USB tokens tighten up secure WAN links

Authentication boosts security

The latest additions to corporate secure-WAN toolkits are USB tokens that authenticate and encrypt traffic, tighten security and make it simpler for users to make connections versus using standard VPN technology.

Two startups, KoolSpan and Sweetspot, incorporate two-factor authentication via their tokens, increasing the security of user authentication as well as encrypting traffic. In KoolSpan’s case, once a connection is made, the devices change their encryption keys for every packet sent, further boosting the secrecy of the data sent.

Alternatives would call for a VPN plus separate two-factor authentication such as RSA Secure ID tokens.

KoolSpan’s SecureEdge gear consists of “keys”, its name for the tokens, and “locks”, which are appliances located on corporate networks and protected from the internet by firewalls. The keys and the locks have embedded smart cards that contribute to two-way, two-factor authentication. The devices authenticate to each other rather than just the remote device authenticating one-way to a central server.

Once authenticated to each other, the devices go through a process to connect the remote machine via a layer 2 Ethernet bridge link. Traffic across this bridge is encrypted using 256-bit Advanced Encryption Standard (AES), and the encryption key is changed for every packet sent. AES traffic over a standard IPsec VPN uses the same encryption key for an entire session.

Packet-by-packet key changes ensure that even if traffic is intercepted and a key is somehow compromised — which would take powerful computing resources and time — the attacker would get only one packet’s worth of data and then have to try to guess the key for the next packet by trying multiple possibilities, according to Nick Selby, enterprise security analyst for The 451 Group.

“This is very strong encryption,” he says.

Sandy Spring Bank purchased KoolSpan devices because they are simpler to use and more secure than the alternative it had used — a combination of an RSA smart card token and a Cisco VPN — says Curt Purdy, information security officer for the bank.

Unlike RSA tokens, the KoolSpan keys require no manual copying of passwords from the device to a computer screen. “There’s no fumbling with a fob, looking at the code on it and typing it in and having it change halfway through,” he says. “You just stick the USB key into the laptop and type in the password.”

RSA tokens also require a separate server that demands administrative time for upgrades, as well as resultant upgrades to the bank’s RADIUS server, he says. KoolSpan’s gear is self-contained, and he estimates it requires 2% of administrative time. And, once connections are established, encryption is more secure, by virtue of the per-packet keying, he says.

The bank is rolling out keys to 300 employees, for routine use and also as a precaution against emergencies that require employees to work from home, Purdy says. Sandy Spring is buying enough locks to create secure site-to-site internet connections among 34 locations, letting it decommission its traditional frame relay WAN and save more than half its WAN costs, he says.

A package of one lock, ten keys and an enterprise-manager master key costs US$4,950 (NZ$7,746). Locks and keys also can be bought separately. A lock costs US$2,900 and a set of ten keys with software drivers costs US$1,250.

Sweetspot’s tokens perform a different function. They also authenticate remote machines via two-factor authentication, with a Sweetspot appliance inside the corporate firewall. But, once authenticated, they act as VPN clients, creating a secure tunnel between the remote machine and the Sweetspot appliance. Alternatively, the tokens can tunnel to third-party VPN gateways. So far, the tokens are compatible with VPN gateways made by Astaro, Cisco, Nortel and Watchguard Technologies.

Sweetspot customer Mark Snyder, regional IT director for Native Air, a helicopter ambulance service in Arizona, says laptops used by medical personnel on flights to record patient information are equipped with the tokens to set up wireless VPN connections to Native Air billing and quality-control application servers at headquarters.

The tokens eliminate the need to train medical personnel on using VPN clients. They also result in reports getting filed from hospitals via broadband wireless internet connections rather than waiting for personnel to plug into a LAN at a helicopter base. This clears paperwork sooner and gets flight crews ready for the next flight sooner, Snyder says.

Join the newsletter!

Error: Please check your email address.

Tags UBSSecurity IDtokens

More about Advanced Encryption StandardAES EnvironmentalAstaroCiscoLANNortelRSAWatchguardWatchguard Technologies

Show Comments
[]