Aladdin eToken Solutions for Cisco Integrated Services Routers, Cisco VPN Client, Cisco Identity-Based Networking

Aladdin Knowledge Systems, November 2005



Agenda

Aladdin Overview

Solutions Overview

eToken Solutions:

− Snapshot: About eToken

− Aladdin eToken & Cisco ISR

− Token Management System (TMS)

− Cisco ECT & eToken Solution

− eToken Password Management

− Aladdin eToken & Cisco VPN

− Online Demo of ISR provisioning and secure VPN access


Aladdin Knowledge Systems (NASDAQ: ALDN) has been a global provider of software protection and network security solutions since 1985.

With a distribution network of more than 50 partners in over five continents, Aladdin provides unmatched service and support to its customers.


Aladdin Product Lines

Software Digital Rights Management
− Comprehensive solution for software vendors’ protection and licensing needs
− Hardware or software-based

Enterprise Security
− Portable device for two-factor authentication, password and digital identity management
− Robust enterprise management
− Gateway-based anti-virus protection & content security
− Web browsing security with anti-spyware & application filtering
− Proactive email security with spam management

Identifies who users are
Controls what users can do
Ensures safe access to content


Overview of Aladdin-Cisco eToken Offerings

Cisco Integrated Services Routers (ISR)
− eToken-based ISR secure provisioning
− eToken-based portable credential storage for site-to-site VPN

Enterprise Class Teleworker (ECT)

Cisco VPN
− eToken-based Strong Authentication for VPN client

Online Demo
− Online demo for Cisco ISR and VPN


Aladdin eToken & Cisco ISR


eToken ISR Solutions

Two main functionalities of eToken with Cisco ISR:

1. Secure configuration storage and distribution with eToken
− Provisions ISR config into eToken, sends Token to location
− Router loads ISR config off the eToken when turned on, or merges configuration when eToken is plugged into router
− Supports boot-strap or secondary configuration

2. Portable Credential storage for VPN RSA Key Pairs with eToken
− Provides off-platform storage, generation of VPN Credentials
− Loads encryption keys when eToken plugged in, and removes when eToken removed

Yet another important feature:
− Router brings up IPSEC VPN tunnel until eToken is removed, then tunnel comes down (after configurable timeout)

Note: Support provided only for eToken PRO


Secure Configuration Storage and Distribution with eToken

1. Orders router and eToken
2. Provisioning Center receives eToken and loads configuration file
3. Sets custom PIN on eToken

[Diagram label: VMS+TMS]

1. Router is shipped directly to customer site
2. eToken can be shipped to the customer location separately

1. Installation technician plugs in eToken
2. Enters CLI to boot router from eToken config, including PIN


Portable Credential Storage for VPN RSA Key Pairs with eToken

Portable Credentials
− Stores router VPN credentials on the eToken
− When inserted, the router passes the PIN to unlock the eToken and retrieves the credentials
− Router brings up IPSEC tunnel until eToken is removed, then tunnel comes down (after configurable timeout)

[Diagram labels: IP, Internet, Head End]


Values to Cisco Channel

Substantial cost savings:
− Routers are shipped to customers blank, as there is no need for physical router configuration

Easy eToken configuration:
− Utilizes smooth integration of Token Management System (TMS) and Cisco VMS

Automation and Batch processing of eToken/router configuration:
− TMS is able to enroll batch/bulk of tokens; no need to manually deal with each config file

Easy technical support:
− Configuration can be reloaded to the router, no need to send technicians

Web service:
− Re-provisioning or change in configuration can be done over the web using eToken TMS (i.e., no need to send technician AGAIN to fix config problems)


Values to Cisco Customers

Security:
− Router configuration is securely stored on the eToken

Security:
− eToken stores the router’s root certificate (RSA keys)

Ease:
− Customer is free to purchase routers from any Cisco store

Delivery:
− Timely implementation, support and updates

Self service:
− Ability to provision and re-provision router over the web


What Is Aladdin Token Management System (TMS)?

A system for deploying, managing and using security tokens in an Enterprise

TMS offers a LINK between:
- Users
- Organizational rules
- Security device(s)
- Security application(s)


Token Management System (TMS) & Cisco ISR

− TMS uses special Cisco ISR connector to provision eToken with ISR configuration
− TMS can provision tokens as web service using web browser or in a standalone mode
− ISR configuration may be generated with any tool such as Cisco Security Manager (VMS)

[Diagram labels: TMS, Cisco ISR TMS Connector, Token Management System (TMS)]


Provisioning the eTokens

#1: Using TMS (TMS = Token Management System)
− Create configuration file in text editor
− Reset User PIN and Admin PIN
− Manage tokens across the organization by SN
− Copy configuration and credential files to eToken

#2: Using CLI
− Create configuration file
− Enroll with CA
− Reset PIN
− Unlock eToken
− Copy configuration to eToken
− Copy VPN credentials to eToken

GUI will replace CLI

Refer to Cisco video for details on router config.


Router Provisioning Processes: Old vs. eToken-Based

Flow: Old Process

Channel:
− Installs VMS
− Receives router from distributor
− Configures router manually
− Ships router to customer

User:
− Plugs router into network
− Router goes live

OR: Technician arrives and configures router on site.

Flow: eToken Process

Channel:
− Installs VMS and TMS
− Transfers bootstrap batch file to eToken
− Ships eToken to customer
− Ships blank router to customer

User:
− Buys/receives blank router from channel
− Receives personalized eToken from channel
− Plugs router to network
− Plugs eToken into router
− Router goes live


What is ECT?

Cisco Enterprise Class Teleworker (ECT) solution provides an end-to-end integrated security and management solution for Remote Access (Business Ready Teleworker) and Site-to-Site Access (Business Ready Branch).

Key benefits of the ECT solution include:
− Layered and integrated Security for router, network, device, user and applications (voice, video, and wireless).
− DMVPN, the ECT baseline architecture, seamlessly integrates security, dynamic routing, and the dynamically meshed VPN deployment.
− Zero Touch Deployment reduces the complexity of support and the loss of corporate control.
− Security Features safeguard the corporate network and prevent unguarded entrances to the network.
− Quality of Service provides application availability and guaranteed bandwidth for key applications and users.


ECT & eToken Solution: The Need

CPE Provisioning & Security
− Enhance and simplify the Zero Touch Deployment (ZTD) mechanisms
− Secure the CPE credential provisioning
− Secure the spoke-to-spoke VPN tunnel
− Push security policies changes by administration
− Support CPE Re-provisioning or Replacement
− CPE Image management

Password Management
− Password management for enterprise applications

Strong Authentication for Network Access
− Secure VPN access
− Secure network logon (Network logon; 802.1x & NAC)


ECT & eToken Solution: The Solution

eToken and TMS provide a framework for CPE provisioning & security; maintenance & support; password management; and network/VPN access.

Two tokens are suggested in the framework:

eToken for CPE:
• Secure and easy provisioning
• Secure VPN tunnel
• Support capabilities

eToken for End user:
• Passwords management (web & win app)
• Strong authentication for remote login to corporate infrastructure
• Strong authentication for network logon (LAN), 802.1x & Cisco IBNS (LAN card), and NAC (granular LAN access)


ECT & eToken Solution: The Solution

[Diagram labels: Teleworkers; Corporate; Internet; Roaming User; Router/FW/VPN; ISR eToken; User eToken; Corporate User; Application Servers; Router; TMS; Service Provider; TMS / TMS Web]

[Diagram captions: ISR configuration, RSA VPN keys, Re-provisioning, Support; Password Management, VPN Client, Web Access; Network Access (Logon), NAC, 802.1x]


eToken Password Management


eToken Password Management Solution

Password Management
− Administrator or service provider uses eToken Simple Sign-On (SSO) and eToken Web Sign-On (WSO) to push corporate applications’ credentials onto the eToken
− eToken stores all necessary logon information including usernames, passwords, PIN numbers, etc.
− WSO/SSO automatically fills out the respective web page or logon window credentials.
− Great end-user benefit – users can cache their personal credentials too

Secure and automatic access


Aladdin eToken & Cisco VPN Client


eToken & Cisco VPN

eToken supports all prevalent Cisco VPN access modes with various authentication methods:

Cisco VPN access modes:
− SSL VPN
− IPSec VPN
− Wireless VPN

Authentication methods:
− PKI
− OTP

The solution combines every possible pair

Note: Support provided for all eTokens. Aladdin promotes eToken NG-OTP


Access Scenarios

VPN Remote Access over IPSec

VPN Remote Access over SSL

WiFi Remote Access over the Web


Solution Components

Cisco:
− VPN Concentrator
− Cisco VPN Client
− Cisco PIX
− Cisco ACS RADIUS
− Cisco ISR
− Cisco ASA
− Cisco Aironet Access Point

Aladdin:
− eToken NG/Pro
− eToken CSP
− TMS (Token Management System) – Unified backend!

Certificate Authority:
− MS
− VeriSign
− Other…


Benefits and Differentiators

Value to Customers
− Integrated end-to-end solution
− Remote access based on two-factor authentication providing top notch security
− Flexibility in access methods and authentication methods
− Shorter implementation/deployment cycle
− Best TCO and ROI

Differentiators
− The only integrated solution, from only 2 vendors, that encompasses all remote access needs
− Can be provided either as an on-site installation, or as a managed service


Benefits and Differentiators

Value to Cisco Channel
− Better offering to customers
− Fits into channel’s offering based on Cisco gear
− Increased demand for access solutions
− Shorter sales cycle
− Up-sell opportunities with eToken TMS and other security applications
− Opportunity to sell more services (integration, maintenance, etc.)

Differentiators
− The only integrated solution, from only 2 vendors, that encompasses all remote access needs
− Can be provided either as an on-site installation, or as a managed service


Online Demo for Cisco ISR and VPN


Online Demo for Cisco ISR and VPN

Aladdin-Cisco Online Demo
• Enables Cisco SE, Channel or Customer to register and apply for eToken, enroll the eToken and run one of two demos:
• ISR demo: Enables upload of a given router configuration on board eToken
• VPN Demo: Enables experience of two live VPN access scenarios
- SSL VPN + eToken OTP authentication
- IPSec VPN + eToken certificate-based authentication (PKI)

Key Benefits:
• Great demonstration tool to be used by SEs, channels and customers
• It is real, and works with Aladdin/Cisco back-end, available 24x7
• TMS web interface shows its most powerful feature – online provisioning of (blank) tokens
• Once a user receives its credentials, the demo can be run repetitively, with no limits
• Sponsored by Cisco which provides the back-end equipment (PIX, ACS, and Concentrator)
• Best practice would be to….. Try it yourself

https://ciscodemo.aladdin.com