This article can also be found in the Premium Editorial Download "Information Security magazine: IPSec vs. SSL VPNs: Which cures your remote access ills?."
Download it now to read this article plus other related content.
Driving the authentication down toward Layer 2 of the network invokes the question, "Can we authenticate the machine as well as the user?"
Here's the idea: Using a unique footprint or ID from the machine itself provides a reliable way to control access, because it enables companies to lock out any unauthorized machine. Steal the machine but don't know the password? The machine gets cut off from network access. Steal the password but not the machine? Again, no access. So, when used together, passwords and machine IDs give companies strong security without the need deploying smart cards, tokens or other devices that users can misplace or break.
As appealing as this solution is, the offerings in the market for it are still quite new. But with major players such as Microsoft, Intel, Hewlett-Packard and IBM involved, it may gain traction. These companies, with others, formed the Trusted Computing Group (TGC) in April to "develop and promote open industry standard specifications for trusted computing hardware building blocks and software interfaces across multiple platforms, including PCs, servers, PDAs and digital phones. This will enable more secure data storage, online business practices and online commerce transactions, while protecting privacy and individual rights."
While the details are still emerging as to what TCG will actually provide, it's planning to embed crypto keys in the secure platform and chips. Since the keys will be linked to the chip, they will, in essence, become a piece of the hardware itself and able to provide machine authentication.
Diana Kelley is a partner with consultancy SecurityCurve.
This was first published in August 2003