Martin Khoo <Martin_Khoo/SIN/Lotus @
>> Alternatively, you can look at SecurID tokens from Security Dynamics. FW-1
>> supports SecurID as one of the mode of user authentication. SecurID
>> authentication is client/server based; the server (ACE server) can be
>> running on the same machine as the firewall or it can be on another
>> Web site : http://www.securid.com
Steve Kennedy <steve @
>Until Security Dynamics implement a distributed server (they may well
>have by now), their solution doesn't scale and multiple master/slaves
>are required for large organisations (you can only have a single master and
>slave for an entire network - I believe).
>Running multiple masters allows for spoofing ...
Not all ACE/SecurID installations are client/server based --
currently there are mainframe software authentication modules for VMS, MVS,
Crays, etc.; and a ton of stand-alone hardware-based authentication boxes,
what SDTI calls ACMs -- but the SDTI product line is migrating toward a
wholly C/S architecture.
SDTI (and most of the FW vendors) would also caution against
running your authentication server on the firewall -- it's possible, but
with inexpensive Intel/NT ACE/Servers now available, it seems to be wholly
Distributed ACE/Servers? Not yet: third quarter, 1997.
Even today, however, multiple servers (ie. masters) "allow for
spoofing" only if the servers are truly duplicates of each other... and/or
the mechanism to mirror or synchronize records among mirrored servers is
flawed. (My impression is that many of the early attempts to distribute
the authentication function among mirrored servers have had many problems,
particularly as corporate users try to scale up beyond a couple of servers.
Any field reports out there?) SDTI, in contrast to some competitors, has
been quite cautious: urging its few customers with global networks to hold
off and forego single sign-on in favor of regional servers with their own
distinctive user (tokencode/PIN) databases.
(The standard SecurID token has the ability to generate up to three
parallel PRN chains -- tokencodes generated from completely different
seeds, within one token -- and, with varied user-memorized PINs, can offer
varied two-factor authentication on any number of ACE/Servers.)
Not the slickest solution, but certainly spoof-proof and (when
enhanced by network or link encryption) tight as a drum. Until recently,
however, this was apparently the only network I&A solution SDTI felt
A week ago, that changed: SDTI announced its third generation
ACE/Servers, scheduled for delivery in the third quarter of '97. These
will be distributed peer-to-peer servers, designed to support user I&A...
plus a variety of new PKC-based network security services, including
certificate management, cryptographic key management, and access/privilege
The ACE/Server 3.X is SDTI's endorsement of a strategic argument
repeatedly made on this List: that HHA tokens like SecurID are only the
smallest piece of the integrated security solution required for the
Enterprise market... and that server functionality (not the design or price
of the token) is the crucial and enabling purchase for new I&A systems.
Obviously, SDTI's 1996 merger with RSA Data Security -- which developed the
public-key and private-key encryption modules now standard throughout the
industry, with 80+ million installations -- has profoundly shaped and
enhanced the potential of this new generation of ACE/Servers.
On the evolutionary scale, SDTI said the ACE/Server 3.X will support:
- a gradual and planned migration from SecurIDs to SecurID/smartcards, and
on to Smartcard/PKC certificate-based authentication;
- RADIUS (in addition to TACACS and TACACS);
- a widely-requested facility for emergency one-time access (at the
discretion of the sysadmin);
- new controls which will allow the ACE/Administrator to restrict user or
group logins (based on time, day, or week) -- apparently only the beginning
of SDTI's foray into ACE-based privilege management.
On the revolutionary scale, the impressive stuff was SDTI's
announcement of what it calls its Enterprise Security Services. "ESS" is a
public-key cryptographic infrastructure (offering PKI support for file and
message security and integrity, as well as digital signatures), apparently
enhanced for robust user authentication and fine-grained access controls.
SDTI said it plans to integrate the tools and systems necessary to
manage the corporate users' cryptographic keys and PKC certificates into
the established I&A functionality of their widely-used authentication
server. SDTI, a fundamentally conservative firm, looked to the future and
apparently decided to reinvent itself. The $250M purchase of RSADSI was
the first step; this initiative in enterprise network security services is
the second. SDTI jumped into client/server authentication services some
five years ahead of its competition -- but even that was a mere adaption
compared to this bet-the-business proposition.
SDTI brings crucial assets to what appears to be an SDTI/RSA joint
venture. In the installed base of ACE/Servers, SDTI customers have a
familiar and secure RDBS, already under the control of the
network/corporate security manager. In the ACE/Administrators, they have a
capable and technically-sophisticated user community already interested in
crypto; customers who value the SDTI heritage of robust two-factor user
authentication. RSA, OTOH, provides its unique experience with PKI: key
and certificate management, smartcards, and the intricacies of
Together, SDTI and RSA tackled the Big Agenda for corporate
security in the 1990s.
After the RSA purchase, PKI-enhancements for the ACE/Server were
widely expected, but the scope and delivery schedule for the SDTI
announcements is impressive. (Were I a more unbiased observer, I'd say
"awesome" -- but I'm updating my SecurID FAQ, and I'm not really
unbiased... nor am I going to waste superlatives on this cynical and
cantankerous audience;-) For the record: over the course of the next ten
months, Security Dynamics has promised to introduce new products and reveal
new partnerships that will enable the third-generation ACE/Server to
-- Certificate Management - Security Dynamics believes that in the future,
certificates, which attest to the authenticity of the owners of public
keys, will be increasingly used for identification and authentication,
digital signatures, and to support secure email (S/MIME), secure browser
communications (with SSL), and secure communications over the Internet
(S/WAN). A certificate authority (CA) serves as a trusted third party that
vouches for the authenticity of owners of public keys.
As part of its ESS certificate services, Security Dynamics plans to
simplify the management of diverse certificates. Specifically, Security
Dynamics intends to offer a software service that allows corporations to
create their own certificate services that will create, distribute, and
manage certificates for important confidentiality and integrity
applications. ESS certificate services provide comprehensive management of
user and system certificates. The service will provide certificate chains
to higher level CAs to enable secure exchange of information beyond the
bounds of a single enterprise. In addition, Security Dynamics' certificate
service plans to support certificates from alternative CAs.
-- Key Management - Public and private keys keep communications private
through the use of RSA's genuine encryption technology. Security Dynamics'
key management services are expected to include generation, distribution,
validation, replacement, termination, and recovery of keys. Key recovery is
a particularly important service that allows corporations to protect
against loss of information that has already been encrypted. Security
Dynamics is designing its key recovery
system to meet government requirements pertaining to the international
export of full-strength encryption technology.
-- Privilege Management - As part of its ESS privilege services, Security
Dynamics plans to manage privilege certificates that define what enterprise
resources users can access and what they can do with those resources.
Working with other leading providers of privilege management services,
Security Dynamics plans to provide a common repository of user access
control and privilege definitions that can be managed from a common,
enterprise-wide administrative interface.
Along with the enhancement of the ACE/Server platform and the availability
of add-on service modules, Security Dynamics will add smart cards to its
existing token offerings, which presently consist of SecurID hardware
tokens and SoftID software tokens. Machine-readable, credit card-sized
smart cards are being designed to provide a secure and convenient form
factor for delivering authentication functions and key and certificate
Finally, one of the most important benefits to the customer is the
administration of the various security services from a single, easy-to-use
management platform. Security Dynamics expects that ACE/Server will provide
a common management interface, accessible through Web browsers, to manage
all Enterprise Security Services.
SDTI's proposed ESS architecture offers one possible option for the
firewall mavens and corporate security managers worrying about how to
manage an immediate future of encrypted telecom and PKC-certificate
authenticated users. Notably, for many sites, these enhanced services will
not require a new database -- perhaps no significant new hardware at all!
Vin McLellan + The Privacy Guild + <vin @
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
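The point made above about one token carrying up to three independent seed chains, enrolled with different PINs on regional servers that each keep their own user database, can be shown with a small model. The following is an added example and is not code from the post, from SDTI or from RSA; SecurID's real tokencode algorithm is proprietary and is not reproduced here. The code stands in an HMAC-SHA256 time-based construction (RFC 4226/6238 style, an assumption), and all seeds, serial numbers, user names, server names and PINs are constructed sample data. It shows that a record copied from one regional server (seed plus PIN hash) does not authenticate the same user to a server holding a different chain, that a used tokencode is rejected on replay, and that an exact duplicate of a server is spoofable with the copied record, which is the caveat about mirrored servers in the post.

```python
"""Toy model of one hardware token serving several regional authentication
servers, each holding a DIFFERENT seed for the same token.

Illustrative construction only (added example).  SecurID's real tokencode
algorithm is proprietary and is not reproduced here; the codes below are an
HMAC-SHA256 over a 60-second time counter (RFC 4226/6238 style), which is
enough to show the property discussed in the post: servers holding different
seeds for one token cannot be spoofed with each other's records, whereas
exact duplicates of a server can.  All seeds, serials, user names and PINs
are constructed sample data.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # assumed tokencode lifetime
DIGITS = 6          # assumed tokencode length
DRIFT_STEPS = 1     # accept codes one window either side of server time


def tokencode(seed: bytes, t: int) -> str:
    """Time-based code derived from one seed (stand-in for the real algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP_SECONDS), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class Token:
    """One physical token carrying up to three independent seeds ("chains")."""

    def __init__(self, serial: str, seeds):
        if not 1 <= len(seeds) <= 3:
            raise ValueError("a token carries one to three chains")
        self.serial = serial
        self._seeds = list(seeds)

    def seed_for_chain(self, chain: int) -> bytes:
        """Provisioning-time export: each regional server receives one chain's seed."""
        return self._seeds[chain]

    def display(self, chain: int, t: int) -> str:
        return tokencode(self._seeds[chain], t)


class RegionalServer:
    """Authentication server with its own database: user -> (seed, PIN hash)."""

    def __init__(self, name: str):
        self.name = name
        self._users = {}          # user -> (seed, pin_hash)
        self._last_counter = {}   # user -> last accepted time window (replay guard)

    @staticmethod
    def _pin_hash(pin: str) -> bytes:
        return hashlib.sha256(b"pin:" + pin.encode()).digest()

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, self._pin_hash(pin))

    def export_records(self) -> dict:
        """Exactly what a mirror server, or an attacker who copied the DB, would hold."""
        return dict(self._users)

    def import_records(self, records: dict) -> None:
        self._users.update(records)

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        """passcode = memorised PIN followed by the 6-digit tokencode (two factors)."""
        record = self._users.get(user)
        if record is None or len(passcode) <= DIGITS:
            return False
        seed, pin_hash = record
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(self._pin_hash(pin), pin_hash):
            return False
        base = now // STEP_SECONDS
        for counter in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            if counter <= self._last_counter.get(user, -1):
                continue  # tokencodes are one-time: reject replays of used windows
            if hmac.compare_digest(tokencode(seed, counter * STEP_SECONDS), code):
                self._last_counter[user] = counter
                return True
        return False


def demo(now: int) -> dict:
    """Walk through the cross-server scenario at a fixed time; returns named outcomes."""
    token = Token("000123456", [b"chain0-seed-constructed-0123",
                                b"chain1-seed-constructed-4567",
                                b"chain2-seed-constructed-89ab"])
    us, eu = RegionalServer("ACE-US"), RegionalServer("ACE-EU")
    us.enroll("vin", token.seed_for_chain(0), "2468")   # chain 0, one PIN...
    eu.enroll("vin", token.seed_for_chain(1), "1357")   # ...chain 1, a different PIN
    out = {}
    out["us_ok"] = us.authenticate("vin", "2468" + token.display(0, now), now)
    out["replay_rejected"] = not us.authenticate("vin", "2468" + token.display(0, now), now)
    out["eu_ok"] = eu.authenticate("vin", "1357" + token.display(1, now), now)
    stolen = us.export_records()                      # attacker copies the US database
    forged = tokencode(stolen["vin"][0], now)         # ...and can compute chain-0 codes
    out["stolen_record_fails_at_eu"] = not eu.authenticate("vin", "1357" + forged, now)
    mirror = RegionalServer("ACE-US-mirror")          # a true duplicate of ACE-US
    mirror.import_records(stolen)
    out["duplicate_server_spoofed"] = mirror.authenticate("vin", "2468" + forged, now)
    return out


if __name__ == "__main__":
    for name, ok in demo(int(time.time())).items():
        print(f"{name}: {ok}")
```

The replay guard keeps the last accepted time window per user, so a captured passcode is worthless after its first use even inside the drift window; the PIN hash and the seed are compared with constant-time comparisons. The last two outcomes are the ones that matter for the thread: a stolen regional record is useless at a server holding a different chain, but a mirror that carries the same records accepts the forged passcode, so mirroring only moves the trust boundary to the mirroring channel and the mirror's own protection.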