Strengths: Huge feature set, supports wide array of platforms, well documented
Weaknesses: Could possibly be overkill for smaller implementations; no syslog support we could find
Verdict: Good choice for full-featured authentication tool. Recommended
Multi-factor authentication is easy to do for workstation and server logins, but what about your web-based applications? With its DualShield product, Deepnet Security offers a solution that can add that extra layer of security to those applications - at a very reasonable price point.
For testing, we were presented with a series of install files and a SafeID Oath token. There are several ways to deploy DualShield - an administrator can combine all modules onto a single server, or break out the front- and backend components to different locations. In addition, multiple database types are supported, which makes it extremely flexible. In the end, we chose to perform a basic install, placing all components on a single server and allowing the installer to configure a MySQL server and database instance for us.
Since we wanted to begin the testing by setting up basic two-factor authentication with a workstation, we also had to install the Windows login agent on the server and client software on the workstation. The client software installation was simple and straightforward. However, the agent portion of the software requires, somewhat counterintuitively, that it be registered to the authentication server before it is installed. We then set up a link to Active Directory as our identity source, set up a basic Windows logon procedure, and linked the Oath token to our test account.
The steps to configure the product appeared more complicated than they actually were, and by following the documentation we had our basic installation and configuration complete within an hour.
Although DualShield can secure Windows, Mac and even VMware View workstations, it offers much more than simple workstation authentication. The product supports a wide array of authentication methods, including: token-based one-time passwords; on-demand passwords; biometrics; device DNA; and PKI certificates. The software even supports sending an on-demand password via Twitter - which we find absolutely bizarre - but we suppose it's a further testament to the flexibility of this product. The single sign-on module is SAML 2.0 compliant, so cloud-based applications such as Google Apps or Salesforce are easily managed. IIS applications can be secured via the IIS agent module. VPN support is provided for Cisco, Check Point, Juniper Networks and F5 Networks concentrators, as well as any VPN supporting Radius. However, that support is divided between SSL VPNs and IPsec.
While SSL VPN access can be augmented with any authentication method DualShield supports, IPsec VPN access is limited to one-time password methods due to limitations in Radius. The self-service module allows administrators to enable their end-users to reset passwords, request replacement tokens or even request an emergency login code. DualShield also offers a decent logging system that allows administrators to monitor all events or a subset of events, and the organisation of it proved very useful during troubleshooting. Unfortunately, there is no syslog support that we could find, so any log viewing needs to be done on the product management console. A small sacrifice, considering everything else you get.
Documentation was extremely thorough. Deepnet has prepared implementation guides for a number of common products, including Cisco, F5 Networks, Juniper Networks, Outlook Web Access, VMware and others, along with more general guides for incorporating DualShield into custom IIS apps and SAML 2.0 compliant cloud services. The documentation was easy to follow, with plenty of screenshots. However, there wasn't any bookmarking, so we found ourselves scrolling around a lot.
Deepnet has broken its support offerings into three tiers: basic gets you eight-hours-a-day/five-days-a-week email and web support; standard includes the basic features, but adds phone and WebEx sessions; and premium expands the standard package support hours to 24/7. During evaluation periods, its eight-hours-a-day/five-days-a-week standard support package comes free.
The product licensing is based solely on a per-user licence model - all modules and features are included. A five-user starter pack can be purchased for £495.