
Secure Nortel VPN access

Using SafeWord® for Nortel Networks to
provide easy, cost-effective strong
authentication for remote users



Table of Contents

Overview
About Nortel VPN products
The password risk
Do stronger password policies really help?
The answer is strong authentication
How SafeWord for Nortel Networks provides strong authentication
What's different about SafeWord for Nortel?
Conclusion
For more information

Overview

SafeWord® for Nortel Networks is a strong authentication system designed specifically for Nortel Alteon or Contivity VPN environments, and designed specifically for VPN administrators to manage. This paper discusses the risks of passwords, how SafeWord for Nortel protects against those risks, and the unique features and benefits of SafeWord for Nortel that make it easy and cost-effective for VPN administrators to manage.

About Nortel VPN products

Nortel's Alteon SSL VPN is a remote access security solution that extends the reach of enterprise applications to mobile workers, telecommuters, partners, and customers. By using secure sockets layer (SSL) as the underlying security protocol, Alteon SSL VPN allows for truly unrestricted remote access -- using the Internet for remote connectivity and the ubiquitous Web browser as the primary client interface.

Nortel Contivity Secure VPNs provide secure connectivity across managed IP networks and the Internet. Contivity Secure VPNs connect remote users, branch offices, suppliers, and customers with the cost and performance advantages of public IP networks and the security and control found in private networks.

The password risk

VPNs, both IPSec and SSL-based, create a secure tunnel over the Internet. This secure tunnel protects against snooping, sniffing, and other "man-in-the-middle" attacks. However, most organizations still rely on simple usernames and passwords to access the entrances to these secure tunnels.

Passwords are a very weak way to guard the entrance to your trusted systems, applications, and networks. A variety of security studies have found that many users choose passwords that are very easy to guess, attack, or break.

In one study, 12 percent of users had chosen extremely weak passwords -- the password was the word "password." (Gosh, how clever; it's like hiding in plain sight!)

Many users choose the "vanity passwords" of "stud" or "goddess" -- and many more choose other easily guessable vanity passwords like "cutiepie," "hunk," and similar words. This is an open door into networks for hackers.

A much larger percentage of people -- 35 percent or more, depending on the study -- choose passwords based on personal information that can be found in their work area. The name of a child or spouse, a favorite rock band, classical composer, vacation spot, or car model can often be found on an employee's desk or hanging on the wall of a cubicle or office. Additionally, personal information such as this can be easily gleaned by a smart attacker in a two-minute "friendly conversation" in the elevator.

Do stronger password policies really help?

Some security pundits recommend implementing the following policies to protect passwords against these attacks: mandating passwords of at least six characters; forcing users to change their passwords every 30 days; not allowing users to "replay" a previously used password; no dictionary, slang, or industry words; requiring at least one uppercase letter, one lowercase letter, one numeric, and one symbol; no birthdays or social security numbers; no proper names -- the list goes on and on. Some experts even recommend that users develop complex schemes, including learning a mnemonic alphabet or secret codes. This leads to passwords like G1w$#Ih5W.

There are two problems with implementing such password policies. The first is that the more of these password policies you implement, the harder it becomes for users to remember their passwords. Forgotten passwords are the number one type of help-desk call -- and the average help-desk call costs $50-$150 in resources and lost productivity.

The second problem is that the organization's security risk can actually increase. Users in organizations with complex policies may spend their time trying to circumvent their company's password policies. The easiest way to circumvent a complex password policy is to simply write the password down and tape it underneath the keyboard or to the workstation's monitor.

Even stronger password policies cannot defend against the weakest link: the end user.

Of 150 office workers surveyed in 2002, the majority of them said they would give their password to a coworker or colleague, and two-thirds of them gave their network password to the survey taker! A British survey found that over 90% of people would reveal their network password for a free pen. (And that's a cheap ballpoint, not an expensive fountain pen.)

Organizations lose hundreds of millions of dollars every year because of password breaches. An identity theft ring was uncovered in early 2003 after a help-desk employee was found to be stealing credit companies' passwords. The victims numbered in the dozens, and lost more than $30 million combined. No password policy is strong enough to defend against this kind of attack.

Clearly, organizations with valuable information must choose something stronger than passwords to protect their resources.


The answer is strong authentication

Strong authentication refers to systems that require multiple factors for authentication and use advanced technology, such as secret keys and encryption, to verify a user's identity. The simplest example of strong authentication is your ATM card. This requires something you have (your card), and something you know (your PIN). Most people wouldn't want their bank to allow access to their checking account with just one factor. Yet many organizations allow entrance to their valuable Nortel resources (often much more valuable than a single personal checking account) with only one factor -- a weak password!

How SafeWord for Nortel Networks provides strong authentication

SafeWord for Nortel Networks delivers security through one-time passcode-generating hardware tokens, combined with a user's PIN.

Figure 1: SafeWord for Nortel Networks hardware token

When a Nortel VPN user pushes the button on the SafeWord token, it immediately generates and displays a single-use passcode (via a unique secret key and an advanced encryption algorithm that is contained inside). The user enters the passcode, followed by the user's unique PIN, to gain access. The SafeWord server, with each user's token and PIN on file, can confirm the authenticity of each passcode presented by each user. After one use, the passcode is thrown away by the system. If someone attempts to re-use a passcode, access is denied by the authentication server.

Each Nortel VPN user must have the SafeWord token in their possession (much like the ATM card) and know the PIN. This is true two-factor authentication, and it eliminates the risks of stolen or compromised passwords.
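The check described above (passcode followed by PIN, each passcode accepted once, re-use denied) can be sketched as follows. This is an added example, not Secure Computing's code: the page does not say which algorithm the token uses, so counter-based HOTP from RFC 4226 stands in for it, and `AuthServer`, `enroll`, `verify`, the six-digit length and the look-ahead window are hypothetical choices.

```python
import hashlib
import hmac
import os
import struct

DIGITS = 6  # passcode length (assumption; the page does not state it)

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: one passcode per button press (counter value)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical server holding each user's token key and PIN."""

    def __init__(self, window: int = 5):
        self.window = window  # tolerated unused button presses
        self.users = {}

    def enroll(self, user: str, key: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"key": key, "salt": salt,
                            "pin": _pin_hash(pin, salt), "counter": 0}

    def verify(self, user: str, response: str) -> bool:
        """response = passcode followed by PIN, as the user types it."""
        rec = self.users.get(user)
        if rec is None or len(response) <= DIGITS:
            return False
        passcode, pin = response[:DIGITS], response[DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"])
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["key"], c), passcode):
                # Burn the passcode even on a bad PIN, so it cannot be
                # replayed or paired with further PIN guesses.
                rec["counter"] = c + 1
                return pin_ok
        return False

if __name__ == "__main__":
    server = AuthServer()
    server.enroll("alice", b"12345678901234567890", "4321")  # constructed
    print(server.verify("alice", "755224" + "4321"))  # first use
    print(server.verify("alice", "755224" + "4321"))  # replay
```

The key is the RFC 4226 test-vector secret and the PIN is constructed sample data; a real deployment would also rate-limit failed attempts per user.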

What's different about SafeWord for Nortel?

As mentioned earlier, SafeWord for Nortel Networks is designed to be easily and cost-effectively managed by VPN administrators. The following are the main differences between traditional strong authentication systems and SafeWord for Nortel:

  1. Installation is lightning-fast. Competing solutions can take hours or days to install and configure properly. Often, systems engineers must be scheduled from the vendor to install the software correctly. Security policies must be mapped out. Ports must be opened, or closed, or both. But it's easy with SafeWord for Nortel: Pop in the CD. The wizard-driven installation leads you through the process in less than 10 minutes.

    Figure 2: Installing SafeWord for Nortel is quick and easy.

  2. No separate machine needed. Competing solutions require the software to be loaded on a separate server. A server with the minimum requirements costs about $3,800. But SafeWord for Nortel installs directly on your Active Directory box, saving thousands of dollars (and the hassle of a purchase requisition).

  3. Manage everything from Active Directory. Other solutions use a proprietary user database which must be managed separately. With SafeWord for Nortel, plug-ins to the Microsoft Management Console in Active Directory tie the SafeWord tokens directly to your Active Directory users, so there's just one place to manage users and tokens.

    Figure 3: The SafeWord plug-in to Active Directory.

  4. Deliver tokens to end users in a quarter of the time, with a quarter of the expense. With traditional token deployment, administrators must create user accounts, import user records, test tokens and assign to each user, label and process each token for delivery, find each user, and deliver the correct token. This takes about 30 minutes per user, which can add up very quickly. But SafeWord for Nortel includes a user self-enrollment capability (offered in all Secure Computing SafeWord products). With user self-enrollment, administrators don't have to match each user to their correct token or assign tokens -- users can enroll themselves. One-time setup takes an administrator about a half hour, and the per-user time drops from 30 minutes to less than 5. Even if you just have 25 users, you'll save over a day of work using SafeWord for Nortel's user self-enrollment.

    Figure 4: Users can enroll themselves with the SafeWord User Center.

  5. Never buy another replacement token. Some competing solutions require you to repurchase tokens every 2, 3, or 4 years -- their tokens are programmed to expire at the end of that time period. But with SafeWord for Nortel, simply return any nonfunctioning token to us and we'll replace it for free, no questions asked. Our tokens are not programmed to expire, and if one fails for any reason (you dropped it into a running garbage disposal, your dog chewed it up, you ran over it with a steamroller, or if it simply has a dead battery in 10 years), we'll replace it free of charge. All that's required is that your organization has a valid, up-to-date support contract with us.

  6. All of this at half the price. Competing solutions for 100 users list for $200 or more per user. SafeWord for Nortel is less than half the cost.

Conclusion

SafeWord for Nortel Networks, with its fast installation and administrator-friendly features, is built for the Nortel VPN administrator to quickly and easily implement, deploy, and maintain strong authentication. Add in the savings with user self-enrollment and lifetime free token replacement, and SafeWord for Nortel has a low total cost of ownership and a high value.

For more information

SafeWord for Nortel demonstration site
http://www.safewordfornortel.com

SafeWord for Nortel Networks product information
http://www.safewordfornortel.com/product_info.html

SafeWord for Nortel Networks product brief
http://www.safewordfornortel.com/product_info/product_brief.html

Replication with SafeWord for Nortel Networks
http://www.safewordfornortel.com/product_info/app_note.html

SafeWord PremierAccess (for protecting Web, Citrix, dial-up, and other applications in addition to VPNs)
http://www.securecomputing.com/index.cfm?sKey=643


 
© 2003 Secure Computing Corporation. All Rights Reserved.  Contact Us: 800.379.4944 opt. 3 or 408.979.6572