NMAS fell short in the areas of logging--neither we nor Novell could get Novell Advanced Audit Service (NAAS) installed--and of policy implementation, which was more limited than SafeWord's. Yes, with SecureLogin we could create application-based authentication, but that's kludgy because you first need extremely tight desktop-configuration control, then an effective strategy.
NMAS Enterprise Edition installs as an eDirectory and a Client32 component (the Standard Edition ships with eDirectory but lacks third-party method support). NMAS adds several components to the security container, such as Login Methods, which define the products and processes that are available for client login, and Post Login Methods, which define services that occur after login, such as a desktop-locking mechanism. Novell provides the programming interface for vendors to write authentication code for NMAS. In fact, if you have an issue with a third-party method, Novell support will point you to that vendor. We had some trouble getting our Ace/Server working with NMAS, and Novell's support fingered RSA. Turns out we didn't copy the correct sdconf.rec file into eDirectory.
We used SafLink's SafModule biometric software, a SecuGen Corp. fingerprint reader and an Iridian Technologies retina scanner. SafLink provides Novell with the device drivers and NMAS methods. Adding the methods was a simple matter of installation on eDirectory and Client32 and the creation of Login Sequences. A Login Sequence defines the actions a user must take to authenticate to eDirectory. A sequence can consist of a single method, or multiple methods can be combined with a simple Boolean AND or OR, but not both. For example, we created a high-security method and required an Enhanced Password (forcing a complex password) AND a fingerprint scan AND a SecurID token. Satisfactory authentication requires that each method succeed. The methods are presented to the user in the order defined. Because complex Boolean logic cannot be used, the policy definition is limited compared with BioNetrix's. The Login Methods also can define a Login Grade, which can be used for access control in eDirectory.
Next, we assigned Login Methods to users in eDirectory, thus limiting them to specific methods. When users start Client32, they can choose a Login Method from their approved sets or, if they leave the method dialog blank, their default methods will be chosen.
SecureLogin is a client component that can require application-level authentication via scripting. Novell provides several predefined scripts, and custom scripts can be developed in-house and distributed to users via eDirectory. A script defines the actions a user needs to perform prior to running an application. For example, we used a predefined script to force an additional user authentication to a Windows NT shared directory. As an administrator, we modified the script and made it global in eDirectory. When users log in, the script is downloaded to SecureLogin.
Although there are many compelling facets to Novell's solution, we ran into a number of severe problems as well. We couldn't get any logging data from eDirectory. When we tried to install NAAS on eDirectory via remote Console One and on the NetWare server, we were unable to initialize the NAAS database. Novell engineers told us they encountered the same problem in their labs, and now that it has been replicated, they have escalated the fix.
We also found the NMAS Client32 components somewhat unreliable when new client methods were installed. The NMAS installation would become corrupted, requiring a reinstallation of the NMAS client.
Novell Modular Authentication Service (NMAS) 2.0 Enterprise Edition, $49 per user. Novell, (800) 453-1267, (801) 861-7000. http://www.novell.com
BioNetrix Systems Corp. BioNetrix Authentication Suite 4.1
The BioNetrix Authentication Suite is by far the easiest-to-use product we tested. The only footprint is the GINA replacement for Windows. BAS authenticates users and then performs authentication impersonation to end systems on their behalf. As with Secure Computing's PremierAccess, we were able to set up relatively complex policies in BAS, but we couldn't set policies based on time or IP address. For straightforward authentication management in a Windows world, and because the company says it will support single sign-on in the product's next revision, BAS might be a good choice. Unfortunately, support for non-Windows-based operating systems requires professional services, and you need to beware of what we consider a serious flaw: If a user is unknown to BAS, it will not take any action. BAS will inform the GINA agent to authenticate the user through the requested means--this really drove down its Policy Implementation marks. If a user is in the Active Directory, for example, and not in BAS, when that user attempts to log in, BAS will fail to look up the user and will pass him or her back to AD for authentication. That's right: a password policy that doesn't require adherence to a policy. So much for authentication management! BioNetrix claims that this is access control, not authentication. Our claim is that if you are enforcing a policy that all users must authenticate to BAS, it should be enforced. At the very least, the administrator should be able to define what happens with a user who is unknown to BAS.
In addition, no modules are required to be installed on back-end servers, such as Windows NT Primary Domain Controllers, Active Directories or NDS. BioNetrix told us this was driven entirely by its customers' desire not to have agent software running on end production applications and servers. While that means one fewer piece of software that can muck up production systems, it also means that directory synchronization and replication are not possible. We could import users from NT/AD and NDS, but we couldn't export or keep accounts synchronized. So now you have one more user database to deal with.
Users are imported or added to realms. A realm defines an application and the associated users. Because a user can be associated with multiple realms, BAS also has identities, which combine users from multiple realms under one object. Users also can be placed into groups so that their policies can be managed en masse. As with NMAS, authentication methods are added to both BAS and the GINA replacement. Policies allow both simple and complex Boolean construction as well as support for contingent policies based on biometric thresholds, which are unique to BioNetrix. Biometric thresholds define the quality of the biometric that is presented for authentication. Consider it a measure of precision when comparing the biometric data used to enroll the user with the biometric data used to authenticate a user. The more exact the match between the two, the higher the threshold. For example, a threshold of 9 means that the placement of the finger on a fingerprint reader needs to be fairly precise, increasing the odds of false negatives. Conversely, a threshold of 1 means the fingerprint placement need not be as precise, but the chances of a false positive are higher.
Logging is straightforward, and authentication accounting is extremely easy to use. Successful and failed authentications are colored green and red, respectively, and when we drilled down into a failed authentication we were able to see exactly what method failed and its threshold. For anything but biometrics, the threshold is meaningless, but for biometrics, a threshold can mean the difference between a successful and an unsuccessful authentication. For example, if we placed our fingerprint precisely on the SecuGen reader, we could get a threshold of 9 every time. If, however, we placed it askew, the threshold would be lower. But knowing what method failed and why means we could examine our authentication policies and begin to reduce the number of failed authentications.
The biggest caveats we have with BioNetrix are its limited client support (Windows only) and the ability of users to authenticate if they are unknown to BAS. If you're running an all-Windows shop, the first issue is irrelevant. The second problem can be solved via operational procedures, but even with the best intentions, mistakes are made. We would prefer a system that protects against such mistakes.
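To make the policy behaviour discussed above concrete, here is an added Python model (not code from NMAS, BAS or any vendor) of a Login Sequence that combines methods with a single AND or OR, compares biometric scores against a per-method threshold, and, for a user who is unknown to the policy store, either hands the user back the way BAS does or denies outright as we would prefer. The user names, method names and the 1-to-9 score scale are constructed for the illustration.

```python
# Added example: models the login-policy behaviour described in the review.
# Not code from NMAS or BAS; users, method names and the 1-9 score scale are constructed.

# Constructed user store. Each user has one Login Sequence: a single Boolean
# operator ("AND" or "OR", never both) applied to an ordered list of methods,
# plus per-method thresholds for biometric methods.
USERS = {
    "alice": {"sequence": ("AND", ["password", "fingerprint", "token"]),
              "thresholds": {"fingerprint": 7}},
    "bob":   {"sequence": ("OR", ["password", "fingerprint"]),
              "thresholds": {"fingerprint": 5}},
}


def evaluate_sequence(op, methods, outcomes, thresholds):
    """Return (passed, details). outcomes maps method -> score reported by the
    client; non-biometric methods report 1 for success and 0 for failure."""
    details = []
    for method in methods:               # methods are presented in the defined order
        score = outcomes.get(method, 0)  # a method the client never ran counts as failed
        required = thresholds.get(method, 1)
        details.append((method, score, required, score >= required))
    results = [d[3] for d in details]
    if op == "AND":
        passed = all(results)
    elif op == "OR":
        passed = any(results)
    else:
        raise ValueError("only a single AND or OR is supported")
    return passed, details


def authenticate(user, outcomes, users=USERS, fail_open=False):
    """Decide one login attempt. A user absent from the store is the case the
    review criticises: BAS hands such users back to AD (fail_open=True); the
    behaviour we would prefer is to deny them (fail_open=False)."""
    record = users.get(user)
    if record is None:
        return "PASS_THROUGH" if fail_open else "DENY"
    op, methods = record["sequence"]
    passed, _ = evaluate_sequence(op, methods, outcomes, record["thresholds"])
    return "ALLOW" if passed else "DENY"


def failed_methods(user, outcomes, users=USERS):
    """The drill-down described above: which method failed and at what threshold."""
    op, methods = users[user]["sequence"]
    _, details = evaluate_sequence(op, methods, outcomes, users[user]["thresholds"])
    return [(m, score, required) for m, score, required, ok in details if not ok]
```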
BioNetrix Authentication Suite 4.1, starts at $50 per user based on functionality and configuration. BioNetrix Systems Corp., (800) 397-7561, (703) 734-6553. http://www.bionetrix.com
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Mike has also worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.