Administering Multi-Factor Network Authentication
Administering multi-factor network authentication for your cloud servers means creating and managing GhostPorts users with the appropriate privileges, and establishing firewall rules for the server groups that those users need to access. In summary, it is a two-step process:
1. Set up one or more GhostPorts users
- First, obtain the user's mobile phone number or purchase a YubiKey for the user.
- On the Site Administration page, create or edit a user: specify the authentication type, specify the user type, enable GhostPorts access, and activate the user.
For details, see Set Up a GhostPorts User, next.
2. Create a firewall rule to enable server access through GhostPorts
- Create or edit a Firewall policy for the server group that the GhostPorts user needs access to.
- In that policy, create a rule that grants that user (or all GhostPorts users) access to specific services and ports.
For details, see Create a Firewall Rule to Enable Server Access, below.
Note: When you disable GhostPorts access for a user who has been using a YubiKey for authentication, you can then re-assign that YubiKey to another GhostPorts user. See Disable a User's GhostPorts Access.
Set Up a GhostPorts User
To set up yourself or another person as a GhostPorts user, you must be a Halo NetSec or Halo Professional user with site-administrator privileges.
Before creating the user, do this:
- If the person is to use SMS authentication, obtain that user's valid mobile phone number. Text messaging must be enabled for that mobile account.
- If the person is to use hardware authentication, acquire a YubiKey. You can order the keys directly from Yubico.
Then log into the Halo portal to create the user:
- Under the Site Administrator menu, choose Site Administration and then select the Users tab.
- Either click Invite User or select an existing user and click Edit for that user.
- Specify and set up the user's authentication method, as described below in Set Up Multi-Factor Authentication.
For more details on administering users, see the Invite and Manage Halo Users section of the Halo Operations Guide.
Set Up Multi-Factor Authentication
Authentication to GhostPorts requires the user's password plus a one-time code that is either sent to the user by SMS or generated by the user with a hardware device (YubiKey). Follow these steps to configure the authentication type:
- Select the multi-factor authentication method for this user: SMS code and password, YubiKey and password, or both. For each method you select, the page expands to show its fields.
- Set up each selected method:
If you selected SMS code and password:
- In the field provided, enter the mobile number at which the user will receive the SMS authentication codes. It must be a valid mobile phone account with text messaging enabled. Keep in mind that SMS is the weaker of the two factors, since codes can be read or redirected by anyone who takes over the phone number (for example through a SIM swap); prefer the YubiKey for users with broad server access.
- Click Save. The user receives an email invitation to use GhostPorts.
If you selected YubiKey and password:
- Insert the YubiKey into a USB port on your computer with the metal contacts and the circle facing upward. Place your cursor in the User YubiKey field and lightly touch the circle with the green light at its center. The YubiKey types its complete one-time password value into the field.
- Click Save. Most of the value disappears and only its first twelve characters remain displayed. Those twelve characters are the key's fixed public identity, which is all the portal needs to link the key to the user; the rest of the value is a single-use code that is discarded rather than stored. The user receives an email invitation to use GhostPorts.
The user is now set up for multi-factor authentication. The next step is to enable GhostPorts access.
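The reason only twelve characters survive the Save is the structure of the Yubico OTP: a fixed public identity followed by a single-use encrypted body. The following is an added example, not Halo's code and not part of this guide, showing how a portal can use that structure at enrollment and at login. It assumes the key is in its default Yubico OTP mode, and the OTP strings and user names are constructed for illustration.

```python
# Added example: how a portal can use a YubiKey's one-time password (OTP)
# during enrollment and login.  Not Halo's code; the sample OTPs below are
# constructed and the key is assumed to be in its default Yubico OTP mode.
#
# A Yubico OTP is 44 characters of "modhex", an alphabet chosen so the key
# types the same characters on any keyboard layout.  The first 12 characters
# are the key's fixed public identity; the remaining 32 are an AES-encrypted
# token that is different on every touch.  A portal keeps only the public
# identity to link a key to a user, and must never accept the same full OTP
# twice.

MODHEX_ALPHABET = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12
OTP_LEN = 44

# Constructed sample OTPs from one hypothetical key (same public identity).
OTP_FIRST_TOUCH = "cccccbdtcefk" + "bevvulrbhnkhtjhbuegeiuhhffgcebkh"
OTP_SECOND_TOUCH = "cccccbdtcefk" + "dfrtghbvcekiltnruvbcdefghijklnrt"


def modhex_to_hex(text):
    """Translate modhex to ordinary hex, e.g. for storing the public ID."""
    return text.translate(str.maketrans(MODHEX_ALPHABET, "0123456789abcdef"))


def split_otp(otp):
    """Check the shape of an OTP and return (public_id, single_use_body).

    Raises ValueError on anything that is not a well-formed Yubico OTP, so
    malformed input never reaches the key lookup.
    """
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise ValueError("expected %d modhex characters, got %d" % (OTP_LEN, len(otp)))
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("OTP contains characters outside the modhex alphabet")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def is_well_formed(otp):
    """Boolean wrapper around split_otp for callers that only need yes/no."""
    try:
        split_otp(otp)
        return True
    except ValueError:
        return False


class KeyRegistry:
    """Links YubiKey public identities to users and rejects replayed OTPs."""

    def __init__(self):
        self._owner_by_public_id = {}   # public ID -> user name
        self._consumed_otps = set()     # full OTPs already accepted

    def enroll(self, user, otp_from_key):
        """Enrollment: keep only the public identity, as the portal does."""
        public_id, _ = split_otp(otp_from_key)
        if public_id in self._owner_by_public_id:
            raise ValueError("this YubiKey is already linked to a user")
        self._owner_by_public_id[public_id] = user
        return public_id

    def unlink(self, user):
        """Disabling a user's access frees the key for someone else."""
        for public_id, owner in list(self._owner_by_public_id.items()):
            if owner == user:
                del self._owner_by_public_id[public_id]

    def check(self, user, otp):
        """True only if the OTP comes from the user's key and is unused.

        Decrypting the 32-character body and checking its counters is the
        job of the OTP validation service and is outside this example; the
        portal-side checks shown here are ownership and replay.
        """
        otp = otp.strip().lower()
        try:
            public_id, _ = split_otp(otp)
        except ValueError:
            return False
        if self._owner_by_public_id.get(public_id) != user:
            return False
        if otp in self._consumed_otps:
            return False    # the same OTP presented twice is a replay
        self._consumed_otps.add(otp)
        return True
```

The unlink step mirrors the note above about re-assigning a YubiKey: once the public identity is removed from one user, enrolling it for another user succeeds, while any OTP already consumed stays rejected.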
Enable GhostPorts Access
There are two classes of access privilege that you may set when creating or editing a user: portal access and GhostPorts access. Select either or both checkboxes on the Invite User / Edit User page, as appropriate.
- Enable Halo Portal Access. This class of access is for users that need to use the security-monitoring features of the Halo portal. If you select this checkbox, you then must decide whether the user is a standard Halo user or a site administrator. See Invite and Manage Halo Users in the Halo Operations Guide if you need further explanation.
- Enable GhostPorts Access. This class of access is for users that need secure access to servers. You must select at least this checkbox to give the user GhostPorts access. Then click Invite or Save.
The user can now access GhostPorts to use multi-factor network authentication. The final task is to give the user access to specific services on specific servers, by adding rules to firewall policies.
Create a Firewall Rule to Enable Server Access
With your GhostPorts users now enabled, you can set firewall policies and rules that govern their network access to your cloud servers.
In the Halo portal, select Firewall Policies under the Policies menu. Select an existing firewall policy or add a new one.
In the Inbound Rules section, create a rule and set the Interface (Linux only), Source, Service, Connection State (Linux only), and Action options. The following example rule gives a GhostPorts user administrative login access:

  Option                  Example value
  Interface (Linux only)  Hardware interface used to access this server
  Source                  The GhostPorts user, or all GhostPorts users*
  Service                 Windows: rdp (tcp/3389); Linux: ssh (tcp/22)

*Selecting all GhostPorts users gives every GhostPorts user access under this firewall rule.
Make sure that the firewall policy is assigned to the server group that includes the servers your GhostPorts user needs access to.
You will need to add a new rule to the appropriate firewall policy for each of your GhostPorts users, or you can add a single rule to cover all GhostPorts users if they all need exactly the same access.
See Workload Firewall Management Setup Guide for detailed information on creating and modifying Halo firewalls.
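To make concrete what the inbound rule above means for traffic arriving at a server, here is an added example of a first-match policy evaluator, written for this page and not Halo's own firewall implementation. It assumes that a rule whose Source is a GhostPorts user matches only the address from which that user completed multi-factor authentication, that "all GhostPorts users" matches the address of every currently authenticated user, and that traffic no rule accepts is dropped. The session table, addresses and user names are constructed for illustration. It also includes a check a reviewer would want: an accept rule that opens ssh or rdp to any source bypasses GhostPorts entirely.

```python
# Added example: first-match evaluation of a GhostPorts-style inbound policy.
# Not Halo's firewall code.  Assumptions: a rule whose Source is a GhostPorts
# user matches only the IP address from which that user completed
# multi-factor authentication; "all GhostPorts users" matches the address of
# every currently authenticated user; anything no rule accepts is dropped.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_GHOSTPORTS = "all GhostPorts users"


@dataclass
class Rule:
    service_port: int                 # Service, e.g. 22 for ssh, 3389 for rdp
    source: str                       # GhostPorts user, ALL_GHOSTPORTS, or CIDR
    action: str = "accept"
    interface: Optional[str] = None   # Linux only; None matches any interface
    state: Optional[str] = "NEW"      # Linux only; None matches any state


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    interface: str = "eth0"
    state: str = "NEW"


# The rules from the page's example: ssh for one user on Linux, rdp for all
# GhostPorts users on Windows (no interface or state options there).
EXAMPLE_POLICY = [
    Rule(22, "alice", interface="eth0"),
    Rule(3389, ALL_GHOSTPORTS, interface=None, state=None),
]

# Constructed session table: user -> address the user authenticated from.
EXAMPLE_SESSIONS = {"alice": "203.0.113.10", "bob": "198.51.100.7"}


def source_matches(rule, packet, sessions):
    """Resolve the rule's Source against active GhostPorts sessions."""
    if rule.source == ALL_GHOSTPORTS:
        return packet.src_ip in sessions.values()
    if rule.source in sessions:
        return packet.src_ip == sessions[rule.source]
    try:   # a plain CIDR source, as used by non-GhostPorts rules
        return ipaddress.ip_address(packet.src_ip) in ipaddress.ip_network(rule.source, strict=False)
    except ValueError:
        return False   # a user with no active session, or not a network


def evaluate(policy, packet, sessions):
    """Return the action of the first matching rule, or "drop"."""
    for rule in policy:
        if rule.interface is not None and rule.interface != packet.interface:
            continue
        if rule.state is not None and rule.state != packet.state:
            continue
        if rule.service_port != packet.dst_port:
            continue
        if not source_matches(rule, packet, sessions):
            continue
        return rule.action
    return "drop"


def audit(policy):
    """Flag accept rules whose Source is not scoped to GhostPorts users.

    Such a rule defeats the purpose of multi-factor network authentication
    for that service: anyone can reach it without authenticating first.
    """
    findings = []
    for index, rule in enumerate(policy):
        if rule.action == "accept" and rule.source in ("any", "0.0.0.0/0", "::/0"):
            findings.append("rule %d: tcp/%d open to any source" % (index, rule.service_port))
    return findings
```

Run evaluate() with a packet from an address that has no session and the result is "drop" even though the service rule exists, which is the property the policy is meant to provide; run audit() over a policy before assigning it to a server group to catch a rule that quietly opens the same port to everyone.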
Disable a User's GhostPorts Access
You can disable GhostPorts access for any user by simply unchecking the Enable GhostPorts Access checkbox and clicking Save on the Edit User page.
If the user's authentication type was YubiKey, that YubiKey is now unlinked from the user and is ready to be assigned to and enabled for someone else.
Change GhostPorts Session Length
By default, multi-factor network authentication sessions expire after 4 hours unless the user manually closes GhostPorts before that time (see Manually Close GhostPorts). If you want to change that maximum session length, go to the Advanced Settings tab on the Site Administration page.
From the drop-down list under GhostPorts, select a time length from 1 hour to 24 hours. That expiration time will apply to all of your organization's GhostPorts sessions.