Organizations are increasingly being asked to provide staff with remote access to corporate systems.
Businesses are looking to minimize overheads with the use of hot desking and facilitating home working. In the U.K., recent government legislation on flexible working will only increase these demands, and while many have implemented virtual private networks (VPNs), many companies are unwittingly increasing the risk of a security breach.
The tremendous growth in the deployment of VPNs brings with it an incredible security risk. But where is this risk? Any security strategy is limited by the vulnerability present in its weakest link. In the case of VPNs this is the means of user authentication, as the default method is the simple username/password. Herein lies the great vulnerability of VPN and most other network security strategies.
The need for strong authentication
The great risk in the deployment of VPNs is that they extend the weak link of the username/password beyond the perimeter of the corporate walls. A malicious remote user can attempt to penetrate the corporate environment through the username/password vulnerability. Armed only with the name of employees, a hacker can guess a valid username. Then, by employing simple dictionary or social engineering attacks, a hacker will invariably be able to log into the network over the VPN.
So clearly, some form of strong authentication must be used if one wishes to deploy a VPN. But what methods are available to provide strong authentication?
Strong authentication is generally implemented by increasing the authentication factors. There are three that can be typically employed. These are: 'what you know,' 'what you have' and the newest factor, delivered by the advent of biometrics, 'what you are.' It is important to note that these factors may be used in any combination.
Fingerprint biometrics as an option
We have alluded to the use of biometrics for providing a unique 'what you are' factor for a strong authentication system. Biometric information (e.g. fingerprint scans, etc.), cannot be easily lost, stolen or shared. While some would argue that biometric data could be impersonated, these arguments do not address the cost or likelihood of doing so.
There are some key questions with biometrics. First, how accurate are they? When used in a typical IT application where one seeks to verify someone is whom they claim to be, it is highly unlikely that today's biometric technologies would permit access to an unauthorized user.
Then, how vulnerable are they? Because of the cost and effort one would incur to compromise a biometric system, it is not a likely scenario. Since any system could eventually be compromised, all security systems are ultimately based upon measure/countermeasure. Procedures such as combining biometric data with PINS can greatly reduce the risk.
How difficult are they to deploy? Early systems were difficult and required bespoke software integration. Many also suffered from the problem of central enrolment. As part of the security process surrounding the deployment of these systems, users were required to report to the central authority, prove their identity and become enrolled in the system. This was a big task, particularly where large number of users were involved. Some systems now offer self-enrolment and are designed to avoid a central repository store.
Will it easily integrate with my existing infrastructure? Systems are available that are shrink-wrapped, plug and play, and already integrated with the popular VPNs from vendors such as Checkpoint and Cisco.
The following is an example of deployment questions users should consider asking their vendor when evaluating biometric solutions.
Ken Douglas is director for Security Analytics (www.security-analytics.com).
Security Analytics are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk
