RSA Authentication Manager


TECHNOLOGY BACKGROUNDER

The Power Behind RSA SecurID Two-factor User Authentication: RSA Authentication Manager

Information security is a necessary underpinning for further advances in electronic business. Technologies such as session encryption, firewalls, virtual private networks, wireless LANs and digital certificates have all emerged as pieces of the solution. While each is designed to enhance some aspect of information security, whether by restricting access to or preventing the interception of private data, none of them alone is designed to address the fundamental security question that underlies the most damaging information crimes: is the person who is attempting to access protected files and/or resources an authentic user or an impostor?

This white paper discusses how RSA Authentication Manager software, as an integral component of the RSA SecurID solution for two-factor user authentication, can help efficiently manage the authentication of users to your network, Web-based applications or applications within your network. The key security, operational and market issues that are relevant to this discussion are also examined.

THE POWER BEHIND RSA SECURID TWO-FACTOR USER AUTHENTICATION: RSA AUTHENTICATION MANAGER

TABLE OF CONTENTS

I. USER AUTHENTICATION: AN E-BUSINESS ENABLER
II. THE RSA SECURID SOLUTION FOR TWO-FACTOR USER AUTHENTICATION
III. KEY BENEFITS OF RSA AUTHENTICATION MANAGER AND RSA SECURID
IV. PREVENTING UNAUTHORIZED ACCESS WITH RSA AUTHENTICATION MANAGER AUTHENTICATION
V. FUNCTIONAL DETAIL
VI. RSA AUTHENTICATION MANAGER ADMINISTRATION
VII. RSA AUTHENTICATION MANAGER ENTERPRISE EDITION LICENSE
VIII. CONCLUSION
IX. ABOUT RSA SECURITY

I. USER AUTHENTICATION: AN E-BUSINESS ENABLER

User authentication is an e-business enabler.

If you can trust the identity of the employee who is attempting to connect to your corporate network from home, while traveling or when roaming within the complex using the corporate wireless network, you can improve his productivity and facilitate your business by giving him access to the data he needs.

If you can trust the identity of the resellers who are attempting to access your partner web portal, you can make available, on that portal, key information which will help them make a sale without worry that you will be exposing such information to a competitor or customer.

If you can trust the identity of customers who are attempting to access your web-based knowledge database, you can serve them better by providing them with up-to-date information while saving support costs.

An authentication server is no longer a tactical point solution for one group or a single application. Rather, authentication servers such as the RSA Authentication Manager solution have become a mission-critical, strategic component of the network infrastructure. As employees and strategic partners increasingly decide to log in from home or need to log in from remote offices, the need for a security solution that is robust and easy to administer becomes critical. Customers will need access to your extranet or intranet and the security administrator will need to be able to quickly administer their security privileges, before they are lost as customers. It is vital, therefore, to have a fast, scalable and efficient authentication solution.

User authentication also prevents fraud.

Many of the most damaging crimes online have a common denominator: the circumvention of password protection to gain access to information or funds. While basic passwords may be sufficient to safeguard non-critical systems, an organization's sensitive applications, files and systems demand a higher order of protection. Fortunately, a single security approach can be used to deal with the entire spectrum of intrusions that result from password breaches: replacing basic password security with a two-factor user authentication solution. This solution not only mitigates the risk of security breaches but also enables companies to comply with customers and strategic partners who demand secure e-commerce, thereby avoiding the long-term costs associated with security breaches and helping to increase revenues.

[Figure: evaluation framework. What value / ROI? Higher revenues (new revenue streams, new customers, new markets, competitive advantage); lower costs (total cost of ownership: acquisition, deployment, operating; cost reduction, cost avoidance, efficiency); increased compliance (regulations, customers, partners, competitors, internal); mitigated risk (high value information, high value transactions). Which solution? Strategic fit for users (convenience / ease of use, portability, multi-purpose) and for the corporate system (relative security, interoperability / back-end integration, robustness / scale, future flexibility). Which vendor? Vendor selection criteria: technical architecture, vision, financial viability, trustworthiness, service and support, effectiveness.]

Which Solution? Which Vendor?

When evaluating an authentication solution the following questions must be asked:

What is the value of the solution? What return on investment (ROI) will it bring? (Section III)

Which authentication solution is the best fit for your organization? (Sections IV-VII) The answer to this question depends on more than relative security and acquisition cost and includes factors such as convenience for end users, interoperability and future flexibility.

Which vendor is the best partner for providing such a solution? (Section IX)

II. THE RSA SECURID SOLUTION FOR TWO-FACTOR USER AUTHENTICATION

The RSA SecurID solution for user authentication is built on an approach called "two-factor authentication." The premise of this approach is that a single, remembered factor such as a password inherently provides a low proof of authenticity, since anyone who overhears or steals the password will appear completely genuine. It is the addition of a second, physical proof that makes the certainty of authenticity considerably higher. The bank ATM card is an example of a widely used form of two-factor authentication; requiring the combination of a PIN and also a valid ATM card provides a sufficient level of security to support access to bank services and funds.

With the RSA Security solution for two-factor user authentication, authorized users are issued individually registered RSA SecurID tokens that generate single-use token codes, which change based on a time code algorithm. A different token code is generated every 60 seconds. The authentication server (RSA Authentication Manager) that protects the network and e-business applications validates this dynamic code. Each RSA SecurID token is unique, and it is not feasible to predict the value of a future token code from a record of prior token codes. Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is the valid user in possession of the RSA SecurID authenticator.

Working Together: Server, Client and Intermediary Agent

User authentication for wired or wireless local network access, remote dial-in, Internet/VPN connections or web applications is accomplished via the RSA Authentication Manager authentication server. When a user attempts to access a protected system, a special software agent, called an RSA Authentication Agent, initiates an RSA Authentication Manager authentication session instead of a basic password session. Most leading remote access server, firewall, VPN, wireless access and router products have built-in RSA Authentication Agents for out-of-the-box compatibility with RSA SecurID two-factor authentication. In addition, both TACACS and RADIUS authentication sessions are supported by the RSA Authentication Manager software. RSA Authentication Manager software includes a RADIUS server, so companies can manage user accounts from a single database for both RADIUS and RSA SecurID authentication.

In a two-factor authentication session, the user is required to enter a user name and, in lieu of a password, a PIN plus the current token code from his or her RSA SecurID authentication device. The agent transmits the information to the RSA Authentication Manager software, which approves access when the information is validated. The user is granted access appropriate to his or her authorization level, which is noted by the RSA Authentication Manager software in its log file.

[Figure: deployment diagram. Labels: Remote User with RSA SecurID, Firewall, DMZ (Web Server, RAS, VPN), RSA Authentication Manager Replicas, Firewall, Intranet, RSA Authentication Manager, Windows/UNIX, Novell.]
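The RADIUS path described above, as an added example that is neither this paper's text nor RSA's software: one Access-Request/Access-Accept exchange between an agent (the RADIUS client, for instance a VPN gateway) and a RADIUS server, built the way RFC 2865 specifies it. The agent hides the PIN plus token code in the User-Password attribute with the RFC's MD5-based keystream keyed by the shared secret, and the server's reply carries a Response Authenticator that the agent verifies. The shared secret, NAS identifier, user name and passcode are constructed values, and the `check` callback is a stand-in for RSA Authentication Manager's own PIN/token-code validation.

```python
"""RADIUS Access-Request carrying a SecurID passcode (PIN + token code), per RFC 2865.

Added example, not RSA's code. Secret, NAS name, user and passcode are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32      # attribute types


def _attr(atype, value):
    """Encode one type-length-value attribute (length covers the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password: the server recovers the PIN + token code."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def access_request(secret, ident, username, passcode, request_auth=None):
    """Agent side: Access-Request for 'username' carrying PIN + token code."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = [_attr(USER_NAME, username.encode()),
             _attr(USER_PASSWORD, hide_password(secret, request_auth, passcode.encode())),
             _attr(NAS_IDENTIFIER, b"vpn-gw-1")]      # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(secret, code, ident, request_auth, attrs_bytes):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(secret, request, check):
    """Server side. check(user, passcode) stands in for RSA Authentication
    Manager's PIN/token-code validation (assumption: any callable will do)."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs[USER_NAME].decode()
    passcode = reveal_password(secret, request_auth, attrs[USER_PASSWORD]).decode()
    reply = ACCESS_ACCEPT if check(user, passcode) else ACCESS_REJECT
    auth = response_authenticator(secret, reply, ident, request_auth, b"")
    return build_packet(reply, ident, auth, [])


def verify_response(secret, request, response):
    """Agent side: trust the reply only if its identifier matches our request and
    its Response Authenticator proves the server knows the shared secret."""
    _, ident, request_auth, _ = parse_packet(request)
    code, rident, resp_auth, _ = parse_packet(response)
    expected = response_authenticator(secret, code, rident, request_auth, response[20:])
    return rident == ident and hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    req = access_request(SECRET, 7, "alice", "1234" + "492039")   # PIN 1234 + token code
    resp = server_handle(SECRET, req, lambda u, p: u == "alice" and p == "1234492039")
    print("accept" if parse_packet(resp)[0] == ACCESS_ACCEPT else "reject",
          "authentic" if verify_response(SECRET, req, resp) else "forged")
```

Two points worth taking from this. The only thing protecting the passcode in transit is the shared secret (with MD5 as the keystream generator), so that secret deserves the handling of a key. And the agent must check the Response Authenticator, otherwise anything that can inject a packet with the right identifier can forge an Access-Accept. Because the token code is single-use, a captured request is of little value after its 60-second window, but the PIN inside it is not.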

RSA SecurID Authenticators

Secure network access and access to e-business applications begins with ensuring that users are strongly authenticated using an RSA SecurID authenticator. RSA SecurID authenticators are offered in many forms: hardware tokens, software tokens, smart cards and USB devices. The most common hardware form is the key fob, a device with a built-in chip, an LCD window capable of displaying up to an eight-digit number (or token code), yet small enough to be attached to a key ring. When shipped from RSA Security, the key fob is initialized with a unique seed value; each minute, the internal chip performs an algorithm combining and scrambling the seed value and current time, to create a pseudo-random number.

In addition to the key fob style, other token types include a credit card-sized authenticator and the RSA SecurID PINPAD technology model, which requires the entry of the user's PIN in order to display the token code, and the RSA SecurID Software Token for Windows desktops, the Palm Computing Platform, Microsoft PocketPC devices, BlackBerry handhelds and cell phones, which duplicates the function of the RSA SecurID PINPAD token in the form of a software utility. The RSA SecurID Software Token seed value can also be stored on the RSA SecurID Smart Card or USB Token. The RSA SecurID Software Token technology is copy-protected to prevent duplication from machine to machine.

All RSA SecurID authenticators operate using the same patented technology to generate the pseudo-random token code. RSA SecurID authenticators have been designed to take advantage of the industry standard AES algorithm. Our customers enjoy the benefits of integrity and assurance of quality that is provided by using the industry standard AES algorithm.

RSA Authentication Agents

Web Access: Microsoft IIS, Apache, Stronghold, SunONE

Local and Remote Access: Windows 2000, 2003, Windows XP, Solaris, IBM AIX, HP-UX, Red Hat Linux, NMAS (Novell Modular Authentication System)

For more detailed information on RSA Authentication Agent support, go to ticationagents.html

RSA Authentication Agents

The intermediaries that enable this two-factor authentication are implementations of RSA Authentication Agent technology, which functions much like a security guard, enforcing security policy as established within the RSA SecurID system. RSA Authentication Agent technology is built into most leading network equipment, as well as software systems (a complete list of companies that support two-factor authentication via built-in RSA Authentication Agent technology is available at www.rsasecured.com). In addition, RSA Security offers RSA Authentication Agent software to provide strong authentication to popular web servers (such as Microsoft IIS, Apache and SunONE*) as well as RSA Authentication Agent software to help to protect UNIX environments.

A Unique Solution for Microsoft Windows Operating Environments

When used in conjunction with RSA Authentication Agent for Microsoft Windows software, the RSA Authentication Manager is an ideal solution for organizations seeking strong user authentication to Microsoft operating environments. Using innovative new technology, the RSA SecurID for Microsoft Windows solution allows RSA SecurID authentication to a Microsoft environment whether the user is online or offline. The solution strengthens security in a Windows environment, and provides a simple and consistent method for user authentication.

RSA Authentication Manager software supports RADIUS authentication; using the RSA Authentication Manager, all RADIUS users and clients can be managed centrally. RSA Authentication Manager software also supports the TACACS authentication protocol.

Most RSA Authentication Agent software uses 128-bit RC5 to encrypt the communication to the RSA Authentication Manager software. Some implementations of the RSA Authentication Agent software also use SHA-1 or a proprietary hashing algorithm to hide the user's PIN and token code inside the encrypted packet.

A single RSA Authentication Manager instance can support thousands of RSA Authentication Agent implementations, offering broad capacity to protect enterprise resources.

*Lotus Domino support is available through Winchester Business Systems, Inc.

Administration of RSA Authentication Agent software and setting of policies is done centrally via a Windows based admin application that allows security managers to select and apply settings to users and protected resources by pointing and clicking rather than writing custom code. A client auto-registration feature automates the task of creating and updating settings securely at each RSA Authentication Agent implementation.

RSA Authentication Manager

In the RSA SecurID solution, the authentication engine on the network is the RSA Authentication Manager software. Managed by the security administrator or network manager, RSA Authentication Manager software is used to help:

- Assign RSA SecurID authenticators to trusted individuals
- Set and enforce security policies, protecting access to private network systems, files and applications. This includes the ability to define access based on time of day, day of week or by group or user-defined access
- Maintain audit logs of user access and administrator activity
- Centrally manage user, group, agent, Replica and token information

RSA Authentication Manager software operates on Windows and UNIX-based server platforms. A single RSA Authentication Manager implementation can authenticate over a million users.

Database Replication is an important feature for companies that need high performance to support large user bases and the convenience of administering user authentication across the network. This level of redundancy not only provides 24/7 availability, but also allows customers to plan efficient, economic global network topologies.

RSA Authentication Manager software has a number of advanced administrative and security monitoring capabilities (discussed later in this document), including the ability to delegate various levels of management tasks, centrally manage user and token information and perform system management remotely from a Windows desktop or web browser.

An RSA ACE Server Base license allows for 2 simultaneously authenticating servers: 1 Primary and 1 Replica server. An RSA Authentication Manager Advanced license allows for 1 Primary and as many as 10 Replica servers to interoperate within one realm and up to 6 realms to be networked together. The benefits of RSA Authentication Manager Advanced licenses are discussed in more detail later in this document.

RSA Authentication Deployment Manager

A web-based workflow system, RSA Authentication Deployment Manager software helps reduce administrative costs by offering end users a self-service platform to request, activate and initiate deployment of RSA SecurID credentials. The system automates the entire credential deployment process, including populating RSA Authentication Manager with user data, token assignment and activation, and facilitation of the fulfillment of RSA SecurID token requests. Flexible and scalable, RSA Authentication Deployment Manager is ideal for both enterprise and e-business related deployments, making issuing credentials faster, more efficient and easier than ever.

RSA Authentication Deployment Manager is included with an RSA Authentication Manager Enterprise Edition license and available at additional cost with an RSA Authentication Manager Base Edition license.

III. KEY BENEFITS OF RSA AUTHENTICATION MANAGER AND RSA SECURID

RSA Authentication Manager software offers a superior return on investment for enterprises by helping to enable revenue-generating processes, lower costs, ensure compliance and mitigate risk.

Revenue Generation

By providing the ability to strongly authenticate users and establish trust, the RSA SecurID solution allows enterprises to confidently automate and web-enable their critical business processes and thereby reach new customers and new revenue streams. The RSA SecurID solution helps enable enterprises to make critical information available online or through a VPN or remote access server, which in turn enables employees and strategic partners to access and use that information to provide services and close deals.

The broad interoperability of the RSA SecurID solution gives customers the flexibility to efficiently protect incremental applications with RSA SecurID technology, bringing greater trust in end user identity and higher security to additional applications.

Cost Savings

The RSA SecurID solution can save enterprises money by replacing password systems. Password systems are expensive to maintain due to the hidden costs associated with help desk calls and lost user productivity. The RSA SecurID solution reduces these costs significantly by reducing the number of passwords required for each user and simplifying the authentication logon process.

The RSA SecurID solution is easy for end users to use. Because of its simple, straight-forward approach, end users are quick to embrace and use the system. The breadth of choice in authenticator form factors (from hardware tokens that can be kept on a key chain to software tokens that run on a PDA or desktop) ensures it will fit most customer situations.

RSA Authentication Manager software is easy to install and deploy. Token deployment is further facilitated by RSA Authentication Deployment Manager, a provisioning application, which can greatly speed the rollout and reduce costs of RSA SecurID authenticators to end-users.

Through the RSA SecurID Ready program, the RSA Authentication Manager technology is instantly compatible with the industry's leading security and networking products. Over 185 companies have developed over 270 products that are designed to work seamlessly with the RSA SecurID solution. This out-of-the-box interoperability can significantly reduce integration costs and safeguard existing investments. For a complete list of RSA SecurID Ready strategic partners and hands-on Implementation Guides, refer to rs.html.

RSA Authentication Manager software lowers administration costs by allowing for centralized user management, a hierarchy of administration through administrator scoping and task lists and web-based administration for help desk administrators. An LDAP synchronization utility enables centralized administration of user information in an LDAP directory. User information can be synchronized automatically from the LDAP directory into RSA Authentication Manager technology according to schedulable synchronization jobs.

With database replication, companies can track user authentication to their network anywhere in the world in real time, update security policy simultaneously across their worldwide networks and develop a global network topology that increases the performance of their network. RSA Authentication Manager software enables companies to accomplish all of this by providing flexible network configuration, load balancing and, ultimately, simplified and lower cost of management.

Compliance

RSA SecurID technology can help enterprises meet their industry compliance requirements and governmental regulations by ensuring the authenticity of users accessing sensitive information. Strong two-factor authentication, like that provided by RSA SecurID technology, can assist enterprises in complying with regulations in the United States such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in health care, the Gramm-Leach-Bliley Act (GLB Act) in Financial Services and European regulations such as the e-signature laws.

In addition, some companies may require their suppliers and strategic partners to have adequate security, including two-factor authentication, in place.

Mitigated Risk

RSA Authentication Manager software helps reduce the risk of authentication downtime. It is a robust, highly available solution, capable of handling millions of users and hundreds of simultaneous authentications per second. Support for a Primary server and up to 10 Replica servers per realm provides automatic load balancing and fail over to increase performance and scalability for authentication to a variety of applications, including VPN, RAS, Wireless LAN, Windows and web.

If the Primary server fails, disaster recovery functionality enables the rapid promotion of a Replica server to be the new Primary server, quickly restoring administration of the realm.

RSA SecurID technology helps reduce the risk of security breaches, thereby saving the customer money, time and the embarrassment of negative publicity. RSA Authentication Manager software offers superior security. Based on RSA Security's technology and expertise in encryption, the RSA Authentication Manager technology's implementation is highly secure. RSA SecurID technology uses a patented, time-synchronous, two-factor authentication mechanism to validate users.

RSA Authentication Manager software is a well-tested, production-proven product that has been designed to meet the requirements of the most demanding environments. With over 15,000 customers and more than 14,000,000 users testing the limits of the system daily, RSA Authentication Manager software is an award-winning, market-leading, well-proven solution.

IV. PREVENTING UNAUTHORIZED ACCESS WITH RSA AUTHENTICATION MANAGER AUTHENTICATION

Additional benefits of using RSA Authentication Manager software to prevent unauthorized access to enterprise networks or specific applications include:

Enterprise Authentication

RSA Authentication Manager software limits access only to those users who provide a valid PIN/token code combination; this gives organizations a very high assurance that those persons logging on are, in fact, the authorized individuals, vastly reducing the risk of attacks or unauthorized access. Even enterprise networks with millions of users and multiple worldwide offices can be protected, with database replication and cross-realm features to seamlessly support authentication of users traveling outside of their home realm.

Access Control

The RSA Authentication Manager technology lets organizations deploy RSA Authentication Agent software to protect various access ports, as well as data files, applications and other resources. By grouping users in the RSA Authentication Manager database, organizations can easily and centrally designate access to certain resources. Customers may also choose to deploy RSA Authentication Manager software together with RSA Access Manager software to enable more granular web access management.

Evasion of Attack

RSA Authentication Manager software will automatically disable a token after a series of failed attempts, such as a series of incorrect PINs or token codes. Hackers will try unexpected means to gain access to an enterprise network or a specific e-business application on that network. By monitoring the RSA Authentication Manager logs, or events which the RSA Authentication Manager software has been configured to report to the UNIX syslog or the Windows event log, an RSA Authentication Manager administrator can help detect and react to potential break-ins before they result in loss.

User Accountability

Damage may be done to valuable company information if a user's password is borrowed (without consent) or stolen. However, because logging on through the RSA Authentication Manager two-factor authentication process requires both the user's token code and personal PIN, it ties the user firmly to any unauthorized activities performed under that login. The knowledge of this fact, and of the RSA Authentication Manager's comprehensive reporting of all access to protected resources, helps users recognize their accountability for information security and behave accordingly. And while hackers often try to erase their footprints, the RSA Authentication Manager's access history logs can also be an important part of both investigating and building a legal case against a criminal.

Using Two-factor Authentication

Organizations can deploy RSA Authentication Manager software flexibly to protect corporate network resources in a number of ways. Protection can be comprehensive, authenticating all access to an enterprise network, or deployed strategically against specific sensitive resources. A single RSA Authentication Manager system can supply any or all of the following services:

- Authenticating remote user dial-in connections via a remote access server
- Authenticating VPN or firewall connections from the Internet to an internal network
- Authenticating all access to wireless LANs or wired corporate networks; can apply to all users, a particular workgroup or division, or only those of a certain access level
- Preventing tampering with network administrative settings
- Protecting sensitive data on intranets and extranets, by limiting access to web pages, URLs and directories
- Limiting access to mission-critical applications, sensitive files or other resources

Regardless of the scope of protection, the basic process of two-factor authentication is the same. When the user attempts to access the protected resource, the RSA Authentication Agent solution protecting that resource (the RAS server, wireless access device, web server, Windows environment or application) generates an authentication request. To gain access, the user must enter his or her user name, PIN and token code. The authentication request is encrypted and then forwarded to the RSA Authentication Manager.

Upon receiving the authentication request, the RSA Authentication Manager technology searches its user database and, when it locates the user name, compares the PIN and token code with its own records. If the combined PIN and token code are found to be valid, the user is granted access.
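The token-code generation in Section II and the PIN/token-code comparison just described, as one added example that is neither this paper's text nor RSA's implementation: the SecurID algorithm itself is not published on this page, so an HMAC-SHA256 over the 60-second window counter stands in for it (an assumption). The rest follows the page: a per-token seed, a new code every 60 seconds, PIN and token code checked together, the token disabled after a series of failed attempts, and log records of the kind an administrator would forward to syslog or the event log. Two checks the page implies but does not spell out are included, a small clock-drift window and rejection of a code that has already been used, since a single-use code must never be accepted twice. Seed, PIN, drift tolerance and failure limit are constructed values.

```python
"""Time-synchronous passcode generation and validation with lockout and replay checks.

Added example, not RSA's code. HMAC-SHA256 stands in for the proprietary
SecurID algorithm (assumption); seed, PIN and limits are constructed values.
"""
import hashlib
import hmac
import struct

INTERVAL = 60        # page: a different token code every 60 seconds
DIGITS = 6           # page: the display shows up to eight digits; six used here
DRIFT_WINDOWS = 1    # accept the previous/next window to tolerate clock drift (assumption)
MAX_FAILURES = 3     # disable the token after this many consecutive failures (assumption)


def token_code(seed: bytes, t: int) -> str:
    """Code a token with this seed shows during the 60-second window containing time t."""
    window = t // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    n = int.from_bytes(mac[:4], "big") % (10 ** DIGITS)
    return f"{n:0{DIGITS}d}"


class TokenRecord:
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.failures = 0
        self.disabled = False
        self.last_window = -1     # newest window already consumed by a successful login


class AuthManager:
    """Minimal server-side model of the validation the page describes."""

    def __init__(self):
        self.tokens = {}
        self.log = []             # (user, event) records, like the server log file

    def assign_token(self, user, seed, pin):
        self.tokens[user] = TokenRecord(seed, pin)

    def _fail(self, user, event):
        self.log.append((user, event))
        return False

    def authenticate(self, user, passcode, now):
        """passcode is the PIN immediately followed by the current token code."""
        rec = self.tokens.get(user)
        if rec is None:
            return self._fail(user, "unknown user")
        if rec.disabled:
            return self._fail(user, "token disabled")
        pin, code = passcode[:len(rec.pin)], passcode[len(rec.pin):]
        pin_ok = hmac.compare_digest(pin.encode(), rec.pin.encode())
        # Try every window inside the drift tolerance and remember which one matched.
        matched = None
        centre = now // INTERVAL
        for w in range(centre - DRIFT_WINDOWS, centre + DRIFT_WINDOWS + 1):
            if hmac.compare_digest(code.encode(), token_code(rec.seed, w * INTERVAL).encode()):
                matched = w
        if not pin_ok or matched is None:
            rec.failures += 1
            if rec.failures >= MAX_FAILURES:
                rec.disabled = True
                self.log.append((user, "token disabled after repeated failures"))
            return self._fail(user, "bad PIN or token code")
        if matched <= rec.last_window:
            rec.failures += 1
            return self._fail(user, "token code already used")   # single-use: no replay
        rec.last_window, rec.failures = matched, 0
        self.log.append((user, "accepted"))
        return True


def suspicious_users(log, threshold):
    """Users with at least 'threshold' failure events: what an administrator
    watching the syslog or event-log feed would alert on."""
    counts = {}
    for user, event in log:
        if event != "accepted":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    seed = b"constructed-seed-0001"
    am = AuthManager()
    am.assign_token("alice", seed, "1234")
    now = 1_000_000
    print(am.authenticate("alice", "1234" + token_code(seed, now), now))       # True
    print(am.authenticate("alice", "1234" + token_code(seed, now), now + 5))   # False: replay
    print(am.log)
```

The drift window is the trade-off every time-synchronous scheme has to make: a wider window means fewer false rejections from a slow token clock but more codes an attacker could guess, which is why the lockout counter matters as much as the code length.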

Which Authentication Solution?

The Solution: RSA Authentication Manager software with RSA SecurID Hardware Tokens

TCO

  Acquisition
  - Less expensive than smart cards or biometrics when you consider smart card readers, middleware, or biometric devices such as retinal scanners, fingerprint readers and associated software.
  - More expensive than passwords

  Deployment
  - Deployment requires distribution of the hardware token only; there is no need to deploy software, drivers, readers or cables
  - Lower deployment costs than smart cards, biometrics or any other solution with client-side software that involves touching every end-user desktop
  - RSA Authentication Deployment Manager (bundled at no extra charge with an RSA Authentication Manager Enterprise Edition license) significantly lowers cost of deployment

  Management
  - Significantly lower operational costs than passwords due to reduced help desk costs (see the white paper entitled "Authentication Scorecard: Passwords vs. RSA SecurID")
  - Centralized administration eliminates need to manage multiple data stores

Fit (users)

  Convenience / Ease of Use
  - Eliminates need for user to remember multiple passwords
  - Easy to use: just type what you see
  - Similar in function to a banking ATM, the combination of a PIN and a device (the token) is easily accepted by users

  Portability
  - Works anywhere: a "zero footprint" solution

  Multi-purpose
  - Single function: generates a new passcode every 60 seconds. However, a single hardware token can serve as the means of access for multiple resources; the RSA SecurID Ready program provides out-of-the-box protection for over 295 applications from over 195 vendors, ranging from remote access to VPN to Wireless LAN to web-based resources.

Fit (corporate)

  Relative Security
  - Two-factor: a very strong form of security
  - Passcodes cannot be predicted, and the lockout after a series of failed attempts limits guessing
  - Blunts shoulder surfing and Trojan horse threats, since a captured token code stops working within 60 seconds
  - Token codes cannot be easily recovered as they traverse the network, because the agent-to-server traffic is encrypted
  - Users are aware when a token is stolen or lost
  - Because passcodes are generated dynamically, they are not vulnerable to cracking tools
  - Improves security by eliminating the need to write down passwords
  - RSA Authentication Manager software provides logging and reporting functionality for greater end-user accountability
  - Centralized administration eliminates security holes as new devices, applications and communication methods are added and users are added, deleted, or change roles
  - Provides "roles based" administrator access control

  Interoperability / Integration
  - Interoperable with over 295 certified applications and products from over 195 Partners
  - Supports RSA SecurID authentication to Microsoft Windows online and offline
  - Unlike competitive partner programs, RSA SecurID Ready strategic partner products undergo extensive testing and documentation before being certified

  Robustness / Scale
  - RSA Authentication Manager software scales to millions of users

  Future Flexibility
  - Can be used to provide secure access to digital certificates
  - Replication, fail-over capability and disaster recovery ensure high availability
  - RSA SecurID has been adapted to dial-up, web, VPN and Wireless access methods and will continue to provide access control to new products
