Strong Wireless Authentication for Notebooks and Devices

Background

The client is a Government Agency that employs thousands of uniformed personnel to perform highly mission-critical tasks. A high-performance yet secure IT system is critical to enable its personnel to perform these tasks efficiently. Mobile devices use wireless networks that are typically less secure than wired networks. Attackers can potentially use unauthorized devices to obtain access to organization resources by bypassing the authentication mechanism entirely. The Agency recognizes the risks of network security threats and breaches, and decided to implement an IT system that is able to strongly authenticate every device and every member of personnel that connects to the wireless networks. This ensures that no unauthorized device or person is able to gain access to the networks. In the event of an attack or security breach, the administrator must have fine-grained control to swiftly disallow or deny specific devices or personnel access to the wireless networks.

The DS3 solution

DS3 deployed a robust, elegant and functional solution to provide strong authentication for the Agency's networks. The solution comprehensively addresses the need for Public Key Infrastructure (PKI) authentication and two-factor authentication in a single implementation. The dialogue between the authentication server and the device or user is conducted through an encrypted channel, which protects it from electronic eavesdropping. Strong authentication is enforced by making sure that both the wireless client and the access points are strongly authenticated using digital certificates. This mutual authentication protects the network against man-in-the-middle attacks. On top of that, 2-factor login is implemented to protect the Agency from common keylogger, malware and phishing attacks.

Solution Details

Each notebook or device is pre-registered with the DS3 Authentication Server Module (ASM), where an EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) certificate is issued by the DS3 ASM using a built-in browser-based self-service registration page. Each certificate includes a Device ID that enables the administrator to identify the device and track its status. During WLAN connection, the device performs an EAP-TLS RADIUS handshake via the Wireless LAN gateway to the DS3 ASM, where the certificate is verified. The status of the device must be validated before network access is granted. Once connected to the WLAN, the user enters a one-time password (OTP), generated from an assigned OTP token, as part of the application login process. The application server then makes programmatic calls to the DS3 ASM API for OTP verification before application access is granted to the user.

DS3 Authentication Security Module (ASM)

The DS3 ASM is the complete 2-factor authentication solution for the enterprise. It includes a built-in Certificate Authority (CA) and supports the standard RADIUS authentication protocol to seamlessly enable 2-factor logins for common enterprise applications such as VPNs, UNIX, SSH, etc. The flexible token management system gives enterprises a choice of 2-factor authentication alternatives, including OTP sent over SMS, Java browser OTP tokens, mobile phone OATH tokens, and hardware OTP tokens from RSA, VASCO, SafeNet and Gemalto.
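The two gates described under Solution Details, modelled as an added example in Python (not DS3 code; the Device ID registry, the token secret, the look-ahead window and all function names are constructed assumptions): the Device ID carried in the verified EAP-TLS certificate is checked against a per-device status table, which is what lets an administrator deny a single device, and the application then verifies an OATH HOTP code (RFC 4226) with the stored counter advanced past any accepted code so the same OTP cannot be replayed.

```python
import hmac
import hashlib
import struct

# Constructed device registry: Device ID (from the EAP-TLS certificate) -> status.
# Flipping one entry to "disabled" denies that device without touching the others.
DEVICE_STATUS = {"NB-0001": "active", "NB-0002": "disabled"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authorize_device(cert_subject: dict) -> tuple:
    """Stage 1 (RADIUS side). The certificate chain is assumed to be verified
    already; here the Device ID it carries is checked against the registry."""
    device_id = cert_subject.get("device_id")
    status = DEVICE_STATUS.get(device_id)
    if status is None:
        return ("Access-Reject", "unregistered device")
    if status != "active":
        return ("Access-Reject", f"device {device_id} is {status}")
    return ("Access-Accept", device_id)


class OtpVerifier:
    """Stage 2 (application side). Accepts a code within a small look-ahead
    window, so a token whose counter drifted ahead still works, and moves the
    stored counter past the accepted value so that code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def login(cert_subject: dict, verifier: OtpVerifier, otp: str) -> tuple:
    """Full flow: the device certificate gate first, then the user's OTP."""
    result, detail = authorize_device(cert_subject)
    if result != "Access-Accept":
        return (False, detail)
    if not verifier.verify(otp):
        return (False, "bad or replayed OTP")
    return (True, detail)
```

The HOTP routine reproduces the RFC 4226 test vectors for the secret `12345678901234567890`, so it can be checked against a real OATH token before being trusted.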



