
SecureAuth Hosted Services - Security FAQ

Introduction

This document provides information about hosted services for SecureAuth IdP.

Information

SecureAuth Web Services (X509.multifactortrust3.com, cloud.gosecureauth.com, cloud.secureauth.com, trx.secureauth.com, us-cloud.secureauth.com, and us-trx.secureauth.com) are IIS web farms fronted by redundant firewalls, Intrusion Protection Services, and load-balancing devices. These IIS servers are extensively hardened and penetration tested.

The SecureAuth web service is built on Web Services Enhancements (WSE) 3.0, a managed API that extends SOAP; it is compatible with ASP.NET and is therefore hosted on IIS.

Why does SecureAuth use Port 80 HTTP?

SecureAuth IdP uses WSE 3.0 / WCF message-level encryption over HTTP on TCP port 80. With WSE 3.0, the HTTP payload is encrypted while the header information is left unencrypted, which is a more efficient (lower-overhead) way to support traversal of infrastructure such as firewalls and routers. It is much more efficient and scalable than standard SSL/transport-level encryption.

SecureAuth also chose WSE 3.0 / WCF over standard SSL because WSE 3.0 / WCF can encrypt with a different key for each customer (bilateral X.509 authentication), whereas SSL uses a single key that is universal across all clients.

Which ports are used and why?

SecureAuth IdP's web services listen on TCP ports 80 and 443, since the various services provided require one or both ports.

Additionally, for legacy proxy-server support, SecureAuth offers the option to disable WSE 3.0 / WCF message-level encryption and enable transport-level encryption instead, that is, SSL over port 443.
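The following script illustrates the two points made above: message-level encryption leaves the HTTP request line and headers readable to firewalls and proxies on the path while the SOAP body is protected under a per-customer key, and a message encrypted for one customer is rejected under another customer's key; it also encodes the choice between message-level security on port 80 and the legacy SSL-on-443 fallback. This is an added example written for this FAQ, not SecureAuth's, WSE 3.0's or WCF's code. WSE 3.0 uses XML Encryption keyed through each customer's X.509 certificate; the stand-in here is a symmetric per-customer key driving an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, so it runs offline on the Python standard library. The customer keys, the `/service.asmx` path, the `X-Customer-Id` header and the `choose_channel` settings are all constructed assumptions.

```python
"""Message-level encryption of a SOAP body over plain HTTP (illustration).

Added example for this FAQ, not SecureAuth/WSE/WCF code. A symmetric
per-customer key with HMAC-SHA256 counter mode plus an encrypt-then-MAC tag
stands in for the X.509-keyed XML Encryption that WSE 3.0 actually uses.
"""
import hashlib
import hmac
import secrets

# Constructed per-customer keys (hypothetical): stand-ins for the key material
# each customer's X.509 certificate would establish. Never hard-code real keys.
CUSTOMER_KEYS = {
    "customer-a": hashlib.sha256(b"constructed key for customer A").digest(),
    "customer-b": hashlib.sha256(b"constructed key for customer B").digest(),
}
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(customer_id):
    """Derive separate encryption and MAC keys from the customer's key."""
    key = CUSTOMER_KEYS[customer_id]
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based keystream of `length` bytes."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt_body(customer_id, soap_body):
    """Return nonce || ciphertext || tag under this customer's key."""
    enc_key, mac_key = _subkeys(customer_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(soap_body, _keystream(enc_key, nonce, len(soap_body))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_body(customer_id, blob):
    """Verify the tag under this customer's key, then decrypt. A blob encrypted
    for a different customer fails the tag check and is rejected unread."""
    enc_key, mac_key = _subkeys(customer_id)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message rejected: truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message rejected: tag does not verify under this customer's key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def build_http_request(host, customer_id, soap_body):
    """Assemble a POST over plain HTTP: headers in clear, body encrypted.
    The path and the X-Customer-Id header are constructed for this example."""
    payload = encrypt_body(customer_id, soap_body)
    head = (f"POST /service.asmx HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"X-Customer-Id: {customer_id}\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload

def observe_on_wire(request):
    """What a firewall or proxy on the path can read without any key: the
    request line and headers parse normally; the body stays opaque."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"request_line": lines[0], "headers": headers,
            "body_readable": b"<soap" in body.lower()}

def receive_request(request):
    """Server side: select the customer's key from the clear header, decrypt."""
    seen = observe_on_wire(request)
    _, _, blob = request.partition(b"\r\n\r\n")
    return decrypt_body(seen["headers"]["X-Customer-Id"], blob)

def choose_channel(message_security, port):
    """Channel implied by the two settings the FAQ describes: WSE/WCF
    message-level security on port 80, or the legacy fallback of SSL on 443.
    Refuses the one combination that would put SOAP on the wire in clear."""
    if message_security:
        return f"message-level encryption over HTTP on port {port}"
    if port == 443:
        return "transport-level encryption (SSL) on port 443"
    raise ValueError("refusing cleartext: message security is off and port is not 443")

if __name__ == "__main__":
    body = b"<soap:Envelope><soap:Body><Otp>123456</Otp></soap:Body></soap:Envelope>"
    req = build_http_request("cloud.secureauth.com", "customer-a", body)
    print(observe_on_wire(req))          # headers visible, body_readable False
    print(receive_request(req))          # original SOAP body
    print(choose_channel(False, 443))    # legacy transport-level fallback
```

Running the script shows what a middlebox sees (`Host`, `Content-Length` and the customer identifier in clear, the body opaque), that the server recovers the body only under the matching customer key, and that turning message security off is only acceptable when the transport moves to SSL on 443.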

Several IPs are required for SecureAuth's hosted services. How are these used?

The SecureAuth IdP hosted services comprise multiple geographically dispersed web farms that serve different types of web services. Access to all web farm IP addresses is required for Cloud Services site redundancy. These services include X.509 certificate signing, SMS and telephony one-time password services, Push Notifications / Push-to-Accept (Mobile Login Requests), Threat Services, etc.

Notice

Reverse DNS returns the names of the Tier 1 SSAE-16 Type II datacenter's iNet clusters (cluster.multifactr.redplaid.com and ddf3bjq1.redplaid.com). These clusters provide the redundant Internet connectivity and fail-over services needed to meet our strict provider requirements.