Microsoft

Advanced security options: From Biometrics to Secure ID

Once the stuff that science fiction was made of, now these security options are available. During this Guild Meeting, Ron Nutter showed TechProGuild members how to use them.


Once they were the stuff that science fiction was made of. Now these security options are available, and Ron Nutter has the inside scoop on how you can use them best. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Once they were the stuff that science fiction was made of. Now these security options are available, and Ron Nutter has the inside scoop on how you can use them best. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the meeting
RON NUTTER: Greetings to all those who have joined us this evening. This meeting will discover the different methods available to authenticate. Users to your network taking you beyond the normal user name and password options. For those that have heard the recent Novell announcement involving a product. Called NMAS, short for Novell Modular Authentication Service, this is just one of the methods available. This is just one example of what you can do. Does anyone have specific questions about how they are looking to implement this kind of solution?

ZBL: Ron, concerning the need to remember many "passwords" on multiple sites and the ever-changing mandatory 30-day.

RON NUTTER: Go ahead, zbl.

GGORMAN: So, of the biometric methods reasonably available today, which ones are most cost-effective?

RON NUTTER: Ggorman, the most cost effective one I have seen so far is from Compaq. The SRP is around $100 including the software you need to get it up and running on a MS network. This is the same biosensor that is support with Novell's NMAS product. The others I have seen are about $50 to $100 higher. ZBL, one option of having to remember multiple passwords is RSA Security's SECUREID product. This involves setting up an authentication server (not to be confused with an NT PDC or BDC) which constantly changes the accepted password for a given user which will match the randomly generated password on the SECUREID device. The current version of biometric devices hooks up to each PC using the parallel port and a y adapter to the keyboard connection (this assumes your system is using the PS/2 type of connector). This is fine as long as you don’t need the parallel port to service a local printer. For those companies that are extremely security conscious, the next version of Novell's NMAS product (the enterprise version) will allow multiple versions of authentication (i.e. biometrics, smart card, etc.) that must be used in order to authenticate to the network.

Setting up security
LEQUIN: Do you know how NT 2000's Active Directory integrates with Secure ID?

RON NUTTER: For those that are running an NT based network with no Novel present, you should be able to use Novell's NDS for NT product to provide a similar level of service to NT.

ANDY_DAVIS: With this level of security, are the workstations eventually disconnected automatically?

RON NUTTER: Lequin, haven’t heard on that one yet. I think RSA is going to wait until after AD ships and is debugged before jumping in on that one. The problem I have heard is that MS just finalized the server code so vendors are just now being able to start the process of developing product for something that isn’t a moving target. Andy_Davis, workstations should still be able to be automatically disconnected because this is an option set in the NOS (I think of this as sort of a time-out function that the advanced security options shouldn’t be bypassing).

YMNILE: Well I have a General Question. I work at a health center in MI and we are looking for a Medical Records system so do think there is a Level of Security. If we went to the Internet? And if not what I can do to Protect my Patinas data beside Proxy?

RON NUTTER: You might want to look at some type of client to site VPN system that will authenticate against your network while building an encrypted tunnel from wherever the user is right to your network. The current state of advanced authentication systems is similar to what early PC’s were like—you have several options but you need to be flexible in what type of wiring "mess" you are willing to put up with. The Smart Cards require either an external card reader or a PC that has an open bay slot that will let you put in the reader inside the box. Compaq is one of the first OEM's that has come out with a system readily available. I have seen mention that Keytronics has imbedded a biometrics reader into one of their keyboards but I don’t know what software supports it at this point. Biometrics and other advanced login options do present an additional layer of security but at a price.

The price is right
JCARLISLE: How difficult is it to integrate biometrics on a Netware network? What tools do you need to make it interface with NDS?

RON NUTTER: The IS departments at some companies keep a database or journal of login id's and passwords that allow them or a member of management to get in as that user without the user being present. Using biometrics can cause you to go through a few hoops to be able to do this. Jcarlisle, Novell just made an announcement about NMAS (Novell Modular Authentication Service) that provides the answer to what you are looking for. The starter pack (available for free download) helps streamline the process. It supports only Netware 5 at this point. I tried to get it to work with NW 4 but stopped after having to make manual NDS schema changes that the biometrics software didn’t recognize.

JCARLISLE: How much overhead does it put on the size of the NDS database? I mean, if they're keeping a database of fingerprints on several hundred users, wouldn’t it make the NDS database grow quite large and make replication a pain?

RON NUTTER: I don’t have exact specs on how much space is required to store a fingerprint but I don’t believe it is that much. NDS could grow depending on how many finger printers were stored but partitioning NDS might help curb issues with replicating the database across multiple sites.

JCARLISLE: I just wonder if they store entire fingerprints, retina scans or whatever, or just elements of them... or does that vary from manufacturer to manufacturer?

RON NUTTER: I believe that would vary from OEM to OEM based on the resolution capable of the device capturing the fingerprint or retina scan and how much authentication confirmation you wanted before allowing the user into the network.

100 percent authentic
JCARLISLE: I assume that most manufacturers work with NT 4.0. Do they integrate the information in the SAM database? Or is it another database? And how will it impact AD in Win2K?

RON NUTTER: I remember a way that I used to be able to Rconsole into a server and using one of the functions that appeared in Rconsole would let you see the nds database files. This is a crude way of getting an idea of how much the NDS database would grow.

JCARLISLE: Oh I see. And then you could judge if it's grown so big that you need to start creating more partitions, right?

RON NUTTER: Jcarlisle, you are correct most OEMs are still at NT 4.0. MS just froze the specs that OEMs need to develop software to the AD specs. Right about creating more partitions.

JCARLISLE: What about other OS’s such as UNIX or the ubiquitous Linux? Any word about biometric support there?

RON NUTTER: The jury is still out on the ramifications on biometrics and other options and how they will interact with AD. I am currently researching a detailed article on these types of authentication devices. The OEM's I have talked to are just now releasing some of their products for the NW platform. No open discussion on when they will have support for AD. I have only seen support for NT and NW for biometrics. Haven’t really seen anything on UNIX (also haven’t really looked for it as this point).

LEQUIN: The fingerprint stored in NDS probably isn't much. A company called Biolink Technologies just came out with a fingerprint scanner built into a mouse, it stores the fingerprint as a 500-byte unique ID. Not much data at all.

JCARLISLE: Wow... 500 bytes. That’s not that big at all!

Is that as big as it gets?
RON NUTTER: I think all the vendors realize the need to keep the information they store small to keep things from getting out of hand as to the amount of storage they are using.

JCARLISLE: Are these things available for Linux or UNIX?

RON NUTTER: I think that may be why none of the biometric or other options are available for AD since the OEM's will need to understand how to use it. Despite the fact that the AD database is over 40 megs in size without any users being created. Jcarlisle, I have only seen support for NT and Netware so far.

LEQUIN: I have their info at work, getting a demo unit this week. Trying to find their website now.

JCARLISLE: 40 megs?!? Microsoft must not expect anyone to replicate that across a WAN!

JCARLISLE: Where's Jack Wallen when you need him? :o)

RON NUTTER: Exactly. From the specs I have seen so far, the tools and options aren’t there in order to help trim down what is replicated across the WAN

RON NUTTER: Jack probably would know on this one.

JCARLISLE: LOL. I was thinking more of ribbing him about what Linux *cant* do. :o)

RON NUTTER: There might be a way that you can add this support to UNIX/Linux servers. Novell is working on porting NDS to UNIX/Linux. I think NDS for UNIX is just about to come out if it hasn’t already. Novell has made a statement that they will also port NDS to Linux around mid year. Assuming you are using a Windows based desktop, you should be able to integrate the biometric stuff and be able to access the UNIX/Linux boxes with the same password as for nw/nt.

JCARLISLE: Any other good security add-ons we can use other than biometrics? Smart cards, PC cards or old fashioned magnetic card readers?

RON NUTTER: Smart cards are an option. I have seen both PC card format readers as well as the external types that plug in via parallel port. You also have the option of using the SECUREID product from RSA Security which doesn’t require any type of plug to your PC.

JCARLISLE: How do you make it work then? It's all software?

RON NUTTER: It does, however, require an NT server running an agent from RSA. For NT only networks you are pretty much ready to go. For Novell networks, you can tie this server into Novell's NMAS product. Using Magnetic cards is an option. I talked to the company that Novell has used in the past for its card swipe login function used at Brainshare and the Connecting Points traveling network used at tradeshows. This didn’t appear to be an option that most companies would try to implement. The version I looked at involved a lot of custom code which means that you would have to have a person dedicated to keeping this working each time a client update came out to make sure nothing got broken.

JCARLISLE: That doesn't sound very useful. Certainly the vendor wouldn’t expect you to keep an on staff programmer to support it.

RON NUTTER: True, keep in mind this was a solution that Novell developed in house for use at the trade shows. It took quite a bit of digging before I found out as Paul Harvey would say, the rest of the story. The card writer, AKA programmer, is a device that can run several thousand dollars depending on the number of tracks that are being used on card. ATM cards typically use 3 or 4 tracks ending on the machines used by a bank and the networks they are connected to. Any further questions? I would like to thank everyone for taking time out tonight to come to this Guild Meeting.

Thanks for coming
MODERATOR: Thank you very much Ron for speaking tonight. And thank you to all of our participants.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Editor's Picks

Free Newsletters, In your Inbox