Why and how to implement SecurID Authentication

A primer for one form of second-factor identification

Authenticating users who log onto your network by account name and password only is the simplest and cheapest (and thus still the most popular) means of authentication. However, companies are recognizing the weaknesses of this method. Passwords can be guessed or cracked using dictionary attacks or more sophisticated methods such as rainbow tables, or users can be coerced, charmed or tricked into revealing their passwords to others. These latter techniques, called social engineering, have become a growing problem for companies of all sizes.

One way to thwart social engineers and reduce other risks associated with passwords is to implement some form of two-factor authentication. If users are required to not only type in a password or PIN but also provide something additional – whether a card, token, fingerprint, iris scan or other factor – simply obtaining a password won’t be enough to get the cracker or social engineer into the network.

There are two basic categories of “second factors” that you can implement: devices users carry with them, or biometric characteristics. In this article, we’ll look at how to implement a particular form of the first category, SecurID cards and tokens from RSA.

Advantages of authentication devices

Authentication devices, or authenticators, come in several forms:

  • Credit card-size smart cards on which a user’s digital credentials are stored.
  • Hardware tokens resembling thumb drives that can be carried on a keychain and plugged into a computer via its USB port.
  • Software tokens (digital credentials) that can be stored on a portable device such as a smart phone, BlackBerry or handheld computer/PDA.

Each has advantages and disadvantages. Smart cards can be carried in a wallet, but with the number of ID cards, credit cards, insurance cards, ATM cards and membership cards that some of us need to carry these days, our wallets may be filled to overflowing. Tokens are easy to carry in a pocket or on a keychain, but may also be more easily lost and for many of us, our key rings are just as full as our wallets. For those who already carry smart phones or PDAs, the most convenient solution may be to store authentication credentials on the device – but failure of the portable device (or even a dead battery) could render those users unable to log onto the network.

Cost factors may also vary. To use smart card authentication, you’ll need to install smart card readers on the systems where users log on, as well as purchasing the cards themselves. Tokens may be more cost-effective, because they connect directly to the USB port; however, older systems may not have USB ports, or you may wish to disable USB for security reasons, to prevent users from attaching other USB devices. Smart phones and PDA devices, of course, are much more costly than cards and readers or tokens, but if the users already carry them anyway, this can be the most cost-effective (as well as the most convenient) way to deploy two-factor authentication.

RSA SecurID: How it Works

Well-known security company RSA (named after the popular Rivest Shamir Adleman public key encryption algorithm on which it held the patents) provides SecurID authenticators in all three form factors. Here’s how it works:

  1. The SecurID authenticator has a unique key (symmetric or “secret” key).
  2. The key is combined with an algorithm that generates a code. A new code is generated every 60 seconds.
  3. The user combines the code with his personal identification number (PIN), which only he knows, to log on.
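
As an added illustration (not RSA's code, and not the proprietary SecurID algorithm), the following Python models the three steps above with the standard HMAC-based time-step construction: a shared secret, a 60-second counter, and a passcode formed from PIN plus tokencode. The server side adds clock-drift tolerance and replay rejection, which the article does not describe; the sample seed, the PIN and all function names are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed; NOT a real SecurID token seed (hypothetical value).
TOKEN_SECRET = b"example-shared-seed-0123456789"
STEP_SECONDS = 60   # the article: a new code every 60 seconds
CODE_DIGITS = 6

def time_counter(unix_time, step=STEP_SECONDS):
    """Number of whole 60-second windows elapsed since the Unix epoch."""
    return unix_time // step

def tokencode(secret, counter, digits=CODE_DIGITS):
    """Derive a numeric code from the shared secret and the time window.
    HMAC-SHA1 with dynamic truncation (the RFC 4226/6238 construction)
    stands in here for RSA's proprietary SecurID algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def build_passcode(pin, secret, unix_time):
    """User side: PIN (something you know) + tokencode (something you have)."""
    return pin + tokencode(secret, time_counter(unix_time))

class Verifier:
    """Server side: checks PIN and tokencode, tolerates +/-1 window of clock
    drift, and never accepts the same (or an older) window twice."""
    def __init__(self, secret, pin, drift_steps=1):
        self.secret, self.pin, self.drift = secret, pin, drift_steps
        self.last_accepted = -1   # highest window already used for a login

    def verify(self, passcode, unix_time):
        if len(passcode) != len(self.pin) + CODE_DIGITS:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):   # constant-time compare
            return False
        now = time_counter(unix_time)
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_accepted:
                continue   # replay of an already-used window is refused
            if hmac.compare_digest(code, tokencode(self.secret, counter)):
                self.last_accepted = counter
                return True
        return False

if __name__ == "__main__":
    t = int(time.time())
    pc = build_passcode("4711", TOKEN_SECRET, t)
    print("passcode:", pc, "accepted:", Verifier(TOKEN_SECRET, "4711").verify(pc, t))
```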

Components of the SecurID system include:

  • The authenticators
  • Authentication Manager software that is installed on a server or appliance and includes the database, administration and reporting tools
  • Authentication Agent software that’s embedded into remote access servers, firewalls, VPNs, Web servers and other resources you want to protect, to intercept access requests and redirect them to the Authentication Manager
  • RSA Card Manager software can be used to provision smart cards individually or in batches and large volumes, and supports self-service requests so users can unlock cards, renew certificates and request temporary credentials if cards are lost

According to RSA, there are over 200 products such as firewalls, VPN gateways, wireless access points, remote access servers and Web servers that support SecurID “out of the box.” Small-to-medium-size companies can buy a SecurID appliance with the Authentication Manager software preloaded that supports from 10 to 250 users. Authentication agents are available for:

  • Microsoft Windows
  • Internet Information Services (IIS)
  • UNIX/Linux
  • Apache web server
  • Sun Java
  • Matrix
  • Novell Modular Authentication Service (NMAS)

SecurID in the Enterprise

At the enterprise level, single sign-on is a big issue because users often must manage and remember multiple passwords. This creates frustration and can become a security issue as users resort to writing down passwords in order to remember them all.

RSA’s Sign-On Manager is identity management software that provides for single sign-on so that enterprise users can access multiple applications without having to log on again, and integrates with SecurID smart cards and tokens. It also includes technology that allows users to reset their Windows logon passwords. Sign-On Manager can run on Windows 2000 and XP clients and the server component runs on Windows Server 2003 with SP1. The server requires a connection to Active Directory/ADAM, Novell eDirectory, or Sun Java System Directory Server.

Implementing SecurID with ISA Server 2004

ISA Server 2004 supports native SecurID application programming interfaces, and you can install the RSA Authentication Agent software to add support for RSA EAP authentication. You need to have ISA Service Pack 1 installed.

Steps for implementing SecurID to protect a web site published through the ISA Server include the following:

  1. Add an agent host record to the RSA Authentication Manager to identify the ISA Server in the Authentication Manager database. This allows the ISA server to communicate with the Authentication Manager software. Configure the ISA server as a Net OS Agent and include the following information in the agent host record: host name, IP addresses for all NICs, RADIUS secret if you’re using RADIUS authentication.
  2. Configure the ISA Server 2004 web listeners. This consists of the following sub-steps:

    - First verify that the ISA Server and the Authentication Manager server or appliance can communicate, using the RSA Test Authentication Utility in the Tools folder on the ISA Server installation CD. Copy the utility to the ISA Server Program folder.

    - Copy the sdconf.rec file from the Authentication Manager server to the System32 folder on the ISA Server.

    - Run the sdtest.exe tool by entering the following at the command prompt: %Path to ISA installation directory%\sdtest.exe
  3. In the ISA Server MMC, enable the SecurID web filter by following these sub-steps:

    - Under the node for your ISA Server, right click Firewall Policy and select Edit System Policy.

    - In the System Policy Editor’s left Configuration Groups pane, under the Authentication Services folder, click RSA SecurID, and check the Enable checkbox on the General tab. Click OK to save the change.

    - Don’t forget to click the Apply button on the ISA dashboard to apply the change to the firewall configuration. You’ll also need to restart the ISA Server computer.
  4. Configure a Web publishing rule for RSA SecurID authentication by performing these sub-steps:

    - In the ISA MMC, click Firewall Policy and on the Task List pane, click Create New Server Publishing Rule.

    - Type a name for the rule.

    - On the Select Rule Action page, click the Allow option button.

    - On the Select Web Site to Publish page, type the computer name or IP address and the folder you want to publish.

    - On the Select Public Domain Name page, type the public domain name or IP address for the Web site you’re publishing.
  5. Select a Web listener to host the web traffic by following these sub-steps:

    - On the Select Web Listener page, click the Edit button.

    - Click the Networks tab, and check the boxes for the networks to which you want the Web listener to bind.

    - Click the Preferences tab, and click the Authentication button.

    - On the Authentication page, check the SecurID checkbox from the list of authentication methods. Check the box that says Ask Unauthenticated Users for Identification. Click OK to apply the changes.
  6. In the web publishing rule wizard, SecurID should now show up in the Listener Properties list.
  7. Add “All Users” to the rule’s user sets, so the firewall will apply the rule to all users who try to access this web resource.
  8. Click Finish to save the new rule and again, remember to click the Apply button on the dashboard to save the new rule to the firewall configuration.

In summary

You can use RSA’s SecurID technology to reduce the risk of network security breaches that result from password cracking and social engineering by requiring two-factor authentication for Windows logon, access to Web resources through the firewall, VPN logon, etc. With its well-established reputation and widespread interoperability, RSA smart card or token authentication offers one of the best options for implementing multifactor authentication on your network.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to over 20 additional books.

Copyright © 2006 IDG Communications, Inc.