Firewall Wizards mailing list archives
RE: Hardware tokens for remote access authentication
From: "Woeltje, Don" <DWOELTJE () sebh org>
Date: Fri, 9 Jul 2004 09:00:21 -0500
My experience has been with RSA's SecureID (Security Dynamics ACEServer/SecureID, actually, back then; I still have one of those old copies, in the Security Dynamics box), Secure Computing's SafeWord PremierAccess, and (back then) Axent Technology's Defender (I don't know if Symantec, which bought up Axent, is still even marketing that product). Like you, I did not like the ACEServer management product; I found it to be problematic. The system is time synchronization based, so if it gets out of synch, you have problems (and I always seemed to have problems with it). And, as you already mentioned, the SecureID tokens are sealed units, so once the battery goes dead, you have to replace the entire unit. Not exactly conducive to a low TCO. In my experience, unlike you, I've had a much higher token return rate (from personnel no longer requiring the tokens); closer to 85% to 90% (the reason being that if the token is not returned, the individual gets charged for replacement cost).

Something that you did not mention, which is pertinent for this person's situation, is that not all VPN solutions support the use of extended authentication and, among those that do, not all are compatible with all the major token-based extended authentication systems. By far and away, the system that has the greatest amount of support is the ACEServer/SecureID solution. SecureID has the greatest market share and is supported by more firewalls and VPN solutions than any other authentication system. So, obviously, one important factor for Bill is what authentication system his existing VPN solution supports for extended authentication.

Unlike you, I, personally, like Secure Computing's PremierAccess solution. It is designed to work well with my firewall and VPN solution of choice, in all the time I've used it, it has never once given me problems, and it is available with a choice of four different styles of tokens. There are three hardware-based tokens and one software-based token.
Among the hardware-based tokens you have a non-programmable/non-customizable "sealed unit" keyfob-style token (the SafeWord Silver token), a programmable/customizable "sealed unit" keyfob-style token (the SafeWord Gold 3000 token), and a programmable/customizable "non-sealed, battery-replaceable unit" credit card-size token (the Platinum token). I've used a combination of the Gold 3000 tokens and the Platinum tokens. The Gold 3000 tokens work well for people that might have PCs in multiple locations or carry a PC (a laptop) around with them. They can put the token on their keyring and it stands up to more abuse. The Platinum token works well for people that will only be accessing systems remotely from one PC; that way they can just leave their token at the PC instead of having to carry it around with them. And the Platinum tokens can have their batteries replaced and then be reprogrammed. It takes me about 5 minutes to program a token; however, you can get them pre-programmed, and then all you have to do is to import the file that Secure Computing gives you. Or you can purchase their programming "wand", which significantly speeds up the programming process. But I prefer to program the tokens manually (which takes about 5 minutes per token). Best of all, I don't have to be a programmer and "write my own code".

If you have users that just don't want to be bothered with hardware-based tokens, you can use a software-based one (SofToken). I, personally, don't believe that a "cool factor" has any place in business; the solution should be effective, efficient, and as easy to use as is possible. Anything beyond that (such as "can I program my Palm Pilot to be a token") is unnecessary, but maybe I'm just old fashioned.
-----Original Message-----
From: Marcus J. Ranum [SMTP:mjr () ranum com]
Sent: Thursday, July 08, 2004 10:13 AM
To: bill.kyle () jhu edu; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Hardware tokens for remote access authentication

Bill Kyle wrote:
> I am looking for security staff real world experience with a deployment of ideally of several hundred users. I would like to know things to help me determine the total cost of ownership, e.g., token failure rate, user failure rate :) (needing pin reset), server issues, etc.

I ran a bunch of Digital Pathways SNKs back in the day, and SecurIDs, too. Hopefully SecurID's management software has improved since 1994 - it must have because they're still in business. The old SNKs are gone, now, into the mists of time - I used my own server-side code (part of the firewall toolkit) so I can't comment on the management software.

Management was consistently about 5 minutes to activate a device and 10 to beat "train" the user how to log in with it. I suspect that most systems will hang around there. The failure rate was about 10%/year (rough guess) between accidental toilet immersion, folding, and battery death. I liked the SNK because the battery was replaceable whereas the SecurID unit needed to be thrown away every year or so (50%/year replacement). Re-keying was periodically necessary but generally not a big deal.

Another factor very few people take into account is the "return rate" - how many people actually give their token back when they leave their job or graduate or whatever. I've found the return rate is about 50%.

Given the cost per unit and the management headache, I'd like to encourage you to explore a different route I've recommended to a number of people. So far nobody has done it - I'm not sure WHY because it seems to me to be a very decent concept. ;) Go to bizrate and find someone who is selling the old Palm Pilot organizers CHEAP. Buy cases of them for $50 apiece.

Write a version of the SNK code (take it from fwtk!) or S/key or SDI's algorithm. If you think for about 1 minute you can figure out how to make your own time-based token; SDI's patents are on the skew adjustment (and aren't rocket science either) - instead of saving the skew like they do, you can just search around the time because processors have gotten really fast. ;) While you're at it, have your little app provide encrypted storage for user passwords, etc. ;) AND your users get free scheduling and you're all using a standard scheduling system. Nifty!

Oddly, my guess is people are much less likely to lose a nice useful PDA than a silly dongle that only does security. Expect a near zero return rate. My guess is that you can own your own token architecture AND have PDAs with PGP, etc, for about $60/user, with better software and support and a higher cool factor than with the commercial products. Extra credit if you use SMS phones. ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
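The "search around the time" verification Marcus describes, as an added example that is not from the thread or from any vendor's product: a TOTP-style code (HMAC over a time-step counter, assumed here as a stand-in for the SNK/SDI algorithms) is checked against a window of steps around server time, and the last accepted step is recorded so a code that was already used cannot be replayed, which is the check a skew-search verifier needs alongside the window. The 60-second step, 6-digit code and 3-step window are assumptions, and the seed and timestamp are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per time step; the token shows a new code each step (assumed)
DIGITS = 6     # code length displayed on the token (assumed)
WINDOW = 3     # accept codes up to +/- 3 steps away from server time (assumed)


def token_code(secret: bytes, counter: int) -> str:
    """Code the token displays for one time step: HMAC-SHA1 over the step
    counter, dynamically truncated to DIGITS digits. This is the TOTP
    (RFC 6238) construction, used here in place of the SNK/SDI algorithms."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(secret: bytes, code: str, now: int, state: dict, window: int = WINDOW):
    """Server side: rather than storing a per-token skew, try every step in
    [-window, +window] around server time, nearest step first. Returns the
    matching offset in steps, or None. `state` keeps the last accepted step
    so the same code, or any older one, is refused on a second attempt."""
    base = now // STEP
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = base + delta
        if counter <= state.get("last_counter", -1):
            continue                        # step already consumed: replay attempt
        if hmac.compare_digest(token_code(secret, counter), code):
            state["last_counter"] = counter
            state["observed_skew"] = delta  # worth logging: drift near the window edge means resync soon
            return delta
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-seed-not-a-real-token"   # constructed sample seed
    now = 1_089_381_621                                   # fixed server time (constructed)
    state = {}
    fast_token = token_code(secret, now // STEP + 2)      # token clock two minutes ahead
    print("accepted at skew:", verify(secret, fast_token, now, state))  # 2
    print("replay rejected:", verify(secret, fast_token, now, state))   # None
    print("too far off:", verify(secret, token_code(secret, now // STEP + 5), now, {}))  # None
```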