports Microsoft Remote Access clients and servers for both dial-up and VPN (PPTP and L2TP/IPSec).

If VPN users in your environment authenticate using the Defender Soft Token for Windows, you can simplify the authentication experience for these users by deploying the Defender VPN Integrator component on their workstations.

To do so, you need to install the Defender VPN Integrator on the computer where the Soft Token for Windows is installed. When the user initiates a VPN connection, VPN Integrator communicates between the Soft Token for Windows and the third-party VPN client to ensure that the secure, one-time password authentication process is handled automatically. The entire operation is seamless and very fast—only the passphrase for the Defender Soft Token for Windows is required from the user.