SecurID and admin firewalls at U Toronto / 1993-2015 - a rough timeline

Windows 3.11, Mac System 7 : 1993

1993-Nov : first AMS firewall is built on an idle Sun 3/280 (Filter)

uses open source FireWall ToolKit (FWTK) from Trusted Information Systems (TIS)
early SAPgui had required a modification of FWTK:
- substitute the firewall's address for the user's address so the server will talk to the firewall instead of trying to connect to the user's client outside the firewall.
- byte-by-byte analysis of SAPgui traffic was made possible by the early SAPgui client for X11 on Sparc workstations.

1994 :

new admin firewall layout designed by Tom Molnar.
SecurID chosen for two-factor authentication.
SecurID management/server installed on an IBM AIX server.

1994-Sep : IBM-RS6000s and Cisco-4000s.

dedicated hardware purchased for firewalling.
- Poort and Wachthond were desktop IBM RS6000's running AIX.
- Gaat and Ingang were Cisco 4000 routers (10 Mbps).

1994-Oct : R3verify

new SAPgui required new authentication method (R3verify):
- a call-back client/server scheme with SMTP-like plaintext dialog.
- user runs the "listener" alongside the SAPqui client. firewall connects to the user's listener. user authenticates via the listener connection.
- Windows+Mac "listener" written by Mark Acfield in VisualBasic.

1994-Nov : SecurID added to Filter, Poort.

FWTK software recompiled to include support for SecurID.
SecurID supplied source code for the API.

1994-Dec : Gaat gets X.25 link to SAP Inc.

SAP Inc supports their products remotely by connecting to AMS over the X.25 link.

Netscape Navigator : 1994

Windows 95, SSH, Rogers WAVE : 1995

Mac OS 8, google.com : 1997

Windows 98, Apple iMac : 1998

1998-Aug : Splash (Rogers WAVE - Internet over tv-cable)

provide SSH access for users accessing AMS from home via Rogers WAVE.
included mods to SSH to permit SecurID authentication.
included mods to SSH to consult Poort for access control.

1999-Feb : Filter (Sun3) powered down.

Mac OS 9, OpenSSH : 1999

2000-Mar : local mods to FWTK to add date+time-based access windows.

2000-May : generic Intel systems purchased to upgrade all hardware.

original Poort (IBM RS6000 desktop) replaced with a pair of systems in a live/hot-spare configuration.
Splash hardware also updated. TIS-Gauntlet sofware replaced with locally-modified FWTK.

2000-Dec : CAN firewall pair (fan + tan)

AMS was planning to use Windows-based software. It had been decided to keep AMS Windows servers isolated from the AIX servers. The CAN firewall pair was built to isolate those Windows servers.

Windows XP, Mac OS X, Apple iPod : 2001

2002-Feb : Splash configured with IPsec.

SAP Inc retires the X.25 link.
Splash configured with IPsec to allow SAP Inc to continue remote software support.

OS X Safari : 2003

Mozilla Firefox : 2004

YouTube : 2005

2005-Mar : Splash with OpenVPN.

OpenVPN tunnels added as alternative to SSH.
VPNs are tied to Poort for authentication and dynamic access windows.

2006-Oct : RAG firewall pair (dish + mop)

UT saves on software licensing for SecurID on MVS.
customized proxy TN3270 access to MVS.
- locate and extract username and SecurID passcode from TN3270 data stream.
- authenticate username to SecurID.
- [REX script] generate a passticket.
- replace SecurID passcode with REX passticket on-the-fly
- forward modified TN3270 data to MVS.

Windows Vista, SSH-2 : 2006

2007-Jan : new SecurID server pair (rascal + sneaky)

SecurID management servers moved to RedHat systems.

Apple iPhone : 2007

Google Chrome : 2008

2009-Sep : VMware ESX/ESXi launched at EIS.

Windows 7 : 2009

Oracle buys SUN : 2010

Mac OS X 10.7 : 2011

Windows 8 : 2012

2013-fall : eToken (replacement for SecurID) rolls out.

2013-Nov : RAG firewall moved to VMware ESXi.

hardware for dish + mop retired.

Windows 10 : 2015

2015-Sep : Poort/Splash/CAN/Gaat/SecurID hardware retired.

generic Intel hardware lasted three times longer than expected.