REVIEW

Desperate Times Call For Desperate Measures

by David Willis

The rules of engagement are changing in the network security war. The enemy is no longer restricted to a few access points around the perimeter of your network. Now he's hiding in the trees, well armed, ready to pick off your corporate data.

It's easier than ever to get into your network. Remote access features are part of the desktop OS. Internet access is everywhere. Often security gets overlooked in the mad rush to make information cheaply available.

Stripped of all of the security jargon, protecting a network is about preventing unauthorized or incorrect use of a system, and determining accountability if this occurs. Without strong user identification, not simply device identification, you don't have real security. Your audit trails are worthless if you can't confirm the identity of the person behind the keyboard.

Token-based security products help you identify a user through two-factor authentication: something the user has (a token card) and something the user knows (a PIN, as well as the usual array of system passwords). When tied closely to good host and operating system audit trails, you can hold people accountable for their actions. In addition to clearly identifying the user, these devices produce a one-time password that foils session replay attempts; the password is verified by a server that knows how to calculate a valid entry.

Security is more than authentication and auditing alone, so these products aren't the total security solution. They don't provide any sort of data confidentiality through encryption. They also don't extend into the authorization area. They rely on hosts and server operating systems to determine what you can do once you're in.

The Winner Is

Security Dynamics Technologies ACE/Server 2.0 takes the Editor's Choice award as the most solid, comprehensive authentication system available.
It is supported by a huge number of perimeter devices, and it is the only product tested that authenticates users to NetWare servers. Enigma Logic SafeWord AS deserves Honorable Mention as the more flexible security platform, allowing you to choose the type of authenticators that match your security needs.

Security Dynamics ACE/Server 2.0 With SecurID

Security Dynamics has a good thing going. It has the least intrusive approach from a user's perspective, and a solid, well-integrated suite of tools for the administrator. Unlike the other products, it offers authentication to a NetWare server, instead of just protecting a network access point. Tokens and servers must be purchased exclusively from Security Dynamics, providing the least "open" security (how's that for a contradiction in terms).

The SecurID system takes a unique approach to generating the one-time password. The token issues a new password every minute, and the authentication server uses the current time to determine acceptable entries. We found the Security Dynamics approach to be superior from the user's perspective, taking only 10 seconds, and without requiring us to move our hands from the computer keyboard to provide input into a separate device.

Unlike the other tokens we tested, the SecurID device has a seed value burned into it at the factory. Having the seed hidden in the card eases the burden of programming tokens, as well as hiding the actual values that an unscrupulous administrator might use. However, some organizations may object to not owning this information themselves.

How It Works

The ACE/Server runs on a Unix host, where the master security database is kept. ACE/Clients run on servers, hosts and access devices, where they hook into the platform security and communicate with the ACE/Server via a DES-encrypted channel over TCP/IP. As with all of the systems we tested, the end client workstations don't have to run any special security software.
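The time-synchronous scheme described above, as an added example. This is not Security Dynamics' code: the real SecurID algorithm is proprietary, so HMAC-SHA1 over the minute counter stands in for it, and the drift window of two minutes either side, the user name, the seed and the PIN are all assumptions. The server rebuilds the code for every minute inside the window, and keeps the codes it has already accepted so that a passcode read off the wire cannot be reused while the window is still open:

```python
"""Time-synchronous one-time passwords with a clock-drift window and a
replay cache.

Added example, not Security Dynamics' code: the real SecurID algorithm is
proprietary, so HMAC-SHA1 over the minute counter stands in for it
(assumption). The seed, PIN and user name are constructed sample values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the card in the review shows a new code every minute
DIGITS = 6          # six-digit tokencode, as entered during the test
DRIFT_STEPS = 2     # accept codes from two minutes either side (assumption)


def tokencode(seed: bytes, now: int) -> str:
    """The code the card would display at Unix time `now`."""
    step = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10**DIGITS).zfill(DIGITS)


class TimeSyncServer:
    """ACE/Server-style verifier. PASSCODE is the user's PIN followed by the
    code on the card. The server recomputes the code for every minute inside
    the drift window, and records which codes it has already accepted so a
    passcode read off the wire cannot be reused while the window is open."""

    def __init__(self):
        self._users = {}     # user -> (seed, pin)
        self._accepted = {}  # user -> {time step: codes accepted at that step}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, pin)
        self._accepted[user] = {}

    def verify(self, user: str, passcode: str, now: int) -> str:
        """Return "ok", "bad pin", "bad code" or "replay"."""
        seed, pin = self._users[user]
        supplied_pin, code = passcode[:len(pin)], passcode[len(pin):]
        if not hmac.compare_digest(supplied_pin, pin):
            return "bad pin"
        step_now = now // STEP_SECONDS
        accepted = self._accepted[user]
        # Forget codes from steps that have dropped out of the window.
        for old in [s for s in accepted if s < step_now - DRIFT_STEPS]:
            del accepted[old]
        for step in range(step_now - DRIFT_STEPS, step_now + DRIFT_STEPS + 1):
            if hmac.compare_digest(code, tokencode(seed, step * STEP_SECONDS)):
                if code in accepted.get(step, set()):
                    return "replay"
                accepted.setdefault(step, set()).add(code)
                return "ok"
        return "bad code"


if __name__ == "__main__":
    seed = b"constructed seed, not a real card"
    server = TimeSyncServer()
    server.enroll("dwillis", seed, "4321")
    now = 1_000_000_000
    passcode = "4321" + tokencode(seed, now)
    print(server.verify("dwillis", passcode, now))       # ok
    print(server.verify("dwillis", passcode, now + 90))  # replay
```

A verifier that only checked the window, without the accepted-code cache, would answer "ok" to the second call as well; that is the replay exposure a time-based scheme carries, and the cache is the cheap fix. Note that the PIN is compared on the server, because in this design the PIN travels over the wire together with the code.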
We were disappointed to find that tighter NetWare NOS integration does not occur, which required special versions of ATTACH and LOGIN to be used for access by users on the authenticated list. Even worse, SDI's replacement utilities, SDATTACH and SDLOGIN, can't be renamed to provide transparent access. If your applications are also smart enough to make direct NetWare API calls, access will always be denied.

When users log into a protected network, they are prompted for a passcode, which is a concatenation of a PIN value (typically assigned by the user) and the code currently displayed on the device. This value is sent in the clear across the communications channel. If the code matches a range of allowable values, the user is authorized to enter the network or host. Because an exact time match can't be guaranteed due to clock drift, a window of three to five minutes may exist where the system is vulnerable to replay attacks: unless the server remembers which codes it has already accepted, a passcode captured from the wire works again for as long as the window lasts. This is the major vulnerability with time-based authentication.

Most administration and auditing functions are executed via the sdadmin program, a Motif- or character-based application. It is easy to import new card records, assign user access to clients and generate audit reports. Because the SecurID database is kept in the Progress DBMS, it's easy to join data from the authentication logs to operating system audit trails to match individuals to activity. Read access to the data is easily obtained, but write capabilities are more restricted than in SafeWord/AS.

Security Dynamics supports a wide variety of popular network perimeter devices. It is the only card vendor with direct support via Oracle Secure Network Services. Even though it is essentially a proprietary set of products, the third-party support for the SecurID system is phenomenal.

Testing, Testing

We tested the ACE/Server 2.0.106 on a SPARCstation 10 running SunOS v5.4. After installing the Progress database, we ran the sdsetup application to set basic server parameters.
sdsetup also imports token (.asc) files, encrypted files that contain the security card serial numbers and seed values.

After installing the ACE/Server, Telnet and FTP access required SecurID authentication. Upon entering a user ID and password, a third prompt for "PASSCODE:" appeared. When we entered our PIN and the current 6-digit value from our SecurID card, we were in as normal.

The ACE/Client for NetWare v1.0 easily installed on our 3.12 server using the configuration file (sdconf.rec) created during the master ACE/Server installation. Information on users and MAC addresses to be challenged is entered via a Windows 3.1 utility.

Enigma Logic SafeWord AS and DES Gold

SafeWord AS is the most open and extensible solution we tested. You're free to use a variety of manufacturers' tokens. The DES Gold cards used in our test could operate in either challenge/response or synchronous mode. And because you can choose the device and authentication mechanism yourself, you're in charge of the level of security.

When using counter-synchronous mode, passwords are issued sequentially from a table. The user doesn't type anything except a PIN into the unit, which saves time compared with Digital Pathways' challenge/response approach. We estimate that counter-synchronous tokens are more secure than SecurID, while remaining about as easy to use. PINs are never entered into the computer's keyboard, so they don't go across the wire either. Additionally, Enigma Logic provides a lot of flexibility in token assignment and configuration.

SafeWord supports many remote access devices that use security protocol standards. It knows about all TACACS variants and is the only product we tested that supports the RADIUS protocol. Source code and/or APIs to port to other client platforms are readily available. The user database may be managed via a commercial database by using an import/export function.
This is much less flexible than ACE/Server's direct database access for audit functions, but more flexible if you're using an outside database engine to manage the user and token database.

The SafeWord AS Server usually resides on a Unix host. A NetWare server option is available, but generally is used to protect access through Novell's NetWare Connect. Agents can reside on other Unix hosts, a VAX or an access server. Agents and servers communicate over an encrypted channel using TCP/IP or IPX.

We installed SafeWord/AS for SunOS on a Sun SPARCstation 10. The idutil application establishes valid users and matches them to a given card. After creating a basic configuration file, we loaded the sasd daemon process, thereby starting the server.

We tested access with an ELI DES Gold card. First we programmed the card via its keypad, choosing synchronous mode, assigning it a PIN and a DES key. We then entered the key value into the user's database record in idutil, and we were ready to go. When using synchronous mode, the token always has a password ready after the user enters a PIN into the card. The user can even skip a few passwords and the server will automatically catch up, up to the point where the probability of breaking security would exceed one in a million (about 16 passwords ahead of the last entered value).

Digital Pathways Defender Security Server with SecureNet Keys

Buried deep under layers of irrelevant software, there may be some good security technology here. We just couldn't find it. Digital Pathways is well known for its secure remote access servers, the Defender 5000 series. It has attempted to adapt the security components to a general perimeter protection mechanism, but the transition is not complete. We wouldn't recommend this product unless you're using a Defender remote access server.

The Defender Security Server resides on a NetWare server, where it supports a challenge-and-response mechanism to authenticate users.
When a user attempts access, the server issues a random challenge value. That value is entered into the SecureNet Key, which responds with the session password. Great security, but at a price: all of this number punching makes it cumbersome to use and adds at least 30 seconds to each authentication.

The SecureNet Keys are programmed by the administrator, who assigns the DES encryption key. Users typically assign their own PIN to the device. Agents running on a protected access point (NT RAS, NetWare Connect, TACACS+ router or DPI's own access servers) request authentication via a TCP/IP or an IPX/SPX connection using a DES-encrypted channel.

Most management functions are provided from WinDMS, a Windows 3.1 network client utility that acts as the security server monitor. While the product appears to have a lot of flexibility, it's practically unusable without spending serious time with it. We found cryptic, undocumented configuration parameters. We found icons that installed themselves into Program Manager that were not meant to be executed. There were many inappropriate references to the Defender products in the programs and documentation. We ended up on the phone with DPI's tech support staff for way too much time.

Once running, the server functioned correctly when tested through an NT RAS server. Random eight-digit challenges issued by the host were keyed into the SecureNet Key device, which gave us another eight-digit number to key back into the computer. Once authenticated through the access server, we were free to access any host on our lab networks. In contrast, SafeWord/AS protects Unix and VMS login, and SecurID protects Unix and NetWare at the host access level.

DPI provides DMS Reports, a tool that does a good job of reporting on authentication history. However, it's hard to join this data with operating system audit logs and match activity to authorizations.
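The two modes a programmable card offers, counter-synchronous (described in the SafeWord section) and challenge/response (the Defender exchange described above), as one added example. This is not Enigma Logic's or Digital Pathways' code: HMAC-SHA1 stands in for the DES computation the DES Gold and SecureNet cards actually perform, the look-ahead of 16 is taken from the SafeWord figure in the text, the eight-digit values from the Defender test, and the key, PIN and user name are constructed:

```python
"""A programmable token in its two modes, counter-synchronous and
challenge/response, with the server-side check for each.

Added example, not Enigma Logic's or Digital Pathways' code. HMAC-SHA1 stands
in for the DES computation the DES Gold and SecureNet cards perform
(assumption); the key, PIN and user name are constructed sample values.
"""
import hashlib
import hmac
import secrets
import struct

DIGITS = 8        # eight-digit challenges and responses, as in the Defender test
LOOKAHEAD = 16    # how far past the last accepted counter the server will resync


def keyed_digits(key: bytes, data: bytes) -> str:
    """Derive a DIGITS-long decimal code from the card key and some input."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10**DIGITS).zfill(DIGITS)


class Token:
    """The hand-held card. The PIN is keyed into the card itself, so it never
    touches the workstation keyboard or the wire."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self._counter = 0        # counter-synchronous mode: next table entry

    def next_password(self, pin: str) -> str:
        """Counter-synchronous mode: each press yields the next password."""
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        password = keyed_digits(self._key, b"ctr" + struct.pack(">Q", self._counter))
        self._counter += 1
        return password

    def respond(self, pin: str, challenge: str) -> str:
        """Challenge/response mode: the user keys the server's challenge in."""
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        return keyed_digits(self._key, b"chal" + challenge.encode())


class AuthServer:
    """Holds the key programmed into each user's card, the next counter it
    expects, and any challenge still waiting for an answer."""

    def __init__(self):
        self._keys = {}
        self._next_counter = {}
        self._pending = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key
        self._next_counter[user] = 0

    def check_sync(self, user: str, password: str) -> bool:
        """Accept the password if it is one of the next LOOKAHEAD table entries,
        then move the counter past it so the same password cannot be reused.
        A password more than LOOKAHEAD entries ahead is refused and the card
        has to be resynchronised by the administrator."""
        key, start = self._keys[user], self._next_counter[user]
        for counter in range(start, start + LOOKAHEAD):
            expected = keyed_digits(key, b"ctr" + struct.pack(">Q", counter))
            if hmac.compare_digest(password, expected):
                self._next_counter[user] = counter + 1
                return True
        return False

    def challenge(self, user: str) -> str:
        """Issue a fresh random challenge and remember it for one attempt."""
        value = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending[user] = value
        return value

    def check_response(self, user: str, response: str) -> bool:
        """Verify the card's answer to the outstanding challenge. The challenge
        is consumed either way, so a sniffed response cannot be replayed."""
        value = self._pending.pop(user, None)
        if value is None:
            return False
        expected = keyed_digits(self._keys[user], b"chal" + value.encode())
        return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    key = b"constructed card key, not a real one"
    card, server = Token(key, "2468"), AuthServer()
    server.enroll("dwillis", key)
    print(server.check_sync("dwillis", card.next_password("2468")))          # True
    chal = server.challenge("dwillis")
    print(server.check_response("dwillis", card.respond("2468", chal)))     # True
```

In counter mode, advancing the server's counter past an accepted value is what makes each password single-use; the look-ahead that lets the server resync after the user skips a few values also multiplies a guesser's odds by 16, which is why the text puts a bound on it. In challenge/response mode the PIN never leaves the card's keypad, and each challenge is discarded after one attempt, so a response captured on the wire is useless.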
From the WinDMS application, we assigned server and agent configuration parameters, created users, assigned users to cards and programmed a DES seed value into the cards using a serially attached cable.

David Willis can be reached at dwillis@nwc.com.

Getting Soft On Token-Based Security

Because hand-held devices are costly to maintain and cumbersome to use, many token vendors are implementing token generators in software. After the user supplies his or her PIN, the software responds to the host's challenge automatically. This approach simplifies things from the user's perspective, but compromises security.

First, making the transaction automatic reduces the user's PIN to being a fixed password, invalidating two-factor authentication and the one-time password approach. If we have the user's computer and PIN, we can easily assume the user's identity. With hand-held or hardware tokens, you must have the device, the user's PIN and a computer with network access to get in.

Second, PINs can be easily captured via software layers hiding in Windows and DOS. This is true in all but the most tightly controlled installations. With most hardware tokens, the PIN never hits a computer keyboard.

Lastly, if a hacker has the software, he or she can pick apart the underlying algorithm. Hardware devices are nearly impossible to reverse engineer.

The bottom line is that software-based tokens may be attractive, but they can't provide the security of a hand-held device. If security is a prime concern for your organization, hardware-based solutions are tougher to crack.

February 27, 1996