Device authentication doesn't replace user authentication. It augments it. Hence the idea behind using identity-enabled network devices is to authenticate a device, rather than a user, before it can access a network.
This emerging authentication paradigm is intended to add an extra layer of security to any kind of network device, be it a workstation, desktop or laptop, PDA, cell phone or even a wireless access point. A user would still have to use his or her user ID and password, or some other authentication mechanism, to log on to a network, but the device itself would also have to authenticate.
Traditional access management is meant to allow authorized users, while blocking unauthorized or malicious ones. Hardware authentication does the same thing for devices. An authorized device, like an authorized user, is trusted: it's confirmed virus and malware free, is patched with up-to-date software, and won't bring anything harmful in, or take anything unauthorized out -- like data -- from the network.
The heart of identity-enabled device technology is an embedded chip called the Trusted Platform Module (TPM) that comes preinstalled with all the usual accoutrements for authentication, such as passwords, encryption keys and digital certificates. The organization behind this hardware-authentication initiative is the Trusted Computing Group (TCG), a vendor consortium founded in 2003 to promote the use of vendor-neutral specifications.
The key to the TPM is its internal firmware, which can't be easily accessed or manipulated, and doesn't need to be programmed again after installation. If a device is lost or stolen, the certificate or other authentication credentials can be revoked, like any other authentication credential, and it won't be able to connect again to the network.
A NAC for device authentication
The field of identity-enabled network devices goes under different names. It's been called trusted computing, endpoint security or network access control (NAC). But NAC is actually a little different. NAC is a process. It's a series of technologies that may include software, hardware or servers that monitor devices accessing a network, or a combination of all of the above. NAC systems verify that devices hooking up to the network are trusted and safe, but don't necessarily authenticate them.
For identity-enabled devices to work, they must be cross-platform. It must be possible to move them around the network, just like any other piece of hardware. Obviously, the chips embedded in the hardware must be standardized.
A VPN or wireless client with a TPM can use its self-contained digital certificates to authenticate. In fact, TPMs can be combined with other authentication methods, like smart cards, one-time password tokens and biometrics, for a multilayered approach to securing network access.
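The layered check described above (the device proves itself, its credential is checked for revocation, and the user still logs on) can be sketched as follows. This is an added example, not code from the TCG or from any NAC product. It assumes an HMAC challenge-response as a stand-in for the certificate-based signature a TPM would produce, and the device ID, user name, password and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"
# Constructed sample records; the HMAC key stands in for a TPM-protected device key.
DEVICE_KEYS = {"laptop-0042": secrets.token_bytes(32)}
REVOKED_DEVICES = set()   # device IDs reported lost or stolen
USER_HASHES = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
_pending = {}             # device_id -> outstanding single-use nonce

def issue_challenge(device_id):
    """Server side: hand the device a fresh random nonce to prove itself against."""
    _pending[device_id] = secrets.token_bytes(16)
    return _pending[device_id]

def device_response(key, nonce):
    """Device side: on real hardware this runs inside the TPM, so the key never leaves it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def verify_device(device_id, response):
    nonce = _pending.pop(device_id, None)  # single use: a replayed response finds no nonce
    key = DEVICE_KEYS.get(device_id)
    if device_id in REVOKED_DEVICES:
        return False, "device credential revoked"
    if nonce is None or key is None:
        return False, "unknown device or no outstanding challenge"
    if not hmac.compare_digest(device_response(key, nonce), response):
        return False, "device proof invalid"
    return True, "device ok"

def verify_user(user, password):
    stored = USER_HASHES.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)

def admit(device_id, response, user, password):
    """Grant access only when the device AND the user both authenticate."""
    ok, reason = verify_device(device_id, response)
    if not ok:
        return False, reason
    if not verify_user(user, password):
        return False, "user authentication failed"
    return True, "access granted"
```

Adding a device ID to `REVOKED_DEVICES` blocks that device even when the user's password is correct, which is the lost-or-stolen case the article describes.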
The future of identity-enabled devices
According to the TCG, by 2006 every enterprise device shipped from the top 20 vendors had a TPM, covering an estimated 20 million devices shipped by vendors including Lenovo Group Ltd., Hewlett-Packard, Dell Inc., Gateway Inc., Fujitsu, Toshiba, Acer Inc. and Panasonic Corp.
The TCG also cites usage examples from companies in a number of industries, including pharmaceuticals, food and car rental companies, plus government institutions, such as the National Security Agency (NSA).
Its success to date has been attributed in part to the cross-platform nature of the TCG's initiative. It's seen as an alternative to Microsoft's Network Access Protection (NAP) and Cisco Systems Inc.'s Network Admission Control (NAC), which is strongly tied to its networking hardware.
But that may change, as Microsoft has recently partnered with the TCG to incorporate trusted computing into NAP.
Any company considering implementation of identity-enabled devices needs to thoroughly study its network architecture -- as it would for any new deployment -- to determine if the TPM is compatible with its existing infrastructure. Implementing trusted computing can only be done in phases as TPM-enabled hardware is rolled in.
Identity-enabled technology is still developing and growing. It's already a part of most new hardware. The question is whether it'll become a widely adopted part of enterprise authentication systems, or if it'll go largely ignored.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security available from Amazon. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog.