Lock IT Down: Aladdin eToken adds a layer of network security to clients

Set up procedures for the Aladdin eToken USB security key.

A variety of tools are now available to help you secure access to network assets. Among them are USB security tokens such as the Aladdin eToken, which integrates with existing network infrastructure to authenticate users. These devices can help you lock down your networks to prevent unauthorized users from breaking in and launching internal attacks or stealing data.

The Aladdin eToken Enterprise adds a layer of security to your network; only end users with the devices and the proper credentials can log on to network workstations where the eToken software is installed. The setup for the eToken is complex, but it has the potential to bolster security and to encourage good security practices on the part of your users.

The eToken Enterprise package includes the security device, which is the small USB key shown in Figure A, a USB extension cable (a must-have if you don’t have USB ports on your keyboards or on the front side of your workstations), and the installation CD, which contains documentation, utilities, and the eToken RTE. The eToken R2 offers 120-bit DES-X two-factor authentication, while the eToken PRO provides RSA 1024-bit encryption for integration into PKI architectures. For additional specification details, see the eToken page on Aladdin’s Web site.

Figure A

Getting users up and running with eToken Enterprise security solutions on a Win2K network is an involved process that requires work on both servers and clients. Obviously, if you want to use eTokens to authenticate users, you have to specify the settings to achieve this in Active Directory. You must install the eToken RTE on both the server machines and the client machines. You must install the RTE on the server because it enables the necessary certificate components for network logon.

Once the necessary components are installed, you can use the Certification Authority to issue the eToken certificate. You’ll use the Smartcard User template to set up the certificate. You must also set up an enrollment station and configure it for smart card use. Once you’ve performed these preliminary steps, you can specify settings in the Active Directory User options to require the eToken for network logon. Notice in all of the settings that the eToken is considered a smart card. For each user with an eToken you must select the option Smart card Is Required For Interactive Logon. This specifies that users can log on to the network only if they have an eToken device. This disables the [Ctrl][Alt][Delete] user ID and password logon. To log on, the user must insert the eToken into a USB port and type in a PIN (password). The eToken login window thus supersedes the standard Windows network logon.

This is the short version of the process required to install the eToken solution. A number of server-side settings must mesh together to make this work, so the burden is on the net admin to configure everything. The time it takes to properly configure and test the eToken system depends heavily on your network's size and complexity.
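Because a single token holder left without the Smart card Is Required For Interactive Logon setting can still use the ordinary password logon, it pays to audit that setting after the rollout. The following PowerShell script is an added example, not code from the article or from Aladdin; it assumes the ActiveDirectory module is available and that token holders are collected in a security group (the group name "eToken Users" is a hypothetical assumption).

```powershell
# Added example (not from the article or Aladdin): audit, and optionally enforce,
# the "Smart card is required for interactive logon" setting for eToken holders.
# Assumes the ActiveDirectory module (RSAT) and a group holding the token users.
Import-Module ActiveDirectory

$TokenGroup = 'eToken Users'       # assumption: group containing every eToken holder
$SmartcardRequiredBit = 0x40000    # ADS_UF_SMARTCARD_REQUIRED flag in userAccountControl

function Get-EtokenLogonStatus {
    param([string]$GroupName = $TokenGroup)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                Enabled           = $_.Enabled
                # True when the password logon has been disabled for this account
                SmartcardRequired = [bool]($_.userAccountControl -band $SmartcardRequiredBit)
            }
        }
}

# Token holders whose accounts still accept the Ctrl+Alt+Del user ID/password logon.
$missing = Get-EtokenLogonStatus | Where-Object { $_.Enabled -and -not $_.SmartcardRequired }
$missing | Format-Table -AutoSize

# Enforce the setting on those accounts. Do this only after the user's certificate has
# been issued and the RTE is installed on the workstation; otherwise the user is locked out.
foreach ($acct in $missing) {
    Set-ADUser -Identity $acct.SamAccountName -SmartcardLogonRequired $true
}
```

Run the enforcement loop with `-WhatIf` on `Set-ADUser` first to see which accounts would change before committing.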

Using the tokens
On the client side, all you really have to do is install the eToken RTE, which enables the use of the device on client workstations. The first thing users will notice at the logon screen is that instead of being prompted to perform the standard three-key combo, they’re instructed to insert a smart card.

Because the eToken disables the standard logon, the terminal is effectively blocked to anyone without a key and the proper network credentials.

Users have various options for personalizing the eToken, including changing the name on the device and resetting the password, as shown in Figure B.

Figure B
Users can personalize the eToken.

The default password the device ships with is 1234567890, and when the user changes it, a handy tool in the interface rates the quality of the password (as shown in Figure C). The password quality goes up with complexity and length.

Figure C
The interface rates the password quality.

Mixing alpha and numeric characters, varying case, and not repeating characters all contribute to a high quality rating. Even with this password rating, security lapses can occur; for example, what if a user forgets to remove the key? Or if users make their passwords too complex, they're likely to write them down. So even if the key is an added layer of security, it could end up being just like ATM cards—against all recommendations some people actually write their PINs on the cards themselves so they won’t forget them.

Obviously, the eToken can't eliminate security threats altogether; it simply adds another element to user authentication that has the potential to improve network security.

Covering the bases
The good thing about the eToken is that all of the hard work comes up front with the installation and configuration. Once that’s finished, it’s just a matter of users plugging in the USB devices to authenticate to the server.

It’s the server setup that can cause some headaches, though. If you don’t have the right components installed in the right way, the eToken authentication won’t function properly. That means you must make sure that you have the certificates installed and configured, that the eToken RTE is installed on the server and the clients, and that user profiles in Active Directory are configured correctly to use the eToken. Any missing element will prevent eToken from working.

Aladdin offers plenty of documentation to explain the concept behind eToken and the configuration procedures. It would be nice, however, to have a better organized set of instructions and more explicit information about the various setup paths that different users must follow. For example, I had to do some serious digging on the provided CD to locate the information I needed to configure our test server. And it wasn't until after a phone call to Aladdin's technical support center that I found out that the RTE must be installed on the server and the workstations. We attempted to configure users to authenticate via the smart card, but this won’t work without the certificates, and the certificates aren’t available unless you first install the RTE.

Aladdin should present clear paths of action to the user beginning with cues like “If you’re installing the eToken to authenticate to a Win2K server, follow the procedures outlined in document XYZ.”

An online help system or wizard pointing to the various settings and configurations might also be helpful. That way, the net admin could be viewing the instructions on screen while installing certificates and setting user logon options. This would make the implementation go a lot smoother.

The tech support representative I worked with was knowledgeable and helpful and took the time to walk me through the installation of the certificates. But because things aren’t spelled out as clearly as they could be, Aladdin likely receives a lot of support calls. It’s not that the information available isn’t good; it’s just that it’s hard to find. And as I can attest, any net admin can zip through the configuration as long as they have the right documentation in their hands.

What's it all worth?
Another important consideration is how much this type of security is worth to you. The prices for the packages run as follows:
  • R2 Enterprise package (includes 10 eToken 32K R2s): $499
  • PRO Enterprise package (includes 10 eToken 32K PROs): $578

Depending on the size of your organization, this security solution will run thousands of dollars, but it’s a better authentication method than the standard Windows logon.

In short, once you get past the complex configuration, eToken offers an added layer of security that can help you safeguard your network. It’s not a perfect solution, but it can help you lock unauthorized users out of your network.
