Done Increased Security for LDAP authentication from Outside

Discussion in 'Feature Requests' started by David, Oct 8, 2016.

  1. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    802
    Likes Received:
    31
    I would like a way to increase security for our Local (LDAP) users. Basically, we do not want those users accessing the Liquid Files appliance from any public networks; only our inside network. I know you have a IP range restriction for administrative access but it would be nice to have this same functionality for Local users. The other option or feature request would be to force Local users to use two factor authentication when outside the corporate network. This would increase security for those particular instances. When they are on the inside network, two factor is not needed. Our fear is that something like a keylogger virus could capture their LDAP credentials if they are accessing Liquid Files on a non-corporate controlled network or PC. It seems the product has the fundamental pieces in place (Strong Auth, Restricted Access by Subnet) to accomplish this but a little more granular control would be ideal. Great product so far and thanks for your help!
     
  2. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    802
    Likes Received:
    31
    Comments
    Johan Allard
    LiquidFiles
    I find the LDAP request quite curious. Do you not allow your users any access to corporate resources outside of your local network? No email, including Smartphones or Webmail access?

    November 11, 2012, 08:12
    Michael Sotirake
    The only way to do what you are suggesting is to not integrate or authenticate users using LDAP, or implement 2 factor authentication and enforce your LDAP users to use that to authenticate.

    April 12, 2013, 02:40
    Matt Fields
    Yes, we force employees to use 2 factor when coming from the outside for all services. We use a different 2 factor technology than the one built into Liquidfiles, and it isn't ideal for employees to have 2 different 2 factor products.

    We really don't have a need for our employees to access Liquidfiles from the outside so allowing "Local" users to login only from specific subnets (inside network) would be ideal. That way 2 factor is not necessary because Local users will only be accessing it from the inside.

    April 12, 2013, 02:58
    Johan Allard
    LiquidFiles
    The next major release of LiquidFiles will include a "restrict access from" so that you can limit certain groups of users to only be able to login from certain ip addresses or networks.

    April 12, 2013, 11:00
    Matt Fields
    You rock Johan!

    From a security standpoint when evaluating authentication criteria, be sure to evaluate the subnet prior to bouncing credentials off active directory. This will help prevent DOS against AD itself.

    April 13, 2013, 08:50
    Johan Allard
    LiquidFiles
    Before authentication, we don't know who is authenticating and we can't have different rules for different users (or groups of users), so the only thing that we could do would be to limit access to the system itself - much better achieved with an external firewall. So no, this check happens after authentication. In terms of DOS protection, the standard DOS protection that you configure in Admin -> Settings still applies, so by default access is blocked for 15 minutes after 5 failed attempts within 5 minutes.
    April 13, 2013, 15:38
    Matt Fields
    Johan,

    I would think you can perform the check as follows:

    1. Evaluate if user domain is Local, Remote, etc.

    2. Evaluate access by Group/Subnet.

    3. If Subnet/Group match, validate password. If not, don't attempt to bounce against LDAP or local authenticator.

    Johan, my fear is that if we are using LDAP, someone could write a script to cycle through our LiquidFiles/LDAP usernames and lock out our LDAP accounts. If subnet is evaluated prior to password authentication, this should solve the issue.

    April 16, 2013, 00:49
    Johan Allard
    LiquidFiles
    Yes, that's effectively how it's implemented.

    April 18, 2013, 17:31
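The check ordering Matt proposes above (classify the user, check the source subnet against the group policy, and only then bind to LDAP) can be sketched as follows. This is an added illustration, not LiquidFiles' own code; the group names, networks, user list and the fake directory are constructed placeholders, and the reason strings are meant for server-side logging only (the client should receive one generic failure message).

```python
import ipaddress

# Constructed policy: group -> networks that group may log in from.
# None means "no source restriction" (e.g. external/remote users).
POLICY = {
    "local": [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")],
    "remote": None,
}

# Constructed user directory: username -> group (step 1, "Local, Remote, etc.").
USERS = {"alice": "local", "bob": "remote"}


class FakeLdap:
    """Stand-in for the directory. Counts bind attempts so a test can prove
    that requests rejected on subnet never reach LDAP (no lockout risk)."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.bind_attempts = 0

    def bind(self, username, password):
        self.bind_attempts += 1
        return self.passwords.get(username) == password


def authenticate(username, password, source_ip, ldap, users=USERS, policy=POLICY):
    """Returns (ok, reason). Reason is for the server log, not the client."""
    # Step 1: which realm/group does this account belong to?
    group = users.get(username)
    if group is None:
        return False, "unknown user"

    # Step 2: is this source address allowed for that group?
    allowed = policy.get(group)
    if allowed is not None:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in allowed):
            return False, "source network not permitted for group"

    # Step 3: only now spend a bind against the directory.
    if not ldap.bind(username, password):
        return False, "bad credentials"
    return True, "ok"
```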
    Mark Williams
    Johan,

    This is quite a key feature for us. If we purchase Liquid Files will we be able to get a version with this update in?

    Thanks

    Mark

    April 24, 2013, 06:40
    Johan Allard
    LiquidFiles
    This feature will be available in the next major release, due out in a couple of weeks.

    April 24, 2013, 06:59
    Johan Allard
    LiquidFiles
    This feature was added in version 2.3.

    May 15, 2013, 07:36