OneSpan Authentication Server network security


To protect the server environment, the security of the network must be ensured. The following information provides an overview of the steps necessary to secure the network.

Firewall configuration

OneSpan Authentication Server uses several different TCP/UDP ports to communicate. If these are blocked by a firewall, some features will not work correctly.

Before installing OneSpan Authentication Server, ensure that these ports are not blocked by a firewall and are not already in use by another application. The Installation Wizard will issue a warning and halt the configuration process if any of the required ports are unavailable. For a complete list of the ports used, refer to the OneSpan Authentication Server Administrator Reference.

We recommend using a software firewall on OneSpan Authentication Server and segmenting the OneSpan Authentication Server network with a hardware firewall.

Industry best practices: Network security

In addition to the practices outlined in the previous topics, we strongly recommend adhering to the following industry best practices for hardening the network infrastructure:

  • Always run anti-virus and anti-malware tools with the most current definition files.

  • Do not connect OneSpan Authentication Server directly to the internet.

  • Do not place OneSpan Authentication Server in a demilitarized zone (DMZ).

  • Do not host OneSpan Authentication Server on the same operating system instance with other software.

Limited access to OneSpan Authentication Server components

To further increase network security, limit the access to OneSpan Authentication Server components and elements to the necessary minimum—this includes but is not limited to:

  • Limiting access to OneSpan Authentication Server Administration Web Interface to system administrators and support staff.

  • Limiting access to SEAL and RADIUS to services using these protocols.

  • On Linux distributions, run OneSpan Authentication Server under its own service account and restrict access to its files to that service account. This service account cannot be changed after installation!

It is essential to restrict network traffic between OneSpan Authentication Server services and external systems. We strongly recommend using firewalls designed to prevent unnecessary network access to OneSpan Authentication Server.

Remote access to server system components should be limited by using the following approaches as a minimum:

  • Disable remote access methods for the operating system that communicate over unencrypted channels, for example telnet or FTP.

  • Disable any other remote access method for the operating system, for example SSH, unless absolutely required for maintenance. Disable immediately when maintenance is completed.
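The firewall and access restrictions described above (host firewall on the server, RADIUS and SEAL reachable only by the systems that use them, the Administration Web Interface reachable only by administrators and support staff, SSH enabled only for maintenance) can be expressed as one host-firewall policy. The script below is an added example for a Linux host using nftables; it is not part of the OneSpan product or its documentation. The networks and the SEAL and admin web port numbers are placeholders, and the RADIUS ports are the standard 1812/1813 UDP; take the real port list from the Administrator Reference.

```shell
#!/bin/sh
# Added example: host-firewall policy for a Linux OneSpan Authentication Server
# host as an nftables ruleset. Only the services named in the documentation
# (RADIUS, SEAL, Administration Web Interface, SSH for maintenance) are
# reachable, each only from the hosts that need them; everything else is dropped.
# ASSUMPTIONS: the networks below are placeholders; RADIUS 1812/1813 UDP are
# the standard ports, SEAL 20003/tcp and admin web 8888/tcp are assumed
# defaults. Take the real port list from the Administrator Reference.
set -eu

ADMIN_NET="${ADMIN_NET:-10.0.50.0/24}"                     # administrators and support staff
RADIUS_CLIENTS="${RADIUS_CLIENTS:-10.0.10.5, 10.0.10.6}"   # NAS/VPN devices registered as RADIUS clients
SEAL_CLIENTS="${SEAL_CLIENTS:-10.0.20.0/24}"               # application servers that use SEAL
MAINT_HOST="${MAINT_HOST:-10.0.50.10}"                     # jump host allowed to SSH during maintenance
RADIUS_PORTS="1812, 1813"                                  # authentication, accounting
SEAL_PORT=20003
ADMIN_PORT=8888

# Print the ruleset. Pass 1 to include the temporary SSH rule; regenerate
# with 0 and re-apply as soon as maintenance is finished.
gen_ruleset() {
  allow_ssh="${1:-0}"
  cat <<EOF
flush ruleset
table inet oas {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    # RADIUS only from registered RADIUS clients
    ip saddr { $RADIUS_CLIENTS } udp dport { $RADIUS_PORTS } accept
    # SEAL only from the application servers that use it
    ip saddr $SEAL_CLIENTS tcp dport $SEAL_PORT accept
    # Administration Web Interface only from the admin network
    ip saddr $ADMIN_NET tcp dport $ADMIN_PORT accept
EOF
  if [ "$allow_ssh" = 1 ]; then
    printf '    # temporary: SSH from the maintenance host only\n'
    printf '    ip saddr %s tcp dport 22 accept\n' "$MAINT_HOST"
  fi
  # No rule for telnet (23) or FTP (21): the drop policy blocks them even if
  # the services were accidentally left enabled. Log what gets dropped.
  cat <<EOF
    log prefix "oas-drop " counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Number of rules that open a service port; used to sanity-check the policy
# before applying it (3 normally, 4 while the SSH rule is present).
count_service_rules() { gen_ruleset "${1:-0}" | grep -c 'dport'; }

# Apply only when explicitly requested (needs root and the nft binary):
#   APPLY=1 ALLOW_SSH=0 sh oas-firewall.sh
if [ "${APPLY:-0}" = 1 ]; then
  gen_ruleset "${ALLOW_SSH:-0}" | nft -f -
fi
```

Running the script without APPLY=1 only prints nothing and is safe; use `gen_ruleset 1 | nft -f -` at the start of a maintenance window and `gen_ruleset 0 | nft -f -` at the end, which is the "disable immediately when maintenance is completed" step as a single command. Keeping the SSH rule out of the default ruleset means a reboot or a re-apply never silently leaves it enabled.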

Network Time Protocol and OneSpan Authentication Server

The Network Time Protocol (NTP) synchronizes the clocks of computers over a network. If multiple NTP servers are configured, the NTP client evaluates all of them and selects the best source, so configuring several servers provides redundancy. In general, best accuracy is obtained from servers with low network latency to OneSpan Authentication Server. Because validation of time-based one-time passwords depends on the server clock, use only trusted NTP servers and ensure that users are prevented from changing the time on the NTP servers used by OneSpan Authentication Server.
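A practitioner will want to check, not just configure, that the server is synchronised to the intended NTP sources. The script below is an added example, not part of the OneSpan product or its documentation: it evaluates the output of `chronyc tracking` on a Linux host and fails if the reference source is not one of the approved internal servers, if the clock is not synchronised, or if the offset exceeds a threshold. The host names, the 0.5 s threshold and the abbreviated sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a Linux OneSpan Authentication Server host is
# synchronised to an approved internal NTP server by evaluating the output
# of `chronyc tracking`. Host names, threshold and sample outputs below are
# constructed for this example.

# check_tracking APPROVED MAX_OFFSET   (reads `chronyc tracking` output on stdin)
# Exit 0 only if the reference source is in APPROVED (space-separated host
# names), the leap status is Normal and the system time offset <= MAX_OFFSET s.
check_tracking() {
  approved="$1"
  max_offset="${2:-0.5}"
  awk -v approved="$approved" -v max="$max_offset" '
    /^Reference ID/ { ref = $0; sub(/.*\(/, "", ref); sub(/\).*/, "", ref) }
    /^System time/  { off = $4 }                           # "System time : 0.00025 seconds fast of NTP time"
    /^Leap status/  { leap = $0; sub(/^[^:]*: */, "", leap) } # "Normal" or "Not synchronised"
    END {
      n = split(approved, a, " "); ok = 0
      for (i = 1; i <= n; i++) if (a[i] == ref) ok = 1
      if (!ok) { print "FAIL: reference source \"" ref "\" is not an approved server"; exit 1 }
      if (leap != "Normal") { print "FAIL: leap status is \"" leap "\", clock not synchronised"; exit 1 }
      if (off + 0 > max + 0) { print "FAIL: offset " off "s exceeds " max "s"; exit 1 }
      print "OK: synchronised to " ref ", offset " off "s"
    }'
}

# Constructed, abbreviated `chronyc tracking` outputs for the four cases.
sample_good() { cat <<'EOF'
Reference ID    : 0A003205 (ntp1.corp.example)
Stratum         : 3
System time     : 0.000251372 seconds fast of NTP time
Last offset     : +0.000123456 seconds
Leap status     : Normal
EOF
}
sample_drifted() { cat <<'EOF'
Reference ID    : 0A003206 (ntp2.corp.example)
Stratum         : 3
System time     : 3.104812000 seconds slow of NTP time
Last offset     : -3.104812000 seconds
Leap status     : Normal
EOF
}
sample_unsynced() { cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
Leap status     : Not synchronised
EOF
}
sample_external() { cat <<'EOF'
Reference ID    : D8EF2308 (time.pool.example)
Stratum         : 2
System time     : 0.000102000 seconds fast of NTP time
Last offset     : +0.000050000 seconds
Leap status     : Normal
EOF
}

APPROVED="ntp1.corp.example ntp2.corp.example"
# On a real host: chronyc tracking | check_tracking "$APPROVED" 0.5
for s in sample_good sample_drifted sample_unsynced sample_external; do
  printf '%-16s ' "$s"
  "$s" | check_tracking "$APPROVED" 0.5 || true
done
```

The external-source case is the one the documentation's last sentence is about: a host that is perfectly synchronised to a server nobody controls is still a problem, so the check compares the reference source against an allow list rather than only looking at the offset. Run it from the monitoring job that already watches the server so that a clock drift or a change of source is alerted on rather than discovered during an authentication outage.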