One way to thwart social engineers and reduce other risks associated with passwords is to implement some form of two-factor authentication. If users are required to not only type in a password or PIN but also provide something additional - whether a card, token, fingerprint, iris scan or other factor - simply obtaining a password won't be enough to get the cracker or social engineer into the network.
There are two basic categories of "second factors" that you can implement: devices users carry with them, or biometric characteristics. In this article, we'll look at how to implement a particular form of the first category, SecurID cards and tokens from RSA.
Advantages of authentication devices
Authentication devices, or authenticators, come in several forms:
- Credit card-sized "smart cards" on which a user's digital credentials are stored.
- Hardware tokens resembling "thumb drives" that can be carried on a keychain and plug into a computer via its USB port.
- Software tokens (digital credentials) that can be stored on a portable device such as a smart phone, Blackberry or handheld computer/PDA.
Each has advantages and disadvantages. Smart cards can be carried in a wallet, but with the number of ID cards, credit cards, insurance cards, ATM cards, and membership cards that some of us need to carry these days, our wallets may be filled to overflowing. Tokens are easy to carry in a pocket or on a keychain, but may also be more easily lost and for many of us, our key rings are just as full as our wallets. For those who already carry smart phones or PDAs, the most convenient solution may be to store authentication credentials on the device - but failure of the portable device (or even a dead battery) could render those users unable to log onto the network.
Cost factors may also vary. To use smart card authentication, you'll need to install smart card readers on the systems where users log on, as well as purchasing the cards themselves. Tokens may be more cost effective because they connect directly to the USB port; however, older systems may not have USB ports, or you may wish to disable USB for security reasons, to prevent users from attaching other USB devices. Smart phones and PDA devices, of course, are much more costly than cards and readers or tokens, but if the users already carry them anyway, this can be the most cost effective (as well as the most convenient) way to deploy two-factor authentication.
RSA SecurID: How it Works
Well-known security company RSA (named after the popular Rivest Shamir Adleman public key encryption algorithm on which it held the patents) provides SecurID authenticators in all three form factors. Here's how it works:
- The SecurID authenticator has a unique key (symmetric or "secret" key).
- The key is combined with an algorithm that generates a code. A new code is generated every 60 seconds.
- The user combines the code with his Personal Identification Number (PIN), which only he knows, to log on.
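The three steps above, worked through in code as an added illustration (not RSA's own algorithm, which the article does not describe, and not code from the article): a time-window code is derived from the token's secret key with HMAC-SHA1 in the style of RFC 6238, the user prepends a PIN, and a stand-in for the Authentication Manager checks both factors, tolerates one window of clock drift, and refuses a code it has already accepted. The seed, PIN, code length and timestamps are constructed for this example.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # the article: a new token code every 60 seconds
DIGITS = 6          # assumed code length (constructed for this example)

def code_for_window(secret: bytes, counter: int) -> str:
    """Code for one 60-second window, derived from the token's secret key.
    HMAC-SHA1 over the window counter (RFC 6238 style) stands in for RSA's
    proprietary SecurID algorithm, which this article does not describe."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)

def token_code(secret: bytes, unix_time: int) -> str:
    """What the user reads off the authenticator at a given time."""
    return code_for_window(secret, unix_time // STEP_SECONDS)

class AuthManager:
    """Minimal stand-in for the server side: stores each user's PIN and token
    seed, tolerates +/- one window of clock drift, and refuses to accept a
    code for a window it has already accepted (stops replay of a captured
    passcode during its 60-second lifetime)."""
    def __init__(self, drift_windows: int = 1):
        self.users = {}
        self.drift_windows = drift_windows

    def enroll(self, user: str, pin: str, secret: bytes) -> None:
        self.users[user] = {"pin": pin, "secret": secret, "last_window": -1}

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        rec = self.users.get(user)
        if rec is None or len(passcode) != len(rec["pin"]) + DIGITS:
            return False
        # Both factors are checked with constant-time comparisons.
        pin_ok = hmac.compare_digest(passcode[:len(rec["pin"])], rec["pin"])
        code = passcode[len(rec["pin"]):]
        now = unix_time // STEP_SECONDS
        for window in range(now - self.drift_windows, now + self.drift_windows + 1):
            if window <= rec["last_window"]:
                continue  # already used: a replayed passcode fails here
            code_ok = hmac.compare_digest(code_for_window(rec["secret"], window), code)
            if pin_ok and code_ok:
                rec["last_window"] = window
                return True
        return False
```

A stolen PIN without the token, or a captured passcode reused after its window, both fail the `verify` check.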
Components of the SecurID system include:
- The authenticators
- Authentication Manager software that is installed on a server or appliance and includes the database, administration and reporting tools
- Authentication Agent software that's embedded into remote access servers, firewalls, VPNs, Web servers, and other resources you want to protect, to intercept access requests and redirect them to the Authentication Manager
- RSA Card Manager software can be used to provision smart cards individually or in batches and large volumes, and supports self-service requests so users can unlock cards, renew certificates and request temporary credentials if cards are lost
According to RSA, there are over two hundred products such as firewalls, VPN gateways, wireless access points, remote access servers and Web servers that support SecurID "out of the box." Small-to-medium sized companies can buy a SecurID appliance with the Authentication Manager software preloaded that supports from 10 to 250 users. Authentication agents are available for:
- Microsoft Windows
- Internet Information Services (IIS)
- Apache web server
- Sun Java
- Novell Modular Authentication Service (NMAS)
SecurID in the Enterprise
At the enterprise level, single sign-on is a big issue because users often must manage and remember multiple passwords. This creates frustration and can become a security issue as users resort to writing down passwords in order to remember them all.
RSA's Sign-On Manager is identity management software that provides for single sign-on so that enterprise users can access multiple applications without having to log on again, and integrates with SecurID smart cards and tokens. It also includes technology that allows users to reset their Windows logon passwords. Sign-On Manager can run on Windows 2000 and XP clients and the server component runs on Windows Server 2003 with SP1. The server requires a connection to Active Directory/ADAM, Novell eDirectory, or Sun Java System Directory Server.
Implementing SecurID with ISA Server 2004
ISA Server 2004 supports native SecurID application programming interfaces, and you can install the RSA Authentication Agent software to add support for RSA EAP authentication. You need to have ISA Service Pack 1 installed.
Steps for implementing SecurID to protect a web site published through the ISA Server include the following:
- You need to add an agent host record to the RSA Authentication Manager to identify the ISA Server in the Authentication Manager database. This allows the ISA server to communicate with the Authentication Manager software. Configure the ISA server as a Net OS Agent and include the following information in the agent host record: host name, IP addresses for all NICs, RADIUS secret if you're using RADIUS authentication.
- Configure the ISA Server 2004 web listeners. This consists of the following sub-steps:
  - First verify that the ISA Server and the Authentication Manager server or appliance can communicate, using the RSA Test Authentication Utility in the Tools folder on the ISA Server installation CD. Copy the utility to the ISA Server Program folder.
  - Copy the sdconf.rec file from the Authentication Manager server to the System32 folder on the ISA Server.
  - Run the sdtest.exe tool by entering the following at the command prompt: %Path to ISA installation directory%\sdtest.exe
- In the ISA Server MMC, enable the SecurID web filter by following these sub-steps:
  - Under the node for your ISA Server, right-click Firewall Policy and select Edit System Policy.
  - In the System Policy Editor's left Configuration Groups pane, under the Authentication Services folder, click RSA SecurID, and check the Enable checkbox on the General tab. Click OK to save the change.
  - Don't forget to click the Apply button on the ISA dashboard to apply the change to the firewall configuration. You'll also need to restart the ISA Server computer.
- Configure a web publishing rule for RSA SecurID authentication by performing these sub-steps:
  - In the ISA MMC, click Firewall Policy and on the Task List pane, click Create New Server Publishing Rule.
  - Type a name for the rule.
  - On the Select Rule Action page, click the Allow option button.
  - On the Select Web Site to Publish page, type the computer name or IP address and the folder you want to publish.
  - On the Select Public Domain Name page, type the public domain name or IP address for the Web site you're publishing.
  - Select a web listener to host the web traffic by following these sub-steps:
    - On the Select Web Listener page, click the Edit button.
    - Click the Networks tab, and check the boxes for the networks to which you want the Web listener to bind.
    - Click the Preferences tab, and click the Authentication button.
    - On the Authentication page, check the SecurID checkbox in the list of authentication methods. Check the box that says Ask Unauthenticated Users for Identification. Click OK to apply the changes.
  - In the web publishing rule wizard, SecurID should now show up in the Listener Properties list.
  - Add "All Users" to the rule's user sets, so the firewall will apply the rule to all users who try to access this web resource.
  - Click Finish to save the new rule and, again, remember to click the Apply button on the dashboard to save the new rule to the firewall configuration.
You can use RSA's SecurID technology to reduce the risk of network security breaches that result from password cracking and social engineering by requiring two-factor authentication for Windows logon, access to Web resources through the firewall, VPN logon, etc. With its well established reputation and widespread interoperability, RSA smart card or token authentication offers one of the best options for implementing multi-factor authentication on your network.