DIGIPASS Authentication for SonicWall SSL-VPN

Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security. Trademarks DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Copyright 2011 VASCO Data Security. All rights reserved. 2011 VASCO Data Security. All rights reserved. Page 2 of 55

Table of Contents DIGIPASS Authentication for SonicWall SSL-VPN... 1 Disclaimer... 2 Table of Contents... 3 1 Reader... 5 2 Overview... 6 3 Problem Description... 7 4 Solution... 8 4.1 Benefits... 8 4.2 How does two-factor authentication work?... 8 4.3 Supported Platforms... 8 5 Technical Concept... 9 5.1 General overview... 9 5.2 SonicWALL SSL-VPN prerequisites... 9 5.3 IDENTIKEY Server Prerequisites... 9 5.4 Overview of SonicWALL RADIUS Authentication with IK...10 5.5 Overview of actions...10 6 Configuration of the SonicWALL SSL-VPN... 11 6.1 Login to the SSL-VPN & check version...11 6.2 Set the time on SSL-VPN...13 6.3 DNS Settings...14 6.4 Configure a default route for the SSL-VPN...15 6.5 Add NetExtender Client Address Range...16 6.6 Add NetExtender Client Routes...17 6.7 Create a Portal Domain...18 6.8 Add a local user for the Domain...19 2011 VASCO Data Security. All rights reserved. Page 3 of 55

6.9 Edit the user s policy...20 7 Configure the NSA 2400... 21 7.1 Login...21 7.2 Configure PRO4060 Interface and Zone...22 7.3 Create an Address...26 7.4 Create inbound allow rule for https & NAT Policy...27 7.5 Allow rule from DMZ to LAN for IDENTIKEY Server...30 8 IDENTIKEY Server... 31 8.1 Policy configuration...31 8.2 Register Client...35 8.3 Configure User...35 8.3.1 Create New User...35 8.3.2 Import DIGIPASS...37 8.3.3 Assign DIGIPASS...38 8.4 Install Active Directory...40 8.4.1 Create Users...40 8.4.2 Import DIGIPASS...43 8.4.3 Assign Digipasses for Users...46 9 Two-factor authentication SSL-VPN test and conclusion... 53 10 About VASCO Data Security... 55 2011 VASCO Data Security. All rights reserved. Page 4 of 55

1 Reader This Document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIEKEY SERVER and Axsguard IDENTIFIER, we refer to the Installation and administration manuals of these products. Axsguard IDENTIFIER is the appliance based solution, running IDENTIKEY SERVER by default. Within this document, VASCO Data Security, provides the reader guidelines for configuring the partner product with this specific configuration in combination with VASCO Server and Digipass. Any change in the concept might require a change in the configuration of the VASCO Server products. The product name`identikey SERVER`will be used throughout the document keeping in mind that this document applies as well to the Axsguard IDENTIFIER. 2011 VASCO Data Security. All rights reserved. Page 5 of 55

2 Overview The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with a SonicWALL device. Authentication is arranged on one central place where it can be used in a regular VPN or SSL/VPN connection. SonicWALL is a strong leader in secure, easy to configure and affordable SSL-VPN clientless remote access and provides users additional Unified Threat Management security when combined with SonicWALL s firewall/vpn appliances. This addresses all companies going from the SMB (Small & Medium Businesses) to the Enterprise space. VASCO Data Security delivers reliable authentication through the use of One Time Password technology. VASCO IDENTIKEY Server combined with SonicWALL SSL-VPN and SonicWALL firewall VPN appliances creates an open-market approach delivered through VASCO DIGIPASS Technology. VASCO IDENTIKEY Server allows users to utilize the VASCO DIGIPASS concept that uses One Time Passwords that are assigned for time segments that provide easy and secure SSL-VPN remote access. The One Time Password within the authentication request is verified on the VASCO IDENTIKEY Server. After verification, a RADIUS access-accept message is sent to the SonicWALL SSL-VPN server for authentication. Digipass integration works in the same way with other SonicWall solutions : 2011 VASCO Data Security. All rights reserved. Page 6 of 55

3 Problem Description The basic working of the SonicWALL is based on authentication to an existing media (LDAP, RADIUS, local authentication ). To use the IDENTIKEY Server with SonicWALL, the external authentication settings need to be changed or added manually. Since static passwords are generally known as non-secure and easy to compromise, One Time Passwords were introduced to the remote access market to secure corporate LAN or central resources. A method to track and manage incoming users via the SonicWALL SSL-VPN and firewall/vpn devices also needed to be introduced. Two-factor authentication is a method that requires two independent means of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentications, which only require one factor, such as the user s password. The following pages present how to solve these issues with configuration the SonicWALL SSL-VPN and NSA 2400, and the VASCO IDENTIKEY Server / Axsguard IDENTIFIER. 2011 VASCO Data Security. All rights reserved. Page 7 of 55

4 Solution After configuring IDENTIKEY Server and the SonicWALL devices in the right way, you eliminate the weakest link in any security infrastructure the use of static passwords that are easily stolen, guessed, reused or shared. The SonicWALL appliance gives you the ability of a combined SSL/VPN platform, it s possible to access your network from a web portal page and/or to create a SSL tunnel. 4.1 Benefits Two-factor authentication offers the following benefits in combination with SonicWALL SSL-VPN: Enhances security by requiring two independent variables of information for authentication. Reduces the security risks associated with one-factor passwords. Minimizes the time administrators spend training and supporting users by providing a strong authentication process that is simple, intuitive, and automated. 4.2 How does two-factor authentication work? Two-factor authentication requires the use of a third-party authentication service. The authentication service consists of two components: An authentication server that the administrator uses to configure user names and assign tokens, and manage authentication-related tasks. With two-factor authentication, users must enter a valid One Time Password to gain access. A One Time Password consists of the following: The user s personal identification number (PIN). A One Time Password issued. Users receive the temporary token codes from their VASCO DIGIPASS. The DIGIPASS displays a new One Time Password every 32 seconds. When VASCO IDENTIKEY Server authenticates the user, it verifies that the One Time Password timestamp is valid in the current timeframe. If the PIN is correct and the One Time Password is current, the user is authenticated. Because user authentication requires these two factors, the VASCO DIGIPASS solution offers stronger security than traditional single-factor authentication. 4.3 Supported Platforms IDENTIKEY Server. This document describes version 3.2. SonicWALL SSL-VPN SRA1200/4200 and SRA VA platforms running firmware version 5.0 or higher. This document describes firmware version 5.0.0.0-14SV of SSL-VPN. SonicWALL NSA 2400 running SonicOS Enhanced 5.x. This document describes SonicOS Enhanced version 5.7.0.0 2011 VASCO Data Security. All rights reserved. Page 8 of 55

5 Technical Concept 5.1 General overview The concept is very easy: the IDENTIKEY Server (IK) is installed as a back-end authentication service for the SonicWALL SSL-VPN. This means that the IK receives all authentication requests from the SonicWALL SSL- VPN. The One Time Password (OTP) within the authentication request will be verified on the IK. After IK verification, a RADIUS access-accept message is sent to the SonicWALL SSL- VPN for the Authentication part. Figure 1: General Overview / Network Diagram 5.2 SonicWALL SSL-VPN prerequisites Please make sure you have a working setup of the SonicWALL. It is very important this is working correctly before you start implementing the authentication to the IDENTIKEY SERVER. 5.3 IDENTIKEY Server Prerequisites In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features. 2011 VASCO Data Security. All rights reserved. Page 9 of 55

5.4 Overview of SonicWALL RADIUS Authentication with IK The following is a description on the RADIUS authentication sequence WITHOUT DIGIPASS assigned: A remote user initiates a connection to the SonicWALL NSA. The SonicWALL NSA is configured that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN. The SonicWALL SSL-VPN gathers the remote user s ID and password, and then submits a RADIUS authentication request to the IDENTIKEY Server. IDENTIKEY Server performs the verification and answers to the SonicWALL SSL-VPN with an access-accept or access-reject message. SonicWALL SSL-VPN then provides access to the authenticated user s individual Portal on the SonicWALL SSL-VPN where the protected resources can be accessed via a simple bookmark click or via IPSec-alike NetExtender access. The following is a description on the RADIUS authentication sequence WITH DIGIPASS Assigned: A remote user initiates a connection to the SonicWALL NSA. The SonicWALL NSA is configured that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN. The SonicWALL SSL-VPN gathers the remote user s ID and one time password generated by the DIGIPASS, and then submits a RADIUS authentication request to the IDENTIKEY Server. IDENTIKEY Server performs the OTP verification and answers to the SonicWALL SSL-VPN with an access-accept or access-reject message. SonicWALL SSL-VPN then provides access to the authenticated user s individual Portal on the SonicWALL SSL-VPN where the protected resources can be accessed via a simple bookmark click or via IPSec-alike NetExtender access. 5.5 Overview of actions In the next chapters we will show you how to configure each device and server in the right way to enable the 2-factor authentication with IDENTIKEY Server. SonicWALL SSL-VPN configuration SSL-VPN appliance Chapter 6 SonicWALL NSA2400 configuration Firewall appliance Chapter 7 IDENTIKEY Server configuration IDENTIKEY Server Chapter 8 Sample of a logon Logon Chapter 9 2011 VASCO Data Security. All rights reserved. Page 10 of 55

6 Configuration of the SonicWALL SSL-VPN 6.1 Login to the SSL-VPN & check version 1. Browse to the default IP address of the SSL-VPN SRA 1200 or 4200 the X0 interface: https://192.168.200.1 2. Login with the default values: User Name: admin and Password: password Note: If you enter http://192.168.200.1 it will automatically redirect to https. 3. Check in the System > Status page that the current Firmware Version is at least 5.0: Figure 2: Checking the Firmware version If it is not 5.0 or higher, register the SonicWALL SSL-VPN appliance at https://www.mysonicwall.com and download the latest firmware version with a valid SonicWALL support entitlement. 2011 VASCO Data Security. All rights reserved. Page 11 of 55

Navigate to Network > Interfaces for the correct IP address of the SSL-VPN s X0 interface. According to the Network Diagram on page 3, this can be left to the default IP address 192.168.200.1: Figure 3: Checking the IP-address for the Network Interface 2011 VASCO Data Security. All rights reserved. Page 12 of 55

6.2 Set the time on SSL-VPN Since the two-factor authentication depends on time synchronization, it is important that the internal clocks for the SSL-VPN appliance and the VASCO IdentiKey are set correctly. Navigate to System > Time on the SSL-VPN appliance to select the correct Time Zone: Figure 4: Time Setting on the appliance 2011 VASCO Data Security. All rights reserved. Page 13 of 55

6.4 Configure a default route for the SSL-VPN According to the Network Diagram on page 3, the default route for the SSL-VPN is the NSA 2400 s X2 interfaces that corresponds with the DMZ Zone. This IP address is set to 192.168.200.250 and needs to be configured as the Default Route for the SSL-VPN. Navigate to Network > Routes and set the correct Default Route on the SSL-VPN X0 interface: Figure 6: Configuring a default route 2011 VASCO Data Security. All rights reserved. Page 15 of 55

6.5 Add NetExtender Client Address Range NOTE: Navigate to NetExtender > Client Addresses to set the NetExtender Client Address Range If using NetExtender Clients, such as = IPSec like SSL-VPN tunnels: Figure 7: Setting the NetExtender Client Address Range In this example, the Client Address Range Begin and End can be left default as Client Addresses will be assigned in the same subnet 192.168.200.0/24 of the SSL-VPN X0 interface. Exclude the SonicWALL SSL-VPN X0 interface and the SonicWALL NSA s X2 interface IP address, according to the Network Diagram on page 3. NOTE: All the above IP settings and configurations shown in this document screen shot will vary as per your network topology 2011 VASCO Data Security. All rights reserved. Page 16 of 55

6.6 Add NetExtender Client Routes 1. Navigate to NetExtender > Client Routes. 2. Click the Add button to select the correct Client Routes for the authenticated remote users accessing the private networks via the SSL-VPN connection: Figure 8: Adding the correct Client Routes According to the Network Diagram on page 8, this corresponds with the subnet connected to the X0 (LAN) interface of the SonicWALL NSA. 2011 VASCO Data Security. All rights reserved. Page 17 of 55

6.7 Create a Portal Domain Navigate to Portal > Domains and select Radius as the Authentication Type from the Drop-down menu: Figure 9: Adding a portal domain Enter the Domain Name. This is the Domain Name users will use in order to log into the SonicWALL SSL-VPN appliance portal. The Radius server address is the IP address of the Vasco IDENTIKEY Server. The Radius server port needs to match the Radius port of the Vasco IDENTIKEY Server, as well as the Secret password that is used for Radius authentication between these two elements. In this example only a Primary Radius server is used. 2011 VASCO Data Security. All rights reserved. Page 18 of 55

6.8 Add a local user for the Domain Navigate to Users > Local Users to enter a user to the VASCO domain. Figure 1: Adding a user to the domain (1) Assign this user to the Radius Domain. Enter the Username. NOTE: Passwords will be generated through the Radius Server. Make sure you duplicate the same usernames from the Radius Server (Vasco Demo in this example). This is not really required to add an external user account manually. When you use external user (in this example vasco user) this user profile automatically added on Users > Local Users page. 2011 VASCO Data Security. All rights reserved. Page 19 of 55

6.9 Edit the user s policy Navigate to Users > Local Users and click the Configure button: Figure 11: Changing the policy for the user We now configured the authentication to go the IDENTIKEY Server. You still need to configure the IDENTIKEY Server in order to have the same back-end as your application was using before. If the users were checked on Active Directory, RADIUS or any other back-end authentication service, you will need to setup IDENTIKEY Server with the same back-end authentication. 2011 VASCO Data Security. All rights reserved. Page 20 of 55

7 Configure the NSA 2400 7.1 Login 1. Browse to the default IP address of the SonicWALL NSA on the LAN interface labeled X0 on http://192.168.168.168 and login with the following default values: User Name: admin Password: password (please change afterwards) Figure 2: System Administration Window NOTE: It is advised that you register the SonicWALL NSA appliance on https://www.mysonicwall.com where you can download the latest firmware version with a valid SonicWALL support entitlement. 2011 VASCO Data Security. All rights reserved. Page 21 of 55

7.2 Configure PRO4060 Interface and Zone Navigate to Network > Interfaces according to the Network Diagram on page 3 to configure the correct IP addresses and Zones: Figure 3: Configuring IP-addresses and zones (1) Click the Configure button for the X2 interface and enter the IP address 192.168.200.250 as follows: Figure 4: Configuring IP-addresses and zones (2) 2011 VASCO Data Security. All rights reserved. Page 22 of 55

Click the Configure button for the X1 interface (fixed tied to the WAN zone) and enter the IP address 10.10.10.10 as follows: Figure 5: Configuring IP-addresses and zones (3) Now the X0 interface is configured (fixed tied to the LAN zone) with the IP address 10.120.1.250 as follows: 2011 VASCO Data Security. All rights reserved. Page 23 of 55

Figure 6: Configuring IP-addresses and zones (4) NOTE: As the IP address for accessing the GUI of the NSA 2400 on the X0 interface is changed, the IP address of the computer accessing the GUI needs to be reconfigured in the same IP subnet as the X0 Interface. 2011 VASCO Data Security. All rights reserved. Page 24 of 55

7.3 Create an Address Click the Add button and Navigate to Network > Address Objects: Figure 8: Creating the Address Objects (1) Repeat for an SSL-VPN SRA 4200 object in the DMZ zone. The IP address matches the Network Diagram on page 3: Figure 9: Creating the Address Objects (2) 2011 VASCO Data Security. All rights reserved. Page 26 of 55

7.4 Create inbound allow rule for https & NAT Policy In this chapter we will create an inbound Allow rule to permit all https traffic on WAN to the SSL-VPN SRA 4200 object in the DMZ zone. Select Firewall > Access Rules in the Matrix from WAN to DMZ: Figure 10: Checking Access Rules Step 1: Create an Allow access rule for https on the WAN primary IP address object of the SonicWALL NSA by clicking the Add button: Figure 11: Creating Allow rule (1) The Allow rule for https should look as follows: 2011 VASCO Data Security. All rights reserved. Page 27 of 55

Figure 12: Creating Allow rule (2) Click OK and the following Access Rules will appear in the list from WAN to DMZ: Figure 13: Creating Allow rule (3) 2011 VASCO Data Security. All rights reserved. Page 28 of 55

7.5 Allow rule from DMZ to LAN for IDENTIKEY Server Create an access rule from the DMZ zone to the LAN zone for access to the VASCO IdentiKey object. Navigate to Firewall > Access Rule and indicate in the Matrix the Access Rules from DMZ to LAN. Figure 15: Creating an Access Rule NOTE: If access from DMZ to LAN is needed towards more Destinations other than the VASCO IdentiKey, add them here accordingly. 2011 VASCO Data Security. All rights reserved. Page 30 of 55

8 IDENTIKEY Server Go to the IDENTIKEY Server web administration page, and authenticate with and administrative account. 8.1 Policy configuration Follow these steps to add a new policy: 1. Login to Vasco Identikey Web Administration window 2. Click Policies tab and select Create. Figure 16: Policy configuration (1) NOTE: There are policies available by default, and you can also create new policies to suit your needs. Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit a setting from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new policy, choose the create option. 2011 VASCO Data Security. All rights reserved. Page 31 of 55

Figure 17: Policy configuration (2) In the policy options configure it to use the right back-end server. This could be the local database, but also active directory or another radius server. This is probably the same that was in your default client authentication options before you changed it. Or you use the local database, Windows or you go further to another radius server. NOTE: Configure the policy properties to use the appropriate back-end server. This may be the same authentication service as previously used in the SonicWALL VPN/SSL box. The example below shows the SonicWALL policy: Local Auth.: Back-End Auth.: Dynamic User Registration: Password Autolearn: Stored Password Proxy: Windows Group Check: Default (DIGIPASS/Password) Default (None) Default (No) Default (No) Default (No) Default (No Check) After configuring this Policy, the authentication will happen locally in the IDENTIKEY Server. So user credentials are passed through to the IDENTIKEY Server, it will check these credentials to its local user database and will answer to the client with an Access-Accept or Access-Reject message. 2011 VASCO Data Security. All rights reserved. Page 32 of 55

8.2 Register Client Now create a new component by right-clicking the Components and choose New Component. Figure 19: Client configuration (1) Select RADIUS Client for Client Type. Enter the IP address of the SonicWALL SSL/VPN box. In the policy ID field you should find your new policy. Fill in the Shared Secret you entered for the RADIUS server properties on the SonicWALL SSL/VPN box. Click Create. 8.3 Configure User 8.3.1 Create New User Click the Users tab and select Create. 2011 VASCO Data Security. All rights reserved. Page 35 of 55

Figure 20: User configuration (1) Fill in the username and password fields. Click the Create button to choose the domain and Organizational Unit: Figure 21: User configuration (2) The user will show in the list of users in the Vasco Identikey Web Administration MMC: 2011 VASCO Data Security. All rights reserved. Page 36 of 55

Figure 23: DIGIPASS configuration (1) Browse for the *.DPX file, enter the Transport Key and click UPLOAD Figure 24: DIGIPASS configuration (2) A confirmation message pops up when the DIGIPASS is imported successfully: 8.3.3 Assign DIGIPASS There are two ways to assign a DIGIPASS to a user. Search for a DIGIPASS and assign it to a user or search for a user and assign it to a DIGIPASS. 1. Select user and Click on Assign DIGIPASS button: 2011 VASCO Data Security. All rights reserved. Page 38 of 55

NOTE: If the User ID is left blank, press the Find button and a list of all the available users in the same domain will appear. If no users appear, make sure the domains of the DIGIPASS and the user match. Figure 27: Assign DIGIPASS (3) When a user is assigned to a DIGIPASS a confirmation message will pop up: 8.4 Install Active Directory NOTE: These set of steps are required when VASCO IDENTIKEY server is installed for Active Directory. 8.4.1 Create Users Create users by using an Active Directory back-end in the Active Directory Users and Computers MMC. Right-click a user and select Properties. This may happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active. 2011 VASCO Data Security. All rights reserved. Page 40 of 55

Click the Apply button to see the Update History fields with the current date and time. This means the DIGIPASS account was created successfully. Figure 30: Active Directory configuration (3) 8.4.2 Import DIGIPASS Right-click on Users and make sure the Import Digipass option is in the MMC. 2011 VASCO Data Security. All rights reserved. Page 43 of 55

Figure 31: Active Directory configuration (4) Click on the Import Digipass option. Figure 32: Active Directory configuration (5) Browse for the *.DPX file and enter the Transport Key. 2011 VASCO Data Security. All rights reserved. Page 44 of 55

Figure 33: Active Directory configuration (6) Select Show Applications to view available applications: Figure 34: Active Directory configuration (7) When the DIGIPASSes are imported successfully, a confirmation message appears: 2011 VASCO Data Security. All rights reserved. Page 45 of 55

Click on the Next button on the Digipass Assignment Wizard Figure 38: Active Directory configuration (11) List of users will be displayed as selected in previous step Figure 50: Active Directory configuration (12) 2011 VASCO Data Security. All rights reserved. Page 48 of 55

Click on the Next button and click on Finish button to complete the wizard Figure 54: Active Directory configuration (16) When digipasses assigned successfully, a confirmation message shown on Digipass Assignment Wizard. 2011 VASCO Data Security. All rights reserved. Page 52 of 55

9 Two-factor authentication SSL-VPN test and conclusion To test the two-factor authentication SSL-VPN connectivity with VASCO IdentiKey, connect your PC on the WAN (X1) interface of the NSA 2400 according to Figure 1: Network Diagram. Point your browser to https://10.10.10.10. 1. Login to the Local Domain as an Administrator. 2. Enter Admin for the User Name and password for the Password. 3. Navigate to Portal > Domains and click Configure to test the RADIUS connectivity to VASCO IdentiKey. NOTE: If the RADIUS Authentication is successful, logout of the Administrator GUI and login to https://10.10.10.10 with the User Name you created: Figure 39: Test and conclusion (1) 2011 VASCO Data Security. All rights reserved. Page 53 of 55

NOTE: Use the FixedPassword+DIGIPASSPIN+DIGIPASSOTP password combination for access to the SSL-VPN Portal where you have access to your Bookmarks or NetExtender (IPSec and SSL-VPN) connectivity: Figure 40: Test and conclusion (2) Conclusion: SonicWALL SSL-VPN and firewall/vpn appliances together with DIGIPASS authentication solutions provide easy and secure clientless remote access to the user dependent internal network resources. 2011 VASCO Data Security. All rights reserved. Page 54 of 55

10 About VASCO Data Security VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO s User Authentication software is carried by the end user on its DIGIPASS products which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PC s. At the server side, VASCO s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO s time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries. 2011 VASCO Data Security. All rights reserved. Page 55 of 55