Firewall Wizards mailing list archives

RE: Hardware tokens for remote access authentication


From: "Woeltje, Don" <DWOELTJE () sebh org>
Date: Fri, 9 Jul 2004 09:00:21 -0500

My experience has been with RSA's SecureID (Security Dynamics ACEServer/SecureID, actually, back then; I still have one 
of those old copies, in the Security Dynamics box), Secure Computing's SafeWord PremierAccess, and (back then) Axent 
Technology's Defender (I don't know if Symantec, which bought up Axent, is still even marketing that product).

Like you, I did not like the ACEServer management product; I found it to be problematic. The system is time 
synchronization based, so if it gets out of synch, you have problems (and I always seemed to have problems with it). 
And, as you already mentioned, the SecureID tokens are sealed units, so once the battery goes dead, you have to replace 
the entire unit. Not exactly conducive to a low TCO.

In my experience, unlike you, I've had a much higher token return rate (from personnel no longer requiring the tokens); 
closer to 85% to 90% (the reason being that if the token is not returned, the individual gets charged for replacement 
cost).

Something that you did not mention, which is pertinent for this person's situation, is that not all VPN solutions 
support the use of extended authentication and among those that do, not all are compatible with all the major 
token-based extended authentication systems. By far and away, the system that has the greatest amount of support is the 
ACEServer/SecureID solution. SecureID has the greatest market share and is supported by more firewalls and VPN 
solutions than any other authentication system. So, obviously, one important factor for Bill is what authentication 
system his existing VPN solution supports for extended authentication.

Unlike you, I, personally, like Secure Computing's PremierAccess solution. It is designed to work well with my firewall 
and VPN solution of choice, in all the time I've used it, it has never once given me problems, and it is available with 
a choice of four different styles of tokens. There are three hardware-based tokens and one software-based token. Among 
the hardware-based tokens you have a non-programmable/non-customizable "sealed unit" keyfob-style token (the SafeWord 
Silver token), a programmable/customizable "sealed unit" keyfob-style token (the SafeWord Gold 3000 token), and a 
programmable/customizable "non-sealed, battery-replaceable unit" credit card-size token (the Platinum token). I've used 
a combination of the Gold 3000 tokens and the Platinum tokens. The Gold 3000 tokens work well for people that might 
have PCs in multiple locations or carry a PC (a laptop) around with them. They can put the token on their keyring and 
it stands up to more abuse. The Platinum token works well for people that will only be accessing systems remotely from 
one PC; that way they can just leave their token at the PC instead of having to carry it around with them. And the 
Platinum tokens can have their batteries replaced and then be reprogrammed.

It takes me about 5 minutes to program a token, however, you can get them pre-programmed, and then all you have to do 
is to import the file that Secure Computing gives you. Or you can purchase their programming "wand" which significantly 
speeds up the programming process. But I prefer to program the tokens manually (which takes about 5 minutes per token).

Best of all, I don't have to be a programmer and "write my own code". If you have users that just don't want to be 
bothered with hardware-based tokens, you can use a software-based one (SofToken). I, personally, don't believe that a 
"cool factor" has any place in business; the solution should be effective, efficient, and as easy to use as is 
possible. Anything beyond that (such as "can I program my Palm Pilot to be a token") is unnecessary, but maybe I'm just 
old fashioned.


-----Original Message-----
From: Marcus J. Ranum [SMTP:mjr () ranum com]
Sent: Thursday, July 08, 2004 10:13 AM
To:   bill.kyle () jhu edu; firewall-wizards () honor icsalabs com
Subject:      Re: [fw-wiz] Hardware tokens for remote access authentication

Bill Kyle wrote:
I am looking for security staff real world experience with a deployment of 
ideally of several hundred users. I would like to know things to help me 
determine the total cost of ownership, e.g., token failure rate, user failure 
rate :) (needing pin reset), server issues, etc.

I ran a bunch of Digital Pathways SNKs back in the day, and SecurIDs,
too. Hopefully SecurID's management software has improved since 1994 -
it must have because they're still in business. The old SNKs are gone,
now, into the mists of time - I used my own server-side code (part of the
firewall toolkit) so I can't comment on the management software.

Management was consistently about 5 minutes to activate a device and 10
to beat "train" the user how to log in with it. I suspect that most systems
will hang around there. The failure rate was about 10%/year (rough guess)
between accidental toilet immersion, folding, and battery death. I liked the
SNK because the battery was replaceable whereas the SecurID unit needed
to be thrown away every year or so (50%/year replacement). Re-keying was
periodically necessary but generally not a big deal. Another factor very
few people take into account is the "return rate" - how many people actually
give their token back when they leave their job or graduate or whatever.
I've found the return rate is about 50%.

Given the cost per unit and the management headache, I'd like to encourage
you to explore a different route I've recommended to a number of people. So
far nobody has done it - I'm not sure WHY because it seems to me to be a
very decent concept. ;)   Go to bizrate and find someone who is selling the
old Palm Pilot organizers CHEAP. Buy cases of them for $50 apiece. Write
a version of the SNK code (take it from fwtk!) or S/key or SDI's algorithm.
If you think for about 1 minute you can figure out how to make your own time-based
token; SDI's patents are on the skew adjustment (and aren't rocket science either)
instead of saving the skew like they do, you can just search around the time
because processors have gotten really fast. ;)   While you're at it, have your
little app provide encrypted storage for user passwords, etc. ;)  AND your users
get free scheduling and you're all using a standard scheduling system. Nifty!
Oddly, my guess is people are much less likely to lose a nice useful PDA
than a silly dongle that only does security. Expect a near zero return rate.
My guess is that you can own your own token architecture AND have
PDAs with PGP, etc, for about $60/user, with better software and support
and a higher cool factor than with the commercial products. Extra credit if
you use SMS phones. ;)

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


