The ubiquitous username and password authentication scheme has been with us since the early days of the Internet. Since then, the Internet has grown tremendously in both size and complexity, and the threats faced by network devices and applications have grown right along with it, yet the means used to authenticate users and devices have stayed much the same. To address these shortcomings, BlackRidge Technology introduced a new transparent means of authentication that adds a more robust layer of security while maintaining usability.
BlackRidge Technology’s new authentication scheme creates a new layer that permits organizations to develop a trust scheme for their entire network environment, or across multiple different network environments. This need to trust an entire environment is prompted by two requirements.
First and foremost, if the environment cannot be trusted, the integrity of the application layer session cannot be trusted. For instance, if a user named “jdoe” logs in from the competition’s campus, that session should not be trusted in the same way a “jdoe” session from a computer on your own organization’s LAN should.
Another reason environmental trust is necessary is the need to authenticate devices that do not natively support authentication, such as industrial control and monitoring devices. The need for these types of headless systems is growing rapidly, yet their lack of support for authentication either hampers their adoption or exposes the networks that use them to ever-increasing threats.
In the past, organizations sidestepped these issues by using firewalls or physically separating their networks. However, many companies are moving away from housing their entire staff – and their devices – at a single physical location. Instead they are spreading them across metropolitan, regional, national or even international boundaries and, as they do so, are finding it more difficult to maintain this separation of networks.
It is not just company personnel that are being spread around geographically. Now, data and computing resources are also routinely distributed beyond traditional physical environments.
We have seen offsite hosting of customer-facing applications for years. Now, the growing acceptance of cloud computing is accelerating this practice. Beyond that, this trend is now extending to internal applications as well. So with personnel, data, and computing resources being spread far and wide, companies still need them to all communicate and function as a whole.
The natural solution for many enterprises has been to build out a WAN that is physically separated from the public Internet. That way, their internal networks function as a single, unified environment: the private WAN interlinks are considered trusted connections, and trust is thereby extended to each connected environment.
The downside to this approach of using private WAN connections is that they are costly, forcing cost-sensitive companies to send sensitive data over the untrusted public Internet. This brings into question the integrity of transmitted data, as neither the environment nor the user can be confidently trusted. Regional networks end up looking like distant forts flung amongst a great, dangerous wild.
To work around these problems, companies have tried implementing more robust trust at the user level. A common tactic used is deploying two-factor authentication directly to the user. Typically, this is done through RSA tokens.
RSA tokens are used at the application level along with a username and password. When an application session is started, a user enters a sequence of numbers provided by a device or application. Once that token is verified, the user then enters their password before being allowed access to the requested application.
While two-factor authentication is certainly an improvement over the standard username and password scheme, RSA is still not a viable replacement for whole-environment trust because:
- RSA is an application-layer authentication mechanism and is unaware of the user’s network environment
- The user must not lose or misplace a physical or software token generator
- A person must enter the RSA token which prevents headless devices from using two-factor authentication
It is for these reasons that authenticating the entire network environment has become so important, especially considering the growing proliferation of headless devices. The BlackRidge Transport Access Control (TAC) avoids these shortcomings by authenticating the entire network environment. It:
- Resides at the network transport layer and provides end-to-end authentication of the network session
- Drops unauthorized traffic before a connection is established with the application
- Eliminates the need for a physical token generator
- Eliminates the need for user interaction so headless devices may be securely and safely used
The BlackRidge TAC technology allows numerous network topologies to be authenticated in two ways.
The first is through the BlackRidge TAC Gateway network appliance that authenticates an entire network segment and provides TAC-based authentication, control, and management. The TAC Gateway is installed at the edge of the network segment to be authenticated.
As TCP packets traverse the Gateway, TAC authentication data is transparently added. When a packet arrives at its destination, it is inspected and action is taken based on the TAC data found. If no TAC data is found, the packet can be dropped immediately. If the session is authenticated, the packet can be delivered, or another action can be performed, such as TAC-based routing or QoS packet scheduling.
Using the BlackRidge TAC Gateway, devices attached to corresponding networks do not need any additional software or hardware to authenticate to other TAC-enabled networks. This eases implementation and management for large deployments. It also simplifies network security where industrial controls or security systems are needed because these devices are usually closed systems and do not support third-party software or a user interface.
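The following is an added toy model of the gateway flow just described: an edge gateway binds a segment identity to each outbound TCP SYN, and the receiving side verifies that data and decides what to do with the packet before any connection reaches the application. It is not BlackRidge code and does not reproduce the real TAC wire format; the token construction (a truncated HMAC carried in a TCP-option-like field), the segment key, the policy table and all packet values are assumptions constructed for illustration.

```python
"""
Toy model of transport-layer segment authentication (added example, not
BlackRidge's implementation). The token layout, key handling and policy
table below are assumptions made for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Identity and key of one network segment, held by the gateway at its edge.
SEGMENT_ID = "segment-branch-office"   # constructed sample identity
SEGMENT_KEY = b"\x11" * 32             # constructed sample key, not a real secret

# Assumed truncation so the token fits in the limited TCP option space.
TOKEN_LEN = 8


@dataclass
class SynPacket:
    """Minimal TCP SYN model: only the fields the token is bound to."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    tac_id: Optional[str] = None       # assumed field: which segment tagged the packet
    tac_token: Optional[bytes] = None  # assumed field: the authentication data


def _token(key: bytes, p: SynPacket, tac_id: str) -> bytes:
    """Bind the segment identity to this particular connection attempt."""
    msg = f"{tac_id}|{p.src_ip}|{p.dst_ip}|{p.src_port}|{p.dst_port}|{p.seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:TOKEN_LEN]


def gateway_tag(p: SynPacket, tac_id: str = SEGMENT_ID, key: bytes = SEGMENT_KEY) -> SynPacket:
    """Edge gateway: transparently adds TAC data to an outbound SYN.

    The host behind the gateway (a headless controller, for instance) runs no
    software and takes no part in this step.
    """
    p.tac_id = tac_id
    p.tac_token = _token(key, p, tac_id)
    return p


# Receiving side: the segments it trusts and the action to take for each.
TRUSTED_SEGMENTS = {SEGMENT_ID: SEGMENT_KEY}
POLICY = {SEGMENT_ID: "deliver"}   # could equally be a routing or QoS action


def inspect(p: SynPacket) -> str:
    """Destination side: decide before a connection is established with the application.

    Returns "deliver" (or another policy action) for an authenticated segment,
    otherwise a "drop:<reason>" string.
    """
    if p.tac_id is None or p.tac_token is None:
        return "drop:no-tac-data"           # untagged traffic never reaches the application
    key = TRUSTED_SEGMENTS.get(p.tac_id)
    if key is None:
        return "drop:unknown-segment"
    expected = _token(key, p, p.tac_id)
    if not hmac.compare_digest(p.tac_token, expected):
        return "drop:bad-token"             # tampered fields or wrong key
    return POLICY.get(p.tac_id, "drop:no-policy")


if __name__ == "__main__":
    tagged = gateway_tag(SynPacket("10.1.0.5", "192.0.2.10", 40000, 443, 1234))
    untagged = SynPacket("203.0.113.7", "192.0.2.10", 40001, 443, 99)
    print("tagged  ->", inspect(tagged))
    print("untagged->", inspect(untagged))
```

Because the token covers the addresses, ports and initial sequence number, a token copied from one SYN does not validate on another, and the receiver can refuse an unknown or untagged source without ever completing the handshake. The model deliberately leaves out how segment keys are provisioned and rotated, which in a real deployment is the part that determines how much the "trusted segment" claim is actually worth.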
The second is a BlackRidge TAC software driver installed on a device to identify an individual host. This driver is installed on individual systems that require authentication and is commonly used on devices that roam outside the company’s internal network. Installing the driver on systems directly connected to the company’s LAN can provide a higher level of security for sensitive network segments or resources.
Usernames and passwords are here to stay as a means of authenticating users. However, they must be viewed as only one part of a larger scheme of authentication and trust in a company’s security arsenal as additional tools are increasingly needed to fully secure an organization’s environment.
Adding the ability to uniquely identify a network environment gives organizations a powerful tool to better manage trust between networks, and therefore between users and applications. Using the BlackRidge TAC technology, organizations can transparently introduce network-based authentication into their environment. In so doing, they can continue to embrace the advantages that cloud-based computing offers without putting the security and integrity of their applications or data at risk.