Identity-enabled network devices promise extra layer of authentication


Joel Dubin
09.25.2007


Device authentication doesn't replace user authentication; it augments it. The idea behind identity-enabled network devices is to authenticate the device itself, not just the user, before it is allowed onto a network.

This emerging authentication paradigm is intended to add an extra layer of security to any kind of network device, be it a workstation, desktop or laptop, PDA, cell phone or even a wireless access point. A user would still have to use his or her user ID and password, or some other authentication mechanism, to log on to a network, but the device itself would also have to authenticate.

Traditional access management is meant to allow authorized users in while blocking unauthorized or malicious ones. Hardware authentication does the same thing for devices. An authorized device, like an authorized user, is trusted: it's confirmed virus and malware free, is patched with up-to-date software, and won't bring anything harmful into the network or take anything unauthorized -- like data -- out of it.

The heart of identity-enabled device technology is an embedded chip called the Trusted Platform Module (TPM) that comes preinstalled with all the usual accoutrements for authentication, such as passwords, encryption keys and digital certificates. The organization behind this hardware-authentication initiative is the Trusted Computing Group (TCG), a vendor consortium founded in 2003 to promote the use of vendor-neutral specifications.

The key to the TPM is its internal firmware, which can't be easily accessed or manipulated and doesn't need to be reprogrammed after installation. If a device is lost or stolen, its certificate or other authentication credentials can be revoked, like any other credential, and the device won't be able to connect to the network again.

A NAC for device authentication
The field of identity-enabled network devices goes under different names. It's been called trusted computing, endpoint security or network access control (NAC). But NAC is actually a little different. NAC is a process: a set of technologies that monitor devices accessing a network, which may include software, hardware, servers or a combination of all of these. NAC systems verify that devices connecting to the network are trusted and safe, but don't necessarily authenticate them.

Identity-enabled network devices are locked down to a greater degree. They are authenticated and secure endpoints in themselves. But the question is: do they deliver on the promise of increasing security and locking down a network any tighter than other NAC systems? Are they realistic? Who are the players, and how do they plan to roll out the technology to the technical masses?

For identity-enabled devices to work, they must be cross-platform. It must be possible to move them around the network, just like any other piece of hardware. Obviously, the chips embedded in the hardware must be standardized.

A VPN or wireless client with a TPM can use its self-contained digital certificates to authenticate. In fact, TPMs can be combined with other authentication methods, like smart cards, one-time password tokens and biometrics, for a multilayered approach to securing network access.
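The access decision described above, and the revocation path for a lost or stolen device, as an added example in Go that is not part of the original article. It assumes the device key is an Ed25519 key pair standing in for the TPM's certificate-backed key, a server-issued nonce as the thing the device signs, and a constructed sample user store; the Gatekeeper refuses access unless the device proves an enrolled, unrevoked key and the user separately logs on.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)
// Device stands in for a TPM-equipped endpoint: the private key never leaves it,
// only a signature over a server-issued nonce does. Ed25519 is an assumption for
// a runnable demo; a real TPM holds RSA/ECC keys backed by a certificate.
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() Device                    { _, priv, _ := ed25519.GenerateKey(rand.Reader); return Device{priv} }
func (d Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d Device) Prove(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
// Gatekeeper is the network-side check: enrolled device keys, a revocation list
// for lost or stolen hardware, and a constructed sample user store (plaintext
// only to keep the demo short; a real store holds password hashes).
type Gatekeeper struct {
	devices map[string]ed25519.PublicKey
	revoked map[string]bool
	users   map[string]string
}
func NewGatekeeper() *Gatekeeper {
	return &Gatekeeper{map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]string{"alice": "correct horse"}}
}
// Enroll registers a device key, using its hex form as the device ID; Revoke
// blacklists that ID, which is all that is needed for a lost or stolen device.
func (g *Gatekeeper) Enroll(pub ed25519.PublicKey) string { id := hex.EncodeToString(pub); g.devices[id] = pub; return id }
func (g *Gatekeeper) Revoke(id string)                    { g.revoked[id] = true }
// Challenge issues a fresh nonce so a captured signature cannot be replayed.
func (g *Gatekeeper) Challenge() []byte { n := make([]byte, 32); rand.Read(n); return n }
// Admit grants access only when the device proves an enrolled, unrevoked key
// AND the user credential checks out: device auth augments, never replaces.
func (g *Gatekeeper) Admit(id string, nonce, sig []byte, user, pass string) error {
	pub, ok := g.devices[id]
	switch {
	case !ok:
		return errors.New("device not enrolled")
	case g.revoked[id]:
		return errors.New("device credential revoked")
	case !ed25519.Verify(pub, nonce, sig):
		return errors.New("device proof invalid")
	}
	if want, ok := g.users[user]; !ok || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
		return errors.New("user authentication failed")
	}
	return nil
}
```

A stale nonce, another device's key, a wrong password or a revoked ID each fail independently, which is the layering the article describes.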

The future of identity-enabled devices
According to the TCG, by 2006 every enterprise device shipped from the top 20 vendors had a TPM, covering an estimated 20 million devices shipped by vendors including Lenovo Group Ltd., Hewlett-Packard, Dell Inc., Gateway Inc., Fujitsu, Toshiba, Acer Inc. and Panasonic Corp.

The TCG also cites usage examples from companies in a number of industries, including pharmaceuticals, food and car rental companies, plus government institutions, such as the National Security Agency (NSA).

Its success to date has been attributed in part to the cross-platform nature of the TCG's initiative. It's seen as an alternative to Microsoft's Network Access Protection (NAP) and to Cisco Systems Inc.'s Network Admission Control (NAC), which is strongly tied to Cisco's own networking hardware.

But that may change, as Microsoft has recently partnered with the TCG to incorporate trusted computing into NAP.

Any company considering implementation of identity-enabled devices needs to thoroughly study its network architecture -- as it would for any new deployment -- to determine whether the TPM is compatible with its existing infrastructure. Implementing trusted computing can only be done in phases, as TPM-enabled hardware is rolled out.

Identity-enabled technology is still developing and growing. It's already a part of most new hardware. The question is whether it'll become a widely adopted part of enterprise authentication systems, or if it'll go largely ignored.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security available from Amazon. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog.

All Rights Reserved, Copyright 2003 - 2009, TechTarget