• Home
• Collateral - White Papers

Why strong authentication is essential to secure wireless networks

Why wireless network access?

Many organisations are installing wireless access points on their office Lans to liberate their staff from their desktops. The individual can now carry their wireless enabled laptop, tablet or PDA into any meeting room, the canteen or to a colleague's office and still have full access to their e-mail, databases and other network resources.

Users love the freedom to work where it suits them; they don't have to worry about finding the right piece of Ethernet cable and reaching behind the desk to plug it in and everyone's productivity is enhanced.

What about security and data privacy?

The problem with wireless networks is that they have no boundaries: they spread far wider than the office space they are designed to serve and can be monitored from the company car park or the street outside by whoever happens to 'drive by'.

As any of your neighbours can pick up your WiFi transmissions and attempt to log into to your network, you need to treat all connections to your wireless access points as essentially untrusted, and implement the same levels of data encryption and user authentication as you would for Internet VPN sessions from remote users.

These new, flexible ways of working are putting the Identity of our users at the centre of our security model, with the critical question being: 'Is each roaming user really who they claim to be?'

From Fortress to Airport Security

To meet the increasing user demand for Anywhere Access, we can no longer build 'fortress' style IT security where we simply trust everything on the inside and regard everything outside as hostile.

With Wireless Lans in the boardroom, SSL web connections from teleworkers, Extranet sessions from clients, and the boss wanting to read his e-mail from an Internet cafÈ on holiday, the security model we have to build is much closer to that of an airport.

You have to accept all-comers into your outermost, low security areas, but as individuals request access to more sensitive resources, you filter and control them according to their identity and their access privileges.

Identity is the foundation of trust

As in an airport, trust is entirely based upon the individual's identity and authorisation level which must be proved at each checkpoint they pass. Instead of showing their passport and visa to an Immigration Officer, the wireless user must be challenged by the wireless access point or other access control device to present their 'digital identity' which comprises their Username plus their Authentication Credentials.

Given that the connection may be from anyone carrying a wireless-enabled device anywhere in the vicinity of our offices, we are now entirely reliant on the user's digital identity to differentiate our trusted colleagues from our competitors down the street.

The threat of Identity Theft

Your users' digital identities are their keys to your critical business systems. If one person's password or other authentication credentials are stolen, shared or borrowed, then that user's entire digital identity is compromised.

In the wrong hands the stolen identity can be used to impersonate the victim and gain access to your most sensitive resources. This is Corporate Identity Theft.

It is difficult to protect your systems once you have suffered Identity Theft. An impostor can present a stolen identity to your wireless access point, VPN or other perimeter defence systems, and will be allowed to enter without further challenge. Given that their session will be logged as being that of the registered user, it is unlikely that their activities will ever be reviewed or detected.

Authentication is key

Given that Identity Theft is now the world's fastest growing crime (U.S. Federal Trade Commission 2005), we must take a long hard look at:

• How we authenticate the identity of each wireless and remote user,
• The types of authentication credential that can be used reliably from an untrusted PC in an unknown location,
• How we issue these identity credentials to our users,
• How we manage and support our users over their working life to keep their identities secure and private at all times.

The Problem with Passwords

For many organisations rolling out Wireless Lans, the classic 'username and password' combination is all that stands between their most sensitive business information and hostile prying eyes. Static passwords can provide only 'weak authentication' of a user's identity. They must be re-used every time the user logs in and can be easily snooped, phished, cracked or guessed by an attacker.

If the password can be acquired by snooping the user's wireless connection or installing a simple keyboard logging device or Trojan software on the user's machine, then that password can be reused by the attacker time and time again.

Once someone's username and password has been hijacked, that person's entire digital identity is vulnerable and the attacker instantly acquires all the privileges of his/her victim. All this can happen without the victim being aware that their password has been compromised and, if the attacker is careful, no-one may ever know that the attack has happened.

With the weak authentication provided by standard passwords you can never be really sure that a user is who they claim to be.

What form of Strong authentication credentials are best?

Stronger forms of authentication credentials that a user can present to rigorously validate their identity can take many forms: a one-time passcode, a token, smartcard, biometric or any combination of these factors.

Typically a user must present two different forms of credential:

• Something the user knows: a secret PIN or password

plus

• Something the user has: a unique token, smartcard, mobile phone, PDA or other uncloneable device

Despite the claims of the various manufacturers - there's no one form of strong authentication credential that is ideal for all users and applications.

One-time Passcodes: the user presents a different passcode every time they login, which means that even if a user's session is snooped, the copied passcode cannot be reused. OTP's can be sent on request to a user's mobile phone or PDA by SMS or e-mail. They are ideal for Anywhere Access because the user is not tied to logging in from any specific PC.

Tokens: typically tokens (eg RSA SecurID) are used, in combination with a secret PIN, as the most secure and convenient to generate One-time Passcodes.
They are ideal for any form of corporate network access: whether Wireless, VPN, Web or RAS based.

Smartcards & USB Smartkeys: used to securely store a user's PKI digital certificate, these devices can be used to 'digitally sign' documents and most appropriate for corporate 'Single Sign-On' and hotdesking projects where the users will always be logging in from a corporate-controlled PC or laptop. Modern 'Combo' tokens can now support both OTP and USB smartkey authentication methods.

Biometrics: despite generating many column inches in the press, fingerprint, iris and other forms of biometric authentication are mostly used for physical access security rather than as a digital ID for network access. The user is tied to a using a computer with an appropriate reader or scanner attached, so most biometrics are not suitable for Wireless or VPN based Anywhere Access.

No one system fits all needs

The reality is that each of these forms of authentication is appropriate for different users and in different applications. There's no one perfect system that fits all needs and budgets.

Larger organisations often find that they need to implement several different authentication systems to support travelling staff, hotdesking workers, supply chain and consumer access.

This can end up in an Identity Management nightmare where people find they have to carry different digital ID's and authentication credentials to access the same systems and applications from different locations.

Identity Management takes more than just technology

Whatever form of authentication that you choose to implement, you will find that secure identity management cannot be delivered by technology alone. To handle the roll out of devices, PIN's and passwords to a widespread user base you need well integrated policies, procedures and logistics, and then you need to provide your users with lifetime management and 24x7 support to ensure your that their digital ID's are secure and can be trusted at all times.

How Signify delivers Secure Identity Management

Signify is unique in delivering strong user authentication as a fully managed service, making it straightforward, quick and cost effective for organisations of all sizes to roll out and enforce secure digital ID's across their user community; whether they have 5 users or 50,000.

Signify's Service Portfolio includes:

• RSA SecurID from Signify - based on the market-leading RSA SecurID token
• Signify Passcode OnDemand - delivers secure one-time passcodes to your mobile phone or wireless PDA by SMS or e-mail
• Signify SmartID - USB Smartkey based authentication and digital signing (PKI)

Consistent management via the Signify IMC

All these services are managed via Signify's innovative web-based Identity Management Centre (IMC). This allows clients to mix and match the appropriate forms of authentication to fit the requirements and budget of different projects and user groups, without having to run multiple back-end authentication systems.

Signify's service takes care of not only of the authentication technology, but also the softer, human aspects of Identity Management such as security policy definition, device provisioning and replacement, end user support and emergency access.

Signify provides a complete framework for Secure Identity Management which you can quickly adopt, integrate into your e-Business applications and roll out to your users without having to go through the pain of building the entire technical, procedural, logistics and support framework from scratch.