Today's column starts an ongoing periodic feature where I'll be covering various real-world scenarios I've come across in my professional consulting life. We're talking about real-world solutions for real-world security problems.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
When it comes to security enforcement, there appear to be two major types of companies that I run into regularly: Those who don't have a clue and seem bothered by even having to patch their systems, and those who routinely run their employees through retina scans and consider bomb-resistant shielding on the walls leading to the server room a necessary essential.
I was recently at one of the latter. This particular company is doing away with passwords all together because it considers passwords as one of the weakest links in their security armor. It has moved to RSA tokens for two-factor VPNs and fingerprint readers for local logons.
The company did a multiyear test into the best fingerprint readers, which I'll discuss in a future column. My fondest memory (besides watching all the ways you could fool a fingerprint reader, many of which are absolutely trivial), was looking at the boss's desk -- he had 15 USB fingerprint readers plugged into his desktop computer. It was a scene out of a Mike Meyers movie.
The company is trying to remove any instance where an employee would have to put in a password so that it can increase the password length to a far greater than normal maximum. In this particular case, it wanted the minimum password size to be 128 characters or greater. Yes, it understands that Windows logon passwords only go to 127 characters, but it is willing to patch the appropriate DLLs.
The thought is to make passwords so uncrackable and unguessable that they essentially become a crypto private key (although that would be a misnomer). With passwords at 128 characters, a password cracker obtaining one of the password hashes would be far more likely to have a hash collision -- which is just as good as the real password in a Windows environment -- than to crack the actual password.
However, the company's Outlook for Web Access server required an employee password for users to authenticate. There are many possible solutions, but the company wondered if it could leverage its current RSA and Citrix investments and do away with passwords altogether. Under this plan, employees would face a logon screen where they would enter their PIN and RSA token information and get authenticated. Behind the scenes, RSA and Citrix would accept the two-factor token authentication information and pass an extremely long Windows password to authenticate to the needed Windows resources.
It was an interesting proposal, so I called RSA and Citrix. Both companies replied back immediately, that, yes, this was possible. Both companies shipped us the necessary software to try it out in a lab environment, assigned us support engineers, and sent copious amounts of documentation. I was impressed with the number of "solution guides" covering all sorts of software combinations, including IIS and Citrix integration projects.
We started with the RSA Authentication Manager component (formerly known as RSA ACE/Server). This is the software engine that serves up the server side of the RSA SecureID authentication tokens. It was an easy install, and the documentation walked us through step by step from installing the software to initializing and managing the tokens. The reason we had to install a new RSA token manager server was that the older version, which the client had running for years, didn't support the new token/password integration feature that would completely eliminate the need for employees to know their passwords.
We installed the RSA Access Manager (formerly called RSA ClearTrust) and installed the RSA Web Agent product on the IIS server that hosted OWA. In a few hours, we had our first test servers up and running. We did have to call the RSA system engineer twice, but both times, we got them on the phone in under a minute, and the last guy gave us his cell phone number when he headed to lunch.
For the second stage of the pilot project, we planned to integrate the RSA SecureID-only idea with the client's existing Citrix investment. Citrix sent us their Citrix Access Gateway in both software and hardware appliance forms.
Again, installation was fully documented, and went pretty smoothly. We called a Citrix system engineer to confirm some of our findings, and again, we got fast, quick support. Within a day and a half, we had the test lab up and working.
Both RSA and Citrix impressed me. I've dealt with these firms a lot over the past decade, but it had been a few years since I'd interacted with them directly on a sustained new pilot project. Installing RSA ACE/Servers and Citrix Web server farms has become a pretty rock-solid process these days.
To be honest, on a project like the one I was performing, I expected both vendors to oversell what they could do and provide crappy documentation and nonexistent tech support. What I found was the exact opposite. Both RSA and Citrix had quality products, were responsive, and had great integration documentation. I can say this: If you are thinking of getting away from passwords, RSA and Citrix have a great integration solution for you.