About Multi-Factor Network Authentication
Multi-factor network authentication is the most secure way to control access to services on cloud servers. For example, administrators can lock down all administrative ports by default; the ports then open dynamically only for authenticated users, and only from the IP address from which they authenticated. After a defined period the ports close automatically, returning to their inaccessible state.
Multi-factor network authentication removes the concern of attackers continually scanning your servers for open ports and attempting brute-force logins against those services. When multi-factor network authentication is enabled, the protected ports are invisible to attackers who scan your network. This makes it much harder for attackers to find a way in, because they cannot even see your open ports.
When a server administrator authenticates to the multi-factor network authentication gateway, the administrative ports on that administrator's server are open only for a limited amount of time, and only from the administrator's current IP address. Potentially malicious users attempting to access the server at the same time are denied.
By using multi-factor network authentication to provide secure access to your cloud servers, you are able to:
- Hide your sensitive applications from the world
- Enable secure access by remote employees no matter how mobile they are
- Combine the strength of two-factor authentication with the convenience of software or hardware tokens
- Avoid the need for additional client software or infrastructure
- Work seamlessly across multiple elastic public, hybrid, and private cloud environments
- Fulfill compliance requirements for multiple security standards (PCI, HIPAA, FISMA, and others)
- Be up and running in less than 10 minutes
How it Works
Multi-factor network authentication provides strong two-factor authentication by requiring both Halo login credentials and a second factor: a one-time password that is either transmitted by SMS text message or generated by a hardware device.
- For transmission by SMS, Halo generates a one-time password and sends it to the GhostPorts user's mobile phone in a text message.
- For a hardware device, CloudPassage supports the YubiKey® from Yubico. A YubiKey is a one-time-password generator packaged as a USB input device. YubiKey values are unique across all of Halo, so each YubiKey can be assigned to only one user at a time.
In the Halo portal, the multi-factor network authentication gateway is called GhostPorts. Once a Halo site administrator has enabled GhostPorts access for a user, authentication is a simple process. The GhostPorts user logs into the Halo portal and authenticates to GhostPorts, using either YubiKey or SMS code. In response, Halo temporarily opens the required ports on the required servers for access from that user's machine. The user then connects to the server outside of Halo—for example through SSH or RDP.
To enable this targeted access, you set up firewall policies for server groups that include rules for GhostPorts users. The rules determine the specific services and ports to be opened for each GhostPorts user's access.
Each time the user authenticates to GhostPorts, Halo communicates the user's source IP address to the firewalls of the servers in the target server group. The GhostPorts user then has access for a specific amount of time, and only from that IP address. Once that time expires, Halo closes the ports and further access is denied.
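The following Python model illustrates the access logic described above: a default-deny firewall, per-user port rules, a time-limited grant bound to the authenticated user's source IP, and the view a port scanner gets before, during and after the grant. It is an added example, not code from the original page or from CloudPassage; the rule table, user names, addresses and the 600-second lifetime are constructed sample values, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample data standing in for the per-user rules a server-group
# firewall policy would carry for its GhostPorts users (user -> allowed ports).
GHOSTPORTS_RULES = {
    "alice": {22},        # SSH only
    "bob": {22, 3389},    # SSH and RDP
}


@dataclass
class Grant:
    """One time-limited opening: these ports, for this source IP, until expiry."""
    user: str
    src_ip: str
    ports: frozenset
    expires_at: float


class DynamicFirewall:
    """Default-deny firewall for one server group (hypothetical model).

    A packet is allowed only while an unexpired grant exists for exactly its
    (source IP, destination port) pair; everything else is dropped.
    """

    def __init__(self, rules, ttl_seconds):
        self.rules = rules
        self.ttl = ttl_seconds
        self.grants = []

    def authenticate(self, user, src_ip, now):
        """Record a grant after the user's second factor has been verified.

        Returns the grant's expiry time, or None when the user has no rule
        (and therefore nothing is opened).
        """
        ports = self.rules.get(user)
        if not ports:
            return None
        src_ip = str(ip_address(src_ip))  # raises ValueError on a malformed address
        expires_at = now + self.ttl
        self.grants.append(Grant(user, src_ip, frozenset(ports), expires_at))
        return expires_at

    def purge_expired(self, now):
        """Drop grants whose lifetime has elapsed; the ports close again."""
        self.grants = [g for g in self.grants if g.expires_at > now]

    def is_allowed(self, src_ip, port, now):
        """Decision for a single packet: True only under a live, matching grant."""
        self.purge_expired(now)
        return any(g.src_ip == src_ip and port in g.ports for g in self.grants)

    def scan_view(self, src_ip, now, candidate_ports=(22, 80, 443, 3389)):
        """Which of the candidate ports a scanner at src_ip would see as open."""
        return {p for p in candidate_ports if self.is_allowed(src_ip, p, now)}


if __name__ == "__main__":
    fw = DynamicFirewall(GHOSTPORTS_RULES, ttl_seconds=600)
    admin_ip, other_ip = "203.0.113.10", "198.51.100.7"   # constructed addresses
    print("before auth, scan from admin IP:", fw.scan_view(admin_ip, now=0))
    fw.authenticate("alice", admin_ip, now=0)
    print("after auth, scan from admin IP: ", fw.scan_view(admin_ip, now=100))
    print("after auth, scan from other IP: ", fw.scan_view(other_ip, now=100))
    print("after expiry, scan from admin IP:", fw.scan_view(admin_ip, now=600))
```

Two points the model makes concrete: the grant is keyed to the source IP, so a second host connecting during the same window is still denied, and expiry is evaluated on every decision, so the ports close at the deadline without any separate teardown step.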