This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
Download it now to read this article plus other related content.
Price: Starts at $99 per user; includes token, server license and first year support; $4,995 for optional Enterprise Solution Pack
Passwords, though easy to deploy, are no longer effective for remote access to critical applications; increasingly, organizations are turning to two-factor authentication, such as passwords coupled with tokens.
In the latest version of SafeWord, Secure Computing delivers identity management and access using tokens that generate secure single-use passcodes that cannot be stolen or hacked to complement existing remote access infrastructure such as VPNs.
SafeWord is designed specifically for Microsoft Windows platforms (XP, Vista, 32 and 64-bit) and supports a variety of remote access products including Citrix, Cisco, Check Point Nortel, Juniper, F5, Aventail and any other RADIUS-based VPNs, making it an excellent channel up-sell for enhanced security.
It was obvious to us that from the start SafeWord 2008 was designed for a no-nonsense deployment. There are two options for configuration--management via MS Active Directory (standard) or using the SafeWord 2008 Management Console, which is one of the components of the optional Enterprise Solution Pack (ESP). ESP offers a variety of useful features including SecureWire Access Gateway (an SSL VPN with unlimited users and host for Web applications requiring authentication), protection for Windows login, and MobilePass, which generates the same passcodes as the physical tokens through mobile devices such as smart phones and PDAs.
ESP is designed for organizations with small IT staffs that require big security commitments, such as SMBs that are still subject to regulatory compliance. While its SSL VPN may not be as robust as say a dedicated solution, such as Juniper, F5 or Array Networks, it delivers an effective solution capable of supporting strong secured access for Web applications and resources. It offers password, SafeWord, RADIUS, Client Certificates, IP authentication, Keys, PINs and pre-defined personal questions.
The basic installation of the three main components--the SafeWord Server, the management console (an Active Directory snap-in or the console included in the ESP) and the Auto Updater Agent, which automatically installs updates from Secure Computing, were straightforward-- simple port settings for the authentication engine, administrative service and database, host addresses and key signing.
Of the two management options, using AD offered the easiest and quickest setup. After installing the initial software, we only needed to open AD to launch SafeWord, where configuration options appeared in the Users and Computers pane. The Management Console operates independently through the Windows program groups.
Users can be imported directly from AD or a third-party database.
The tokens we tested were the Alpine model and come with a lifetime guarantee.
Secure Computing also offers a premium tokens with numeric keypads for added PIN-based protection.
Of course, the downside to physical tokens is that they are apt to be lost or left in one's pants and run through the laundry cycle (something we didn't test). In such an event, tokens can rapidly be decommissioned, replaced and reassigned through either management interface using the SafeWord tab under the User Properties and the token's serial number. Emergency passcodes can be generated for users whose tokens have been lost or damaged. Our advice is for administrators to understand this process thoroughly prior to an emergency call from a frantic user as it took us a few attempts to successfully assign a temporary passcode.
With regulatory compliance driving many security purchases, SafeWord covers the bases with extensive logs for both administrative actions and authentication. When compliance auditors need to know that sensitive data has remained secure, detailed logs and reports can chronicle the requisite information proving the laws are being effectively followed.
To make log files more manageable, we were able configure how frequently log files would be transferred from the database into an archive file for more efficient storage. However, to view an archived log, the file must be loaded back on to the database. Reports can be created through the Tools option on the admin server. Log data can be exported into third-party report generators or Microsoft Excel spreadsheets for custom graphs, tables and charts. While the data sets for the templates were easy assign, the actual report generation into spreadsheet format didn't work very well, splitting up data into multiple sheets instead of into a single, master table.
For administrators who like to automate and fine-tune their logging and reporting using customized shell script, SafeWord offers an easy-to-use command line tool.
The basic functionality of SafeWord adds another layer of security to existing identity management and authentication infrastructure. When we attempted to access secured applications and resources, such as logging on to a private network remotely through a VPN connection, we were prompted to enter our MS Active Directory assigned user ID as well as the passcode generated by pressing the button on our SafeWord Token. If either were incorrectly entered, access was denied.
SafeWord's flexibility in securing user access provides a variety of ways for organizations to effectively control remote access through various multifactor authentication scenarios. Users have a choice between several methods including a combination of synchronous (event or time-based), asynchronous (challenge-response), memorized, appended, CHAP-encoded and dynamic passwords. Multiple users can also share a single token, but each will have their own password.
While the basic SafeWord 2008 package with the hardware tokens delivers strong authentication, any organization with a significant mobile workforce armed with smart phones and PDAs should seriously consider purchasing the optional ESP for the MobilePass feature which generates authentication codes on mobile devices in lieu of hardware tokens.
With support for leaders in the remote access market, SafeWord 2008's software, hardware, licensing and support package is an attractive option for organizations wanting to add a cost-effective, yet strong two-factor authentication to their network environment.
Testing methodology: We tested SafeWord on Microsoft Windows 2003 Server in two different management configurations—using Active Directory and with the SafeWord 2008 Management Console. After the basic install, we also took a look at the optional add-on module, Enterprise Solution Pack.
This was first published in May 2008