Product Reviews

Authenticate and Authorize

Using ActivIdentity 4TRESS AAA Server and ActivIdentity Client can provide greater protection for network assets.

ActivIdentity 4TRESS AAA Server and ActivIdentity Client

Rating criteria (weights):
  Documentation   20%
  Installation    20%
  Ease of Use     20%
  Feature Set     20%
  Administration  20%
Overall Rating:

Rating scale:
  1: Virtually inoperable or nonexistent
  5: Average, performs adequately
  10: Exceptional

For professional bad guys, getting into an enterprise network isn't particularly difficult. It's not even that hard for the community of amateur and recreational hackers. Often it simply requires knowledge of how to access the VPN, plus some clues as to how the organization constructs user names. It may be especially easy for a former employee to gain unauthorized access, as such a person is likely to know the user names of colleagues and make reasonable guesses of passwords.

There are a variety of solutions available that employ one-time passwords for external access to the network. With a solution like this, the same one-time password is generated independently on the server and on a device carried by the user. The user checks the token and types the password it displays. The network authentication server checks that password against the one generated by the secure server. If they match, the user is logged in normally.

The ActivIdentity Solution
ActivIdentity's 4TRESS Server and the ActivIdentity Client are one such solution. The 4TRESS Server is a scalable RADIUS- and TACACS+-compliant server that incorporates a full range of authentication, authorization and accounting (AAA) services. The ActivIdentity Client provides a secure environment when using smart card technology for network access.

The ActivIdentity solution generates one-time passwords using a patented computational algorithm based on three variables: time, an event counter and a cryptographic key that's updated for each authentication. You can initialize the tokens (key fob or mini-token) and smart cards locally using software provided by the vendor, ensuring that keys are securely deployed.
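The check the server performs, as an added illustration that is not ActivIdentity's patented algorithm and not code from this review: the code is derived from a shared key, an event counter and a time step using a standard HMAC-SHA1 construction (an assumption of this example), the server tolerates a small counter look-ahead and clock skew so a token pressed a few times without logging in stays in sync, and the stored counter is advanced after a match so an accepted code is not accepted a second time. The per-authentication key update the product describes is left out; the key stays fixed here.

```python
import hmac
import hashlib
import struct
import time

DIGITS = 6            # length of the displayed one-time password
STEP_SECONDS = 60     # assumed granularity of the "time" variable
COUNTER_WINDOW = 5    # how far ahead of the server the token's event counter may be
TIME_SKEW_STEPS = 1   # tolerated clock drift, in time steps, in each direction


def otp_value(key: bytes, counter: int, time_step: int) -> str:
    """Derive a decimal OTP from the shared key, the event counter and the time step.

    HMAC-SHA1 with RFC 4226-style dynamic truncation (an assumption of this
    example, not the vendor's algorithm); counter and time step are fed to the
    MAC as big-endian 64-bit integers, so a change in either yields a new code.
    """
    msg = struct.pack(">QQ", counter, time_step)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class TokenRecord:
    """Server-side state for one token assigned to a user."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0  # the next event count the server expects from the token


def verify(record: TokenRecord, submitted: str, now: float) -> bool:
    """Accept `submitted` if it matches a code within the counter look-ahead window
    and the tolerated time skew. On success the stored counter moves past the
    matched value (resynchronising the server to the token), which is also what
    stops the same code from being accepted twice."""
    step = int(now // STEP_SECONDS)
    for c in range(record.counter, record.counter + COUNTER_WINDOW + 1):
        for t in range(step - TIME_SKEW_STEPS, step + TIME_SKEW_STEPS + 1):
            if hmac.compare_digest(otp_value(record.key, c, t), submitted):
                record.counter = c + 1
                return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    server = TokenRecord(key)
    # The user pressed the token three times without logging in, then presses again.
    shown = otp_value(key, 3, int(time.time() // STEP_SECONDS))
    print("first use accepted:", verify(server, shown, time.time()))
    print("second use accepted:", verify(server, shown, time.time()))
```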

The authentication server runs on a Windows 2000 Server or Windows 2003 Server. I don't usually use a VPN on my test network, but I set up remote access specifically for this purpose. I used a notebook system as a domain member and took it outside of the domain and my own network infrastructure to log in.

Then I installed the 4TRESS Server software. The best practice would be to give it a separate server. It also requires a database connection, so I provided SQL Server Developer Edition. The 4TRESS Server supports LDAP directories and SQL-compatible databases, and doesn't use a proprietary database, enabling centralized administration with distributed authentication. Finally, I pointed it to my domain controller (which was also my access server), and made sure it could see both log-ins and the available user profiles. The software provides for administrator, audit manager, device manager and help desk roles. In addition, it provides an optional Web portal to let users unlock and resynchronize their tokens, and report lost tokens.

On the Client Side
Once the server is installed and operating on the network, the fun begins. With the entire package, I received two hardware tokens, a pocket token and a key fob, as well as smart cards.

On the server, you use the Devices | Import menu selection on the Administration console to import the token data stored on disk into the AAA Server database, and assign a PIN code. Then you assign the imported tokens to users.

To use ActivIdentity tokens, simply type the one-time password generated by the token, instead of a static password, in the network or application user interface.

There's nothing to install on the client. On an Active Directory network, all you have to do is sign in as you normally do, except that your password is the value generated by the token. I took my notebook to another location and hit the address of my test network. When it asked for a log-in, I checked my token and typed in that number, and received entrance onto my domain.

You don't have to log in using the VPN. ActivClient also provides for secure Web log-in for Outlook Web Access and other Web clients using Microsoft Internet Explorer, Mozilla, Firefox and Netscape. It can even support pre-boot access and authentication, and disk and file encryption using PointSec, SafeBoot, WinMagic and other data-protection solutions. If you have client PCs that have personal data and have to be taken out of a secure area, this may be the best way to avoid a loss or theft that makes the 6 o'clock news.

Smart Cards
The smart cards and a smart card reader came with my configuration. These devices work in a similar manner to the tokens, except that you have to install the ActivIdentity Client software on the user machine. The client installed easily, and I was able to configure the smart cards using the software interface.

You can also use the smart card and ActivIdentity client to work with digital certificates and public key encryption (or PKI, for public key infrastructure). ActivClient provides digital certificate services using RSA key pairs stored on a smart card. You can use PKI and digital certificates to provide for Windows domain log-in, remote log-in, secure Web access and secure e-mail sending and receiving.

Secure Setup
The entire process of setting up the server and client took about a full day from beginning to end, though that didn't include setting up the smart card. Someone more familiar with the technology could probably perform the setup and testing in half the time. For a more complex network environment, it would probably take a bit longer.

This level of security should be standard just about anywhere, but I've only had one employer that used a hardware solution similar to ActivIdentity, and it wasn't when I worked for the Department of Defense.

You may think that you have nothing on your network worth stealing, or that hackers will almost certainly bypass your network in favor of one with a higher visibility, but that's fallacious reasoning. You may have a former employee looking to disrupt your information systems or a hacker that picked up on your company and VPN from other sources.


Another concern is the user losing their token. (When I used one, my token malfunctioned and generated incorrect passwords.) That will almost certainly happen at some point, but it isn't the end of the world by any means. In most cases, you can provide the user with a temporary static password until they return to the office or until you can send them another one.

Worth the Price
Certainly there's an expense involved in establishing this level of security, but the few dollars required for a replacement token is a very small price to pay for the added protection for your network.

ActivIdentity 4TRESS and the ActivIdentity Client are easy to set up and administer. Together, they're a worthwhile addition to any network environment that has employees working remotely and accessing network resources and applications.

And if you have laptops with sensitive personal information on them, it's better than reporting a loss, contacting the individuals involved (potentially in the hundreds of thousands or more), and instituting safeguards that can be much more costly.

About the Author

Peter Vogel is a system architect and principal in PH&V Information Services. PH&V provides full-stack consulting from UX design through object modeling to database design. Peter tweets about his VSM columns with the hashtag #vogelarticles. His blog posts on user experience design can be found at
