IT systems must manage users and control access privileges to protect sensitive resources. This function is usually implemented in enterprise networks through authentication (verification of identity), authorization (control of access privileges) and accounting (recording of actions for auditing)—an “AAA” security framework.
Any device serving as a gateway to access critical infrastructure resources must be able to adhere to—and enforce—the AAA framework. When an access device authenticates a user attempting to gain admission into a system, it typically issues a username and password challenge. In the simplest configuration, the device stores a user database and can locally validate the identity of the user.
In a large IT environment, however, using local authentication is impractical. Any change (for example, when an employee leaves the company) requires updating all copies of the user database at each access point. We will look next at a more robust method of separating the user database from the devices performing the authentication.
To make management more effective, access devices can be configured to use server-based authentication. The access device prompts the user for a username and password but instead of testing this information against its local database, it forwards it to the server, which then authenticates the user and returns the corresponding authorization privileges.
For this task, the most common vendor-neutral protocol in use today is RADIUS, and there are multiple proprietary and open-source RADIUS server implementations. Other common choices are LDAP (a directory-access protocol, common in Microsoft Active Directory environments) and TACACS+ (common in Cisco environments; unlike RADIUS it obfuscates the whole packet body rather than just the password and keeps authentication and authorization as separate exchanges). The advantage of a central AAA server is that, as long as the central directory is up to date, every component of the IT system enforces consistent AAA across the environment.
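The following is an added example, not code from the original article or from Opengear, showing the server-based exchange just described as RADIUS PAP (RFC 2865): the access device builds an Access-Request with the User-Password attribute hidden under the shared secret, the server recovers the password, checks it against its directory and answers Access-Accept or Access-Reject, and the access device validates the Response Authenticator before trusting the answer. The shared secret, the user database and the usernames are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attributes this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; followed by a 16-byte Authenticator


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side of section 5.2: same keystream, chained on the received blocks."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the access device (NAS) sends. The Request Authenticator must be fresh and random."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(request, secret, user_db):
    """RADIUS server side. user_db maps username -> password and is a constructed
    in-memory stand-in for the central directory (a real server stores hashes)."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    username, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    accepted = False
    if username in user_db and hidden is not None:
        accepted = hmac.compare_digest(
            user_db[username], reveal_password(hidden, secret, request_auth))
    header = HEADER.pack(ACCESS_ACCEPT if accepted else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(response, request, secret):
    """NAS side: trust the reply only if it carries our Identifier and a Response
    Authenticator computed with the shared secret, so a forged Accept is rejected."""
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("reply does not match an outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code == ACCESS_ACCEPT


def demo():
    """Constructed exchange: a correct and a wrong password against a one-entry user database."""
    secret = b"example-shared-secret"  # assumption: configured identically on NAS and server
    users = {b"netops": b"correct horse battery staple"}
    good = build_access_request(7, b"netops", b"correct horse battery staple", secret)
    bad = build_access_request(8, b"netops", b"password1", secret)
    return (client_verify(server_handle(good, secret, users), good, secret),
            client_verify(server_handle(bad, secret, users), bad, secret))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two practitioner notes on what the code makes visible: the User-Password hiding is an MD5 keystream keyed only by the shared secret, and the reply is bound to the request only by the MD5-based Response Authenticator, which is why RADIUS traffic belongs on a protected management network (or inside IPsec or TLS) and why the Message-Authenticator attribute of RFC 2869 should be enabled on both ends in real deployments; neither is implemented here.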
Authentication Factors: Something You Know, Something You Have and Something You Are
Most systems employ single-factor authentication, typically a password, which is something you know. To gain unauthorized access to the system, an intruder has to steal, guess or crack that password.
A data center usually has several layers of security in place, and single-factor authentication for infrastructure management is adequate in most cases. But in some situations, implementing additional layers of authentication is a good idea.
The most common second authentication factor is possession of a physical device, something you have. Users are asked to provide a one-time passcode generated by a token card or sent to their smartphone via SMS. To gain unauthorized access, an intruder would have to not only obtain the password but also gain control of that physical device, which makes a breach considerably harder. (Of these, SMS delivery is the weakest: messages can be intercepted or redirected by an attacker who takes over the phone number, so a dedicated token or authenticator app is preferable where available.) Using a password together with a passcode tied to a physical device is called two-factor authentication.
The third factor is usually a biometric characteristic of the user, something you are (a fingerprint or a facial or hand image, for instance, obtained through a biometric scan). Adding this gives you three-factor authentication, which today is most commonly used for physical-access control rather than for logical access to network infrastructure.
Multifactor Authentication for Infrastructure Management
Network engineers and system administrators managing the enterprise IT infrastructure have traditionally worked under additional layers of security restrictions (such as limited access only from a dedicated management network) that made simple password authentication adequate for most uses. Only very demanding security environments have employed two-factor authentication for infrastructure management to date.
Most commercial two-factor authentication solutions integrate with the AAA server over the RADIUS protocol. Two examples are RSA SecurID and Duo Security. Users carry a hardware token (a small key fob or card with a display) or run a mobile app; either generates one-time passcodes from a secret key shared with the authentication server, time-synchronized so that each code is valid only for a short window.
Two trends are reigniting interest in multifactor authentication for enterprise IT management:
- IT infrastructure is less geographically isolated. Network managers and system administrators are not in the same building as the managed infrastructure and increasingly must be able to intervene from their mobile phones regardless of whether they are connected to the corporate management network. A single IT service might be using resources located at the enterprise data center, a co-location facility and a cloud provider. Boundary-security controls are less effective, and a strong AAA framework gets higher priority.
- Multifactor authentication technology is evolving. In recent years, consumer social networks and other web services have started offering two-factor authentication. In these cases, the client (a browser or a mobile app) talks directly to a server in the cloud over HTTPS, a protocol that easily traverses the public Internet. Another trend is the use of mobile technology to eliminate the need for dedicated token cards: passcodes sent to a smartphone by SMS in real time are a possible alternative to time-synchronized passcodes derived from a shared secret key.
Some enterprise solutions for multifactor authentication are moving away from the RADIUS protocol and instead offer PAM modules that can be easily installed on general-purpose machines. Incorporating them into embedded network appliances (console servers, access gateways, routers and switches) is a new challenge, as it requires specific technical collaboration between the appliance and software vendors, or an open-source strategy (Google's Authenticator project, for example, publishes an open-source PAM module implementing the same time-based one-time-password scheme as its mobile app).
In the coming years, we see those technologies coming together and making the implementation of multifactor authentication simpler and less expensive than it has been in the past. Use of mobile and web-services technology will increase, giving enterprise networks the same benefits from multifactor authentication that the application-access and consumer spaces already enjoy.
With these methods available, implementing two-factor authentication for infrastructure management is well within reach for enterprises. Doing so can easily make the difference when it comes to avoiding costly and damaging security issues.
About the Author
Marcio Saito is Chief Technology Officer at Opengear, a company that builds next-generation smart solutions for actively managing and protecting critical IT and communications infrastructure.