Monday, February 26, 2007

Two Factor Authentication - Squared

I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unauthorized users getting an IP address and subsequently getting onto their network, and their customers' networks. I showed them how the solution worked in 15 minutes and was done with that part of the discussion. We had just shown a viable alternative to 802.1x, both in implementation time (2 hours of setup, 15 minute demonstration) and cost (a fraction of the $$$ of the solutions I know about).

The next part of the discussion was around authentication. Part of it was academic discussion, part was thinking through a business problem: authentication, and how much is enough?

We were able to figure out that the same solution we had just used to solve one problem would also solve another, one that is on the minds of anyone working on HSPD-12 initiatives.

Long story short: four factor authentication. Two factor authentication, squared, or 2F2.

Here is how it works:

I identify the user in two ways: PIV card (something they have) and login credentials (PAC & LAC controls).

I identify the machine in two ways: by unique machine ID (hardware serial numbers encrypted in every packet) and by certificate exchange. Unalterable, proven, and deployed in hours.

Why does this matter?

Audit - Be able to see every network layer event, by who and from what machine, in real time, and know that the data is irrefutable and will hold up in court, instead of relying on spoofable MAC addresses and IP addresses.

Control - Make policy based access decisions on some combination of the four attributes, providing the ultimate in flexibility and rollout options.

For example: a known, trusted user AND a known, trusted machine on my LAN gets access to what they need to do their job from DAY ONE (email). A known user on an unknown machine (vendors/guests) gets access to port 80 only, so they can demo, check webmail, etc.

At the macro level, you have just scoped your threat surface down to only those you know and trust, machines and people alike.

Add to it immediate, real time alerting when something looks like it is going wrong, and reporting that shows exactly what they tried to do, that they were blocked, and that it was still logged. Priceless...
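To make the control and audit pieces concrete, here is an added example of the policy logic described above. It is illustrative code written for this post, not the product being demonstrated. It assumes the two user factors (login credential and PIV card serial) and the two machine factors (hardware serial and certificate fingerprint) have already been extracted from the packet and verified cryptographically upstream; the identifiers, port sets and enrolment tables are constructed. It also goes slightly beyond the post in two labelled places: a known identity whose second factor does not match is treated as an alert-worthy event, and an unauthenticated user on an enrolled machine, which the post does not discuss, is denied.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed enrolment tables standing in for the real directory and PKI.
# Assumption: PIV serials and certificate fingerprints are hypothetical
# identifiers; the post does not name any.
PIV_BY_USER = {"alice": "PIV-0001", "bob": "PIV-0002"}
CERT_BY_MACHINE = {"SN-LAPTOP-42": "fp:aa11", "SN-DESKTOP-07": "fp:bb22"}

# Day-one job services for a trusted user on a trusted machine (email, web)
# versus the port-80-only tier the post gives vendors and guests.
JOB_PORTS = {25, 80, 143, 443, 587, 993}
GUEST_PORTS = {80}


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]              # login credential (user factor 1)
    piv_serial: Optional[str]        # PIV card serial (user factor 2)
    machine_serial: Optional[str]    # hardware serial from the packet (machine factor 1)
    cert_fingerprint: Optional[str]  # machine certificate fingerprint (machine factor 2)
    dst_port: int


def _level(presented_id, presented_proof, directory):
    """Rate one identity as trusted, unknown, or mismatch.

    trusted  - both factors present and they agree with enrolment data
    unknown  - nothing presented, or an identity never enrolled
    mismatch - an enrolled identity whose second factor does not match
    """
    if presented_id is None or presented_id not in directory:
        return "unknown"
    return "trusted" if directory[presented_id] == presented_proof else "mismatch"


def user_level(r: AccessRequest) -> str:
    return _level(r.user, r.piv_serial, PIV_BY_USER)


def machine_level(r: AccessRequest) -> str:
    return _level(r.machine_serial, r.cert_fingerprint, CERT_BY_MACHINE)


def decide(r: AccessRequest):
    """Return (decision, reason, alert) for one request."""
    u, m = user_level(r), machine_level(r)
    if "mismatch" in (u, m):
        # An enrolled user or serial with the wrong second factor is the
        # case the audit trail exists for: block it and alert in real time.
        return "deny", f"factor mismatch (user={u}, machine={m})", True
    if u == "trusted" and m == "trusted":
        allowed = JOB_PORTS
    elif m == "unknown":
        allowed = GUEST_PORTS  # any user on an unknown machine is a guest
    else:
        # Unknown user on an enrolled machine: not defined by the post;
        # this example's assumption is to deny without alerting.
        return "deny", "unauthenticated user on an enrolled machine", False
    if r.dst_port in allowed:
        return "allow", f"user={u} machine={m}", False
    return "deny", f"port {r.dst_port} outside tier (user={u}, machine={m})", False


class PolicyEngine:
    """Evaluates requests and keeps the per-event audit trail and alerts."""

    def __init__(self):
        self.audit_log = []  # every decision, allowed or blocked
        self.alerts = []     # the subset that looked like something bad

    def process(self, r: AccessRequest) -> dict:
        decision, reason, alert = decide(r)
        # Every record carries all four attributes plus the outcome, so a
        # reviewer can see who, from what machine, tried what, and why.
        record = {**asdict(r),
                  "user_level": user_level(r),
                  "machine_level": machine_level(r),
                  "decision": decision,
                  "reason": reason}
        self.audit_log.append(record)
        if alert:
            self.alerts.append(record)
        return record


if __name__ == "__main__":
    engine = PolicyEngine()
    for req in [
        AccessRequest("alice", "PIV-0001", "SN-LAPTOP-42", "fp:aa11", 143),
        AccessRequest("alice", "PIV-0001", "SN-VENDOR-1", None, 143),
        AccessRequest(None, None, "SN-VENDOR-1", None, 80),
        AccessRequest("bob", "PIV-0001", "SN-DESKTOP-07", "fp:bb22", 80),
    ]:
        rec = engine.process(req)
        print(rec["decision"], "-", rec["reason"])
    print("alerts raised:", len(engine.alerts))
```

The point of splitting each identity into trusted/unknown/mismatch rather than a simple yes/no is that an unknown guest and a spoofed enrolled identity need different handling: the first gets the port-80 tier, the second gets blocked and surfaces as an alert while still landing in the same audit log as everything else.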

identitystuff@gmail.com
