
Managing internal network devices

In this Ask the Expert Q&A, our expert explains how tokens can be used to manage an internal network. Also learn best practices for implementing this management system.

Are tokens a good solution for managing internal network devices such as routers or switches? What are the alternatives to a token system? What are best practices?
Also known as one-time passwords (OTPs), tokens can be a good way to manage an internal network. Some examples of tokens are RSA's SecurID and Vasco's Digipass. The idea is that the OTP provides an additional layer of authentication, in addition to a user ID and password, to give a system extra protection. This is known as two-factor authentication. The user ID and password are one factor and the OTP is the second. The OTP generates a new, unique PIN every thirty seconds and the user is prompted for it only after successfully entering the user ID and password. The user ID and password are static, meaning they never change, while the OTP value is constantly changing.

So, how can this protect an internal network? Traditionally, routers and switches are accessed through a direct connection to the device, by telnet or via a Web interface. All of these methods send the user ID and password in clear text, which can be picked off the network by malicious users with packet sniffers. If a user ID and password were stolen, the intruder would still need the OTP value to gain access. Tokens can be defeated through man-in-the-middle attacks, where the credentials are stolen by a malicious user controlling a server between the client and the host; the attacker then immediately logs on to the real host with the stolen credentials. Since routers and switches are often directly accessed, tokens used for their management aren't susceptible to these types of attacks.

Tokens aren't foolproof. Here are some best practices for using them:

  • Make sure every user has their own unique token. That means no sharing of tokens among users or allowing a single token for an entire user group.
  • Educate users to keep a close eye on their tokens and keep them in a safe and secure place when not in use.
  • Tightly control token distribution. Only issue tokens to active users. When a user no longer needs a token, not only revoke it, but also deactivate it entirely. Users should be required to report any lost or stolen tokens immediately.
  • Keep an accurate inventory of all tokens received and distributed. Whenever a shipment of tokens arrives, keep a record of each individual token and its serial number. Note any irregularity, or defective token, in the record and send defective tokens back to the manufacturer.
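The following is an added example, not code from the original Q&A or from any token vendor. It shows both points made above in working form: a management host that checks the static user ID and password as the first factor and a thirty-second time-based code as the second, accepting each code value only once so that a sniffed value cannot be reused, plus a small token registry that records serial numbers on receipt, issues each token to exactly one user, and distinguishes revoking a token from deactivating it entirely. The code generation uses the open HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1, six digits), not SecurID's or Digipass's proprietary algorithms; `AccessServer`, `Token`, `hash_password` and the sample serial numbers are assumptions made for the example, and `hash_password` is a stand-in rather than a production password hash.

```python
# Added example (not from the original Q&A): a minimal two-factor login check for a
# management host, with a token registry that follows the best practices above.
# The code-generation algorithm is the open HOTP/TOTP construction
# (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second step), not any vendor's proprietary one.
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STEP_SECONDS = 30   # the thirty-second window described in the answer
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str) -> str:
    # Constructed stand-in only: a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Token:
    serial: str                    # recorded from the shipment inventory
    secret: bytes
    user: Optional[str] = None     # exactly one user, or nobody
    active: bool = True            # False once deactivated entirely
    last_counter: int = -1         # highest time step already accepted (replay guard)


@dataclass
class AccessServer:
    passwords: Dict[str, str]                                  # user -> password hash (factor 1)
    tokens: Dict[str, Token] = field(default_factory=dict)     # serial -> token (inventory)
    assigned: Dict[str, str] = field(default_factory=dict)     # user -> serial (distribution)

    def receive_shipment(self, shipment: List[Tuple[str, bytes]]) -> None:
        """Record every token in a shipment by serial number before any is issued."""
        for serial, secret in shipment:
            self.tokens[serial] = Token(serial=serial, secret=secret)

    def issue(self, serial: str, user: str) -> Tuple[bool, str]:
        """One token per user, one user per token; deactivated tokens are never reissued."""
        tok = self.tokens[serial]
        if not tok.active:
            return False, "token deactivated"
        if tok.user is not None:
            return False, "token already assigned"
        if user in self.assigned:
            return False, "user already has a token"
        tok.user = user
        self.assigned[user] = serial
        return True, "issued"

    def revoke(self, serial: str) -> None:
        """Take the token away from its user (role change, lost or stolen token report)."""
        tok = self.tokens[serial]
        if tok.user is not None:
            self.assigned.pop(tok.user, None)
            tok.user = None

    def deactivate(self, serial: str) -> None:
        """Retire the token entirely so it can never be reissued."""
        self.revoke(serial)
        self.tokens[serial].active = False

    def login(self, user: str, password: str, code: str, now: int) -> Tuple[bool, str]:
        """Factor 1: static password. Factor 2: the current OTP value, each accepted once."""
        expected = self.passwords.get(user, "")
        if not hmac.compare_digest(hash_password(password), expected):
            return False, "bad password"
        serial = self.assigned.get(user)
        if serial is None:
            return False, "no token issued"
        tok = self.tokens[serial]
        if not tok.active:
            return False, "token deactivated"
        counter = int(now) // STEP_SECONDS
        if counter <= tok.last_counter:
            return False, "code already used"          # a sniffed value cannot be replayed
        if not hmac.compare_digest(totp(tok.secret, now), code):
            return False, "bad code"                   # the password alone is not enough
        tok.last_counter = counter
        return True, "ok"


if __name__ == "__main__":
    # RFC 6238 test vector: the SHA-1 secret "12345678901234567890" at T=59 gives 94287082,
    # so the six-digit code is 287082.
    print(totp(b"12345678901234567890", 59))
```

The replay guard is what turns a sniffed credential pair into a dead end: once a time step has been accepted for a token, any later presentation of the same value is refused, and a stolen password alone never gets past `login`. Because `deactivate` clears the assignment and flags the token inactive, the serial stays in the inventory for audit but `issue` refuses it for every future user, which is the "revoke and deactivate" distinction the third practice draws.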


This was first published in September 2005.
