A USB key to a secure VPN

Nevada's Washoe County wanted a way to provide remote access to its workers without sacrificing security – or breaking the bank.

The county, which covers 6,600 square miles and includes tourist hot spot Lake Tahoe, started its search for VPN connectivity by checking out Microsoft's Routing and Remote Access Service (RRAS) using Point-to-Point Tunneling Protocol. However, the authentication mechanism it used – user name and password – did not seem very secure, says Phil Chitren, Washoe County's security administrator.

"We needed some sort of secure mechanism to identify the user to make sure he is indeed the person who he says he is," Chitren says. "That's how the whole thing got started."

Engineers investigated solutions such as Symantec's pcAnywhere, which has a bevy of features for very secure authentication, but soon realized it was out of reach for the cash-strapped county. "Everyone these days is broke, including us," Chitren says.

An engineer discovered an economical solution at a security seminar: Authenex Strong Authentication System (ASAS) with its A-Key USB token. Washoe snapped up 100 tokens for $3,000, which includes server software and technical support.

The county uses the tokens in conjunction with its VPN. It set up a secure tunnel into its network by installing a hardened Windows 2000 dual-homed RRAS server behind its firewall. About 57 employees use A-Keys to log in from home or elsewhere.

"It gives me a sense of security that we have provided a secure tunnel. If there's a problem with the user, with the click of a button, I can disable that token," Chitren says. "Let's say he loses it, I just click a button and that token becomes null and void. It can't be used."

To access the network, an employee plugs his A-Key into a USB port or hub and enters his password. The A-Key, which has an on-board ASIC chip, conducts challenge-response sequences with the ASAS server using 128-bit Advanced Encryption Standard (AES). The ASAS server uses RADIUS and TCP/IP protocols.
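The flow just described (password plus a token that answers a server challenge with a keyed function, and the administrator's ability to disable a lost token from the earlier quote) can be modelled in a few dozen lines. The following is an added example written for this article, not Authenex code and not a description of the A-Key's internals: the real token uses 128-bit AES on its ASIC, and since the Python standard library has no AES, HMAC-SHA256 stands in as the keyed function. The serial number, secret, usernames and password are constructed values.

```python
"""Simulation of the two-factor, challenge-response login described above.

Hypothetical model, not Authenex code. The real A-Key answers the server's
challenge with 128-bit AES on its ASIC; the Python standard library has no AES,
so HMAC-SHA256 stands in for the keyed function. The protocol shape is the
same: fresh server nonce, keyed response computed on the token, constant-time
comparison and a disable list on the server.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value for the password hash


class UsbToken:
    """Simulated hardware token: the per-device secret never leaves it."""

    def __init__(self, serial, secret):
        self.serial = serial
        self._secret = secret

    def respond(self, challenge):
        # Keyed function over the server's nonce (AES-128 on the real device).
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Simulated authentication server holding token secrets and password hashes."""

    def __init__(self):
        self._tokens = {}     # serial -> token secret shared at enrolment
        self._users = {}      # username -> serial of the assigned token
        self._passwords = {}  # username -> (salt, pbkdf2 hash)
        self._disabled = set()
        self._pending = {}    # serial -> outstanding single-use nonce

    def enroll(self, username, token_serial, token_secret, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._tokens[token_serial] = token_secret
        self._users[username] = token_serial
        self._passwords[username] = (salt, digest)

    def disable_token(self, serial):
        """The 'click of a button' from the article: the token stops working."""
        self._disabled.add(serial)

    def challenge(self, username):
        """Issue a fresh 16-byte nonce; only the latest one per token is valid."""
        serial = self._users[username]
        nonce = secrets.token_bytes(16)
        self._pending[serial] = nonce
        return nonce

    def verify(self, username, password, response):
        """Both factors must check out: password and token response to the nonce."""
        serial = self._users.get(username)
        if serial is None:
            return False
        # Consume the nonce first so a replayed response finds nothing to match.
        nonce = self._pending.pop(serial, None)
        if nonce is None or serial in self._disabled:
            return False
        salt, stored = self._passwords[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(candidate, stored)
        expected = hmac.new(self._tokens[serial], nonce, hashlib.sha256).digest()
        token_ok = hmac.compare_digest(expected, response)
        return password_ok and token_ok


def run_demo():
    """Walk through login, replay, wrong password and revocation; return the outcomes."""
    server = AuthServer()
    token_secret = secrets.token_bytes(16)            # constructed per-device secret
    token = UsbToken("A-KEY-0001", token_secret)      # constructed serial
    server.enroll("alice", token.serial, token_secret, "correct horse battery")

    nonce = server.challenge("alice")
    first = server.verify("alice", "correct horse battery", token.respond(nonce))
    replay = server.verify("alice", "correct horse battery", token.respond(nonce))

    nonce = server.challenge("alice")
    wrong_password = server.verify("alice", "wrong", token.respond(nonce))

    server.disable_token(token.serial)
    nonce = server.challenge("alice")
    after_disable = server.verify("alice", "correct horse battery", token.respond(nonce))

    return {"login": first, "replay": replay,
            "wrong_password": wrong_password, "after_disable": after_disable}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two details carry the security value of the scheme: the nonce is popped before any comparison, so a captured response cannot be replayed against a later login, and the disable set is checked before the token response is evaluated, which is what lets an administrator null a lost token without touching the user's password.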

Aside from its affordability, ASAS was easy to install and features a web interface that simplifies administration. "It's just point and click," says Chitren.

If he does run into a problem, the technical support staffers at Authenex go the distance, Chitren adds: "You call those guys up and they will spend hours with you if they need to. Usually it's just simple stuff you just overlooked."

The implementation did hit a few hitches along the way. For one, employees would lose their tokens. "I told everyone, 'Put your token on your key ring'," Chitren recalls.

Secondly, if someone changes his password for the A-Key and forgets it, the token is useless. "There's no master override so you have a token with a password no one knows. It's worthless. You have to send it back and Authenex has to re-key that token to the encrypted database you've created," he says.

As an alternative, Authenex offers a hosted service that lets users register the A-Key, including its password, which enables password recovery, according to Mark Lemmo, Authenex director of product management. Companies can also choose to host the service themselves.

At Washoe, Authenex is just part of the overall security infrastructure. Other elements include a Check Point firewall, McAfee anti-virus software, and a system for hardening clients that involves eEye Digital Security's eEye Retina vulnerability scanner and Microsoft Baseline Security Analyzer.

"ASAS provides a secure mechanism for authentication into our network, but you still have to address other security issues," advises Chitren. "The client has to be secure because otherwise you're setting up a nice secure tunnel into your network for a hacker to get in."

Patching is another piece of the security puzzle, one that Washoe pursues aggressively after getting hit hard by last year's Blaster worm. Although the county already had a patch management product, engineers could not get employees to commit to a time for updating and rebooting their servers.

"Some of our operations are 24/7 – the sheriff's office, for example. We'd ask, 'When's a good time to turn off your server and work on it?' They would say, 'There's no good time'," Chitren recalls.

"We got hit with the worm and every workstation and server got hit. We just got killed. Ever since then I decided we're just going to bite the bullet and proactively patch all the servers and workstations. When a patch comes out from Microsoft, we schedule time immediately and patch everything."

This has paid off, he adds. Since last summer, major worms circulating on the internet have not affected Washoe. The county is likely to expand its use of ASAS although it plans to remain fairly stingy on granting more employees remote access privileges. "Everybody wants remote access but we have to be very careful," Chitren says.
