Authentication and Remote Access
An effective remote access deployment always includes both endpoint and network security components, covering a wide range of safeguards. Virtual private networks (VPNs) must authenticate the end users, the system to which the end users are connecting, and the authentication information itself. The PositivePRO service provides the highest level of authentication security available on the market, with the flexibility to accommodate the specific security needs of each customer.

Remote access systems have become common in corporate America and are becoming a basic cost of doing business. New remote access alternatives have gained acceptance, including full client-based systems, browser-based remote access portals, and remote desktop control offerings. The increasing availability of remote access introduces new security implications. In the past, corporate IT departments had the option of carefully controlling physical access to the network, as well as managing the software and hardware employees used for network access. This approach does not work for remote access: physical security is now difficult or impossible to control, and the computers used for remote access are often completely beyond the reach of network administrators.

To address these concerns, the deployment of any remote access technology must include a detailed and comprehensive security plan. An effective remote access deployment always includes an endpoint security strategy, with anti-virus, anti-spyware, client-side firewall, and critical update components. Network-side security, including access restriction policies, firewalls, intrusion detection, and intrusion prevention, should also be deployed. Beyond these considerations, however, a complete remote access security policy must address the often-overlooked area of authentication.
Although authentication within the corporate environment is often straightforward, the anywhere, any-computer access paradigm that accompanies remote access deployments calls for closer consideration. Authentication is the act of determining, within a chosen level of certainty, the identity of the user requesting or providing access to resources. It encompasses authentication of the end user and the end user's equipment, authentication of the system to which end users connect, and even the security of the authentication information itself.

End-Computer Authentication

IT departments often have strict guidelines governing the computers and equipment used to access the corporate network. However, these guidelines are difficult, if not impossible, to enforce in a remote access system. In some cases, IT administrators want to require minimum standards of any computer used to access the network, even remotely. For example, it is often company policy that no computer at another company's office may be used for remote access, because end users could be surreptitiously monitored by the foreign corporation. To enforce these standards, end users are sometimes permitted to access the corporate network remotely only from a company-supplied laptop or desktop computer. In these cases, computer authentication is essential.

Computer authentication can be implemented in a number of ways. One is to require the presence of a specific registry key or value on a Windows computer. However, since technically capable users may be able to locate and set this registry entry themselves, this solution does not ensure absolute security. On the other hand, it is easy to deploy, since the standard corporate operating system image typically already contains a distinctive registry entry, simplifying the roll-out of a remote access system. More robust computer authentication systems generally involve characteristics of the hardware on which the operating system is running.
These characteristics may include the serial numbers of various computer parts, MAC addresses, or even the number and configuration of hardware elements in the system. One of the better-known such systems is employed by Microsoft to enforce copy prevention in Windows XP and later operating systems. The PositivePRO System fully supports both approaches to computer authentication in its product line, and can assist corporate administrators in developing a computer authentication policy if none exists.

System Authentication

Another critical component of authentication is the end user's ability to authenticate the system to which he or she is being connected. System authentication is critical for preventing a "man-in-the-middle" (MITM) attack. An MITM attack is possible whenever the attacker has access to the data stream between the client and the (intended) server. MITM attacks are not limited to break-ins at phone company facilities; WiFi users are vulnerable in both private and public locations. While WiFi encryption may be employed in home and corporate networks, "hotspot" networks at coffee shops, airports, and the like are almost never encrypted in any way, and session hijacking is a real possibility. If a successful MITM attack is mounted, the attacker gains possession of whatever information the end user presented to the system for authentication, potentially allowing the attacker to log into the system again at a later time. In addition, the attacker could capture information transmitted between client and server, leaking potentially sensitive corporate information. The vulnerability extends beyond files and e-mail to any network application the client runs, including increasingly popular voice-over-IP soft phones, instant messenger conversations, and more. To prevent the MITM attack, the server must positively identify itself to the client.
Often, this identification process depends on a secret known only to the server and uses public key cryptography: the server generates a private/public key pair and distributes the public key to client computers. Only the server holds the private key that matches the public key the clients have, so clients can confirm the identity of the server. Traditionally, a public key infrastructure (PKI) approach has been employed to provide system authentication. However, PKI is not without risks. Because PKI delegates the authentication responsibility to a well-known, trusted third party (a certificate authority, or CA), an additional variable comes into play: administrators assume that the CA has positively verified that the organization is what it claims to be in its public key application. Potentially more dangerous is an emerging line of products that enable IT administrators to intercept any SSL transmissions made by corporate computers. By installing a locally generated CA key onto each company-owned computer, IT administrators gain complete access to any SSL transmissions made by the end user, with no warning to the user. Users without such a CA key are prompted with a warning, but users typically click straight through technical-sounding dialog boxes such as a CA alert.

Instead of PKI, systems such as PositivePRO employ a public key cryptography algorithm in a way that gives the company direct control over authentication. In Positive's case, the servers generate private RSA keys that are never released. The corresponding public keys are built directly into the client software. End-to-end security is guaranteed, provided one assumes that the client software is itself trusted. In addition to providing secure remote system authentication, Positive Networks staff can help organizational policy-makers create a software distribution policy that helps ensure the integrity of the client software.
User Authentication

Access to network resources is seldom completely uniform for all members of an organization. Even when uniform access for all users is the norm, IT administrators are frequently required to audit user access. In these contexts, IT administrators need to know, with a high degree of certainty, who is connecting to the network. User authentication addresses this need.

Standard Authentication

The traditional approach to authenticating a user to a system has been a simple username and password. In the PositivePRO system, this is referred to as standard authentication. To use standard authentication, administrators define passwords for end users and distribute the credentials to them for use whenever they connect to the system. The hashed passwords are stored in an authentication database on Positive Networks servers. Although this system can be secure if properly implemented, IT administrators must be wary of pitfalls. First, it is an industry-accepted best practice for end-user passwords to remain unknown to corporate network administrators. This policy discourages administrators from impersonating other corporate users and reinforces the practice of keeping passwords personal and always private. However, as mentioned above, administrators must select initial login passwords for end users. Absent a pre-existing password, any random person could connect to the system for the first time and impersonate the legitimate user. One solution to this problem is the use of one-time, or temporary, passwords: administrators choose (or, more commonly, generate) a password for the user that must be changed at first sign-on. However, this solution creates another problem: how should the end user be informed of the new, temporary password? If an attacker intercepts the password before it is changed, the security of the system is completely invalidated.
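As an added example (not PositivePRO's implementation), a minimal standard-authentication store that keeps only salted hashes, issues an administrator-generated temporary password that must be changed at first sign-on, and applies the kind of password policy discussed under Password Management below (minimum length, character classes, history). The policy values, the PBKDF2 settings and the function names are assumptions; `login` returns "denied", "change-required" or "ok".

```python
import hashlib
import hmac
import os
import secrets
import string

MIN_LENGTH = 12        # assumed policy values, not PositivePRO's defaults
HISTORY_DEPTH = 5


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_violations(candidate, history):
    """Reasons a proposed password is rejected; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(ch in cls for ch in candidate) for cls in classes) < 3:
        problems.append("fewer than three character classes")
    # Password history: re-hash the candidate under each stored salt and compare.
    if any(hmac.compare_digest(hash_password(candidate, s)[1], d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("recently used")
    return problems


class UserRecord:
    def __init__(self):
        self.history = []          # (salt, digest) pairs, newest last
        self.must_change = False   # set when an administrator issues a temporary password


def provision(user):
    """Administrator side: issue a random temporary password, valid only until first sign-on."""
    temp = secrets.token_urlsafe(12)
    user.history = [hash_password(temp)]
    user.must_change = True
    return temp                    # delivered out of band; see the distribution problem above


def login(user, password, new_password=None):
    salt, digest = user.history[-1]
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return "denied"
    if user.must_change:           # temporary password: force a policy-compliant change now
        if new_password is None or policy_violations(new_password, user.history):
            return "change-required"
        user.history.append(hash_password(new_password))
        user.must_change = False
    return "ok"
```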
Positive Networks staff can work with administrators to define an organizational procedure for safe password distribution to end users.

Pass-through Authentication

Although standard authentication can be deployed in a secure fashion, it is not perfect. One issue is that end users are forced to remember yet another password. Password fatigue can lower the overall level of system security, either because users pick weak passwords to aid in remembering them or because a password is reused on more than one system, increasing the likelihood that it will be intercepted. In addition, multiple prompts for different authentication credentials are an inconvenience for end users and administrators alike, and password management policies must be mirrored between systems to maintain consistent security and to prevent extra support calls. Pass-through authentication, in which the authentication information is passed from the PositivePRO system to a designated authentication server inside the corporate network, can solve these problems. PositivePRO integrates easily with most existing authentication infrastructures, including LDAP, RADIUS, Microsoft Active Directory, and even Windows file servers and legacy Windows domain controllers using the NTLM protocol. With pass-through authentication, users simply supply their normal corporate network logon information when connecting. This system has the advantage of passing through the various password policies as well, including password aging, history, and so on.

Two-factor Authentication

Even well-chosen passwords can be captured by attackers in numerous ways. Users sometimes write passwords down and lose the slip of paper, or leave it visibly posted on their computer, or perhaps share their authentication information with a friend or co-worker. The list goes on. What's worse, once an attacker has the user's authentication information, it can be used repeatedly until the original user changes the password.
Two-factor authentication is an effective way to combat these problems. The basic concept is to require both "something you have" and "something you know". The most commonly deployed two-factor authentication scheme is RSA Security's SecurID system. SecurID employs a small key fob (or similar small device) displaying a cryptographically generated number that changes every 60 seconds. During authentication, the user must type in the current value displayed on the key fob, along with a PIN that the user chooses and memorizes. Under this system, if the end user loses the key fob, it is useless to the finder without the PIN, and if the user reveals the PIN to someone else, it remains useless without the key fob. In addition, because the key fob cannot be duplicated, administrators are assured that only a single individual (the designated individual, we hope) is using the authentication credentials at a time. The PositivePRO system supports most two-factor authentication schemes, including SecurID, S/Key, and others. Positive Networks encourages the use of a two-factor authentication scheme for remote access, and Positive's engineers are available to help IT organizations deploy a two-factor system in conjunction with remote access.

Biometric Authentication

Although systems like SecurID are extremely secure, it is nonetheless possible that the token, together with the PIN, could be given (or taken) away. The best way to prevent theft or loss is to deploy a biometric authentication system. Biometric authentication uses a specific physical trait of the individual requesting access, such as fingerprints, retinal scans, voiceprints, or even typing patterns, to provide authentication. These traits cannot be given away or stolen, thus guaranteeing the identity of the user. Biometric authentication can be inconvenient, difficult to deploy, and extremely expensive. However, it is the most robust method of authentication available today.
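An added illustration of the token-plus-PIN scheme described under Two-factor Authentication above (example code, not PositivePRO or RSA SecurID code; SecurID's token algorithm is proprietary, so an HMAC-SHA1 time code with a 60-second step stands in for it). The seed, PIN and timestamps are constructed values, and the server-side check also refuses a code that has already been accepted, which is how the captured-credential replay described above is blocked for the token factor.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the fob's number changes every 60 seconds
CODE_DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock drift either way


def pin_hash(pin):
    """Only a hash of the user's memorised PIN is kept on the server."""
    return hashlib.sha256(pin.encode()).digest()


def token_code(seed, unix_time):
    """Number the fob shows during the 60-second window containing unix_time.
    HMAC-SHA1 over the time step (RFC 6238 style, a stand-in for the real
    SecurID algorithm); the seed is shared only by fob and authentication server."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_login(seed, stored_pin_hash, typed_pin, typed_code, unix_time, used_steps):
    """Both factors must check out: the PIN (something you know) and the current
    fob number (something you have). used_steps records time steps whose code
    was already accepted, so a captured code cannot be replayed."""
    if not hmac.compare_digest(pin_hash(typed_pin), stored_pin_hash):
        return False
    step = unix_time // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate = step + delta
        expected = token_code(seed, candidate * STEP_SECONDS).encode()
        if hmac.compare_digest(expected, typed_code.encode()):
            if candidate in used_steps:
                return False            # replay of an already-used code
            used_steps.add(candidate)
            return True
    return False
```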
Authentication Policies

Authentication technology goes a long way toward making remote access secure, but it can be undermined by poor choices on the part of end users and poor organizational policies on the part of IT departments. Any authentication policy must address human factors.

Password Management

Password management policies have long been part of most corporate network deployments. The policy decisions are similar in a remote access environment, where they are even more important, since administrators have less control over the remote computing environment. For standard password authentication, policies such as minimum length, maximum age, password history, case and alphanumeric requirements, and so on should be used to prevent users from picking obvious or recently used passwords. In general, users should pick difficult passwords that are not dictionary words, never share them, never reuse them, and change them often. Although sometimes difficult to enforce in practice, these practices are nevertheless the basis of a secure password policy. Instead of passwords, some organizations now use passphrases, which are much longer than traditional passwords. More information about the use of passphrases instead of passwords can be found in "The Great Debates: Pass Phrases vs. Passwords." The same considerations apply to the selection of PINs in two-factor authentication systems, although the choices may be more limited (e.g., fixed PIN length, limited character sets). The PositivePRO system supports a wide range of password restrictions for a passphrase policy and allows nearly unlimited password length.

Auditing

The last line of defense against abuses of authentication is a strong auditing policy. The PositivePRO system provides detailed reporting of currently online users, session history, and even a user-supplied connection reason.
Administrators should regularly review these reports, as well as internal resource auditing reports, to ensure that authentication policies are not being abused.

Conclusion

Although often taken for granted, authentication is a central concern in a secure remote access system. Remote access is becoming an organizational imperative, and the trend of aggressive industry growth is unlikely to reverse itself soon. It falls to the IT department to develop a well-considered authentication plan and to implement it, both in technical systems and in organizational policies and procedures.