2FA for VPN, IPSec & SSL
Why you need 2FA for your VPN and remote access
A VPN is a simple way for employees to access the resources and applications available on their office local network (LAN), and thus to work exactly as if they were at the office. A laptop, a VPN client or just a browser, a connection, a username and a password, that’s all. Really easy. The downside is that anyone who obtains a valid user password (e.g. by guessing, hacking, eavesdropping, phishing…) now also has access to the LAN and to all its resources. Initially, an attacker only has the same access rights as the user, but since he can impersonate that user, he will quickly figure out how to get more rights. Ouch.
As a domain administrator or a security professional, you have two options: ask users to change their passwords very often and to use complex passwords such as d0*#g17!bk, or use a frictionless 2FA solution that adds a layer of security and defeats attackers even if they know the user password. With 2FA, passwords can be much simpler, without risk. Guess which option users prefer, and which one you can realistically expect them to use.
Does inWebo MFA work for my VPN or remote access?
Yes. Over the years, our partners and our customers have implemented inWebo 2-factor solutions with most VPNs (and likewise reverse proxies, firewalls and access gateways), IPSec and SSL, including Cisco ASA and AnyConnect, Juniper (now Pulse Secure), Meraki (now Cisco), Palo Alto Networks, F5 Big-IP, OpenVPN, CheckPoint, Barracuda Networks, SonicWall, Fortinet, and probably others we’re not even aware of, since our RADIUS and SAML 2.0 connectors work out-of-the-box. Connection modes and authentication options vary since they depend on the gateway capabilities, but there’s never been a configuration that we didn’t support at all.
inWebo 2FA for VPN and remote access solutions
When connecting to the VPN with inWebo 2FA, the legitimate user needs to enter a one-time code received by text message, generated with the inWebo Authenticator App, or displayed in her browser. Alternatively, and more conveniently, the user can simply confirm the access request in the inWebo Authenticator App or even in the browser where the connection takes place (in the case of an SSL VPN), thus making the whole process frictionless, including for users who don’t have a work phone (see inWebo 2FA options for more details).
How to implement 2FA for VPN and remote access solutions
It’s quite straightforward:
- First, create an inWebo account for your organization (you can start below).
- Then, configure both this account and your VPN gateway to trust each other. A basic yet secure method that works for all VPN vendors & versions is to use the RADIUS protocol and configure your VPN as a RADIUS client using inWebo as a RADIUS server (documentation is available for this). Alternatively, VPN gateways increasingly support SAML 2.0, so you can configure your VPN gateway as a SAML 2.0 Relying Party (RP) and your inWebo account as a SAML 2.0 Identity Provider (IdP).
- Finally, adjust the authentication policies and user on-boarding rules from the inWebo administration console. Also, if the sign-in page of your SSL VPN can be customized, you can easily add support for the inWebo browser-based authentication method (this is explained in the documentation).
There’s no server or proxy to install and configure, therefore you will save 2 days for other projects. Also, please note that our pre-sales and support engineers are here to help if you face any difficulty.
Device certificates or inWebo MFA?
It’s up to you. However, here are the 2 main reasons why you should prefer the latter over the former:
- Deployment and management: since inWebo 2FA supports your VPN but is independent from it, you won’t need to implement a PKI or to deploy device certificates. In particular, you can grant VPN access to contractors who come with their own device.
- Universal: inWebo MFA supports a lot more applications. Not only your VPN, but also SaaS applications (including Office 365, G Suite), remote access, SSO, CMS, Windows Logon…
It’s your turn. You may
- Sign up for free for a basic account (15 user licences) and start implementing inWebo MFA for your VPN or remote access. You’ll be able to upgrade this account at any time to get more licences or options. Nothing to lose but an item on your to-do list.
- Evaluate inWebo for free and without commitment for 30 days. This sounds like the procrastinator package but actually MFA is a serious topic and no one will blame you for taking your time to make sure that inWebo is the right fit. Note that we have project management, consulting, and integration partners trained in our solutions whom you can ask for an evaluation and a PoC.
- Request a customized demo. We’ll be happy to show and explain the basics of our solution and answer your questions.