By Mike Mullins
Whether you're trying to control physical or network access to a system or facility, you have three basic options for access control:
If you only depend on the first basic method to defend your network, you're leaving it wide open to any password hack. It could be as simple as sniffing your wire to capture a username and password transmitted via clear text, or it could be as difficult as stealing the Security Accounts Manager (SAM) file from your domain controller—or even stealing passwords through social engineering.
One of the latest standards in secure access is secure ID cards, also known as smart cards. Given enough time and computing power, hackers can and will obtain your passwords. That's why you should consider implementing smart cards, which boost access security.
By adding smart card logon to your network's access control, you eliminate a username/password compromise as a potential point of entry. In addition, deploying smart card logon to your network offers the following benefits:
ActivCard tops a very short list of vendors that support several operating systems, including Red Hat Linux, Mac OS X, Solaris, Windows 98, Me, NT, 2000, and XP. This includes authentication for the applications that run on these platforms and Web-enabled applications.
Smart cards are an enhancement to Public Key Infrastructure (PKI) certificates. From your certificate server, you can generate user certificates to verify a client's identity. However, the private key for these certificates ends up on the hard drive of the system the client uses to access the secure content.
By transferring that private key to a physically mobile device, such as a smart card, you have a secure, mobile identity certificate that clients can safely use for network access and document or e-mail signing, regardless of where the access point originates.
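To see where certificate private keys currently sit on a system's disk, the following added example (not part of the original article) walks a directory, finds PEM private-key blocks, and reports whether each is passphrase-protected. The function names and the sample files are hypothetical, and the key bodies are constructed filler rather than real key material.

```python
import re
import tempfile
from pathlib import Path

# Any PEM block whose label ends in "PRIVATE KEY" (RSA, EC, PKCS#8, ...).
PEM_KEY = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def classify(label, body):
    """Return how one PEM private-key block is protected at rest."""
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"                    # PKCS#8 or traditional OpenSSL PEM
    if label == "OPENSSH PRIVATE KEY":        # cipher name sits inside the base64
        return "unknown"
    return "unencrypted"

def find_disk_keys(root):
    """Return (relative path, PEM label, state) for every key found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue                          # skip directories and large files
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                          # unreadable file: nothing to report
        for m in PEM_KEY.finditer(text):
            rel = str(path.relative_to(root))
            findings.append((rel, m.group(1), classify(m.group(1), m.group(2))))
    return findings

def demo():
    """Scan a constructed directory; the bodies are filler, not real keys."""
    filler = "Q09OU1RSVUNURUQ=\n"             # base64 of "CONSTRUCTED"
    samples = {
        "alice.pem": "-----BEGIN PRIVATE KEY-----\n" + filler + "-----END PRIVATE KEY-----\n",
        "bob.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                   + filler + "-----END RSA PRIVATE KEY-----\n",
        "carol.crt": "-----BEGIN CERTIFICATE-----\n" + filler + "-----END CERTIFICATE-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            Path(root, name).write_text(text)
        return find_disk_keys(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keys reported as unencrypted are the first candidates for reissue on a smart card, since anyone who can read the file can use the identity.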
In addition, the current generation of smart cards allows you to easily create and manage access policies through roles for different users and groups.
If you want to deploy 100-percent mobile security throughout your enterprise, be prepared for the up-front costs in labor and hardware. You need to install smart card readers on all of your mobile platforms, such as laptops and PDAs.
Don't forget that you must develop a strategy for installation on your users' home PCs. If your network configuration can't support a total conversion to smart card access, you must still maintain the existing username/password structure.
Furthermore, remember that most public systems at hotels, airports, and Internet kiosks won't have a smart card reader attached to the terminal.
Smart card technology is becoming the authentication standard for enterprise networks. Your organization can gain significant cost savings if you remove its dependency on antiquated username/password logins.
We all know that users write down or forget complex passwords. Stop relying on users to defend your organization's network. Let technology do the job for you.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.