In a 1994 survey by Infosecurity News, a trade magazine about information systems security, 34 percent (169) of respondents estimated that if organisations' computerised data were lost, tampered with, erased or stolen, the loss would amount to more than $5 million. An additional 25 percent (125) of respondents said the loss would be between $1-5 million. Worldwide losses due to network security breaches are estimated from $800 million (US Congressional Study) to $5 billion (the Yankee Group).
This paper will describe a technology that is designed to protect against unauthorised access to systems, services and resources. This technology is most commonly known as token-based authentication. It can also be referred to as two-factor or advanced authentication. I will review the weaknesses inherent in traditional static passwords. I will then describe the basic capabilities of token-based authentication. Finally, I will describe an authentication architecture that can be deployed across the entire enterprise, securing internal (LAN or WAN) access as well as remote access via telephone lines, ISDN or the Internet.
Firstly, however, let's take a high-level view of enterprise security. What are the industry trends that impact network security? What are the major concerns of top management? How do these concerns filter down to security policy and network configurations?
Since the late 1980s, specialised inter-networking products have made it easier for organisations to connect their disparate LANs within a facility and between geographically dispersed sites. Organisations are also increasingly integrating their LANs with their minicomputers and mainframes thus enabling users to communicate, exchange information and share computing resources within and between organisations. Many of these organisations are seeking to develop client/server implementations of their enterprise applications to more fully exploit their distributed networks. These new enterprise-wide networks require a comprehensive set of network products that can integrate a large number of users and heterogeneous computing resources into a consistent, manageable and secure computing environment.
The increase in the number and type of network access points has presented a huge challenge to network managers. While on the one hand, today's enterprises require sophisticated network technology to remain competitive, the new technologies create myriad security threats as unauthorised users find ways to access the network. Companies are vulnerable not only to unauthorised access by suppliers, customers and other third parties, but also to abuse by employees within their own organisations.
Computer Security is not a goal, it is a means toward a goal: Information Security.
- Cheswick & Bellovin (1994)
The highest level concern of the enterprise regarding network security is the ability to audit network activity. The internal network is a valuable - and vulnerable - enterprise resource. Senior Management has a need and, indeed, an obligation to know who the users are, what they are doing, where they are doing it and when they are doing it. Other concerns of management are privacy and integrity of corporate data, and control of user privileges - for employees as well as non-employees such as customers or suppliers.
While a wide range of tools is available for network security, these rely heavily upon the development of sound enterprise security policies, followed by proper implementation, ongoing enforcement, and periodic review. Security policies begin with rules and regulations to control behaviour within the organisation irrespective of the network. What facilities or information should people have access to? If the organisation is so large that employees do not know each other, how do people prove who they are when requesting a service from someone they never met? These sorts of policies can be extended to network access and usage. They are then enforced through controls inherent to network security products. However, management needs to further address who controls the tools (the security administrators) and how they are monitored through a system of checks and balances.
specific users. User Identification and Authentication products are for authenticating the identity of authorised users. The effectiveness of each succeeding class of security products is either dependent on or enhanced by the availability and effectiveness of one or more of the preceding classes. For example, without proper authentication of the identity of a user, it is difficult to control access to encryption keys or to effectively audit user activity. Some analysts extend the hierarchy to show a further dependence on physical security. All bets are off if the computer criminal wheels away the corporate database server in the middle of the night.
(i) something secret the user knows, such as a word, phrase, personal identification number (PIN), code or fact;
(ii) something physical the user possesses, such as key, smart card, badge or other form of discrete 'token', which is resistant to counterfeiting; and
(iii) something unique to the user, commonly referred to as a 'biometric'.
Traditional authentication is any scheme based solely upon the first factor. Advanced authentication incorporates at least two factors.
The most common method of user identification and authentication, something secret the user knows, is employed in static password systems. These systems require a user to input a secret word, phrase or PIN selected by the user or chosen for the user by the system or application. Most operating system suppliers provide static password security. However, static passwords are often shared between users and can be guessed, stolen or observed. As a result, they can be compromised without user awareness.
Biometric systems measure something unique to the user such as a fingerprint, signature, retinal pattern or voiceprint to authenticate the identity of users. The disadvantages of biometric technology include cost, lack of portability, statistical limitations resulting in false acceptance of unauthorised users or rejection of authorised users, and vulnerability to observation or electronic eavesdropping and replay. As a result, biometric systems have not yet found a place in mainstream computer network security.
Examples of methods of user identification and authentication involving something physical the users possess include token-based systems, such as smart cards, super-smart cards and challenge/response calculators. Smart card systems include a small plastic card, similar in appearance to a credit card, and a separate card reader or other hardware device. The separate card reader greatly increases the cost per user and limits the use of smart cards to devices with an attached reader. Time-synchronised super-smart cards are approximately the same size as smart cards but contain an internal power source and display. Challenge/response systems include a hand-held token, typically the size of a small calculator, with a keypad. To access a system using challenge/response technology, a user activates the token using a PIN and then enters into the token a series of codes that are 'challenged' by the system. Challenge/response products have a number of limitations, including numerous user steps, the longer time required to authenticate the identity of a user, and the size and complexity of the token.
Time-synchronised tokens combine two methods of user identification - something secret the user knows (a PIN) and something the user possesses (the token). To gain access to a protected resource, a user enters his or her PIN and a token code. The token code is a constantly changing number automatically computed and displayed on the liquid crystal display ('LCD') of the user's security token. The PIN and the token code together form the user's 'PASSCODE'. With a valid PASSCODE, the authorised user is identified and authenticated by the access control products and granted access to appropriate information resources.
Digital IDs are also emerging as a means of electronic authentication. Is a digital ID something you know or something you have? Normally a digital ID is issued by a certificate authority and passed to the user via electronic media. It includes several elements, among them a private key that can be copied and transmitted but must be held confidential by the user. Hence, a digital ID can be considered something secret that the user knows. Processing a document with a digital ID affixes a digital signature. VeriSign, a leading supplier of digital signatures, describes their use as follows:
...a digital signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached.
(VeriSign Inc. 1996)
For the purpose of user authentication, digital IDs can only be considered a single factor. This is true regardless of key length or the proven strength of the associated cryptographic algorithm. Digital IDs can become a second factor only as technology is applied to embed the ID on a card or other token device. The token can then be considered something that you have. The degree to which the token is non-counterfeitable (that is, cannot be copied) will determine its strength as a second factor.
The Internet. The Internet is upon us and has emerged as an absolute paradise for hackers. By definition, the Internet is an un-trusted network, while your internal network is normally considered a trusted network. By establishing a connection to the Internet, you may compromise the trust of your internal network. How does a network become compromised? Intruders may pose as trusted users, or pretend that their computers are trusted network nodes. In most cases, any Internet user can use Telnet to log on to any computer on the Net, provided he knows (or can guess) an ID and password. Network firewalls are emerging to address these issues through packet filtering, hiding internal addresses and executing proxies for network services. However, firewalls, in their basic configuration, authenticate users only with a static password (Cheswick & Bellovin 1994).
Dial-up Access. Users have demanded (and generally have been granted) the ability to dial into the network from home, the hotel, the customer site and the branch office. Typically, a company establishes a remote access capability by attaching modems to a key system or installing a remote access server. In cases where management has been resistant to offer remote access, users have circumvented the MIS department by simply installing a modem and remote control software (such as PC Anywhere) on their desktop PCs. While there are normally great business advantages in having remote access, there are significant security issues to be addressed as well. A single modem on the network may expose the entire enterprise to data loss, service interruption, or outright loss of assets due to security breaches. Hackers, working alone or with the assistance of insiders, have various techniques to crack defences (including dial-back systems) and navigate through the network.
ISDN. ISDN, or Integrated Services Digital Network, is available now in Singapore and many other countries. ISDN is simply an extremely high-speed public dial-up line that allows for multimedia and other types of transmission that are not possible over normal telephone lines. For remote access security purposes, the risk that ISDN communication servers pose to the network is similar to that of analog communication servers. Static passwords will not be adequate.
Leased Lines and X.25. Network connection to any kind of dedicated line normally poses less risk than connection to a public telephone line. However, while you may believe that your local area network is secure, once you connect it to another network, you are only as secure as the other network. What procedures are in place to secure the other network? Does the other network have dial-up access or an Internet connection? Will the other network administrator advise you before allowing remote access to his/her network? Network connection to any kind of public line or service raises the same issues as remote dial-up and Internet access.
Host systems. Host systems are typically the legacy mainframe systems that are still used for corporate databases and some major applications. Typically these are IBM 370 or VAX/VMS systems. Sensitive data that may reside on host systems includes financial results, medical records, personnel files, research and development projects, marketing plans and other business information. Traditionally, these systems have been protected by static passwords and simply by isolation, since they were not connected to networks. Today's business environment, however, requires immediate access to data. As a result, these systems are more likely to be connected to the network and a greater number of internal users are in a position to seek access.
Servers. Servers are shared resources on computer networks that store data, files and applications. Some servers also execute applications. The servers can contain the sensitive information that is contained on host systems. The most common corporate servers are Novell, UNIX, OS/2 and, more recently, Windows NT. Servers normally employ only static passwords for protection.
Workstations. Workstations are typically UNIX systems with a high-resolution display that is dedicated to a single user. However, workstations are most powerful when operated on a network. As is the case with servers, workstations also may contain sensitive information that can be readily accessed by users on a network protected only by static passwords.
PCs. Highly sensitive information may be stored on personal computers which typically employ no security system whatsoever, not even passwords. However, since PCs are not multi-user devices they normally do not have to be protected as network resources. Shutting off the PC and locking the door to the office is an extremely effective security practice. However, this is not always possible. An emerging trend is dial-up remote access to one's own office PC using remote control software such as PC Anywhere or Reach Out. This practice can put both the PC and the network at risk.
Single Sign-On and Kerberos. Since a single user can be authorised to use many systems on a network, a new capability has emerged called Single Sign-On (SSO). This capability is popular with users since a single password and a single logon procedure authorises access to all systems in the network. The obvious risk of this approach is that, in the event that an unauthorised user steals or observes a password, all systems relevant to that password may be compromised. SSO systems in their simplest forms employ static passwords and can be enhanced with two-factor authentication. Kerberos, developed by MIT's Project Athena (the X-Windows group), is a public domain network authentication system that has similarities to the commercial SSO systems. Kerberos is also concerned with privilege. Tickets with expiration times are issued for users and the services they wish to access. While Kerberos sessions and transactions employ strong authentication, a user may initially identify oneself to Kerberos with only a static password (Cheswick & Bellovin 1994, Jaspan 1995).
Authentication Server. The authentication server software centrally authenticates a user's identity, allowing only authorised users access to protected network resources. User access to network resources via a gateway, remote dialup or direct connection is centrally managed and administered. Operating on a wide variety of UNIX-based platforms, the authentication server establishes a protective perimeter around selected network-based resources. Used in conjunction with the hand-held security token, the authentication server provides highly secure access control for any number of authorised users and network resources. The server maintains an audit trail of all authorised and unauthorised attempts to gain access. In addition, the server has functions designed to intercept attempted system abuse and automatically take action if the system suspects that a token is lost or stolen or a PIN is compromised.
Authentication Client. Network nodes or clients are protected by, and at the discretion of, the security administrator. Each protected node executes authentication client code. Authentication client code acts as an interface between network nodes and the authentication server and operates on many UNIX workstations, third party communication products, servers, and application products. Also available is an authentication client Application Programming Interface (API). The API is well-suited for those custom applications that require strict access controls and accountability.
Security Token. Each Security token contains a proprietary algorithm and is programmed with a secret, randomly generated seed number that is unique to the user. The algorithm uses two inputs, the seed number and Greenwich Mean Time, to produce a sequence of token codes at set intervals (typically every 60 seconds). The authentication server uses the same seed number and Greenwich Mean Time to generate a PASSCODE corresponding to the user's PASSCODE. If the PASSCODE generated by the system and the PASSCODE entered by the user match, then system access is authorised. If not, system entry is blocked.
The security tokens contain LCD displays and can be supplied in a number of configurations. Both the standard token and the keypad token are credit-card sized super smart cards. The keypad token permits direct entry of a user's PIN into the card. This reduces the risk of electronic eavesdropping by enabling a user to transmit an embedded combination of the user's PIN and token code. Another token form factor is the key fob, which is more durable and compact and can be attached to a key chain. Additional forms under development include a PCMCIA modem token and a software token to be installed on a PC. Security tokens can be programmed to operate for any period of time, from one to four years, as specified by the purchaser. The software token is targeted at applications with security requirements that fall somewhere between hardware tokens and static passwords. This is due to the inherent security limitations of PCs.
Third Party Support. Since all of the systems and devices on the network can operate as authentication clients, some programming development effort is required to establish this capability. The authentication client code can be enabled on a range of UNIX and other systems through the API. For network devices, normally the manufacturer has to embed the authentication client code in the firmware. Hence, the usefulness of this authentication architecture is determined largely by the extent and the quality of the relationships between the manufacturer and the third party suppliers. To meet this challenge, a number of relationships have been forged that address a wide range of network systems and devices.
Control all Access Points to the Network. Access points to the network include routers, firewalls, communication servers (dial-up and ISDN), and modems on any connected system. All of these systems and devices can be enabled as authentication clients. If you are connected to the Internet or any other un-trusted network, an Internet firewall should be considered as the first line of defence. Any user accessing firewall services or proxies can be authenticated by enabling the firewall as an authentication client.
Protect Sensitive Resources. You need to protect key applications and databases. You need to protect the administrative accounts on network devices, particularly the routers. Systems and devices on the network can be protected as authentication clients. Applications and data can be protected through the authentication client API. This controls access at the system, application or transaction level. SSO and Kerberos implementations can also become part of the authentication architecture by enabling the relevant server as an authentication client. Even logon to individual PCs can be protected by employing and enabling third party products designed for this purpose.
As network security technologies are evaluated, the enterprise should establish its own selection criteria based upon current requirements while planning for future trends and technologies. Factors that you will want to consider include the following:
Consideration of these factors will help to ensure acquisition of the best solution today while protecting against obsolescence by future products and technologies.