Token security

iGate’s key-based approach to security works well — in theory

THE CONCEPT BEHIND the NetSwift iGate is a good one: Provide an appliance with SSL acceleration and security that resides in front of your Web servers. That way, you can have secure communications to your network without burdening those servers with the processing overhead of SSL or the problems of setting up security on each server.

Rainbow Technologies accomplishes this by providing iKeys, tokens that plug into a standard USB port on a computer. Once users insert the token and provide a PIN, their systems are authenticated and can reach a protected Web site or server via the appliance.

In theory, Rainbow Technologies’ approach provides very strong protection. One of the basic practices of good security is that authentication must be proven by something you have (a token, for example) and something you know (perhaps a password). As long as these two facets are secure, your authentication is robust.

In practice, however, iGate’s approach is not as secure as one might expect, although it’s far better than user names and passwords alone. It is easy to administer, the cost isn’t bad, and iGate isn’t particularly difficult for an administrator or an end-user. Despite the good overall performance of the NetSwift iGate, we found cause for concern about Rainbow Technologies.

Unlocking the iGate

NetSwift iGate is a low-impact appliance. It’s not hard to make this device part of your datacenter. Once it’s in the rack, you need only attach a console cable to a terminal long enough to set the administrative IP address and the virtual IP address to be used by clients. Everything else is done via the appliance’s management tools. One of the nice things about the iGate is that it requires no extra software on the Web server, so virtually any Web server will work.

Using the primary management tool requires an HTTPS connection to the appliance. This browser-based tool allows administrators to set up the operational aspects of the appliance. For example, they can choose whether to use SSL for connections from browsers; they can enable some load-balancing features; they can even select what is displayed on the appliance’s front-panel LCD, such as IP address and transaction rate.

User management is handled via an access control manager, which lets administrators assign iKeys to users. The software also enables administrators to grant users access to protected Web servers using a name and password in case they can’t use their iKey. Note that an account with this fallback enabled is protected only by that password, since an attacker who knows it need not possess the token.

Client software needs to be installed on each workstation to support the iKey token. That installation takes place automatically when the CD is inserted into the workstation CD drive.

To access the Web server via iGate, users need only plug their iKeys into a USB port when prompted to do so. Users are then asked to enter their PIN. Once that’s done, they’re in.

The iKeys, incidentally, contain an LED that lets users know that the port is working. These tokens are provided with a keychain and key fob. Unfortunately, the token works only on Windows machines; Mac and Linux users are out of luck.

In general, once the NetSwift iGate is set up and the tokens are passed out to employees, there’s not much to do except make changes, such as when a user is added, if his or her information changes, or if a user leaves the company. You can administer the process quickly and easily. Setting up a new user requires only that you insert his or her token into your USB port and define the user’s name. When you’ve finished that, you upload changes to the appliance. It’s that easy.

We did, however, have some concerns about the security of the appliance and about the company. First, the tokens accept only numerical PINs; users can’t enter alphabetical or special characters. If someone wanted to use a pilfered token to break into your server, the numbers-only limitation would greatly simplify their task: a PIN drawn from ten digits can be tried exhaustively if nothing stops the guessing. Administrators can set the token to lock up after a predetermined number of failed access attempts, and that lockout should be enabled, because it is what caps how many guesses a stolen token will accept.
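The token-plus-PIN model described above (something you have, something you know) and the numeric-PIN and lockout concern in this paragraph, as an added example that is not Rainbow’s code and does not reproduce the iKey/iGate protocol, which the article does not detail: a simulated PIN-gated token answers an HMAC challenge-response from a verifier in front of the Web servers, and a brute-force routine shows what a stolen token is worth with and without a failed-PIN lockout. The `Token`, `Appliance`, `login` and `brute_force_pin` names, the HMAC-SHA256 exchange, the four-digit PIN and the lockout threshold are all assumptions for illustration.

```python
"""Added illustration (hypothetical, not Rainbow's iKey/iGate code): a PIN-gated
hardware token doing challenge-response with a verifier, plus the attacker's view
of a stolen token with and without a failed-PIN lockout."""
import hashlib
import hmac
import itertools
import secrets


class TokenLocked(Exception):
    """Raised once the token has disabled itself after too many bad PINs."""


class Token:
    """Simulated USB token. The per-token secret never leaves the device and is
    only used after the correct PIN has been presented."""

    def __init__(self, secret, pin, max_failures=None):
        self._secret = secret              # something you have
        self._pin = pin                    # something you know
        self.max_failures = max_failures   # None = no lockout configured
        self.failures = 0
        self.locked = False
        self._unlocked = False

    def unlock(self, pin):
        if self.locked:
            raise TokenLocked("token disabled after too many failed PIN attempts")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failures = 0
            self._unlocked = True
            return True
        self.failures += 1
        self._unlocked = False
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False

    def respond(self, challenge):
        """Sign the verifier's nonce; refuses unless the PIN was accepted."""
        if not self._unlocked:
            raise PermissionError("PIN required before the token will respond")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Appliance:
    """Verifier in front of the Web servers (hypothetical). Holds each enrolled
    token's secret and issues a fresh nonce per login so a captured response
    cannot be replayed."""

    def __init__(self):
        self.enrolled = {}   # user -> token secret
        self.pending = {}    # user -> outstanding challenge

    def enroll(self, user, secret):
        self.enrolled[user] = secret

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)   # one-shot: a replay finds nothing pending
        if nonce is None or user not in self.enrolled:
            return False
        expected = hmac.new(self.enrolled[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(appliance, user, token, pin):
    """The user's flow: PIN unlocks the token, token answers the appliance's challenge."""
    if not token.unlock(pin):
        return False
    return appliance.verify(user, token.respond(appliance.challenge(user)))


def brute_force_pin(token, length=4, alphabet="0123456789"):
    """Attacker holding a stolen token tries every PIN of the given length in order.
    Returns (pin, attempts) on success, or (None, attempts) if the token locks first."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        if token.locked:
            return None, attempts
        attempts += 1
        guess = "".join(combo)
        if token.unlock(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    secret = secrets.token_bytes(32)        # constructed sample token secret
    app = Appliance()
    app.enroll("alice", secret)
    print("login:", login(app, "alice", Token(secret, "7391"), "7391"))
    print("no lockout:", brute_force_pin(Token(secret, "7391")))
    print("lockout=5:", brute_force_pin(Token(secret, "7391", max_failures=5)))
```

With a four-digit numeric PIN the search space is 10,000 guesses, so without a lockout the stolen token yields the PIN after at most that many tries; with the lockout set to five, the attacker gets five guesses and then a dead token. The one-shot nonce in `verify` is what keeps a sniffed response from being replayed, which a static name and password cannot do.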

Wait, isn’t this a security company?

Another concern is the lack of security on the CD that comes with the iGate. The product we received contained a quarantined virus. This isn’t a huge threat, but it means that Rainbow Technologies had a virus infection on the computers that created the CD, and one of them was caught. But it also means that other viruses or worms could exist on that disk that weren’t caught. Clearly, Rainbow Technologies needs to clean up its operation and find a way to ensure the CD creation is safe from even the accidental introduction of malicious code.

Furthermore, Rainbow Technologies failed to include the front panel key when shipping the unit. According to a tech support engineer, this has happened with some frequency. Although this oversight does not pose a threat to your network, it delays the IT department in getting the iGate up and running.

Together, the virus and key problems suggest that there may be huge gaps in the quality assurance process. Although the iGate performed flawlessly once we got it unlocked, we never stopped wondering what else the company forgot to check.

When we got the iGate operating, it performed as the company said it would. It’s easy to deploy, fairly easy to use (though the user interface could be more intuitive), and it provides the SSL support and the security companies need for their internal operations and their commerce sites. Unfortunately, Rainbow Technologies needs to address some serious security shortcomings before we can give iGate an unqualified thumbs up.

Source: www.infoworld.com