Vasco Enterprise Security Suite 3.0
Hands On Review
Vasco Data Security’s Vasco Enterprise Security Suite 3.0, nicknamed VACMan, is a token-based security solution that offers secure authentication for network-based and remote-access clients.
VACMan is composed of both client and server portions. The VACMan Server 3.0 provides the necessary authentication services for VACMan clients, including clients for Windows 95 Logon, Windows NT Logon, Windows 95 Dial-up Networking, Windows NT Remote Access Service and logon services for Unix clients.
VACMan can ship with any of a number of token-based authentication methods, including Vasco’s Access II technology. For this review, we used a DigiPass 300 token, a small hand-held device that can provide one-time-only authentication, signature authentication and challenge-response authentication.
Installation was a bit cumbersome. VACMan did not include native support for the DigiPass 300 token. A number of additional steps were necessary to make the DigiPass 300 token work with VacMan.
To get the DigiPass 300 token to work with the VACMan 3.0 server, we had to install the included 3.02 update of VACMan server, which provides support for the DigiPass 300’s Authenticard technology.
We had more trouble configuring the VACMan Server Administrator, the graphical tool that allows one to specify users and user privileges. When initially logging into the VACMan Administrator, one logs in as "SuperManager" and is presented with a nine-digit token challenge. Unfortunately, the DigiPass 300 isn’t compatible with the Vasco Access Key II technology supported by the VACMan Server Administrator. We were temporarily flummoxed. Luckily Vasco included a VirtualAccess Key II -- a graphical representation of Access Key II with a software encryption engine -- on the supplied CD-ROM, and that solved our problem.
Once inside the VACMan Server Administrator, you can create users and adjust the properties according to the terms of several predefined security templates. As in the NT environment, there are predefined groups for classifying users, including Normal, Manager and SuperManager. Before managing any users, however, we had to install support for the DigiPass 300 by importing the necessary tokens.
After configuring users in the VACMan Server Administrator, we installed the VACMan Windows NT Logon client on a Windows NT Workstation with our domain. The configuration phase is simple: Specify the IP address of the VACMan Server and configure the client using the VACMan Client Administrator. The process needs to be repeated for every machine in the domain.
When configuring the VACMan Server component, one can choose a simple one-time password token or a more sophisticated challenge-response token.
Under the one-time password method, the DigiPass 300 generates a password from its internal encryption engine, and administrators have to enter the six-digit response in the response field of the login screen. The response that the DigiPass 300 generates is time-limited, so if a hacker manages to retrieve a functional login, password and response combination, you’re still safe.
After appropriately configuring the VACMan Server Administrator for Challenge/Response authentication by selecting the proper token configuration, we tested the DigiPass 300 and VACMan Server/Client combination in this application.
At the Windows NT login screen, the VACMan Windows NT Client Logon displays a four-digit challenge. We started the DigiPass 300, entered the unlocking PIN number, and then specified DigiPass 300’s Challenge/Response token authentication application. We entered the four digit number in the field provided on the DigiPass 300, and a seven digit response was computed by means of DigiPass 300’s internal encryption engine.
The DigiPass 300 and VACMan Server/Client combination worked flawlessly. The DigiPass 300 performed its assigned task without any problems and the overall authentication process to the VACMan Server was lightning quick. Because a different token response is generated every time a user logs in, regardless of whether one is using one-time only password or Challenge/Response authentication, the chances of someone retrieving a workable response are infinitesimally small.
Although Vasco cautions that DigiPass 300 doesn’t enjoy true interoperability with its VACMan Server 3.0 and VACMan Client components, we didn’t experience any problems, save the slightly confusing setup. In fact, the VACMan Server and Client components integrate almost seamlessly with Windows NT. And for IT managers wrestling with the need for additional security due to remote access workers, VACMan’s Windows NT RAS and Windows 95 Dial-up Networking clients provide an additional measure of security.
Vasco Enterprise Security Suite 3.0
Vasco Data Security Inc.
Oakbridge Terrace, Ill.
(800) 238-2726
www.vasco.com
Price: $5,495 for 500-user license; includes all clients
+ Seamless integration of VACMan Server 3.0 and VACMan Client components with Windows NT.
+ Quick authentication performance.
- Non-native integration of DigiPass 300 token with VACMan causes slightly confusing setup and configuration process.