
Managing internal network devices

In this Ask the Expert Q&A, our expert explains how tokens can be used to manage an internal network. Also learn best practices for implementing this management system.

Are tokens a good solution for managing internal network devices such as routers or switches? What are the alternatives to a token system? What are best practices?
Hardware tokens, which generate one-time passwords (OTPs), can be a good way to manage an internal network. Some examples are RSA's SecurID and Vasco's Digipass. The idea is that the OTP provides an additional layer of authentication, on top of a user ID and password, to give a system extra protection. This is known as two-factor authentication: the user ID and password are one factor (something the user knows) and the token-generated OTP is the second (something the user has). The token displays a new, unique code every thirty or sixty seconds, and the user is prompted for it only after successfully entering the user ID and password. The user ID and password are static, meaning they never change, while the OTP value is constantly changing, so a captured code is useful to an attacker only until it expires, and a well-implemented authentication server will also refuse to accept the same code twice.

So, how can this protect an internal network? Traditionally, routers and switches are accessed through a direct console connection to the device, by telnet or via a Web interface. Telnet and a plain HTTP Web interface send the user ID and password in clear text, which can be picked off the network by malicious users with packet sniffers (SSH and HTTPS protect the session, but a static password typed into even one clear-text session is exposed). If a user ID and password were stolen, the intruder would still need a current OTP value to gain access. Tokens can be defeated through man-in-the-middle attacks, where the credentials, including the OTP, are captured by a malicious user controlling a system between the client and the host. The attacker then immediately logs on to the real host with the stolen credentials before the code expires, so the short validity window limits this attack to a single session but does not eliminate it. A direct console connection gives the attacker no network path to sit on, so tokens used over the console aren't exposed to this type of attack; telnet and Web management sessions are, and should be carried over SSH or HTTPS where the device supports it.

Tokens aren't foolproof. Here are some best practices for using them:

  • Make sure every user has their own unique token. That means no sharing of tokens among users, and no single token for an entire user group; otherwise the second factor no longer identifies an individual, and the audit trail cannot tell who logged on.
  • Educate users to keep a close eye on their tokens and to keep them in a safe and secure place when not in use.
  • Tightly control token distribution. Only issue tokens to active users. When a user no longer needs a token, not only take it back, but also deactivate it on the authentication server. Users should be required to report any lost or stolen tokens immediately so they can be deactivated.
  • Keep an accurate inventory of all tokens received and distributed. Whenever a shipment of tokens arrives, record each individual token and its serial number. Note any irregularity or defective token in the record, and send defective tokens back to the manufacturer.


This was last published in September 2005
