83-10-30 Remote Access Authentication
Ellen Bonsall
Payoff

Complex distributed networks have made security a critical component of network architecture. Client/server technology is delivering sensitive data and mission-critical applications directly to the desktop. Without appropriate protection on both the Internet and enterprise sides of the network, an organization is vulnerable to even the simplest of attacks. To protect an organization's information assets, IS teams must establish security policies, procedures, and systems to support these assets.

Introduction

The computing world has evolved from a centralized environment consisting of single mainframes and multiple dumb terminals to today's distributed client/server networking environment. Given this global change in information systems (IS), networking industry experts around the world agree that the management of information systems, particularly network security, is an increasingly difficult task for today's executives. IS managers live with the fear that a great financial loss due to an unforeseen network security breach will be blamed solely on the IS team.

Complex distributed networks have made security a critical component of network architecture. Client/server technology is delivering sensitive data and mission-critical applications directly to the desktop. Most of today's security products are designed to do one specific job, without regard to their roles in the larger security scheme. Without appropriate protection on both the Internet and enterprise sides of the network, an organization is vulnerable to even the simplest of attacks. To protect an organization's information assets, IS teams must establish security policies, procedures, and systems to support these assets.
User and Client Authentication

IS security professionals must combine the task of integrating worldwide authentication services across multiple networking platforms with that of securing information in the burgeoning distributed and mobile computing environment. User and client authentication must be the foundation of any viable network security plan. To compete in today's global economy, CEOs, CIOs, and IS professionals are seeking ways to seamlessly tie employees, business and technology partners, suppliers, and customers together for information sharing while simultaneously protecting sensitive data.

The market for remote access security and authentication products boils down to one fact: people want to know with whom they are dealing. However, as advancing technology makes complex distributed networks the norm rather than the exception, it becomes increasingly difficult to guarantee that information will be protected from unauthorized users. It can be devastating for individuals and organizations when sensitive information falls into the wrong hands. IS professionals should track patterns of information crime, study the ways in which other organizations have dealt with network security breaches, and keep abreast of the latest products designed to protect information assets.

The specter of unauthorized LAN remote access has caused many IS departments to consider an authentication complement for their network security schemes. Even with added protection, however, systems are vulnerable. IS security is not just about protecting electronic communications from Internet criminals. Moreover, a new range of access points in today's open systems has made it possible to hack into systems from sites located anywhere in the world. To establish easy-to-use, cost-effective safeguards, IS security professionals must coordinate with CEOs, CIOs, IS staff, and users to address basic security fundamentals. Optimum solutions cannot be achieved without user cooperation and participation. Regardless of how fail-safe a system may appear, if users can disable it, or gain access to information without having to comply with established security standards, the safeguard is useless.

Finally, many organizations put the cart before the horse by installing the latest security panacea (e.g., an internal or external firewall) without first establishing an overall security policy. It is essential to effective access and user authentication strategies to pinpoint exactly what is being protected and from whom.

Defining the Security Process

If an organization does not already have an official security policy that is endorsed at all levels of management, it is essential that the IS team gather the necessary parties and create one. Some departments may already have policies; the basic elements of these may be relevant to an organizational policy. The policy should be implemented as soon as possible and should, above all, mandate an enterprisewide user authentication solution that can be scaled to differing security requirements. The IS team should develop a code of conduct for employees, and should require that employees sign a compliance document once they have read and understood the code. To further ensure compliance, the team should plan to educate employees about the importance of security and the value of information to the organization. Employee awareness programs are useful for this purpose.

Making Enterprise-Specific Security Choices

A myriad of solutions exist to combat today's security problems, some of which cost more than others, both in time and in monetary investment. Vendors of firewalls, routers, and communications servers are continually integrating the latest technology to make their security products more reliable. IS staff who are responsible for choosing and implementing such products should carefully compare products before purchasing and implementing them. The best security solutions for an organization are not necessarily those used by other organizations in the same industry. Of primary importance is that the IS team begin the process and establish safeguards, with the assumption that products will require constant review and updating. Before addressing specific strategies for securing servers with either native options or third-party systems, IS staff should take special care to secure any server that can be accessed remotely, or that can be accessed from other remotely accessed servers on the wide area network.

When evaluating security tools, it is useful to establish the goals of the organization's security system, including the user authentication facet of security. IS staff should establish exactly what the security and remote access authentication system will protect; who will be permitted access and, relatedly, who will be denied specific access. The more specific the outline of user access requirements is, the more comprehensive remote-access security will be. The success of these access objectives can be measured when the system is implemented, and the objectives can be changed as personnel, networks, and organizational goals change.

IS staff should draw up written procedures that detail how and when the security systems will be audited. In addition, an independent, internal or external audit team should look over the systems at least quarterly, and the members should be fully aware of all of the security and access objectives of the organization. When the independent audit team submits a report, any noncompliance should be addressed by the IS team immediately.

Establishing Basic Controls

A number of fundamental controls should be implemented in any organization to secure Internet and dial-up remote access.

Management Controls. Technical personnel within the organization should be trained before they are permitted to cruise the Internet or to dial into the LAN through a remote connection. If the organization is connected to external networks, IS staff must understand the risks and manage these connections properly. In addition, a policy on the acceptable use of the Internet should be distributed to all employees. Internet access can negatively affect productivity unless reasonable limits are set and enforced. IS staff should also establish and execute procedures for reporting and resolving detected breaches of remote access security. Procedures should include reporting breaches to management or to external organizations such as CERT. Monitoring programs that scan the system regularly for Trojan horses, sniffers, and other undesirable programs and data are also fundamental security tools.

Inbound Traffic Controls. Inbound traffic controls include the implementation of network and node application restrictions through a firewall to limit access by remote connection to applications. Additional application controls should be installed, such as restrictions on certain types of transactions that a remote user may process. IS staff should maintain logs of all activity originating through remote access and review the logs for anomalies. Authorization and authentication of employees must be required to view or modify internal application data. Users requesting access through an external network or remote access must also be authenticated. Proxy logins should be prohibited; allowing one user to act for another invites unauthorized access.

Outbound Traffic Controls. Systems security is often designed to protect an organization's networks from those who would attempt to break in. It is just as critical, however, that outbound traffic controls be established to monitor the information that leaves the organization. Implementing such controls can be very difficult, as the legal tangle of personal privacy versus corporate liability demonstrates. At a minimum, IS staff should maintain logs of all external network activity originated by internal users and identify and communicate to users any risks or potential threats (e.g., viruses).

File Transfer Controls. To ensure that records are transmitted and that data is received, IS staff should implement manual or automated controls to monitor file transfers. Executable code should be transmitted only by systems and applications designed to prevent unauthorized or inadvertent execution. It is usually difficult to protect against data-driven attacks, or attacks where something is mailed or copied to an internal host and then executed. All attempts at unsolicited distribution of executable files should be called to the attention of management. Executable files are a popular way to spread viruses. IS staff should control the use of the File Transfer Protocol (FTP) site through a proxy server. If this is not possible, another way of restricting incoming connections to the network must be explored.
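The inbound traffic controls above require that all remote-access activity be logged and the logs reviewed for anomalies. The following Python script is an added example, not part of the original article or any vendor's product: it parses a constructed sample log in a hypothetical communications-server format and raises the three kinds of finding an auditor reviewing dial-in logs would want flagged: a burst of failed authentications for one user ID, one user ID authenticated from two different sources within a short interval, and successful logins outside business hours. The log format, field names, user IDs, source numbers and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (an assumption, not any real product's): one line per
# dial-in attempt, as a communications or authentication server might record it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log lines for the demonstration; not taken from any real system.
SAMPLE_LOG = """\
1997-03-04T08:02:11 remote-access user=jsmith src=555-0142 result=OK
1997-03-04T08:40:27 remote-access user=mlee src=555-0199 result=FAIL
1997-03-04T08:41:02 remote-access user=mlee src=555-0199 result=FAIL
1997-03-04T08:41:39 remote-access user=mlee src=555-0199 result=FAIL
1997-03-04T08:42:15 remote-access user=mlee src=555-0199 result=OK
1997-03-04T09:10:00 remote-access user=jsmith src=555-0777 result=OK
garbage line that the parser must skip
1997-03-04T23:55:41 remote-access user=rkhan src=555-0303 result=OK
"""


def parse_log(text: str) -> list:
    """Turn log text into event dicts sorted by time, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events: list,
                   fail_threshold: int = 3,
                   fail_window: timedelta = timedelta(minutes=10),
                   multi_src_window: timedelta = timedelta(hours=2),
                   off_hours: tuple = (22, 6)) -> list:
    """Return (user, kind, detail) findings for the audit team to follow up.

    Thresholds are illustrative; an organization sets them from its own access objectives."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # 1. Password guessing: fail_threshold failures inside fail_window.
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i in range(len(fails) - fail_threshold + 1):
            if fails[i + fail_threshold - 1] - fails[i] <= fail_window:
                findings.append((user, "failure-burst",
                                 f"{fail_threshold} failures starting {fails[i]}"))
                break

        # 2. Shared or stolen credentials: successes from different sources close together.
        oks = [e for e in evs if e["ok"]]
        for a, b in zip(oks, oks[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= multi_src_window:
                findings.append((user, "multi-source",
                                 f"{a['src']} then {b['src']} within {b['ts'] - a['ts']}"))

        # 3. Off-hours access: successes from off_hours[0] up to off_hours[1] (wraps midnight).
        start, end = off_hours
        for e in oks:
            if e["ts"].hour >= start or e["ts"].hour < end:
                findings.append((user, "off-hours", f"login at {e['ts']} from {e['src']}"))

    return findings


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{kind:14} {user:8} {detail}")
```

Each finding is a tuple rather than a formatted string so the same logic can feed a report, a ticket, or the quarterly audit described earlier; the malformed line in the sample is there deliberately, since a reviewer's script must not abort on the first odd record.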

Defining Remote Access: Establishing a Common Vocabulary

Once an organizational policy has been written and fundamental controls implemented, remote access and authentication can be targeted. The security team must ensure that everyone in the organization shares a common remote access vocabulary, so that all of the security provisions will be fully understood and complied with.

In most organizations, IS departments struggle to maintain control of information in the midst of rapidly changing strategic business and communications issues. Healthcare systems are an effective example of this. Instead of having users dial into three or four different platforms and use different equipment for applications that might include claims entry, individual eligibility, and claim-status verification, an IS team could purchase an integrating access server to centralize remote connections. A single dial-in access connection would allow users to access multiple hosts across diverse platforms.

Authentication

Authentication should not be confused with identification or authorization. The IS team must agree on the definition of remote access user authentication and the tools associated with it before they make decisions about specific technologies or products.

Identification. User identification is the process by which people identify themselves to the system as valid users. The logon process is an example of a simple user identification. Identification is not the same process as authentication, which establishes that the person logging on to the network is indeed that user.

Authentication. The process of determining the true identity of a user or an object (e.g., a communications server) attempting to access a system. It is the confirmation of the claimed identity.

Authorization. The process of determining what types of activities are permitted. In the context of authentication, once the system has authenticated a user, he or she may be authorized for various levels of access or different activities.

Authentication token. A portable device (or software loaded directly on a PC) that is used for authentication. Authentication tokens use a variety of techniques, including challenge-response asynchronous, event-time-based synchronous, and time-only-based synchronous technologies.

Authentication tool. A software or hand-held hardware key or token used during the authentication process.

Remote Access

The generic term remote access is commonly applied to terminal emulation, file transfer, and network management. Remote-access software (such as PCAnywhere) makes a PC's drives or peripherals available to other computers. It can dial up another PC through a modem, query that computer's hard drive, and give commands to print or to transfer files. Basic remote access software does not give as high a level of power as remote-control products, which establish the PC as a node on the LAN. When only remote access software is used, the access control measures it provides are not robust enough to protect against unauthorized intrusion.

Remote Control

Remote control is the taking over of a host system with a PC keyboard and mouse and viewing its screen from anywhere in the world. The user can run programs, edit and transfer files, read e-mail, or browse a distant database. The user can dial up with a modem or a node-to-node LAN connection and take complete charge of another computer's screen, keyboard, and mouse. The simplest remote-control scheme is a synchronous, one-to-one, dial-up connection between modems attached to two PCs.

Whatever mode, or combination of modes, the user's network employs, user and client authentication are vital to protecting information assets. When a remote node connection is established, the PC is actually sitting on the LAN to which it has been connected. The PC or workstation is connected to all of the remote network's services. The user has access to any services or information for which it has been authorized. Therefore, if the remote network does not have an authorization, identification, and authentication system in place, the user may roam at will. A limited, secure connection can be established first through the use of a remote control software package and the use of any security features native to the system's operating system or communications hardware. If levels of security are required that are not provided by native security, third-party authentication technology should be added.

Six Components That Secure Remote Access

Authenticating LAN dial-up users is a starting point in evaluating user authentication technology. A variety of reasons for controlling access to the LAN and to office network workstations exist, but not all of them are about protecting the organization. Protecting the privacy of personal information is a top priority for many companies or users. Most users create personal information on their computers. No one wants such personal information made public. By controlling access, business plans and proposals, pricing figures, payroll information, and other sensitive information can be kept from prying eyes. Controlling access also reduces the chances of virus infection and slows the spread of an infection, should one occur. Authenticating users preserves the integrity of information. By locking out unauthorized users, the chances that someone will make unwanted (or unintentional) changes to critical files are reduced.

Six components are critical to secure remote access:

Authorization.
Authentication.
Confidentiality.
Auditing.
Control.
Nonrepudiation.

Authorization

The key to secure remote access is to understand and integrate the critical components without leaving anything out. Network managers must be able to authorize users (i.e., control who on the network may access which resources). Properly implemented, authorization systems prohibit the engineering department, for example, from reading the CEO's business projections. Authorization systems should provide secure single sign-on, which allows users to log onto a network once to gain access to all the resources that they require (but none of the ones that they are unauthorized to have). In most cases, authorization systems consist of complex software packages with code that executes on specifically secured computers on the network. Some examples are IBM's, Cygnus Support's, and CyberSAFE's Kerberos-based systems, and ICL Enterprises North America's Sesame-based system. However, such security is limited by the specific platforms on which these systems work.

User Authentication

Authentication is the process of verifying the identity of end users (and clients). It should be considered a basic building block of secure remote access. A critical component of any network architecture, user authentication typically employs passwords, the most common method of authenticating users. Virtually all network operating systems offer limited password protection, as do most communications servers and other applications that allow access to a network. The reusable (i.e., static) passwords that are employed are easy to use but offer an extremely limited degree of security. User authentication takes place after entry into the system with common IDs and reusable passwords. Security is very lax. Reusable passwords have been shown over a lengthy period of time to be the least successful way to protect networks.

Why are static, reusable passwords so easy to steal or guess? Several intrinsic weaknesses are found in reusable passwords. First, most people have a difficult time remembering passwords, especially if they must remember many different passwords that are unique to each network or application that they use. Typically, they give the passwords to co-workers or paste them in visible areas for easy reference, especially if the IS staff requires them to change the passwords on a regular basis.
Second, if permitted to choose their own passwords, they often pick trivial ones that are easy to remember. These may include permutations of their names, their children's names, or personal information, such as date of birth. Trivial passwords are common words that are subject to dictionary attacks or simply educated guesses, which is not a very secure form of authentication. Third, static passwords are vulnerable because it is possible to steal them electronically. This can be done either by unauthorized insiders or by outsiders (i.e., hackers) through a password sniffer or similar program designed to monitor and record the names and passwords of authorized users as they log onto a network.

Because of these basic weaknesses, reusable passwords seriously jeopardize overall communications security. It is too easy to impersonate authorized users by logging on with passwords that actually are legitimate to access restricted information. To solve this problem, network security experts are now choosing from a variety of authentication systems that generate one-time-use-only (i.e., dynamic) passwords for a greater degree of user authentication and, therefore, information security. Hand-held authentication devices (e.g., tokens) employ encryption and public or proprietary algorithms to calculate these one-time-use-only passwords (or responses) to random challenges issued by authentication servers residing on the network. More specifically, there are: stand-alone devices (i.e., hardware boxes) placed in front of a communications server or router to provide authentication prior to network entry; and software security servers (i.e., software running on a dedicated machine designed to operate directly on the network), for example, on a Windows NT or UNIX box. Server-based authentication software responds to requests originating from network access control points, such as firewalls, remote access servers, or O/S security software.

An Authentication Security Server. An authentication security server is not a communications server. In many cases, third-party vendors work with the manufacturers of firewalls, communications servers, and routers to integrate user authentication technology so that users may be authenticated before they pass through gateways to the LAN. Types of communications servers that integrate third-party user authentication technology include: Shiva's LANRover; Microsoft's NT Remote Access Service (RAS) Server; Attachmate's Remote LAN Node Server (RLN); a Cisco router operating as a communications server; Checkpoint's firewall; and Atlantic Systems Group's TurnStyle firewall. The entire authentication process is dependent on the use of tokens (either hardware or software) so that one-time-use passwords used for authentication can be generated on both ends of the authentication process and then compared before access is granted. (Passwords are generated on the user's end, by the token, and at the network server end, by the authentication server.)

Authentication Tokens

Some of the tokens that work with the previously mentioned authentication servers may be used to verify dial-up users, users already on LANs, or users seeking access to a LAN through the Internet. Different tokens have different capabilities. Some products even authenticate users connecting through fax machines or telephones. Tokens can be small, handheld hardware devices, a connector-sized device that sits between a computer and a modem, or software that runs on the user's PC. Some have more complex features and are considered more secure than others. However, all challenge-response tokens serve the same purpose. They generate passwords that a user's PC transmits to an authentication server that resides at an access point on a network. Alternatively, they transmit them to authentication software residing on, for example, a Microsoft NT Remote Access Server. The authentication servers (or the software residing on a PC or workstation located directly on the network) verify that the users are who they say they are when they first identify themselves.

Challenge-Response, Asynchronous Authentication

In a secure, challenge-response, asynchronous authentication process, network managers typically configure the tokens themselves, a definite benefit over factory-issued secret keys. No one except the network manager or administrator has access to the data base of user secret keys and other pertinent user information. LAN dial-up remote access provides an example of how this works. A user dials up remotely, and before the network allows the user access, the call is intercepted by a master authentication device (or a software authentication server), which prompts the user for an ID. When the user is identified as one of the individuals allowed access to the network, the server issues a random, alphanumeric challenge to begin the process of authenticating (i.e., determining that the user is who he or she says he or she is). That random challenge is used by both the token and the server to calculate a one-time-use password based on a secret key value stored in both the token and the server. The process typically involves the use of an encryption algorithm. The reliability of the algorithm used in an organization's authentication solution should be carefully evaluated.

Solutions that employ the challenge-response process, secret user keys, and encryption algorithms to generate passwords result in a very high level of authentication security. The one-time-use passwords are issued only once, can be used only once, and even if stolen or captured, can never be used again. The mathematics involved in the encryption process to calculate the passwords makes it essentially impossible to reuse them.
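The exchange just described (the user identifies, the server issues a random challenge, the token computes a response from the challenge and the secret key, and the server compares it with its own computation), together with the sniffer weakness raised under User Authentication, as an added example in Python. This is not the article's or any vendor's code: the Token and AuthenticationServer classes, the user IDs alice and mallory, and the secret key are constructed, and HMAC-SHA256 stands in for whatever encryption algorithm a real token runs. It shows that a response captured by a sniffer is worthless against the next, different challenge, which is exactly the property a reusable password lacks.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple


class Token:
    """Hand-held or software token. It holds the user's secret key (programmed by the
    network administrator, not the factory) and only ever emits answers to challenges."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def respond(self, challenge: str) -> str:
        # HMAC-SHA256 stands in for the vendor's encryption algorithm: the one-time
        # password is a keyed function of the random challenge, so it differs every time.
        return hmac.new(self._key, challenge.encode(), hashlib.sha256).hexdigest()[:16]


class AuthenticationServer:
    """Authentication security server placed in front of the communications server."""

    def __init__(self) -> None:
        self._keys = {}       # user ID -> secret key (the administrator's data base)
        self._pending = {}    # user ID -> outstanding challenge
        self.audit_log = []   # one line per decision, for later review

    def enroll(self, user_id: str, secret_key: bytes) -> None:
        self._keys[user_id] = secret_key

    def identify(self, user_id: str) -> Optional[str]:
        """Identification: a known user ID gets a fresh random alphanumeric challenge."""
        if user_id not in self._keys:
            self.audit_log.append(f"DENY unknown user {user_id}")
            return None
        challenge = secrets.token_hex(8)
        self._pending[user_id] = challenge
        return challenge

    def authenticate(self, user_id: str, response: str) -> bool:
        """Authentication: the server computes its own one-time password from the same
        challenge and secret key and compares; each challenge can be answered once only."""
        challenge = self._pending.pop(user_id, None)
        if challenge is None:
            self.audit_log.append(f"DENY {user_id}: no outstanding challenge")
            return False
        expected = Token(self._keys[user_id]).respond(challenge)
        ok = hmac.compare_digest(expected, response)
        self.audit_log.append(f"{'ALLOW' if ok else 'DENY'} {user_id} challenge={challenge}")
        return ok


def dial_up_session(server: AuthenticationServer, token: Token, user_id: str) -> Tuple[bool, str]:
    """One remote logon: the server intercepts the call, asks for an ID, issues a
    challenge; the user keys it into the token and transmits the response."""
    challenge = server.identify(user_id)
    if challenge is None:
        return False, ""
    response = token.respond(challenge)
    return server.authenticate(user_id, response), response


def demo_replay() -> Tuple[bool, bool, bool]:
    """Legitimate logon succeeds; a sniffed response replayed later fails; an unknown
    ID is refused before any challenge is issued."""
    key = b"constructed-user-secret"      # constructed sample secret key
    server = AuthenticationServer()
    server.enroll("alice", key)           # constructed user ID
    token = Token(key)

    first_ok, sniffed_response = dial_up_session(server, token, "alice")
    server.identify("alice")              # next session: a new random challenge
    replay_ok = server.authenticate("alice", sniffed_response)
    unknown_ok, _ = dial_up_session(server, token, "mallory")
    return first_ok, replay_ok, unknown_ok


if __name__ == "__main__":
    print(demo_replay())  # (True, False, False)
```

The server reuses the Token class to compute its expected value, which mirrors the article's point that the password is generated on both ends and compared; popping the pending challenge before comparison is what makes each one-time password usable once only, and the audit log gives the log reviewer the record the Inbound Traffic Controls section asks for.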

Synchronous-Only-Based Authentication

Time-only, synchronous authentication is based on time clocks and secret keys that reside in two places: on the network (i.e., protected) side and on the user side (i.e., the side to be authenticated). On the network side, a time clock and data base of secret keys operate in either a dedicated authentication hardware box or a software authentication server. On the user side of the authentication equation, a clock, which is synchronized to the authentication server, and a secret key (corresponding to a secret key in the server) operate inside the token.

Several implementations of time-only, synchronous authentication are possible. In one specific time-synchronous scheme, a proprietary algorithm continually executes in the token to generate access codes based on the time clock and the token's secret key. In this case, the time is the variable. A new access code is generated by the token approximately once a minute. The token is always activated. When the user dials into the authentication server, the server issues a prompt to the user for an access code. The user simply attaches his or her secret Personal Identification Number (PIN) to the code currently displayed on his or her token at the moment access is required, and then the user transmits the combined PIN and code (which become the one-time password). This code is transmitted over telephone lines to the authentication server. The server uses the PIN to identify the user and compares the transmitted access code with its own current version for that user.

In a different implementation of time-synchronous authentication, the user enters his or her secret PIN to activate the token, which then generates a true, one-time-use password based on the token time clock and a secret key value stored inside the token. This system is more secure, because the password generated does not include the PIN when it is transmitted over public telephone lines or networks.

PINs should always remain secret to be considered a viable part of the two-factor authentication process. Two-factor refers to something secret that only the user knows (i.e., his or her PIN) and something held in the user's possession (i.e., his or her token). For secret information to remain secret, it should not be transmitted in any way that allows unauthorized individuals to hack the information and use it at a later date. If someone captures a PIN as it is being transmitted over public telephone lines, it would be relatively easy to steal the token and use it to gain unauthorized access. It does not matter if the access code is considered a one-time-use password: if a thief has the PIN and the token, he or she has what is needed for unauthorized access to confidential information.

Window of Time

Time-only synchronous authentication systems are based on making available a window of time within which the password match must occur. The time clocks in the server and the token must remain in sync because the time is the variable on which the calculation depends. If the clocks are too far off, the user is denied access. At this point, the technologies differ. When the token becomes out of sync with the server, there must be an efficient, cost-effective, user-transparent way to resynchronize the token. The user would be frustrated if he or she had to return his or her token for reprogramming before the information being requested is accessed. Centralized and remote token resetting capabilities should be considered, as well as the conditions under which tokens must be replaced. Replacing tokens or having to return them to a system administrator for resetting can be time-consuming and expensive. Authentication tokens should be unlocked remotely, preferably with some pre-arranged signal or code that only the user and the network administrator know. Finally, the time on the token clocks gradually drifts, resulting in a lack of synchronization.
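The window-of-time mechanism just described, together with the event-plus-time scheme covered in the next section, as an added Python simulation that is not the article's or any vendor's implementation. STEP_SECONDS, the window sizes, the look-ahead, the secret key, and the use of HMAC-SHA256 in place of a proprietary token algorithm are all assumptions. It shows a time-only token accepted within a one-step window but denied after five minutes of clock drift, a captured time-only code refused once its step has been consumed, and an event-plus-time server resynchronising to a token that was activated without logging in, with the secret key chained forward after every password so that no key is used twice.

```python
import hmac
import hashlib

STEP_SECONDS = 60  # the token displays a new access code about once a minute


def _code(key: bytes, *fields: int) -> str:
    """Derive a 6-digit access code from a secret key and the scheme's variables.
    HMAC-SHA256 stands in for whatever proprietary algorithm a vendor's token runs."""
    msg = b"".join(f.to_bytes(8, "big") for f in fields)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def _next_key(key: bytes, counter: int) -> bytes:
    """Event-plus-time key chaining: a fresh secret is derived after every password."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


class TimeOnlyToken:
    """Time-only synchronous token: the time step is the single variable."""

    def __init__(self, key: bytes, drift_seconds: int = 0):
        self.key = key
        self.drift_seconds = drift_seconds  # how far the token clock has drifted

    def code(self, now: int) -> str:
        return _code(self.key, (now + self.drift_seconds) // STEP_SECONDS)


class TimeOnlyServer:
    """Accepts codes within +/- window_steps of its own clock, never the same step twice."""

    def __init__(self, key: bytes, window_steps: int = 1):
        self.key = key
        self.window_steps = window_steps
        self.last_step = -1  # highest step already accepted for this user

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.window_steps, current + self.window_steps + 1):
            if step <= self.last_step:
                continue  # a code captured from an accepted step is useless
            if hmac.compare_digest(_code(self.key, step), submitted):
                self.last_step = step
                return True
        return False


class EventTimeToken:
    """Event-plus-time token: event counter (primary), time (secondary), chained key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def password(self, now: int) -> str:
        pw = _code(self.key, self.counter, now // STEP_SECONDS)
        self.key = _next_key(self.key, self.counter)  # this key is never used again
        self.counter += 1
        return pw


class EventTimeServer:
    """Follows the same counter and key chain; tolerates skipped events and clock drift."""

    def __init__(self, key: bytes, window_steps: int = 1, lookahead: int = 5):
        self.key = key
        self.counter = 0
        self.window_steps = window_steps
        self.lookahead = lookahead  # passwords the token may have generated but not used

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        key, counter = self.key, self.counter
        for _ in range(self.lookahead + 1):
            for step in range(current - self.window_steps, current + self.window_steps + 1):
                if hmac.compare_digest(_code(key, counter, step), submitted):
                    # Resynchronise past the event just used; earlier events can never match.
                    self.key, self.counter = _next_key(key, counter), counter + 1
                    return True
            key, counter = _next_key(key, counter), counter + 1
        return False


def demo() -> dict:
    key = b"constructed-secret-key"  # constructed sample secret shared by token and server
    now = 1_000_000                 # seconds; any fixed clock value works for the demo
    results = {}

    t_server = TimeOnlyServer(key, window_steps=1)
    code = TimeOnlyToken(key).code(now)
    results["time_only_ok"] = t_server.verify(code, now)
    results["time_only_replay"] = t_server.verify(code, now + 10)       # captured code reused
    drifted = TimeOnlyToken(key, drift_seconds=5 * STEP_SECONDS)         # five minutes fast
    results["time_only_drifted"] = t_server.verify(drifted.code(now), now)

    e_server = EventTimeServer(key)
    token = EventTimeToken(key)
    token.password(now)             # activated once without logging in: counters diverge
    pw = token.password(now)
    results["event_time_ok"] = e_server.verify(pw, now)      # server catches up on its own
    results["event_time_replay"] = e_server.verify(pw, now)  # same password presented again
    return results
```

The time-only server's window is exactly the trade-off the text describes: widening window_steps forgives more drift but multiplies the number of codes an interceptor could try, and without the last_step check a captured code would remain valid for the whole window. The event-plus-time server needs no such window on the counter because a look-ahead over the key chain lets it catch up with a token that was pressed without a logon, which is the remote, user-transparent resynchronisation the article asks for.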
If there are no provisions for unlocking or resetting, or for automatic switching of modes of operation (e.g., from synchronous to asynchronous) to back up the synchronous token, the authentication server, by necessity, will have to provide a larger window of time during which a user can be authenticated. Otherwise, too many tokens would go out of sync too often. The larger the window of time, the greater the security risk that someone will intercept passwords or PINs (if they are part of the transmission).

Synchronous, Event-Plus-Time Authentication

In event-plus-time synchronous authentication, the token also uses an algorithm and a secret key to generate passwords. However, it is based on two dynamic variables, instead of one, which increases the level of password security. The two variables are: an event counter (i.e., the primary variable), and a time clock (i.e., the secondary variable). In one particular implementation of synchronous, event-plus-time authentication, there is also a third variable, a unique secret key that is calculated each time a password is generated by the token. This key becomes the secret key used to generate the succeeding password, the next time the user activates the token. The first variable, event, refers to the number of times a password has been generated by the token. The second variable, time, refers to the clock counter in the token. The third variable, the new, unique key generated each time a password is issued, makes these event-time-synchronous passwords the strongest on the market.

For all synchronization authentication systems, questions should be asked about overall system management and token secret parameter programming. For example, network administrators should be able to maintain control not only of locking-unlocking procedures, but also of the user data base, the setting of security parameters, and token programming. To comply with internationally recognized computer security standards, there should always be a barrier between the factory, which produces the tokens, and the customer, who operates those tokens. Specifically, secret parameters should be set by the customer, not by the vendor.
Tokens that are programmed at the factory (or by the vendor) should be viewed with caution. It is possible that such products may result in people outside the organization having access to secret key values, user data bases, and other basic token operations. These functions form the basis of secure user authentication. Such operations should remain under the auspices of the network administrators at all times.

A final point to consider with synchronous authentication systems is system management. Managing sites with a large number of users can become a daunting task under certain conditions. Questions should be asked about how the technology is going to handle distributed or centralized authentication system and token management, and how many servers will be necessary for the variety of access points or geographical locations that must be secured. The answers to these should be compared with other solutions. In the case of some technologies, cost-effective, efficient authentication system management can be impossible to achieve, and it may be necessary to purchase a larger number of authentication servers with one technology than with another. The cost of the overall user authentication system should be considered, not just the cost of the tokens, whether they are hardware or software. Finally, when considering the cost of tokens, the frequency of replacement should be considered.

Conclusion

This article has discussed several methods of authenticating users: time-based-only synchronous authentication; event-plus-time-based synchronous authentication; and challenge-response asynchronous authentication. Each offers a different level of security and reliability when it comes to user authentication. The choice depends on the organization's overall security policy and the depth of user authentication required. The technology of the different types of user authentication tokens should be carefully compared.
The authentication technology requirements may be quite simple if security requirements are limited. On the other hand, an organization may require more reliable technology, such as two-factor, challenge-response asynchronous, or event-plus-time-based synchronous authentication. As the Internet moves toward universal standards, authentication systems built on technology that is not standards-based, or on a time clock alone, should be regarded as highly suspect with respect to both scalability and reliability.

Author Biographies

Ellen Bonsall is the Marketing Director, U.S. Operations for ActivCard, Inc., San Francisco, CA.


More information

White Paper. BD Assurity Linc Software Security. Overview

White Paper. BD Assurity Linc Software Security. Overview Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report

More information

IMPLEMENTING AND SUPPORTING EXTRANETS

IMPLEMENTING AND SUPPORTING EXTRANETS 87-10-18 DATA SECURITY MANAGEMENT IMPLEMENTING AND SUPPORTING EXTRANETS Phillip Q. Maier INSIDE Extranet Architectures; Router-Based Extranet Architecture; Application Gateway Firewalls; Scalability; Multi-homed

More information

Management of Hardware Passwords in Think PCs.

Management of Hardware Passwords in Think PCs. Lenovo Corporation March 2009 security white paper Management of Hardware Passwords in Think PCs. Ideas from Lenovo Notebooks and Desktops Workstations and Servers Service and Support Accessories Introduction

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

Austin Peay State University

Austin Peay State University 1 Austin Peay State University Identity Theft Operating Standards (APSUITOS) I. PROGRAM ADOPTION Austin Peay State University establishes Identity Theft Operating Standards pursuant to the Federal Trade

More information