Deepnet Security DualShield
Strengths: Huge feature set, supports wide array of platforms, well documented.
Weaknesses: Could possibly be overkill for smaller implementations, no syslog support we could find.
Verdict: Good choice for full-featured authentication tool. Recommended.
Multifactor authentication is easy to do for workstation and server logins, but what about web-based applications? With its DualShield, Deepnet Security offers a product that can add that extra layer of security to those applications - at a reasonable price point.
For testing, we were presented with a series of install files and a SafeID OATH token. There are several ways to deploy DualShield: An administrator can combine all modules onto a single server, or break out the front- and backend components to different locations. In addition, multiple database types are supported, which makes the tool extremely flexible. In the end, we chose to perform a basic install, placing all components on a single server and allowing the installer to configure a MySQL server and database instance for us.
Since we wanted to begin testing by setting up basic two-factor authentication with a workstation, we also had to install the Windows Login agent on the server, and client software on the workstation. The client software installation was simple. However, the agent portion requires, counter-intuitively, that it be registered to the authentication server before installing it. We then set up a link to Active Directory as our identity source, set up a basic Windows logon procedure, linked the OATH token to our test account, and we were done. The steps to configure the solution appeared more complicated than they actually were, and by following the documentation we had our basic installation and configuration complete within an hour.
While SSL VPN access can be augmented with any authentication method DualShield supports, IPsec VPN access is limited to one-time password methods due to limitations in RADIUS. The Self Service module allows administrators to enable their end-users to reset passwords, request replacement tokens or even request an emergency login code. The product also offers a strong logging system, which allows administrators to monitor all events, and its organization proved useful during troubleshooting. Unfortunately, there is no syslog support that we could find, so any log viewing needs to be done on the product management console. A small sacrifice, considering everything else you get.
Documentation was thorough. Deepnet has prepared implementation guides for a number of common products, including Cisco, F5, Juniper, Outlook Web Access, VMware and others, along with more general guides for incorporating DualShield into custom IIS apps and SAML 2.0-compliant cloud services. The documentation was easy to follow with plenty of screen shots. However, there wasn't any bookmarking, so we found ourselves scrolling around a lot.
Deepnet has broken its support offerings into three tiers: Basic gets users eight-hours-a-day/five-days-a-week email and web assistance. Standard includes the basic features, but adds phone and WebEx sessions. Premium expands support to 24/7. During evaluation, the standard support package comes free.
The product licensing is based solely on a per user license model - all modules and features are included. For 1,000 users, the cost is around $32 per user, and a five-user starter pack can be purchased for $649.