Flexible Defense for Uncertain Times

January 2002
By Henry S. Kenyon

Access control program manages user authorization, authentication on multiple platforms.

A software-based access control system offers administrators and planners a secure option for wireless and online communications. Capable of working with legacy technologies, the scalable program forms a layered defense against unauthorized entry or use of network components.

As the boundary between the wired and wireless worlds continues to blur, the need for tools that operate in both areas grows, experts say. The increase of wireless communications and Internet access in advanced government and civilian applications opens the door for these tools. Because security is a chief concern for any network, protecting the connections between the online and wireless worlds—from servers to handheld devices—becomes paramount.

One example of flexible security software is SafeWord PremierAccess, developed by Secure Computing Corporation, San José, California. Although primarily designed for an online environment, the authorization system can be modified to operate on wireless networks. According to Secure Computing Product Marketing Manager William Leichter, the program is based on the company’s SafeWord family of authentication and authorization products.

SafeWord PremierAccess differs in several ways from the original program, Leichter explains. The new system is Web-access capable, provides brokered authentication to external systems and features Web-enrollment capabilities and public key infrastructure (PKI) support. He notes that Secure Computing’s Web applications always have been PKI-enabled, and the firm is developing software certificates to install on cellular telephones and wireless devices.

Although many wireless devices can identify themselves when receiving or sending messages, they still face authentication and authorization issues similar to online systems. Security continues to be a pressing concern for large organizations because their networks have multiple access points such as dial-up modems, wireless devices, virtual private networks (VPNs) and Web-enabled applications. While individually these tools may be secure and manageable, they become difficult to manage when combined in a complex network. Many systems have failed or fallen short because their designers did not anticipate the details of servicing a large number of users, Leichter observes.

Secure Computing has experience with deploying products to customers with a large user base. For example, the company has financial industry customers that use between 100,000 and 500,000 hardware and software tokens for employee access.

SafeWord begins with authentication, which is its key function and consists of passwords, tokens, software certificates on Web browsers, smart cards, wireless devices or biometrics. Authorization determines the areas a person can visit when entering the system. For example, a firm with a VPN link to a partner company may restrict visitor access to specific sites on the network. “Obviously, it’s not just who you are, but where you could go,” Leichter says.

New wireless devices with Web applications such as mini-browsers have the same type of security requirements as online systems, Leichter observes. “All of our Web items can work the same way if you’re running a soft token on a [cellular] telephone, or if your telephone identifies itself using our system. So while it’s a different technology and platform, the approach is not that different. The devil is in the details, and we are aware of that and working on it,” he says.

Multiple legacy authentication systems present another complication because it is often impractical to move all the data residing in them. SafeWord features an authentication broker that allows users to access these outside systems and directories, and administrators can set access limits on what can be visited. “Maybe you have another authentication system already in place and you want to call that system and let it do the work,” he says.

Leichter notes that the fastest growing segment of the software security industry is authentication technologies such as VPNs, Web-enabled applications and direct authentication to the Web. This trend also is reflected in the wireless world. Some security solutions for wireless local area networks (LANs) use VPNs. However, while VPNs offer a secure communications pipeline, it is equally important to determine who has access to that information, he adds.

Secure Computing’s largest wireless project is with a major U.S. aircraft manufacturer that is deploying a wireless LAN in its assembly plants. The firm already uses more than 100,000 tokens and employs SafeWord to provide added layers of security for its wireless network. Because the company encountered difficulty with wireless application and LAN vendors, it now requires compatibility with strong authentication systems, Leichter explains.

This approach fits into Secure Computing’s overall wireless strategy to provide authorization support at the points wireless communications connect to an organization’s intranet or the Internet. This is already underway in the aerospace firm’s wireless LAN project, an effort requiring thousands of wireless users to access the network through the SafeWord authentication front end while the system also manages the company’s online users.

The software relies on a number of elements such as role-based authorization for security. Leichter notes that employees have many jobs and titles that often overlap. Role-based authorization allows administrators to assign access based on an individual’s title and responsibilities. An access control list (ACL) system within SafeWord acts like a bulletin board, allowing administrators to post access rules for particular user roles. Multiple ACLs can exist, providing greater flexibility in determining employee access to the company network. Rules also can be written to grant or deny access to certain Internet protocol addresses from specific on- or off-site terminals. For example, a company may employ three different teams of outside contractors. Diverse rules can be set up to apply to each of them.

According to Patrick Prue, network services manager at Fantom Technologies, Welland, Canada, the program’s great advantage is that it combines several applications into one package. The company participated in the beta test of SafeWord PremierAccess. Prior to this, multiple authentication and authorization products had to be individually integrated into the company network. He notes that Fantom uses the software to control access to its supply chain extranet. Role-based authorization allows customers to display their own Web pages on the company network, but this is the only access they have, Prue says.

Another feature allows clients to set authenticator strength to vary security requirements for different parts of their networks. “I may allow you to go to certain Web pages with just a password, or you can access them from home or the airport. Then I may say that certain other pages need a token or must be accessed from your desk or that you do not have that role,” Leichter says. Additional security features such as Web access session logging and encrypted cookies have been added to enhance the program. The cookies are bound to a session, which allows administrators to log session activity and to revoke individual sessions.
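The role-based rules and authenticator-strength checks described above can be modelled as a small policy evaluator. The following is an added illustration written for this article, not Secure Computing's code; the role names, resources, strength ordering and the on-site network are constructed assumptions.

```python
# Illustrative role-based access-control evaluator (not SafeWord's implementation).
# Each ACL is an ordered list of rules; a rule names the roles it applies to, the
# resource prefix it covers, an optional minimum authenticator strength and an
# optional on-site requirement. The first matching rule decides; no match = deny.
import ipaddress

# Assumed authenticator strength ordering, weakest to strongest.
STRENGTH = {"password": 1, "soft_token": 2, "hardware_token": 3, "smart_card": 4}

# Constructed corporate network; anything else is off-site (home, airport).
ON_SITE = [ipaddress.ip_network("10.0.0.0/8")]

def is_on_site(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ON_SITE)

# Constructed rules: a contractor team sees only its own portal, payroll needs a
# hardware token from an on-site terminal, the intranet needs only a password.
ACLS = {
    "contractors": [
        {"roles": {"contractor_a"}, "resource": "/portal/a", "effect": "allow",
         "min_strength": "password"},
        {"roles": {"contractor_a", "contractor_b"}, "resource": "/intranet",
         "effect": "deny"},
    ],
    "employees": [
        {"roles": {"finance"}, "resource": "/payroll", "effect": "allow",
         "min_strength": "hardware_token", "on_site_only": True},
        {"roles": {"employee", "finance"}, "resource": "/intranet",
         "effect": "allow", "min_strength": "password"},
    ],
}

def evaluate(user_roles, resource, authenticator, src_ip):
    """Return (decision, reason); ACLs are consulted in order, rules in order."""
    for acl_name, rules in ACLS.items():
        for rule in rules:
            if not (user_roles & rule["roles"]) or not resource.startswith(rule["resource"]):
                continue
            if rule["effect"] == "deny":
                return "deny", f"{acl_name}: explicit deny"
            need = STRENGTH[rule.get("min_strength", "password")]
            if STRENGTH[authenticator] < need:
                return "deny", f"{acl_name}: authenticator too weak"
            if rule.get("on_site_only") and not is_on_site(src_ip):
                return "deny", f"{acl_name}: on-site terminal required"
            return "allow", f"{acl_name}: matched {rule['resource']}"
    return "deny", "no matching rule (default deny)"
```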

SafeWord PremierAccess also uses a new technology called a universal Web agent, which differs from similar programs because it does not couple into other software. Leichter explains that maintenance problems are associated with agents because they quickly can get out of sync with the host program. This is a problem for both vendors and customers, especially if they operate multiple Web servers and applications. Secure Computing decoupled the agent from the program and the Web server. Instead, the agent resides within the operating system as a proxy and intercepts hypertext transfer protocol (HTTP) and trusted third-party traffic for authentication purposes. This allows SafeWord to protect any Web server and application on a particular computer, he says.

Because Web servers often reside on different platforms, agents and other software must be in every box—a huge problem in very large organizations. The software and its associated tools can be managed and controlled remotely from a central server. Any Web application can now be integrated by custom authentication calls from Secure Computing’s system because other tools can plug into and communicate with the main administrative system.

SafeWord’s authentication is event-synchronous. This is a very different technology from time-synchronous systems, and it has a number of advantages, Leichter says. Time-synchronous systems have limited periods for password entry, which creates difficulties if the validity window expires before a user can log in. Computer clocks also drift, and administrators must keep expanding the windows to compensate for being out of synchronization. Secure Computing’s system resynchronizes automatically, making it easier for users to enter randomly generated token passwords, he says.
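To make the event-synchronous contrast concrete, here is an added example (not SafeWord's actual algorithm) using the standard HOTP construction from RFC 4226: the server keeps a per-token counter, searches a bounded look-ahead window when the token has advanced without the server seeing it, and jumps its counter forward on a match. The secret key is the RFC 4226 test-vector value, used here only as a constructed sample; the verifier class and look-ahead size are assumptions.

```python
# Illustrative event-synchronous OTP verifier with automatic resynchronisation.
# Not Secure Computing's code; uses the public HOTP algorithm (RFC 4226).
# A code is valid only for a counter at or beyond the server's expected value, so
# a code that was already consumed is rejected rather than accepted twice.
import hmac
import hashlib
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to the requested digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class EventSyncVerifier:
    """Server-side state for one token: the next counter value it expects."""

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key = key
        self.counter = 0
        self.look_ahead = look_ahead   # how far ahead the token may have drifted

    def verify(self, submitted: str) -> bool:
        """Accept a code anywhere in the look-ahead window; on success move the
        expected counter past the matched value (this is the resynchronisation)."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), submitted):
                self.counter = c + 1
                return True
        return False

# Constructed sample secret (the RFC 4226 test-vector key); the token side is
# modelled simply by calling hotp() with the counter the device would hold.
SAMPLE_KEY = b"12345678901234567890"

def demo():
    """Returns (in_sync_ok, skipped_codes_ok, replay_rejected, beyond_window_rejected)."""
    v = EventSyncVerifier(SAMPLE_KEY, look_ahead=10)
    in_sync = v.verify(hotp(SAMPLE_KEY, 0))      # token and server agree
    skipped = v.verify(hotp(SAMPLE_KEY, 4))      # user generated codes 1-3 unused
    replay = v.verify(hotp(SAMPLE_KEY, 4))       # the same code submitted again
    far = v.verify(hotp(SAMPLE_KEY, 5 + 10))     # outside the look-ahead window
    return in_sync, skipped, not replay, not far
```

A time-synchronous scheme would instead derive the counter from the clock and widen the accepted window as clocks drift; here the window only ever moves forward with successful logins.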

The product also features a certificate authority that provides an embedded PKI capability. Leichter notes that Secure Computing can support all current smart cards and provide all of the standards-based cryptography. “If you plug in a smart card, we’ll generate the public key and handshake, and with that, create the certificate,” he says. PKI development, use and implementation are stronger in the government sector than in the commercial world, he adds.

SafeWord also features an embedded Web server. The enrollment center allows an administrator to add new users and assign tokens immediately. The system has a reservation feature that allows the definition of user groups, their roles and the rules applicable to them and their authenticators. Leichter notes that it bypasses a number of steps in deployment.

Secure Computing also is partnering with cellular telephone companies such as Sweden’s Ericsson by providing embedded token technology for the telephones and other wireless Internet devices. Access control systems for commercial wireless devices are very successful in Scandinavia and Japan, Leichter observes. These two regions have more advanced wireless technology than the United States and share many similar approaches to authorization technologies for wireless devices. He notes that people in Scandinavia and Japan are more nervous about giving out their credit card numbers online or via telephone and are also less likely to shop online. However, the dynamic password concept is accepted and understood in those markets.

Secure Computing’s Soft Token technology is used in Japan for password services. For example, a person wishing to get a password dials a number, and a code is sent back. Another variant allows users to visit a Web site. Once they identify themselves, their Web-capable cellular telephone is called with a text message containing the pass code. “There are a lot of things there that basically take existing technology but use it in clever ways with wireless,” he says.

Additional information on Secure Computing is available on the World Wide Web at http://www.securecomputing.com.
