Smart Card Deployment in the Data Center: Best Practices for Integrating Smart Card Authentication in a Secure KVM Environment



Similar documents
APC Enterprise KVM Switches

Server Room Solutions: How small to midsize IT businesses can make their IT budgets appear larger than they are

Common Access Card Application

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

AMX MULTI-USER, MULTI-PLATFORM SWITCHING FOR REAL-TIME DATA CENTER AND TEST LAB ENVIRONMENTS

QuickSpecs. HP IP Console Switch with Virtual Media Overview

The Leading KVM Switch Solutions Provider, ATEN. 40-Port KVM Over the NET - 1 local / 4 remote user access

8/16-Port IP KVM Switch IKVM-8010 / IKVM Quick Installation Guide

The Distributed Enterprise: Access and Management of Remote Office IT Infrastructure

Ways to Use USB in Embedded Systems

Selecting the Right NAS File Server

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management

HP Server Console Switch with Virtual Media Overview

Power Management. Raritan Description.

Server Remote Control

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Interface Adapters PS/2 Interface Adapter 1 pack B21 PS/2 Interface Adapter 8 pack B21 USB Interface Adapter 1 pack B21

The ABCs of KVMs: How Remote KVM Switches Put You in Control of Your Data Center

The Leading KVM Switch Solutions Provider, ATEN

The Convergence of IT Security and Physical Access Control

STRONGER AUTHENTICATION for CA SiteMinder

The Convergence of IT Security and Physical Access Control

QuickSpecs. Models HP Server Console G2 Switch. HP Server Console Switch G2 with Virtual Media & CAC. Overview

CRESCENDO SERIES Smart Cards. Smart Card Solutions

NEC Virtual PC Center (VPCC) Product and Technology Overview

Secure, Remote Access for IT Infrastructure Management

Dominion KX II-101-V2

Contactless Solutions

CAT5 KVM Extender User Manual

Cat 5 High-Density KVM Over the NET

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Power Distribution Units (PDUs): Power monitoring and environmental monitoring to improve uptime and capacity planning

4 User 16 Port Cat5 Matrix IP KVM Switch. StarTech ID: SV1654DX4I

OmniLink i-series Smart Solutions for Retail

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

CN8000. Features. KVM on the NET

Installing Lenel OnGuard Management Solutions Software on an Intransa VideoAppliance TM

DigitalPersona Pro Enterprise

Prima TU 8-IP/TU 16-IP

IPMI overview. Power. I/O expansion. Peripheral UPS logging RAID. power control. recovery. inventory. Hugo CERN-FIO-DS

AxTraxNG Access Control Management Software

QuickSpecs. Models HP Server Console Switches

Endpoint Virtualization for Healthcare Providers

Why Use ThinManager to Manage Thin Clients? White Paper. For more information, please visit:

FabulaTech Products Advanced Communications Solutions

KN1108v/KN1116v. KVM Over the NET. Enterprise Solutions

CN8600 DVI KVM over IP

How do I secure and manage an out-of-band connection to network devices?

USB etoken and USB Flash Features Support

ADDING STRONGER AUTHENTICATION for VPN Access Control

Xcalibur Global 1.2

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Power, Monitor, Measure, Access, Manage and Control Your Entire IT Infrastructure

Mobile Application Testing

Enabling Fast and Secure Clinician Workflows with One-Touch Desktop Roaming W H I T E P A P E R

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Windows Embedded Security and Surveillance Solutions

Exploring the Remote Access Configuration Utility

Flexible and Flawless Get a hold of every critical moment instantly without compromise

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

DynaGuard 200 Series. Compact and Versatile MPEG-4. Ver. 1.1

Windows MultiPoint Server 2011 Deployment Guide. Document Version 1.0 March 2011

HP ProLiant Lights-Out 100c Remote Management Cards Overview

WISE-4000 Series. WISE IoT Wireless I/O Modules

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

X Series Application Note 43:

CMS suite. Control room management software. Barco's CMS software is an advanced control room management suite which

32 Port Multi-user Cat5 Matrix IP KVM Switch. StarTech ID: SV3253DXI

Rack Power Distribution. Worldwide

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Power, Monitor, Measure, Access, Manage and Control Your Entire IT Infrastructure

Data Center Power Distribution and Capacity Planning:

New SurePOS 700 Front Service Cover features offer secure, reliable front access to the system unit

VERGENCE TM : TECHNICAL DATA SHEET

innova tions KVM Brief

QuickSpecs. Models. HP ProLiant Lights-Out 100c Remote Management Cards Overview

CN8000. KVM on the NET. Simply Better Connections

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

Using AnywhereUSB to Connect USB Devices

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Digital Cable Tuner Setup for Windows Media Center in Windows Vista. A Step-by-Step Guide for Professional Technicians

8 Port USB + PS/2 Digital KVM Switch with OSD. StarTech ID: SV841HDI

QuickSpecs. HP IP Console Switches. Overview

White Paper: Managing Security on Mobile Phones

Transcription:

Smart Card Deployment in the Data Center: Best Practices for Integrating Smart Card Authentication in a Secure KVM Environment 2009, Raritan Inc.

Executive Summary While many organizations have employed smart card identification to enhance their physical security infrastructure, KVM (Keyboard, Video & Mouse) system users in particular can benefit greatly from the two-factor authentication that a smart card inherently provides to the logical realm (access to software and application systems on servers). However, whereas a physical security system that incorporates smart cards is straightforward to implement, logical security using PKI-based authentication (Public Key Infrastructure) incurs very specific practical obstacles during implementation in a data center, network operating center, lab or any facility that relies on a KVM system for efficient operation. While smart card readers themselves are inexpensive, 1-to-1 mapping of card readers to server hardware neutralizes many of the efficiencies that a high-density server environment with few user touchpoints provides. IT managers thus face a difficult decision: greater security or greater convenience. A similar problem has been faced previously. Before the modern server boom, most computer rooms employed a keyboard and monitor for each server a 1-to-1 mapping. But KVM switching technology later eliminated this inefficient deployment, allowing one set of keyboard, monitor and mouse peripherals to be deployed to many servers at once. By extending its peripheral set to include smart card readers, modern KVM switches with smart card capabilities can allow data center managers to enjoy the best of both worlds: greater security and greater convenience. The objective of this document is to provide insight into smart card support within a KVM system, enabling servers with PKI authentication to be deployed without sacrificing efficiency and convenience. We explore several points to consider when adding or deploying this functionality. Note that this white paper provides perspective on the implementation of smart card readers for the purpose of accessing servers and PC's via a KVM switch, not the use of smart cards to log into the KVM system itself. Introduction The use of integrated PKI and smart card authentication infrastructure for strengthening user identification credentials is growing worldwide. Driving the demand is an increased need for greater physical security along with the requirement for stronger authentication of individuals accessing networks, often referred to as logical access control. For logical access, smart cards provide additional security to organizations that require multifactor authentication without hampering user convenience. Managing employee credentials for physical access to facilities and logical access to IT infrastructure can be burdensome and expensive even simple tasks such as password resets and reminders can incur nontrivial costs in a large organization. Smart cards provide a form of identification that can be used to secure both physical and logical access while combining other business benefits. Thus, many organizations have employed secure, portable and multipurpose employee badges to enable an efficient and cost-effective identity management system. A sound understanding of the business processes and goals within an enterprise is a key to the most successful implementations of smart cards. Page 2

Global Smart Card Shipments by Sector (millions of units) 2008 Global Shipment November 2008 Forecast 2009 Global Forecast Sectors Memory Microprocessor Memory Microprocessor Telecom 380 3200 300 3600 Financial services / Retail / Loyalty 30 610 30 700 Government / Healthcare 250 140 170 160 Transport 160 30 160 30 Pay TV 100 100 Other (including corporate security) 80 65 80 70 Total 900 4145 740 4660 Aggregate Total 5045 5400 Source: www.eurosmart.com A pioneer in the adoption of smart card infrastructure is the United States Department of Defense (DoD), which has 3.8 million smart card users as a result of its Common Access Card (CAC) program 1, an initiative motivated by HSPD-12. This presidential mandate intends to achieve improved physical and logical security of Federal defense employees and contractors worldwide by requiring extensive implementation of smart cards in the DoD, including extensive smart card-based authentication to information systems. Practical Challenges Raised During Physical Implementation Within organizations that have deployed smart cards for server access, administrators face a unique challenge. In a data center setting, attaching individual smart card readers (or keyboards with integrated readers) to each and every server is impractical. A traditional KVM switch does not help this problem. Directly-attached smart card readers require users to be physically located at the server when authenticating, essentially defeating the purpose of a KVM switch and resulting in a big step backwards in efficiency and productivity. Thus, a large number of organizations are now beginning to implement convenient smart card authentication infrastructure in their data centers by enabling the technology through a new generation of KVM switching solutions. These new KVM solutions do not simply integrate card readers as an additional peripheral at the KVM workstation. They also adapt their core functionality to support with secure smart card use. When seeking a smart card-enabled KVM system, choose not only a solution that fulfills the basic requirement of supporting PKI authentication to multiple servers from a single location, but also one that makes the necessary KVM feature adjustments to enable seamless use of the reader. Finally, it should adhere to industry standards to ensure that security needs are met. In the next section, we explore the practical implications of these requirements. 1 Smart Card Alliance: Smart Card Alliance Annual Government Conference Opens with Strong Department of Defense Network Security Case Study, April 12, 2007 Page 3

Components of a Smart Card-Enabled KVM Solution To implement smart card authentication, an authentication server, middleware and driver must be installed on target servers to communicate with smart card readers. Also a KVM infrastructure must be in place. (See Diagram 1) On the server side, special middleware deployed on each target server communicates with the card reader and the authentication infrastructure that s in place. The middleware is essentially a go-between that utilizes various specifications (such as PC/SC and x.509) and supports PKI certificates enabling the use of smart cards for a wide variety of desktop, network security and productivity applications. Additionally, a driver compatible with the card reader must be running on each target server. Compatible drivers are typically provided as a standard component of the server s operating system. Reader manufacturers also provide drivers as a download on their respective web sites. Authentication Server Server Server Server Server PKI Middleware PKI Middleware PKI Middleware PKI Middleware Driver Driver Driver Driver KVM Switch Remote Client Workstations With an integrated or external smart card reader IP LAN/WAN KVM User Stations With an integrated or external smart card reader KVM-over-IP Solution Analog KVM Solution (Diagram 1) Page 4

KVM-over-IP Solution Small dongles, called CIMs, attach to each server s I/O interfaces and emulate a keyboard, mouse, VGA monitor and smart card reader. Servers then behave as if these peripherals are directly attached to their I/O ports. (See Diagram 2) Digital (KVM-over-IP) switch(es). Each dongle is connected to the KVM switch using standard Cat5 or Cat6 cables. The digital KVM switches then provide users secure, anytime/anywhere BIOS-level access. For larger deployments, the Centralized Management System provides centralized access across multiple digital KVM switches, giving the user a single IP address to access hundreds or thousands of servers. Remote client software is used by the end user to connect to the remote servers over the IP LAN/WAN infrastructure, through the digital KVM switch. Smart card readers can be integrated in the user s workstation or plugged in via the USB port. Analog access in the data center is provided via the local port of the digital KVM switch. In this case, the smart card reader is connected through a USB port of the KVM switch itself. Be sure that the reader meets the ISO 7816, USB CCID and PC/SC standards. KVM-over-IP switch Windows Linux Sun UNIX Legacy Blade Servers IP LAN/WAN Authentication Server Local Access USB Smart USB Smart CommandCenter Secure Gateway Notebook PC with Built-in Smart Remote Access over IP Integrated Keyboard Smart (Diagram 2) Page 5

Analog KVM Solution An analog KVM solution that enables smart card authentication consists of the following components: Small dongles that attach to each server s I/O interfaces and emulate a keyboard, mouse, VGA monitor and smart card reader. Servers then behave as if these peripherals were physically attached to their I/O ports. (See Diagram 3) Central, matrix KVM switch(es). Each dongle is connected to the KVM switch using standard Cat5 or Cat6 cables. The matrix KVM switch infrastructure provides a single, logical system allowing multiple users to switch between hundreds of servers. User access workstation (user station). Each station is connected to the KVM switch with a Cat5/6 cable, and thus has access to all connected servers. These user stations provide a straightforward system-authentication and server-selection interface for each operator. A smart card reader, integrated or connected to each user station via USB. Note that USB "smart sticks" are also becoming more and more popular. A KVM platform that supports external readers should also support USB smart sticks. Be sure that the reader meets the PC/SC specification, which builds upon existing industry smart card standards and complements them with low-level device interfaces and APIs. Analog KVM Switch Internal Network User Station with Smart Local User Authentication Server Smart Card (Diagram 3) Page 6

Solution Best Practices To deploy a truly secure solution, while maintaining optimal convenience and efficiency, IT managers should be sure to seek the following attributes: 1. The integration with the smart card reader should be transparent to host computers. Smart card readers, their middleware and the authentication server that manages user credentials each strictly follow industry specifications. For example, reader and server middleware utilize PC/SC as a communication protocol, and generally support x.509 certificates. As a result, today s smart card readers are essentially plugand-play. The goal of a smart card-enabled KVM switching solution is to provide the exact same plug-and-play reader capabilities to racks and rows of servers, while only requiring a single smart card reader per user. 2. The smart card reader should not add complexity to the KVM solution. Adding smart card capabilities to your KVM solution should be inherently simple. The primary purpose of a smart card reader is to quickly provide information stored on a user's card to the server, and a KVM system provides a direct out-of-band connection between users and the servers to do so. No other infrastructure should be necessary. The reader, although it may be located in the next room or the next continent, should interface with the target server exactly as if directly connected to one of its I/O ports. 3. The solution should protect security by providing read-only access to card data. Generally speaking, a smart card is simply a specialized form of digital media: data can be both read from the card as well as written to the card. But for the purposes of user authentication, only data reads are appropriate. Thus, to maximize security, a KVM system should only allow read-only access to the smart card, and disable data writes. 4. The solution must not store or cache smart card data. A KVM system could be a major security risk if it performs data caching of any kind. It's critical that the KVM system does not store or cache the card data. It should only transmit data to a single server at a time upon request, and only from a card that is physically present in the reader. By implication, the following behavior should occur: If configured to do so, the card reader (and thus the KVM system) should support the automatic loss of authentication to the server upon removal of the card. To the middleware, switching away from a server should essentially be considered the same behavior as removing the smart card. And because the card data is not being stored or cached, users will automatically be required to reauthenticate when switching between servers. As a result, the card can conveniently remain in the reader during the user's session. The PKI middleware will ask for the card information again. Because there is no storage of the card information and reauthentication is required when navigating from server to server, the solution is very secure. This helps guard against unauthorized access by other KVM users who may connect to the same channel. In fact, if a user returns to a previously-accessed server, authentication should again be required. Because the analog KVM system is out of band, unwarranted sniffing of the card s data via the corporate network is eliminated. Digital KVM systems employ 128 and 256-bit encryption, which ensures that smart card data is secure. Page 7

5. The solution should automatically enter private mode. A common feature of most KVM platforms is to allow multiple users to simultaneously access a particular server. When smart cards are in use, the solution should automatically enter into private mode, allowing only one user at a time to access servers connected to the KVM switch. 6. The solution should adapt its core features for a favorable user experience. Some standard KVM features will need to be modified or disabled to avoid interference with the functionality of the card reader. For example, many KVM systems provide a scan feature, which automatically searches for the next available channel. Use of automatic scan with a card reader is inconvenient and the system should deactivate this feature whenever a smart card is in use. Summary When implementing a KVM-over-IP or an analog KVM solution, enabling users to employ smart cards for the purpose of accessing servers should not be a daunting task. But it can be especially difficult to deploy if the KVM platform does not seamlessly integrate such support. At the same time, implementing an efficient KVM system with smart card features should not compromise security in any way. An ideal solution, therefore, supports the use of smart cards and integrates card readers that operate exactly as if directly connected to the target servers. As a result, it should deliver the same inherent security features. When these attributes are met, security officers will be pleased by the broader deployment of highly-secure smart card capabilities in the data center, NOC and other facilities while server administrators can adhere to security policies without losing the convenience and efficiency that a centralized KVM solution provides. About Raritan Raritan is a leading provider of secure IT infrastructure management solutions. We offer IT and facility directors, managers and administrators the control they need to increase power management efficiency, improve data center productivity and enhance branch office operations. In over 50,000 locations worldwide, our integrated in-band and out-of-band products help companies monitor and manage their energy, servers and other IT devices. Our intelligent PDUs, combined with energy management software and environmental sensors, offer remote power control and monitoring at the rack and device level, empowering data center owners with information to improve uptime and capacity planning, while efficiently utilizing energy to save power and money. And our access solutions, including KVM, serial and centralized management devices, offer unprecedented control of servers to maintain mission-critical environments. Raritan's OEM division provides embedded hardware and firmware for server and client management, including intelligent power management, KVM over IP, IPMI and other industry standards-based management applications. 2009 Raritan Inc. All rights reserved. Raritan is a registered trademarks of Raritan, Inc. All other marks are trademarks or registered trademarks of their respective manufacturers. C1014 R1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information