SecurID and admin firewalls at U Toronto
- a rough timeline: 1993-2015
Windows 3.11, Mac System 7 : 1993
1993-Nov : first AMS firewall is built on an idle Sun 3/280 (Filter)
- uses open source FireWall ToolKit (FWTK) from Trusted Information Systems (TIS)
- early SAPgui had required a modification of FWTK:
- substitute the firewall's address for the user's address
so the server will talk to the firewall instead of trying to connect
to the user's client outside the firewall.
- byte-by-byte analysis of SAPgui traffic was made possible
by the early SAPgui client for X11 on Sparc workstations.
- new admin firewall layout designed by Tom Molnar.
- SecurID chosen for two-factor authentication.
- SecurID management/server installed on an IBM AIX server.
1994-Sep : IBM-RS6000s and Cisco-4000s.
- dedicated hardware purchased for firewalling.
- Poort and Wachthond were desktop IBM RS6000's running AIX.
- Gaat and Ingang were Cisco 4000 routers (10 Mbps).
1994-Oct : R3verify
- new SAPgui required new authentication method (R3verify):
- a call-back client/server scheme with SMTP-like plaintext dialog.
- user runs the "listener" alongside the SAPqui client.
firewall connects to the user's listener.
user authenticates via the listener connection.
- Windows+Mac "listener" written by Mark Acfield in VisualBasic.
1994-Nov : SecurID added to Filter, Poort.
- FWTK software recompiled to include support for SecurID.
- SecurID supplied source code for the API.
1994-Dec : Gaat gets X.25 link to SAP Inc.
- SAP Inc supports their products remotely by connecting to AMS
over the X.25 link.
Netscape Navigator : 1994
Windows 95, SSH, Rogers WAVE : 1995
Mac OS 8, google.com : 1997
Windows 98, Apple iMac : 1998
1998-Aug : Splash (Rogers WAVE - Internet over tv-cable)
- provide SSH access for users accessing AMS from home via Rogers WAVE.
- included mods to SSH to permit SecurID authentication.
- included mods to SSH to consult Poort for access control.
1999-Feb : Filter (Sun3) powered down.
Mac OS 9, OpenSSH : 1999
2000-Mar : local mods to FWTK to add date+time-based access windows.
2000-May : generic Intel systems purchased to upgrade all hardware.
- original Poort (IBM RS6000 desktop) replaced with a pair of systems
in a live/hot-spare configuration.
- Splash hardware also updated. TIS-Gauntlet sofware replaced with locally-modified FWTK.
2000-Dec : CAN firewall pair (fan + tan)
AMS was planning to use Windows-based software. It had been
decided to keep AMS Windows servers isolated from the AIX servers.
The CAN firewall pair was built to isolate those Windows servers.
Windows XP, Mac OS X, Apple iPod : 2001
2002-Feb : Splash configured with IPsec.
- SAP Inc retires the X.25 link.
- Splash configured with IPsec to allow SAP Inc to continue remote software support.
OS X Safari : 2003
Mozilla Firefox : 2004
YouTube : 2005
2005-Mar : Splash with OpenVPN.
- OpenVPN tunnels added as alternative to SSH.
- VPNs are tied to Poort for authentication and dynamic access windows.
2006-Oct : RAG firewall pair (dish + mop)
- UT saves on software licensing for SecurID on MVS.
- customized proxy TN3270 access to MVS.
- locate and extract username and SecurID passcode from TN3270 data stream.
- authenticate username to SecurID.
- [REX script] generate a passticket.
- replace SecurID passcode with REX passticket on-the-fly
- forward modified TN3270 data to MVS.
Windows Vista, SSH-2 : 2006
2007-Jan : new SecurID server pair (rascal + sneaky)
- SecurID management servers moved to RedHat systems.
Apple iPhone : 2007
Google Chrome : 2008
2009-Sep : VMware ESX/ESXi launched at EIS.
Windows 7 : 2009
Oracle buys SUN : 2010
Mac OS X 10.7 : 2011
Windows 8 : 2012
2013-fall : eToken (replacement for SecurID) rolls out.
2013-Nov : RAG firewall moved to VMware ESXi.
- hardware for dish + mop retired.
Windows 10 : 2015
2015-Sep : Poort/Splash/CAN/Gaat/SecurID hardware retired.
- generic Intel hardware lasted three times longer than expected.